Why Internal Audit Must Assess and Provide Assurance Over the Management of Risk

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


It is heartening to see more and more organizations requiring their internal audit departments to assess and provide an opinion on the effectiveness of risk management — or, using my preferred language, the management of risk by the organization.

I did a short video with Richard Chambers, President and CEO of Global IIA, on this topic. This was after I had posted a "tweet" saying that internal audit leaders who failed to provide assurance on risk management “deserved a seat at the children’s table.” While most laughed and agreed, this did draw some criticism from other internal audit leaders.

As I explain in the video, internal audit needs to focus on the risks that matter to the organization if they are to be relevant. Often, the greatest risk is that the organization’s leaders are not aware of the risks between them and their objectives.

Do you agree with my observation?

Do you agree also that not having expertise in risk management is no excuse: that expertise must be obtained, even if it requires going to an external source, i.e., co-sourcing?

You might be interested in other short videos on the value of internal audit performing SOX testing and internal audit’s role in organizational governance. Do you agree with my comments?


Posted on Oct 17, 2013 by Norman Marks


  1. Yes, I totally agree with both your comments. My opinion relating to the internal audit function on risk management is that even internal auditors are unaware of the probable risks that might be faced in the near future, i.e. 3-5 years. Leaders have their preferences & objectives but auditors should assess the organization's risks.

  2. Hi Norman. I have watched your video with Richard and I think you are right. We need to audit governance. The UK ICAEW (Chartered Accountants) has an interesting article 'What should companies be responsible for?' It is part of 'Dialogue in corporate governance' (http://www.icaew.com/en/technical/corporate-governance/dialogue-in-corporate-governance/five-questions-new-challenges). Experience has shown that there are always two other objectives in any hierarchy which are 'Define a strategy to achieve the objectives' and 'Support the achievement of objectives'. In short, you need a plan to get where you are going and the resources to get there. I'm currently trying to put together a risk register, using a mind map, based on the ICAEW objectives, with these additional two. So the first objective to consider is the setting of strategies for the main objectives. It's proved interesting - there is one risk for example, 'the board of directors behaves irresponsibly'. The first COSO attribute acts as a good control, 'The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behaviour the importance of integrity and ethical values to support the functioning of the system of internal control'. How do you audit this? The best audit test I can suggest is to audit their expenses! You raise this problem in the video - the management of these strategic risks is difficult to audit. However, we do need to persevere and get the expertise because it is an area where the existence of IA can really be justified. Indeed, since internal controls arise from the need to manage risk, if internal auditors don't have expertise in risk management, they don't have expertise in internal controls. (The very incomplete mind map is at http://dmgriffiths.com/rbia/files/mindmaps/Risk%20Universe.html.)
  3. I agree with your first paragraph but would caution that for the sake of clarity and consistency, we use the phrase "governance, risk management and control processes" instead of just risk management.

    Even if one assumes you are using "risk management" expansively to include all the others, one cannot be sure and some may assume you are explicitly excluding the others.

    Unfortunately, the exhortation for internal auditing to focus on risks may lead many to take their eyes off the ball - the organisational objectives.

    I would suggest that focusing on attributes of the objectives (to generate the criteria to which the risks need to be identified) is a surer way of identifying risks to objectives than focusing on the risks, because to be properly articulated, risks focus on (are derived from) criteria to particular attributes of objectives rather than the other way around.

    In any case, that's all management's responsibility, which is our job to let them know. We can then later assess (offer an opinion) if they are implementing the processes well enough and do not for example assume without assessment that identified risks are significant.

    All in all, I agree with the basic thrust of your points.

  4. I agree with Norman that Internal Auditors should be "auditing the management of risk by the organization". However, this may not always be the same as auditing the risk management function. Hence, "auditing the management of risk by the organization" is to be considered as part of each and every audit done in the organization. Most often internal auditors note that the perception of risk by management is different from that of auditors. A constant dialogue with management is required to bridge this gap in risk perception, and if internal auditors are still not convinced then the considered risks should be reported to the management and Board.
