Enough! It's Time to Enforce the Standards for Assurance on Governance, Risk Management, and Internal Controls

A new report from Booz & Co., Bringing Back Best Practices in Risk Management: Banks’ Three Lines of Defense, considers the financial crisis, expresses strong opinions, and makes a number of key points (emphasis added).

  • “The real culprits were bad governance, bad incentive systems, and astonishingly poor risk management at some major banks.”
  • “We contend that at a small number of banks, a focus on basics actually prevented many losses. In particular, they benefited from a strong risk culture combined with a sharp focus on three effective lines of defense: top management and the front office, the risk management function, and audit. These lines of defense, staffed with capable individuals imbued with a strong sense of risk awareness, are at the heart of effective risk management.”
  • “In many respects, losses stemmed from a failure of one of the core functions of banks: risk management. By this, we do not mean simply the risk management function. Rather, we are speaking of risk management in a holistic sense.”
  • “The more serious gaps within companies are related not to technology and models but to the role of individual people and general decision-making processes. Good tools and processes provide the basis for a solid risk management framework, but the human aspects of decision-making must not be underestimated. For a number of institutions, the strong drive for profit in the seemingly benign pre-crisis environment led to veiled but intense pressures on risk departments to approve increasingly risky transactions. In turn, these assaults on the institutional risk culture have weakened the stature and prominence of the risk discipline.”
  • “The risk culture of an organization stems from its leadership. If the board is to understand, define, and actively manage its organization’s risk appetite, it needs a core of executive directors with solid business and risk expertise. The board must be able to appreciate the risks being run. In practice, this means board members must not only be informed but also understand the risk–return drivers inherent in major product innovations and concentrations.”
  • 1st line of defense: top management. Responsibilities include, per Booz:
    • Promote a strong risk culture and sustainable risk-return thinking.
    • Portfolio optimization on the macro and micro level.
    • Promote a strong culture of adhering to limits and managing risk exposure.
    • Ongoing monitoring of positions and inherent risks.
  • 2nd line of defense: the risk management function. Responsibilities include:
    • Combination of watchdog and trusted advisor; police limits with “teeth.”
    • Understand how the business makes money — and actively challenge initiatives if appropriate.
    • Top talent with business experience engaging with front office as equals.
    • Risk management separate from risk control.
    • Overarching “risk oversight unit” across all risk types.
    • Intraday availability for data and positions; comprehensive report at T+1 6 a.m.

“Alongside a farsighted and responsible front office, banks need an effective, respected risk management function. Risk managers need to go beyond the traditional role of “limit cop”: Not only do they need to understand and challenge the front office; they also need to develop a deep understanding of concentrations, correlations, and early warnings. Finance must develop a more critical understanding of the underlying risk-return drivers of profitability.”

  • 3rd line of defense: audit. Booz describes its responsibilities as including:
    • Good understanding of capital markets, the business type, and risk management.
    • Top talent within audit — to challenge the front office and risk management function.
    • Independent oversight function — with enforcement ability (e.g., immediate fulfillment of findings).
    • Ability to link business and risk with process and IT know-how.

The third line of defense — audit — has arguably failed in its role of providing independent and objective assurance of the effectiveness of the first two lines of defense.
Internal auditing’s role in governance, as expressed in the definition of internal auditing in the Standards, is to provide assurance on governance, risk management, and related internal controls. There is a growing sense, among auditors and the community at large, that internal auditing’s failure to provide independent assurance — in the form of assessments and opinions, not just audits with a list of findings — contributed to the recent crisis. Booz’s comments on internal audit failure rest on the absence of internal audit pressure to identify governance and risk management weaknesses and to act as a change agent: informing the board and ensuring the deficiencies are corrected.

Do you agree, and what will it take to move the practice of the profession of internal auditing from performing audits of controls to providing assurance of governance processes, risk management, and related controls? I offer the following suggestions for comment:

  1. Any internal audit department that does not periodically assess the organization’s governance processes (using a risk-based approach) is not performing internal auditing consistent with the Standards and must fail its quality assurance review. The Quality Committee of The IIA should provide this guidance immediately.
  2. Any internal audit department that does not periodically assess the organization’s risk management processes (using a risk-based approach) is not performing internal auditing consistent with the Standards and must fail its quality assurance review. The Quality Committee of The IIA should provide this guidance immediately.
  3. Any internal auditing department that does not have a charter that requires formal assurance (in the form of an opinion provided to the board or committee of the board) on the organization’s governance, risk management, and related internal control processes should be considered to have an inadequate charter. This should be reported in the quality assurance review, with the organization required to correct the deficiency within 12 months. The Quality Committee of The IIA should provide this guidance immediately.
  4. Any internal audit department that is not independent of management in the development of the audit plan (including changes made to reflect changes in risks) or in the provision of appropriate and necessary audit resources is not considered independent from inappropriate management influence and must fail its quality assurance review. An acceptable compensating control is if the board (or committee of the board) has full knowledge of the situation and formally approves limitations in the audit plan or in the provision of resources. The Quality Committee of The IIA should provide this guidance immediately.
  5. The IIA should develop a change management program to help member internal audit functions move from a controls focus to a program consistent with the definition of internal auditing, including providing formal assurance of governance, risk management, and related internal control processes.
  6. A senior member of IIA staff and a respected volunteer practitioner should be charged with oversight of the change management program.
  7. The IIA should establish an office to assist CAEs who believe their organization does not provide appropriate support for an independent and objective internal audit department that operates consistent with The IIA's Standards, including the regular assessment of governance, risk management, and related internal controls. This office should also consider and take appropriate actions, which may include a formal investigation, where a CAE or other internal auditor (whether a member of The IIA or not) alleges inappropriate management interference with internal audit activities.
  8. The IIA should expand its advocacy and stakeholder training efforts to influence a broader understanding by both stakeholders and practitioners of the role of internal auditing in providing assurance of governance, risk management, and related internal controls.
  9. The IIA should perform investigations of suspected internal audit failures, provide reports to those organizations’ boards, and discipline members where appropriate.
  10. The IIA’s quality assurance program and the results of completed reviews should be subject to an independent annual audit.


Posted on Jun 19, 2009 by Norman Marks


  1. Norman:

    I think you make many very good points in your post; however, it is important to note that you are asking the IIA to play a role that it has historically avoided - aggressive monitoring of the performance of members and disciplining of those that failed to meet the standards of the profession. At this point in time, the IIA legally has limited ability to investigate even the most colossal failures of its members. I believe that an act of Congress will be required to create the power to investigate the root causes of assurance failures.

    I have noted before that although it is a good thing from a personal liability perspective that few, if any, Chief Internal Auditors have been held accountable for negligence, it also comes with low expectations of internal audit on the part of many important stakeholders, including Congress, regulators like the SEC, and many boards and senior executives.

    More can and hopefully will be done in the years ahead by the IIA to elevate the profession but commencing a study into IA failures and acknowledging that at least some internal audit departments didn't do what they should have would be an excellent start.



  1. I just finished reading "Extraordinary Circumstances" by Cynthia Cooper.

    I strongly recommend it for every audit professional, and it should be required reading for every board member.

    What would have happened if Cynthia had been able to call on the IIA for help, if my recommendation 7 had been in place? I am pleased that she mentioned support from the late (and great) Bill Bishop, but she sounds all alone except for family during her tough times.

  1. I think that this blog is one of the most important that I have read on this site. I train many internal auditors every year and also do consultancy work with them. There seems to be a lot of complacency around at the moment in terms of 'well, at least we're not at fault in the current economic crisis.' This may or may not be true but no-one seems to be seriously asking about the role of internal audit at the moment and internal auditors certainly don't seem to be raising the issue themselves!

    My next point links in with Tim's recent posting about being a profession. I have always been concerned about the apparent lack of oversight of internal auditors. I am a member of the ICAEW in England and not only will you get disciplined if you do something unethical but your institute also supports you in times of difficulty. I agree with Norman that the IIA needs to move towards this.

    Finally I got my copy of Extraordinary Circumstances in the post this morning - my weekend reading!

  1. Norman:

    Your comments and recommendations are highly perceptive, as usual. You appear to put a lot of stock in the IIA, perhaps rightly so. I guess in the US context, it may even be valid. However, what about CAEs in other markets who feel forlorn in trying to bring in the required degree of diligence to the assurance process, but find themselves hamstrung in the absence of support?

    In a market like India, and I'm not talking only of MNCs who may have more robust processes in place courtesy of home country dynamics, perhaps the only thing corporates (even respectable and large ones) worry about is regulations. And as long as the concerned regulators, mainly stock market regulators, don't consider internal audit as a key spoke in the corporate wheel, perhaps nobody can incentivise boards and audit committees to empower internal audit to the required extent for IA to fulfil its IIA-mandated mission.

    I'm talking of the likes of corporates which dither over putting in place even an audit charter, much less an enterprise risk management policy and framework.  Only because the concerned regulations mandate the audit committee to review the internal audit & risk management processes to 'satisfy' themselves on the assurance capability, but do not lay down any specific parameters or metrics to be deployed to gain such 'satisfaction'!

    Perhaps there is a case for extending the AS-style debate on principle-based vs. rule-based regulation to the IA arena.

  1. Norman -

    A thought-provoking post as usual.  You do make us think through these issues by raising them and keeping them in front of us. 

    Because we are not like the legal profession, the accounting profession, or other such groups with "true" professional status including legal liability associated with our work, we will continue to lack the management support and external motivation/pressures to truly achieve and live the Definition of Internal Auditing as it was written 10 years ago. Instead, the scope of coverage by IA will continue to be limited by other forces, such as to whom the CAE reports. For example, an Audit Committee may only support coverage of financial-related risks and some regulatory and/or operational risks at the expense of a comprehensive program to assess governance, risk management and internal controls. A strong CAE will get this resolved, however.

    I like your idea of having the QAR process comment on the completeness of coverage as defined; perhaps that is a good 1st step in raising awareness of the problem.


  1. Before becoming overly self-responsible as moral and high-achieving auditors are prone to do - let's consider the bigger picture.

    How would an internal auditor be effective in stopping bad stockholder governance decisions (like CEO and bonus overpayment in periods of losses, debt overleverage encouraged by the government, or the creation of creative financial instruments) when their choices were not illegal, nor against board or company policies, nor done without the full knowledge of the board?

    If Obama could find a way to put people in jail for those choices, he would have by now. But as it stands, the public has been effectively constructed against within the rules of law.

    A lot of people and their greed contributed to this mess. Internal auditors share some of the blame - but about the same as everyone else. Internal auditor extraordinaires, KPIs, or stricter international professional organizations could not have prevented this problem. Even the financial knowledge god, Alan Greenspan, admits that while he didn't think the CDOs made sense, he had no idea it would cause the mess it did.

    Creating, buying, and selling "creative financial instruments" is not illegal; and didn't draw any attention until so many people down the line were hurt.

    I don't think that internal auditor incompetency caused a problem this large to go unchecked; I think internal auditors chose to spend their limited time and resources on areas where they might be able to make a difference. We are not structured in a way to detect or respond effectively as an international collective (yet). If only internal auditors ran the world - what a wonderful place it would be? :)

  1. The fundamental problem is that risk management is not valid. It has never been proven or demonstrated and fails because risk cannot be measured and is conjecture based in part on unknown variables. And you can't manage what you can't measure. The alternative is diligence management based on experience, good practices, standards, compliance with laws and regulations, experimentation, and enablement of competitive business. Risk is defined as the accumulation of estimates of future frequencies and impacts of adversities. It is made complex by rapidly changing future circumstances. Risk is a negative, highly variable, excessively complex concept and is subject to challenge, opinion, and debate. Diligence is measured by benchmarking against tradition, others' practices, and fixed requirements and sometimes by competitive products or services sales results. You will never arrive at a successful discipline until you choose one that is positive and measurable.
