Can Internal Auditors Assess Both Risk Management and Governance Processes?

This week, I have spent time reviewing a proposed rule by the SEC that would expand required disclosures relating to, among other things, the board’s oversight of risk management — a major governance activity. It’s fair to say that while I am pleased that the SEC is addressing important needs, I am disappointed in the results.

For example, I would like to see the compensation committee disclose whether and why it believes any consultant engaged to help it review executive compensation is sufficiently independent of management influence (e.g., not affected by other consulting engagements) to be objective in its advice. Instead, the SEC proposal would require the company to disclose fees paid to the consultant — and let the investor decide.

I would also have preferred to see the SEC recognize the value that can be brought to the governance table by an effective, resourced internal audit department. The document does not mention internal auditing. I for one would like to see significant changes to address internal auditing’s role in providing assurance. For example, the Audit Committee Report should include disclosures of whether there is an independent, resourced internal audit function that reports to the audit committee and CEO — and if not, why not.

Talking to others, there appears to be a body of opinion that internal auditors are ready to take up the challenge of providing assurance on risk management, but not yet on governance processes. The IIA is developing guidance on both, but the people I spoke with want to take one large step at a time.

What do you think? Let’s not forget that assurance on both governance and risk management is required by IIA Standards.

Posted on Aug 13, 2009 by Norman Marks


  1. I agree that more emphasis and reliance needs to be placed on Internal Audit, and "transparency" for executive compensation should be mandated.

    Governance, through metrics to help define the policies provide an incredible source for unit and company goals, and raise issues and successes in dialogues to the management groups reviewing them.

    Auditor insights to the policies and metrics would be a valuable contribution to the process. It's time to get going on it and build on the IIA standards.

  2. The fundamental problem for internal audit is: 'why is thy master?' - too often that is seen as something aligned to management, unlike the external auditors who should be aligned to shareholders - or whatever stakeholders the latest law requires.

  3. I recommend readers also look at the different points on the SEC proposal made by my friend, Tim Leech, in his blog.

  4. Richard:

    I agree with you that this SEC proposal is an important one for internal audit and agree that IA should be providing opinions on some, but not all, elements of what most people define to be governance. I think the IIA needs to raise the very important issue of who will provide the board assurance that the information and status reports they receive on risk and risk management systems are reliable. This is an area that IA should stake claim to and build competency, clear standards, and infrastructure to legitimize efforts in this area.

    Having said that, it is important to recognize that the SEC may have doubts about the ability of many IA departments to provide meaningful and reliable assurance on risk management systems. Many IA shops over the past decade have not seen or reported reward systems as a significant risk. History tells us that the IA profession as a whole needs to raise its own risk management game if it is going to be credible reporting on how well management is doing managing risk. I said in 1991 and continue to believe that the original COSO control framework underweights what I call "Commitment" controls and "Process Oversight" controls. They are included in the model but underemphasized.

    Some food for thought and debate.

  5. Great topic, Norman. I'd love your thoughts (and others!) on one aspect of governance: governance of data assets and related processes, applications, and systems. Through the Data Governance & Stewardship Community of Interest (the membership arm of the Data Governance Institute) and other venues, I am constantly asked about models and guidance regarding oversight of policies, standards, and compliance requirements. Historically, such questions have been framed by IT groups that take a management-centric perspective: Management sets a standard, Management assigns some group (if we're lucky) to "monitor" compliance (not audit it, unless a compliance reg requires it), then Management teams collaborate to decide how to address issues, and then (historically), no one is in charge of following up, assessing impact, communicating with stakeholders, etc. The flaw in this model is obvious to anyone who considers the inherent differences between governance and management. There is growing belief that internal audit groups and Data Governance teams should collaborate more closely. Your thoughts? IIA thoughts?

  6. Oops... That's the Data Governance & Stewardship Community of Practice -- not Interest. I need better controls over my keystrokes <grin> Would anyone be interested in speaking to our group (teleconference) on IIA (or internal audit or GRC) thoughts on what Data Governance teams should be doing, or how they should be doing it?

  7. Gwen, I would be happy to chat. Let's chat directly. You can reach me at

  8. As the token non-auditor in the room, would I be wrong in assuming that if IA had to audit risk, they could not BE risk too?

    I would be delighted if IA provided assurance on risk management because hopefully this would create a clear separation between risk and audit within organizations. I believe we all agree it's often fuzzy and many organizations and CFOs don't know any better?

    I once had accountability for the ERM function and reported to the Head of Risk & Audit (who reported to the CFO). It was completely dysfunctional (she should not have been wearing both hats) and business didn't understand the difference between the role of the auditors and what I did.

    I would hope making IA audit risk would force organizations to make a clear distinction between the two, thus purifying the risk function.
