When internal auditors assess the adequacy of controls, we should consider whether the level of risk to the organization is at an “acceptable level” (see IIA International Standard 2201). When that level of risk is “unacceptable” in the opinion of the auditor, there is an obligation to “discuss the matter with senior management” and the matter will be included in the formal audit report (quotes are from Standard 2600).

I usually don't blog about other people's writing, but I found a recent article by Richard Steinberg interesting (Richard is a former PwC senior partner who led the firm's work on the COSO internal control framework, founded PwC's risk management and control consulting practice, and directed the global corporate governance practice). Richard suggests and discusses a few alternate board models that are being considered as improvements on the current board governance structure. I join him in thinking something has to change, and not being certain how things will turn out.

An apparent trend is for the chief audit executive (CAE) to be asked to lead or manage the organization’s risk management function. I know several major companies where the CAE either is also the chief risk officer (CRO), or has risk management reporting to him or her. Several are also responsible for compliance, and at least one company has the CAE as head of the governance, risk, and compliance (GRC) function.