When the Board Uses the Internal Audit Risk Assessment

As a CAE for many years, I would develop my plan based on an assessment of the organization’s risks that I would complete. The process would typically include:

· Building an "inventory" or list of risks to assess, organized in categories such as Strategic, Compliance, Financial, Operational, IT, Ethics and Fraud, External, etc.
· Meeting with senior management in each HQ and operating area to obtain their views on which are the more significant risks, and how they should be assessed (using a simple low/medium/high scale for both likelihood and impact).
· Adding our own internal audit assessment of risk levels (considering factors such as the history of control failures, the experience level of management and key staff, etc.).
· Reviewing the resulting matrix or heat map with the CEO and CFO.
· Building the periodic audit plan to address the more significant risk areas, focusing especially on those where we believe we can add value.
· Meeting with the audit committee to discuss both the risk assessment and the audit plan.

In hindsight, I missed an opportunity and may have been guilty of reinforcing "wrong" behavior.
I believe it is management’s responsibility to identify and assess risks to the organization. Although I later added chief risk officer responsibilities, for the first 10 years or so as CAE only internal auditing provided the board (or committee of the board) with an enterprisewide assessment of risks.
On reflection, I wish I had pressed management to take responsibility for the risk identification and assessment process. I missed the opportunity to advocate for risk management. But, at least I made them "own" the assessment in the last few years.
Does your internal audit function provide the board (or audit committee) with the only enterprisewide assessment of risks it reviews? Are you enabling management to "shirk" its responsibilities by doing this?
I am interested in your views on this.

Posted on Oct 26, 2010 by Norman Marks

  1. In a former position as the CAE for a city government, internal audit developed the risk assessment questions and scoring system. We then sent the questionnaires to the lowest level supervisors with a cover letter from the City Manager asking them for their input. After we received the responses we input them in a spreadsheet and sent the results to the next level of supervisors for their input, and continued this process up the line until we reached the executive management level. A multi-year audit plan was then developed based on the risk assessment. It greatly reduced management resistance to audits when they knew the audit schedule was based on their concerns. I do not know what the long-term effect was because I retired and moved away.

  2. Hi Norman,

    I do a smaller scale version of the things you describe above to facilitate determination of the audit projects for the upcoming year.

    I am happy to say that the Audit Committee maintains its own "50,000 foot level" matrix of risk, mitigation, and reporting. I then tie/link my matrix into theirs. Additionally, Sr. Mgt recently formed a Risk Steering Committee. I plan to link to that as well when I see what output it has.

  3. Wow, good stuff Norman!! Some thoughts:

    First, you are being too hard on yourself. None of us that came up in the internal audit profession knew any differently than to be the ones to conduct the risk assessment and resulting internal audit plan. This is what we were programmed to do. On the other hand, our profession was not on the cutting edge of risk management methodology having missed an opportunity to learn from the risk management profession on who needed to do what. This is water under the bridge.

    Besides, we needed to do the risk assessment. Otherwise, we could never conduct internal audits.

    Second, I concur with you. It is management's responsibility to identify and assess the risks and not internal audit's domain. Internal audit can facilitate the process but with management's full participation and concurrence. Management needs to be driving this and to the extent they are not, well they are not doing their job.

    Continued below


  4. Continued from above

    Third, the process to conduct the risk assessment needs to include several other steps in addition to the ones you have noted above, but again, this would be driven by the risk management function. For example, there are 15-20 techniques to get a handle on all of the major business risks. Interviews, per the above, are one such technique, but they need to be supplemented with other techniques. There are several other steps as well, but that is the subject for another blog.

  5. Hi, Arnold and Norman.

    It's not too late for internal auditors to partner with risk practitioners on realizing the value of ERM. A number of organizations have overcome the obstacle described by Norman by having the functions work closely together.

    RIMS has been and continues to be interested in advancing these discussions with leadership at the IIA.

    All the best,


  6. Hello Norman, It is great to see IA people question these issues. You are clearly correct in your comments, that management must take responsibility for risk management across the enterprise. In the past there has been a significant conflict of interest occurring for IA, and a management failure in general. In my own view, this has been exasperated by outsourced IA providers expanding their services/revenue at the expense of sound governance. Moving forward, I encourage the IA and ERM professions to work together in an integrated manner, but to do so without compromising independence.

    Aarron Spinley, Director - WTI
