Assurance on Risk Management Effectiveness: What Are We Waiting For?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
 
 
For almost four years now, I have been advocating that the internal audit profession embrace the challenge of providing assurance on the effectiveness of risk management. I believe it is the most significant opportunity for our profession in a generation. Yet, recent survey data would indicate that we are reluctant to make such assurance an integral part of our portfolios of internal audit coverage. I have but one question: What are we waiting for?
 
There is widespread agreement that failures of risk management in the late 2000s (particularly in the financial services sector) were a major contributor to the lingering global economic crisis. One of the legacies of this crisis will be a myriad of new regulations and statutes around the world designed to pressure management to become more effective in managing risks and boards to become more effective in an oversight role. As boards, in particular, struggle to demonstrate that they are effective in their oversight role, who will they turn to for assurance? Surely they cannot rely strictly on such assurance from management, for management cannot be fully objective in providing assurance about its own performance.
 
I believe the most obvious source of assurance on the effectiveness of risk management for boards is the organization’s internal auditors. Yet, the Audit Executive Center’s recent Global Pulse of the Profession survey reveals we are barely scratching the surface of this important opportunity. In fact, on average only 4 percent of internal audit plans worldwide are dedicated to providing assurance on the effectiveness of risk management. Amazingly, 52 percent of respondents, globally, indicate they are dedicating no resources to such assurance in 2012; and 92 percent indicate that such assurance comprises less than 10 percent of their audit plans. The only good news (if you can call it that) is that 38 percent indicate they are increasing coverage over 2011 levels.
 
The IIA remains convinced that assurance over risk management will be a key imperative for our profession in the decade ahead. In fact, we are so convinced that we launched the Certification for Risk Management Assurance (CRMA) in late 2011. This certification is designed to afford internal auditors worldwide the opportunity to demonstrate their proficiency in providing assurance on risk management effectiveness. The response has been amazing! More than 4,000 internal audit professionals worldwide have added CRMA to their resumes/CVs in the past year. By the end of 2012, it is likely to be The IIA’s second most widely held certification, behind only the CIA.
 
So why aren’t chief audit executives, who play a major role in setting internal audit priorities, embracing the challenge and leveraging all of the newly qualified resources? I still believe it is a matter of their “comfort zones.” This has simply not been a priority for the profession in the past, and many CAEs don’t feel comfortable raising their hands to take on a new role. It should also be noted that boards and management are not clamoring for internal audit to assume this new role either. Perhaps with a better awareness campaign on the part of CAEs, more demand would present itself. Either way, a comprehensive risk assessment in the annual/continuous internal audit planning process should highlight the gap in risk management assurance coverage.
 
It’s ironic that all of this is coming at a time when internal auditors are clamoring for a “seat at the table.” It is argued that such a “seat” will afford internal auditors a better understanding of key business and strategic risks. Perhaps it was bit harsh, but I couldn’t help but smile when noted thought leader, Norman Marks, recently observed on Twitter that “internal auditors who don’t provide assurance on risk management deserve a seat at the ‘children’s table.’” Ouch!
 
I have shared my thoughts on this important topic. I welcome yours.

Posted on Sep 17, 2012 by Richard Chambers

Share This Article:    

  Comments (9) un-categorized
  1. Comment by: Norman Marks   (9/17/12 05:33 PM)   

     Brilliant - and clearly stated. Well done, Richard

  1. Comment by: Tim Leech   (9/18/12 09:38 AM)   http://riskoversight.ca

    Richard: Thanks for raising this important issue.  The training workshops I run on Standard 2120 for IIA Chapters allow groups to specifically discuss why so few IA shops are complying with the new IIA  "must do" standard.  The responses cover some of the same ground you reference above - "Don't know how", "board isn't asking".  They also raise issues like "our company doesn't have an ERM framework" , "we are the only group that does formal risk assessment so we can't audit ourselves", "we don't want to do an audit where we know the conclusion will be the company/organization has ineffective risk management processes".

    On the plus side the pre-conference workshop on Standard 2120 I will be presenting  at the IIA All Star Conference in Las Vegas Oct 8th was orginally set for 25 people and has had to be expanded to 75 - the capacity of the room available.  It has sold out

    What I believe has not been done is the IIA globally needs to formally address the impact of traditional direct report auditing, the assurance paradigm practiced around the world that continues to be the foundation of the CIA and IIA training offerings,  on the adoption of effective risk management processes by public and private sector organizations. . I have stated for two decades that "more and better direct report audits demotivates work units from learning how to perform effective risk assessments themselves"   If all IA shops told their companies they were going to discontinue being primary risk/control analyst/reporters and were going to focus on ensuring work units reliably report on risk status the world would change overnight.  

    Is the IIA willing to study this issue?

     

  1. Comment by: Sean Lyons   (9/18/12 10:31 AM)   

    Richard, this is a serious challenge for IA in general and for CAE's in particular. It is very important that this challenge is addressed head-on, rather than being continually side-stepped.

    I wrote about this from the perspective of a corporate defense program in my my short article entitled "In Defense of the Corporation" in the October 2009 publication of The Internal Auditor magazine. See link:

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1539879  

    I hope it is still of help and of interest. 

  1. Comment by: Norman Marks   (9/18/12 11:02 AM)   

    I am glad to see an active discussion on the merits of Richard's message, both those in agreement and those who see difficulties.

    The issue is not that the IIA, IMHO, has failed us. After all, this has been in the standards for a while.

    No, each internal audit department has to recognize the need for change, then develop and implement a strategy for getting there.

    In my post yesterday (http://normanmarks.wordpress.com/2012/09/17/ernst-young-says-the-future-of-internal-audit-is-now-and-they-are-right/), I referenced a study by E&Y that says 25% believe IA does not have a positive impact on risk management activities. 80% believe change is needed, most of whom say this should be completed within 2 years.

    Time to stop the debate and get CAEs and their boards to take action.

  1. Comment by: Norman Marks   (9/18/12 11:10 AM)   

    PS - I am not implying that the IIA has failed us. It has not. Many CAEs have adopted a true risk-based approach and audit risk management, and the IIA Standards say it is needed.

    The failure rests, IMHO, with boards and CAEs for not doing it.

    Like Tim, I present on auditing risk management and find most departments are not doing it. As he says, there are several (poor) excuses for not doing it:

    1. "We don't have risk management." My response: "well, that means the audit is completed and you just have to report."

    2. "Management and the audit committee don't expect it". My response: "Educate them! Where is a greater risk than not knowing what your risks are?"

    3. "We don't have the skills." My response: "Go get them, even if you have to cosource for a while!"

    4. "We are the ERM function". My response: "First, is what you are doing sufficient? If not, report the issue. If it is, then cosource the work."

    No more excuses. Take action and move to the adults' table,

  1. Comment by: Tim Leech   (9/18/12 01:21 PM)   http://riskoversight.ca

    Norman:  I agree with your central focus amplifying RIchard's call to action.  

    It is important to note however that the EY survey and the questions they asked are laregely based on the assumption that IA will continue to do "risk-based" "direct report" audits and provide subjective opinions on whether internal controls are "effective".  Unfortunately, most audit departments today focus solely or heavily only on "controls".  Few internal audit departments today, in my experience, assess the full range of risk treatments to assess the overall residual risk status linked to key strategic and foundation objectives.  See my IIA GRC Conference for more details at:

    http://riskoversight.ca/wp-content/uploads/2011/03/Risk-Oversight-Honorably-Retiring-Controls-Promoting-Risk-Treatments-July-2012.pdf

    A key question needs to be asked is: If the "risk-based" audit plan has truly identified high risk and material areas worth the money to audit (direct report audits fully costed often cost $50,000 and more) why hasn't management undertaken a risk asssessment themselves?  If they had, the role of audit is to quality assure management's assessment to determine whether material retained risks are being reported upwards to senior management and the board.  If they haven't, it is a sign that either IA's plan is not really risk based in a material sense or the organization has weak risk management processes.

    I still believe the negative impact of IA plans that focus the majority of resources on direct report audits with subjective opinions on control "effectiveness" needs to be studied.

  1. Comment by: Steve Roberts   (9/21/12 05:07 AM)   http://www.pwc.co.za

    Richard I can not agree with you more. In South Africa the strategic importance of the risk management process was highlighted with the release of the King III Code on Corporate Governance. This code also identified the need for the Board and Audit Committee to receive some form of assurance that the risk framework is adequately designed and has been consistently applied across the business.

    Educating the Boards and Audit Committee members is crucial and we have seen the requests for an 'ERM Maturity Assessment " to be included in the annual IA plan increase dramatically over the last two years. Once organisations see the benefit of a well designed and effective risk management process they ask themselves the question "Why did we wait so long to implement ?"

    In respect of the skill sets required many internal audit functions do not have the necessary skill sets - solution  - co-source for the first 1 or 2 years and ensure that there is a proper transfer of skills to one of your staff members during that period.

  1. Comment by: Dan Clayton   (9/25/12 02:37 PM)   

    After attending the IIA GRC Conference in August one realization surfaced for me. Internal Auditors will always struggle to assess any form of management oversight, until they fully understand what basic expectations of management are... If all that is to be assessed is a Risk Management Program defined by our criteria, with our audit language then we can do it today, but it will be of low value.

    We have come from this world of adherence auditing. Does the financial report adhere to reporting standards? Does this department adhere to policy? Is this department adhering to regulatory requirements? In the last decade suddenly we are suppose to be strategic and business objective focused. How does this operation ensure success?

    Where our industry has failed is in understanding this top down value chain that is how a company defines and protects the value it seeks to create. If we had done this before we launched off into our “value-adding” initiatives, we would have built leading practices for business management (value protection) first. Risk management would then have been a module or process within the ideal management structure. However today, we come at management with an application or a theory that contains a foreign language and a new department. We have to scare them into adopting it because they can’t understand how it helps them reach their objectives.

  1. Comment by: Dan Clayton   (9/25/12 02:37 PM)   

    If we as a profession take the lead in defining leading business management (governance) practice that protect the most value we guarantee our future will perpetually be connected part of the value adding organizational foundation. If we don’t we will always be fighting to prove our thing will add value. With this being said, why has the IIA not focused on Governance and Management oversight Assessment first. I did attend a promising GRC Governance session (also attended by Tim Leech) by the IIA NA Leader defined governance using OCED principles to be oversight functions at any level. Now if we could just create standards around this we would give the profession context for what we mean by Risk Management Assurance.

     

Leave a Reply