Now Tim and I often disagree, and we do that with passion as well. But I have to agree with the theme of his presentation at the IIA’s GRC conference in Florida the other week. (Tim has graciously made his slides available here.)
His presentation was on the topic “Honorably Retire ‘Internal Controls’ and Promote ‘Risk Treatments’: It’s Time.” The concept that I agree with, in my language, is this:
- Internal audit should focus, and report to its stakeholders, on whether risk is being managed at desired levels. Reporting on whether the controls are in place is not answering the right question. That question is “Do I have reasonable assurance that the right risks are being taken?”
- When you report on controls, you are reporting on one way risk can be treated if it is at undesirable levels (another way is to avoid the risk by, for example, exiting that aspect of the business or selecting another vendor). You are leaving it to the board and top management to take your report on controls and figure out what that means to what matters to them -- and that is risk.
But, if we are to assess whether controls ensure risk is managed at acceptable levels, we have to know what those levels are.
Agree to Disagree
Tim and I agree that an essential first step is to audit and assess the organization’s risk management process. Hopefully, they have established what those acceptable levels of risk are.
But after that Tim and I start to disagree. This is a comment he wrote on another post:
“What I think is IA should provide assurance to the board on the question of whether management has an effective risk management process capable of informing the board of significant residual risk status positions related to important value-creating and value-eroding objectives.
If the organization's management is not creating a composite/consolidated report on residual risk status for the board, IA should play a lead role creating one for the board at least annually until such time as management begins creating one.”
I don’t like the idea of auditing, just as you would a set of financial statements, the ‘residual risk status’ at some point in time. I prefer to assess and report on the risk management framework and process and whether it provides reasonable assurance that such reports can be relied upon at any point in time. That will include auditing the controls over the more significant risks to assess whether their design and operation provides reasonable assurance that risks are managed as desired.
I also don’t like the idea of internal audit taking on a management responsibility and providing risk reports -- and annual is hardly acceptable.
Management Should Take the Lead
- It is management's responsibility to identify the desired level of risk, and if the internal auditor finds that management does not know what that is, they should give strong consideration to making that a significant issue in the report. How can management manage risk at desired levels if they don't know what those levels are?
- If management has established risk criteria or similar, the internal auditor should use their judgment to determine whether the controls provide reasonable assurance that risks are within those ranges. That is what they should report.
- If management has not established risk criteria or similar, then, as we are guided in the IIA Standards, internal audit should use their professional judgment and common sense to initiate a dialogue with management to determine whether the current level of risk is acceptable or not. That may lead to a discussion with the board. It may not. If we agree with management that the risk is acceptable, I would not report to the board.
What do you think? Do you agree with Tim or me, or disagree with both of us?
PS. Tim is one of the best speakers on the circuit. Whether you like what he has to say or not, he has a wonderfully dry sense of humor and great passion for his message.
Editor's Note: Another article by Norman Marks you might enjoy is: