Risk-Based Audit Opinions That Matter

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Almost everybody, whether on the board, in management, or in internal audit, agrees that internal audit should be “risk-based.”

But I don’t think they are talking in the same language.

Let’s start with four assertions about leading thinking and practice:

  1. Internal audit should design the audit plan and perform audit engagements that focus on the risks that matter to the organization.
  2. The risks that matter are those that might have a significant effect on the achievement of the organization’s objectives and delivery of value.
  3. Internal audit should provide assurance to the board and executive management that those risks, the ones that matter, are managed at acceptable levels by the organization’s processes. If not, their assessment should be supplemented by recommendations to improve those governance, risk management, and internal control processes (best practice is to agree with management on the actions to be taken, such that the audit report identifies those actions rather than including internal audit recommendations and a management response).
  4. The internal audit report should provide that assurance in a clear manner. That means that it should spell out the auditor’s professional opinion of the adequacy of management’s processes to ensure that the risks are maintained at acceptable levels.

I believe this is leading thinking and practice, but as with any such assertion there are some who will agree and some who will not. Certainly, what I have asserted is not "traditional" thinking, even though a notable and commendable few have been doing it for some time.

For example, there are some who believe that internal audit should not provide an opinion. Instead, they rate the risk levels as high, medium, or low (or use another scale). I believe that this is passing the buck: They are making their customers on the board and in management decide whether management is managing risks effectively rather than sharing their professional opinion on the topic.

Others have a very different view of what “risk-based” means. They still use an audit universe (a list of all locations and processes that could be audited) instead of a risk universe. They rate the locations and processes using factors such as revenue, asset size, time since last audit, the significance of prior audit findings, etc. Then they select the locations and processes that rated highest for audit, and scope each engagement around the risks at that location or in that process. In other words, what they assess is the risk within the selected process or location, not the risk to the organization.

The problem with this traditional approach is that it assesses the risks that matter to the locations or processes, not necessarily the risks that matter to the organization as a whole — and its ability to achieve its objectives and deliver value.

One provocative (and even more controversial than me) internal audit advocate believes that internal audit should provide an opinion on whether the residual risk reporting provided to the board by management is reliable. I have stated my objections to this idea several times. The primary ones are:

  1. The board and management want to know whether they can rely on the organization’s processes to manage risk every day, not just the occasional reporting of risk to the board.
  2. Internal audit needs to communicate in the language of the business and of the board. Even risk managers don’t talk about “residual risk reporting.” In fact, most risk practitioners don’t use the term “residual risk” any more, they just talk about “risk.”
  3. The board and top management need to know what objectives are affected when risks are outside accepted levels. They need to know this so they can assess the actions to be taken (which might include changes to strategy), whether management’s forecasts and projections are "at risk," etc.

Some are concerned that this approach will not work when management has not established what levels of risk are considered acceptable (i.e., its risk tolerance, appetite, or criteria). As the IIA Standards say, in this situation internal audit should use its own judgment (in collaboration, if possible, with management) on whether the level of risk is acceptable. We have been doing that for decades, so I don’t see a problem doing it in 2013. I suggest that internal audit should also take this opportunity to explain to management and the board the value of establishing acceptable risk levels: without them, how will operating management know whether they are taking the right risks?

Others say that their boards and top management are not asking for this assurance. My answer is that their boards are failing them: Either they don’t know what internal audit can do for them, they lack confidence in internal audit to address anything other than financial or compliance risks, or they are complacent.

I welcome your comments. I will try to answer the objections I am sure will be posted.

Posted on Apr 5, 2013 by Norman Marks


  1. I don't believe it is that black or white on risk only. The audit department I once worked for came across a situation in which important key controls had not worked because of the absence of the manager who should have executed those controls (sickness) and no arrangement for replacement during this absence. During this period, fraud could have been committed and not have been discovered. Additional checking of actions and transactions was undertaken afterwards to see if anything unwanted had happened. Fortunately, nothing had. The reaction by management was as if nothing had happened at all, as if there had not been any risk. The fact that they had not been 'in control' didn't matter.
  1. Norman: Since I suspect the person you are referencing as "One provocative (and even more controversial than me) internal audit advocate" is likely me, I think it's important that you understand that what we are advocating in our presentations globally is reporting on key value creation and potentially value eroding objectives real time, not point in time, that are deemed outside of risk appetite/tolerance. You seem to only focus on the term "residual risk status" in our presentations but not the key "Residual Risk Rating" ("RRR") we advocate to simplify reporting to senior management and the board. Sometimes the "Residual Risk Rating" is assigned by an "OWNER/SPONSOR" of objectives in organizations that embrace risk self-assessment. In those organizations that are still content with Internal Audit being the primary risk/control analyst/reporter it may be Internal Audit that assigns the RRR or other assurance specialists such as safety, environment, compliance, outside specialists, etc.

    In many organizations management doesn't report on risk to the board, hence internal audit must continue to function as the primary risk/control analysts. In today's world I believe IA filling the role of primary risk/control analyst providing subjective opinions on "control effectiveness" without providing reliable information on the risk that remains after considering risk treatments or opining on the effectiveness of management's risk management processes should be considered too high risk.

  1.  Tim, you saw through my very thin disguise!

    You draw importance to the idea of "reporting on key value creation and potentially value eroding objectives real time, not point in time, that are deemed outside of risk appetite/tolerance". I agree that this can be important, but even more important is reporting on whether management has the capability to manage risks within tolerance! There is some, but little, value in reporting that the risk is outside tolerance when management knows that perfectly well and is taking appropriate actions in response.

    You also state "In many organizations management doesn't report on risk to the board hence internal audit must continue to function as the primary risk/control analysts". I disagree with this assertion, as being outside the scope of internal audit and in violation of IIA Standards and their Position Paper on the role of internal audit in risk management. Instead, internal audit should report to the board that management does not have effective risk management in place.

    We do agree that internal audit should not report on control effectiveness, but instead focus on whether management has the processes in place and operating effectively to manage risks. 

    My fondest wish is that you would join the call, with which I believe you agree, instead of blazing a separate path.

  1. Norman: I have been calling on the IIA to advocate Internal Audit reporting on management's risk management processes since the early 90s. I was clearly blazing a path back then and it was a fairly lonely one at the time. I am not "blazing a separate path" now, since my first calls for internal audit to play a key role in CSA/CRSA in the early 90s were picked up by the IIA in the mid to late 90s by picking up the CSA Conference (now GRC Conference) and launching the CCSA certification. I have been calling on IA to report on the effectiveness of risk management processes since 1990. This was made a "should do" requirement in 2000 by the IIA IPPF standards and a "must do" requirement in 2010. It would appear to me I am more "breaking trail", as cross country skiers say, not blazing a separate path.

     I'm not sure why you keep focusing on a few slides in my IIA presentation and papers while ignoring the other points being made. I am advocating that IA's main role should be to report to the board whether they are getting reliable information on the effectiveness of management's risk management processes AND the reliability of the information they get on the organization's true retained/residual risk status. You need to embrace the "AND" in the sentence to understand our vision. Both parts of the sentence are important.
