Proposed Increased Disclosures on Risk - IIA Response

Earlier this month, The IIA provided its response to the increased disclosures suggested by the SEC on risk and other matters. I believe these are important, especially to internal audit practitioners considering what their companies should do.

I have excerpted below the points I think are of particular interest to internal auditors. The entire reply can be downloaded from

1.  With respect to risk and compensation, we suggest that the company’s report on Form 10-K include an assertion by the Compensation Committee that:
  • It has reviewed and approved all compensation programs for executives and others whose actions may have a significant impact on the level of risks taken and managed by the organization (including the chief internal audit executive).
  • The compensation programs are consistent with the longer-term interests of the organization, not only in considering the potential for increasing risks to the organization, but also in ensuring that risks in general are managed within the risk appetite and tolerances approved by the Board of Directors.
  • It has received formal assurances from (named) management that compensation decisions (whether for individuals or groups) take into consideration whether risks have been managed within the risk appetite and tolerances approved by the Board of Directors.
  • It has reviewed and approved all compensation awards and payouts to the CEO and officers, and has taken into consideration whether any excessive risks were taken during the period that were not pre-approved by the Board. 
  • It has received a formal assurance from management that processes are in place to effectively identify, assess, and manage material risks to the business.
2.  We believe significantly enhanced procedures and disclosures should be made concerning oversight of risk management. We recommend that the report on Form 10-K include an assertion that:
  • The Board has approved the organization’s risk appetite and tolerances.
  • The Board has approved the risk management policy.
  • The Board has received formal assurance from (named) management that an effective process is in place to identify risks to the organization, assess them, determine and assign responses, and manage risks within the Board-approved appetite and tolerance.
  • Management has formally reported to the Board, or a committee of the Board, any and all situations where risks have exceeded approved tolerances.
  • The Board, or a committee of the Board, has obtained a formal report from the internal auditor on the adequacy of management’s risk management processes.
3.  We suggest that the proposed disclosures relating to the independence of any consultant engaged to assist the Compensation Committee should be changed. The committee should provide an assertion, included in the report on Form 10-K, that it has assessed the independence of any consultant and determined that the consultant is both independent and objective. It should describe the standards used to assess whether any other fees obtained by the consultant might impair its objectivity.
4.  Because it is material to the adequacy of internal controls and risk management processes, we believe that the report by the Audit Committee included in the 10-K should include disclosures that describe the internal audit department:
  • Whether an internal audit function exists and to whom it reports. If the function does not report functionally to the Audit Committee and the CEO, the Audit Committee should disclose why this is considered appropriate.
  • Whether the internal audit function provides a formal assessment of the company’s risk management and related internal control processes.
  • Whether the Audit Committee is satisfied that the internal audit function is sufficiently resourced to consider the more significant risks to the enterprise.
  • Whether the Audit Committee has received an independent assessment of the quality of the internal audit function, and whether there were any deficiencies of significance that have not been addressed.

I invite comments on the quality and relevance of these suggestions — and what they would mean to your organization if adopted.

Posted on Sep 23, 2009 by Norman Marks


  1. Norman:

    I applaud the IIA for submitting a formal comment to the SEC in support of these new disclosure requirements and providing some thoughtful input to the SEC on ways to improve it.

    I also think however that there is a bigger issue that needs to be discussed - Why have so few audit departments to date examined their organization's pay/reward systems and reported major risks to the board of directors when reward systems constitute a major risk to good governance?  Although compensation systems are included in the COSO control environment category I don't believe that the 1992 COSO integrated framework puts enough emphasis on its role in effective risk and control governance.

    In terms of the role of internal audit, I believe Internal Audit's primary role should be to provide an opinion to the board on the reliability of the risk information provided by management.  Internal audit should not play the role of the primary risk/control analysts/reporters. 

    A presentation by Richard Chambers at the IIA Canada conference last week in Quebec City indicates that a survey the IIA conducted disclosed that currently only around 1 in 4 internal audit departments are providing formal written opinions on their organization's risk management processes to their organization's board.  Given this is a "must do" professional practice standard, it suggests that there is a considerable gap to be closed.

    The new SEC disclosure requirements related to compensation and risk oversight will be an opportunity for Internal Audit to elevate its role and importance if internal auditors can demonstrate they are able to competently assess and report on the full range of risk management processes that exist in businesses today - an opportunity that should not be missed.


  1. Tim, I agree with your comment about the absence of internal auditors (especially in the US) from assurance related to governance and risk management processes.

    My personal view is that internal audit should formally assess the adequacy of the risk management process (including the risk culture and the level of board oversight). Even where the CAE facilitates (because there is no separate CRO) the identification, assessment, mitigation, management, and reporting of risks, management remains responsible for the actual assessment of risks and execution of mitigation and management.

    Even an independent and resourced CRO will not have the same insight into the business as the operating managers. The CRO and CAE can teach and assist, but not take on management responsibilities.

    My crystal ball tells me that enhanced disclosures are coming, boards will get more actively involved in risk management oversight, and should (and I hope will) look to internal audit for objective assurance.

  1. While all these disclosures are well intended, I feel many IA Depts are not adequately prepared to opine on the adequacy of the organization's risk management processes.  This is largely due to the wide disparity of how risk management is defined, managed and embraced in each organization.  I have seen this first hand when evaluating this Standard as part of many QARs.  The good news is that regulatory driven disclosures will force rapid thought capital development and knowledge sharing across the IA profession, Sr. Management and the Board, similar to how many organizations dealt with SOX requirements.

    The challenging side note to ponder is how all these disclosures intersect with existing disclosure requirements (e.g., does a SOX material weakness = an inadequate risk management process?).  I guess we can debate this at a later date!

    Thanks for sharing Norman. 

  1. Norman - thanks for raising the visibility on this critical issue.  I think Mike Pryal hit the nail on the head when he said many IA departments are struggling with performing an assessment of the risk management process.  Underlying cause: you can't assess what doesn't exist.  So the current focus needs to be on providing internal auditors with the thought leadership and tools needed to help management move in the direction of implementing an effective risk management program.  Given the silos in many organizations around responsibilities for managing and monitoring risk, it could be a big cost savings as well.

  1. Given everyone's concern about silos and the need for holistic / environmental assessments, what do you all think of expanding the 1300 Standard to include suggestions/opportunities for improvement bearing on governance, risk and/or compliance?

    Tim & Norm:  Let's move the conversations/emails we've exchanged into the bright light of day.

  1. Norman/Thomas:

    I have been promoting the benefits of focusing a large percentage of IA resources on the task of reporting on the quality of an organization's risk and control management systems for many years with only limited take-up from the profession to date.  Unfortunately, when Internal Audit is the primary group in an organization doing formal risk/control analysis they are largely reporting on themselves.  I believe that organizations that are unwilling to embrace risk and control self-assessment in a serious way will continue to suffer serious problems particularly in situations where their industry is facing significant changes and competitive challenges.

    I think the most important initiative that the IIA could undertake in 2010 is to work very hard to raise the capability of members to foster risk and control self-assessment in their organizations and report on the quality of their organization's risk management processes. 
