Risk and Control Issues Commonly Overlooked by Internal Auditing 2: The adequacy of risk management

This is the second in my series on topics that are generally significant to the business, but are too often not addressed in the internal audit plan.

#2 – The adequacy of risk management

It is plain as day that many companies ran into unanticipated problems during the current recession. I am not talking only of financial services companies. Many others suffered from the tightening of credit, a failure of companies in their supply chain, and a general failure of demand.

These organizations were not prepared. They had not identified the risks and developed plans on how to respond.

IIA Standards require internal audit to assess the adequacy of risk management processes, but too few internal audit functions do it. Observations:

  • It is not acceptable to say "the company doesn't have a risk management program, so I can't audit it." Internal audit has an obligation to inform the audit committee and top management that these essential activities are missing, and that the risk to the organization and to the achievement of its strategies and goals is therefore high. Internal audit can act as a change agent, through its consulting services, to get effective risk management adopted.
  • While internal audit usually facilitates or performs an annual risk assessment, that is not risk management. Risk management needs to be owned by management.
  • For some, risk management is something done on Fridays: all the organization really does is perform a periodic risk assessment and identify how those risks are managed. That is not sufficient in most cases. Risk needs to be part of the culture, with consideration of risk built into the setting and management of strategy, reporting on performance, and daily decision-making.
  • While training in risk management is always desirable, I know from my own experience that risk management processes are just as auditable as any other business process. Get some training, read some books (see this for suggestions), follow my blogs (!), and you can be on your way.

The pressure on organizations to have effective risk management processes and oversight is increasing — for example, there are now required disclosures in SEC filings relating to risk oversight by the board.

It’s time to act.

I welcome your comments.

Posted on May 31, 2010 by Norman Marks


  1. As an Internal Auditor, I fully endorse the need to have an adequate risk management framework. In India, too, this is a legal requirement. Internal audit helps in performing risk assessments. This is taken for granted as risk management. A paradigm shift in perception is required here, as management does not understand that while risk assessment is an annual activity, risk management is a daily routine.

  2. Good observation with audit functions that do not perform all that IIA Standards require. I agree that one cannot simply state that because there is no risk management program, it cannot be audited; however, once you've made that observation, reported it to the audit committee, and recommended to management that one be established, what would you suggest as a follow-up in the event management doesn't adopt effective risk management? The auditor must have management's cooperation, right? As you stated, management needs to "own" risk management. What does it mean for the audit function if management does not act on the recommendation? Considering the many companies that didn't survive our economic crisis, who's to say there weren't audit functions who suspected trouble ahead and made recommendations that could have helped management to avoid significant loss in this recession? Management has to be held accountable for doing their part as well.
