Everyone agrees that internal audit has an important part to play in risk management, but just where to draw the line is always a controversial topic. Some think internal audit should play a lead role in risk management, setting the risk management agenda and advising management on risk issues. Others take a more purist position, stating that internal audit should only be there to audit the risk management function.
It’s not surprising. There are widely divergent views on the job of internal audit in general. Clients and stakeholders are often asked what they believe the role of internal audit to be. The answers tend to vary widely depending on the maturity level of the client’s internal controls environment. Some see internal audit mainly as the function in charge of Sarbanes-Oxley (SOX) compliance, while others say that it is to uncover fraud or malfeasance. The one common reply, however, that internal auditors are the “controls experts,” rarely changes.
If stakeholders have a narrow and incorrect idea of the problems we solve as internal auditors, what are we doing collectively to change that perception? This well-known quote by psychologist Abraham Maslow illustrates how easy it can be to incorrectly define a problem: “If the only tool you have is a hammer, then every problem looks like a nail.” If stakeholders view internal auditors as only “control experts,” then I can correctly rephrase Maslow’s quote to say: “If our only tools as internal auditors are controls, then every problem looks like a potential risk.”
If we want to think more broadly and completely about the role of internal audit in risk management, we need to think beyond controls.
Internal auditors simply must have a strong understanding of the macro and micro risks impacting their respective organizations. Given the increasing threats and dynamic nature of risks confronting many organizations, an inflexible or static “annual audit plan” approach might not provide the responsiveness needed for internal audit to quickly change course and address evolving risks. The use of Risk and Control Self-Assessments (RCSAs) seems a practical approach in theory. However, the output from using RCSAs and the skills of the risk owners might highlight inefficiencies in identifying and mitigating evolving risks.
Consistent failures stemming from poor tone-at-the-top, sub-culture clashes across different LOBs within an organization, lack of skills to identify and mitigate key risks, and inability to implement continuous monitoring and oversight of key functions are a few examples that could expose an organization to significant risks. Internal audit will see these dynamics at varying levels in the course of executing our missions. Failure to accept the reality and risks associated with these problems can be directly linked with the inability of the internal audit function to navigate volatile risk environments to create value.