Deloitte and the Risk-Intelligent Chief Audit Executive

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The latest addition to the excellent Risk Intelligent series from Deloitte talks about how the head of the internal audit function (chief audit executive or CAE) can be a driver of risk excellence within an organization.

Deloitte reinforces the notion, embraced by many CAEs, that they have a key role not only in driving risk management practices within the organization, but also in providing assurance on their effectiveness. (Deloitte confuses the issue by talking about management providing assurance — which they don’t and can’t, because you can’t provide assurance on what you are responsible for — and internal audit providing "reassurance." I suggest ignoring the change and substituting "assurance" every time they say "reassurance.")

The authors also correctly point out that internal audit can only facilitate management decisions, not make those decisions itself. Management owns the determination not only of risk levels but also of the desired levels of risk.

Here are some quotes:

“In today’s environment, as a CAE, you have a unique opportunity to help make significant improvements in enterprise risk management effectiveness and efficiency. Your mission — should you choose to accept it — is to fight complacency and denial by enabling the organization to acknowledge, understand, and address relevant risks and thereby seek to reduce costs.”

“We believe that companies that focus solely on risk avoidance may survive but rarely thrive; only those that intelligently manage risk-taking as a means to value preservation and value creation will excel in today’s perilous yet opportunity-rich business environment.”

“While remaining aware that management and the board ‘own’ risk, internal audit can provide guidance and [re]assurance that risk is being properly and efficiently managed within the company’s defined appetites for various risks.”

My favorite is the role of the CAE in fighting complacency and denial. It is easy to say "we have completed our quarterly review of the top risks" and believe that you have effectively managed risks. That is like the ostrich sticking his head in the sand while the battle rages around him and saying “I looked up an hour ago.”

I welcome your comments.

Posted on Mar 1, 2014 by Norman Marks


  1.  I really agree with the notion that in most cases CAEs have to fight complacency and denial from both Excomm & the Board. In my experience I have seen that this is a result of the efforts that CAEs place on ERM, and at the implementation and development of the framework it is as good as left as the CAE's project. Since as CAEs we always understand the benefits that come about with a fully functional ERM system within a corporate, and how it also assists in developing our risk-based audit plans, maybe our level of interest is misunderstood, and if there is already an expectation gap between the CAE and Management the problems mount. I have also seen that some corporates, in order to address the complacency problem, do not departmentalise risk management at an earlier stage. I guess one of the COSO guidelines on ERM implementation also highlighted that once we form a Risk Unit before maturity, ERM is not understood as a process, thereby resulting in Management complacency and having the CAE left as more like the risk owner. I would also like to urge my fellow CAEs that ERM implementation is a long process, and at times let's focus on immediate gains even soon after an ERM awareness training; if we build on it with commitment and focus in the long term, it actually works out and the complacency goes.
