Internal Audit Needs to Stop Assessing and Reporting on Controls

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Love him or hate him (few are undecided), Tim Leech is a man of passion. He is passionate on the topics of internal audit and risk management, to name just two.

Now Tim and I often disagree, and we do that with passion as well. But I have to agree with the theme of his presentation at the IIA’s GRC conference in Florida last week. (I am hoping Tim will share his slides in a comment to this post.)

His presentation was on the topic “Honorably Retire ‘Internal Controls’ and Promote ‘Risk Treatments’: It’s Time.” The concept that I agree with, in my language, is this:

  1. Internal audit should focus, and report to its stakeholders, on whether risk is being managed at desired levels. Reporting on whether the controls are in place is not answering the right question. That question is “Do I have reasonable assurance that the right risks are being taken?”

  2. When you report on controls, you are reporting on one way risk can be treated if it is at undesirable levels (another way is to avoid the risk by, for example, exiting that aspect of the business or selecting another vendor). You are leaving it to the board and top management to take your report on controls and figure out what that means to what matters to them — and that is risk.

But, if we are to assess whether controls ensure risk is managed at acceptable levels, we have to know what those levels are.

Tim and I agree that an essential first step is to audit and assess the organization’s risk management process. Hopefully, they have established what those acceptable levels of risk are.

But after that Tim and I start to disagree. This is a comment he wrote on another post:

“What I think is IA should provide assurance to the board on the question of whether management has an effective risk management process capable of informing the board of significant residual risk status positions related to important value creating and value eroding objectives.

“If the organization's management is not creating a composite/consolidated report on residual risk status for the board, IA should play a lead role creating one for the board at least annually until such time as management begins creating one.”

I don’t like the idea of auditing, just as you would a set of financial statements, the ‘residual risk status’ at some point in time. I prefer to assess and report on the risk management framework and process and whether it provides reasonable assurance that such reports can be relied upon at any point in time. That will include auditing the controls over the more significant risks to assess whether their design and operation provides reasonable assurance that risks are managed as desired.

I also don’t like the idea of internal audit taking on a management responsibility and providing risk reports — and annual is hardly acceptable.

I suggest:

  1. It is management's responsibility to identify the desired level of risk and if the internal auditor finds that management does not know what that is they should give strong consideration to making that a significant issue in the report. How can management manage risk at desired levels if they don't know what those levels are?
  2. If management has established risk criteria or similar, the internal auditor should use their judgment to determine whether the controls provide reasonable assurance that risks are within those ranges. That is what they should report.
  3. If management has not established risk criteria or similar then, as we are guided in the IIA Standards, internal audit should use their professional judgment and common sense to initiate a dialogue with management to determine whether the current level of risk is acceptable or not. That may lead to a discussion with the board. It may not. If we agree with management that the risk is acceptable, I would not report to the board.

What do you think? Do you agree with Tim or me, or disagree with both of us?


P.S.: Tim is one of the best speakers on the "circuit." Whether you like what he has to say or not, he has a wonderfully dry sense of humor and great passion for his message.


Posted on Aug 28, 2012 by Norman Marks


  1. Norman: 

    Thanks for your kind words. A link to the presentation I made at the IIA GRC Conference is below FYI.

    I am promoting an assurance approach that clearly assigns responsibility for objectives and reporting current Residual Risk Ratings ("RRRs") on important value creation/value erosion linked objectives to management. The approach encourages management to prepare consolidated reports on residual risk status (or, stated another way, composite uncertainty/certainty ratings) for the board of directors. IA provides assurance to the board by reporting on whether the process that produces the consolidated report on risk status, and the report itself, is materially reliable, much like external auditors attempt to do with external financial statements today. IA can also play a key role implementing and maintaining this framework.

    IIA Canada has invited me to present these ideas to members via a cross Canada webinar on Sept 11th.
    IIA Global asked me to present at the IIA GRC Conference in August and again at the IIA All Star Conference in Las Vegas in October.

    Radical change won't occur without a willingness to debate new ideas and approaches that claim to be radically better than status quo/traditional approaches. My thanks to Norman, IIA Canada and IIA Global for providing an opportunity to expose these ideas and have that debate.

  1. Companies in certain countries are required to assert as to the adequacy of their enterprise risk management frameworks and either their risk responses or internal controls that mitigate these risks to acceptable levels. In some countries, there is a statutory requirement for the BOD to obtain an independent opinion on the adequacy and operating effectiveness of these assertions, from either internal audit or a 3rd party. I believe the IIA standards support internal audit's focus on this, yet only 5% have included this in their audit plans per a 2012 IIA survey. In many countries there is no requirement for these assertions/opinions other than for financial accounting and reporting risks, risk responses/internal controls. This is the emerging best practice and one that makes business sense for shareholders/stakeholders. Best practice companies will evolve to this even though they are not required to do so. Other countries will start to take the lead in getting broader, more transparent disclosures on how the business is managed for value creation and value preservation, something we call Value Intelligence.
  1. I have yet to meet an auditor who can think "risks". This raises the bar for the audit profession. It will take decades to make this transition for auditors. I guess control was always the easier way out and when IIA started, it's the best place to look at things.

    Who can provide the training?

  1. There is an existing process to get the important points about unmitigated risks across to management and, at the same time, provide a financial target for funding solutions. That is ....

    The SEC this year has made it a requirement for public companies to provide for (expense), and reserve against (liability), potential adverse financial results arising from inadequate IT and information systems risk management. Just put Internal Audit in charge of creating and justifying the dollarized amount of the reserve based on known existing risk. This can easily be set at millions of dollars in many midsized companies.

    This will facilitate the internal auditors, management, and the outside auditors doing their jobs and recognizing that "accepting" unacceptable risks is not free.

  1. James, can you clarify your comment a little. To the best of my knowledge, the SEC has not changed the accounting rules on recognizing a liability; what it has done is clarify the requirement that firms disclose significant events, such as an actual intrusion, that may result in future cost or damage to the organization and/or its stakeholders. I am not aware of a need to make a reserve for information security weaknesses. The requirement remains to recognize the effect when that weakness is exploited.

  1. IA has an important role to provide reasonable assurance as well as consultancy to management. The risk-based audit approach in conducting the audit is the way IA helps management to recognize and mitigate risk, though management has full authority to run the company in its executive position. Thus it's management's responsibility to identify the desired level of risk and make decisions accordingly, while IA, based on their professional judgment and independently, should do the tasks that have been assigned to them. I think COSO ERM clearly defines the circumstances that can be applied as minimum control conditions, i.e. segregation of duties, monitoring, etc. IA is not a super body that can cover the weaknesses of management's role, especially the desired level of risk related to the decisions they have taken. When IA notices there is a certain level of risk exposure to the company, then IA should communicate this condition to management or a higher level, if necessary.
  1. To Another Thought:  

    Your point about training is an important one. The IIA standard curriculum and training offerings currently offer little in terms of training on specific methods/techniques to identify risks. The training we provide promotes the core notion that audits that do a poor job identifying and measuring risks cannot form defensible views on the adequacy of risk treatments/controls. Unfortunately many internal audits today form views on control effectiveness with only limited effort to identify and measure risks. Our core risk skills training provides training on 10 specific methods auditors and risk specialists can use to identify plausible risks. Many audits and ERM workshops today still rely heavily on "brainstorming" to identify risks. This approach in isolation is rarely reliable. A link to the workshop we are running for IIA chapters on core risk skills is below:

    I would hope that it won't take decades to transition internal auditors and ERM teams from the current "Supply driven/Control/Risk Centric" approach to what we call "Demand driven/objective centric"; however, there needs to be strong support for change through IIA standards, certifications and training offerings to support the radical changes necessary. The new CRMA designation is a major positive step.

  1. Clearly where all auditors should already be. We are quickly moving to metrics in our assurance process that reward the accountable auditors and business leaders for evaluating risks and the best/minimum controls that manage the risk within the organization's risk tolerance. Value-added auditors that provide insights to their organization are essentially business consultants, consulting on the best methods for risk mitigation and then ensuring through assurance efforts that those risk mitigation efforts (previously known as controls) are working. Management wants to know - needs to know - that the risk is managed. Whether a control works or doesn't work is not a complete actionable message for management.

  1. Mr. Rose, I congratulate you!

  1. Great concept and direction, and to reiterate Mr. Rose, where we should already be. I have regularly tried to drive the concept of risk, residual and inherent, and risk management with my team in our discussions with management. With some it is quite effective, but there are still those with the "deer-in-headlights" reaction, so clearly education and eventual migration is in order.

    I also sometimes struggle with being a good business consultant by providing insight on the best methods for risk mitigation. This can often be dependent on the business and the particular risks being exposed to, making identification of the "best" method a challenge. Sharing experience & knowledge - of course; classifying it (best, not-so-best, other) - I'm not sure; having that discussion - absolutely! I'm very curious how others do this.

  1. I was once told you only need 16% critical mass to change the paradigm, so keep going with it. When costs are being cut and IA touches barely 5% of the workplace you need concepts that have a huge halo effect. Focusing on risk exposure over controls does that. Combine more with business improvement teams (they are everywhere and variously labelled) and you have a connected story to tell.

    I still have Tim's workbook from 8 years ago and am a big fan. Just added Norman and some others above to my list! The challenge for you, Tim, is to present this stuff at a CFO forum, not just IA...

  1. In my experience, internal audit groups aren't comfortable providing this type of assessment because it exposes them to risk. It's easier to focus on controls. It's more objective and less debatable by management. Internal auditors would need to up their soft skills and their risk skills to operate in this new way. It's definitely necessary if they are to deliver true value to their companies.

  1. Thank you Mark, I totally share your view of the role that Internal Audit reporting on the effectiveness of controls is not helping to mitigate the risks. Only the person who is the owner of the risk knows what he/she can tolerate and writing or updating a process or procedure or writing a policy as per the Internal Audit findings is not the answer. Even though King III states that Internal Audit needs to move from compliance to a risk based approach, there is still no change.

    It is only through risk self-assessments that the effectiveness of controls can be assessed, and nobody understands what needs to be done to mitigate the risk better than the risk owner. I am constantly in touch with our Internal Auditors and I make sure that they clearly understand what our risks are even before they commence with the audit. This is achieved through explaining to them our risk appetite (documented) and how we manage our risks following a risk process through self-assessments to determine the effectiveness of the controls as defined in our control framework.

    At the time of Internal Audit's engagement, I present them with a risk matrix that starts with a high-level policy statement and objective that is mapped to a specific risk(s) in our risk profile and lists all the controls (standards, processes, procedures, guidelines and working instructions) which are documented, implemented and evaluated on an ongoing basis. It is now clear to them what is deemed as a risk and their focus is then to ensure that our risk management process is working to manage our risks. I truly appreciate our Internal Audit department and it is my responsibility to ensure that they understand what my risks are and not to report a risk that will take away the focus from what is really hurting us.

  1. 1) Apart from risk management, a 'minimum' level of internal controls, mainly based on separation of duties, is needed to be able to express a positive opinion on the financial statements. In my opinion IA should always report on ineffective or non-operational internal controls that should provide this minimum level.

    2) The entire set of controls is selected to reduce risk to an acceptable level of residual risk. Monitoring of the operational effectiveness is part of this set. If a (key) control is not operational, this should be noticed by the monitoring controls and corrective action should be undertaken. If the monitoring does not reveal that a key control is not operating and/or no corrective action has been undertaken, you may have reason to believe that the 'entire framework' is not working as it should and management is not 'in control' despite what they say.
    Risk is a different matter and may need further investigation. This is about the question of whether something actually did go wrong in the period that the key control was not operational. IA must have time/budget to carry out this investigation. Management may decide not to supply time/budget to carry out this investigation.
    The investigation may reveal that nothing has gone wrong. Reporting only about actual risk and not about the fact that some key controls have not been operating well may give management the false impression that all is well.



  1. For those interested in learning what an "objective centric" assessment approach is, and in comparing it with control centric and process centric approaches, I co-authored a paper with Jeff Thomson while Director of the IMA Finance GRC Research Center that provides a fairly rigorous introduction. This paper was presented by the IMA to the SEC to try and influence them to adopt a more effective approach to SOX 404.


    Our current focus is helping organizations transition from the "Supply driven/process and control centric" assurance approach used in the vast majority of organizations today to what we call "demand driven/objective centric" assurance. IIA Calgary will be presenting the first workshop on this new assurance approach Oct 1-2 in Calgary, Alberta. The link below provides more information for those interested.


  1. When you analyze the risks, often there will be controls that are critical to successfully managing the risk. These controls are significant and must function as planned every time. I developed a process in Internal Audit where a periodic review of these critical controls was performed to validate that the controls were working. This was typically a one to two day review where only enough work was performed to determine that the control was working as planned. I called this process a Key Control Checkup; it enabled audit staff to cover a large number of critical controls in a short period of time. We used these as filler projects between audits. This was very successful and the audit committee liked the additional audit coverage beyond the audit plan.

  1. After the savings & loan scandals of the 1980s, COSO was formed and developed the internal controls framework. The spectacular corporate failures of late 1990s/ early 2000s proved that a company could still be driven off a cliff, even if it is well-controlled. Realizing that internal controls are not enough, COSO developed the ERM framework. Sarbanes-Oxley mandated internal controls, with external auditors providing assurance over internal controls over financial reporting. Internal Audit was the default choice for work on internal controls in advance of the financial auditors. In a twist on the saying “what gets measured gets done,” I suggest that “what gets regulated gets done” – and often no more. Once IA settles into the rut of internal controls, if there is no calamity, nobody notices. “We’re not at the table” is a common lament – of IA and other functions. I suggest that if IA limits their activities to internal controls, we are merely replicating the “first and second lines of defense.” There is little added value, and reports to the Audit Committee are routine. The Audit Committee and IA’s other stakeholders need a competent resource to consistently and professionally challenge management on business strategy, operations, compliance, and all types of reporting. This is the true “third line of defense” – and it provides the value our stakeholders are looking for. Transitions like this don’t come easy – for organizations, professions, or individuals. An annual risk discussion is a step in the right direction, but it should not be regarded as the ultimate goal. If IA follows the trajectory of COSO and challenges management on risk-oriented issues, our stakeholders will demand that we are at the table.
  1. I do agree with Norman on his radical approach to internal auditing. However I disagree on the following:

    1. Limiting internal auditing to this statement, "IA provides assurance to the board by reporting on whether the process that produces the consolidated report on risk status, and the report itself is materially reliable, much like external auditors attempt to do with external financial statements today", takes away the flavor from the internal audit function. The ability to assess an entity's risks (whether at the planning stage or in appraising management's risk assessment) positions the internal auditor to add more value to both the risk management process as well as utilizing their consulting opportunities in the risk assessment process. Experience shows that the Management is not always experienced in risk assessments.

    2. Not many organizations are risk some cases there have been reported resistances to the concept of risk management from Management. So purely approaching internal audit from a "risk management process" standpoint misses the point when dealing with control-oriented entities. After all, senior management and the board are the consumers/customers of internal auditing.

    3. The reported failures of the SOX, and risk management in general, especially in 'motherland' USA, points to the need for a better, more pragmatic approach to internal auditing which combines 'risk', 'controls', and many other ingredients that help organizations to achieve objectives.
