
Internal audit and risk management

December 23, 2022

The results from my recent survey (thanks to the 75 internal audit practitioners who responded) are interesting. (You can see the results of the earlier survey here.)

First, I will review the answers about auditing risk management.

Q1: Does your internal audit function audit the organization’s management of risk?

62 (83%) indicated that they do, in one form or another. That’s good news.

Skipping the next two for a moment:

Q4. If you audit risk management, which of these is your approach? Check all that apply.

  • 37 (50%) said “We assess whether risk management practices meet the needs of the organization for decision-making”. That is my favorite answer.
  • 42 (56%) audit compliance with policies and procedures. Maybe necessary, but not sufficient IMHO.
  • 29 (39%) assess the accuracy of management’s risk reporting. I have an issue with this if internal audit is seen as knowing better than management what the level of risk is. It’s also a moving target, so I would have to see what these functions are doing.
  • 22 (29%) use a maturity model. I like this approach and included one in Risk Management for Success.
  • 36 (48%) use a standard or framework:
    • 16 use the ISO 31000 risk management standard
    • 13 prefer COSO’s ERM Framework
    • 7 use a different framework

Q5. If you don’t audit risk management, why is that? Answer all that apply.

  • 12 said there is no risk management function to audit. However, IMHO that just changes the audit. It shouldn’t be an audit of the function; it should be an audit of how well management addresses risks to objectives.
  • 7 said they don’t have the support of management for such an audit. I don’t think that should be a sufficient deterrent.
  • But 7 said they don’t have the support of the board! I hope the CAE made sure the audit committee understood why this is a problem.
  • 5 said that other functions, such as the external auditor, assess risk management.
  • 5 said it’s not a priority. Hopefully, that’s because the CAE has confidence (such as from a prior audit) that the risk of poor risk management is low.
  • 3 don’t have sufficient experience. I hope they work around that.
  • 1 doesn’t have the budget. Hopefully, the CAE is discussing that with the audit committee.
  • 9 cited other reasons.

Going back to the second question:

Q2. Who completes the risk identification and assessment that management and the board rely on? Answer all that apply.

This is a question that will interest Tim Leech. The answers will probably surprise him as much as they surprised me!

  • 19 (25%) said management and the board rely on internal audit’s assessment. I am surprised that it’s so many, and Tim will be surprised that it’s so few. Risk assessment is a management responsibility, and the CAE should be telling the board and CEO that this is a huge problem. As CAE, I would not be comfortable if management relied on my assessment instead of their own. (Of course, internal audit can gain an understanding of the more significant risks when building and maintaining the audit plan.)
  • In 45 (60%) cases, a risk management function is responsible.
  • 24 (32%) said they have separate risk assessments in different parts of the business.
  • 4 don’t have a risk assessment, and 2 didn’t know.

Q3. When you perform an audit, do you review management’s risk assessment of the area and provide an opinion on its accuracy?

  • 35 (47%) not only said that management has a risk assessment for the area under audit, but it is reviewed as part of the audit. That is encouraging – more than I expected.
  • 21 (28%) said management doesn’t have a risk assessment for the area being audited.
  • 18 simply said No, and 1 didn’t know.

The next two questions are important.

Q6. Do you use management’s risk assessment in building the audit plan?

12 replied that management doesn’t have a risk assessment, so they can’t use it. Of the 63 who do:

  • 40 (63%) said Yes.
  • 20 (32%) said that they rely on it to a limited extent.

Q7. Is your audit plan based on an assessment of risks to the enterprise?

  • 32 (43%) said that they “audit the controls over the more significant risks to the enterprise and its objectives. We don’t perform full scope audits of processes or units”. This is my preferred approach.
  • 31 (41%) audit “those business units and processes that represent the greatest risks, and then audit the controls over the risks to those units and processes”. This is the traditional approach that I hope people are starting to realize is misguided. You will audit risks that matter only to middle management, if that, and not limit your work to what matters to the success of the enterprise.
  • 6 (8%) still use the antiquated cyclical approach.
  • And another 6 have taken a different approach (undefined).

Q8. Are you changing your approach in 2023 and beyond?

  • 34 (45%) are staying with the same approach.
  • 23 (31%) are definitely changing.
  • 19 (25%) might change.

I welcome your thoughts on the results.

  December 30, 2022 at 10:10 AM

    The Three Lines model seems a thread through many responses, and Norman’s insights. Norman’s favorite answer to Q4 aligns squarely with Three Lines. If there isn’t a Risk function, wouldn’t Three Lines point the Board towards Internal Audit?
    In Q4, I took “assessing the accuracy of reporting” as a way to ensure that stakeholders are getting valid info; this also serves to prevent false/misleading information and potentially fraud.

    • Norman Marks
      December 31, 2022 at 8:34 AM

      Douglas, the Three Lines model would not point the board to internal audit. The model is intended to show the relationships between the different functions.
