Deloitte and the Risk-intelligent Chief Audit Executive

The latest addition to the excellent Risk Intelligent series from Deloitte talks about how the head of the internal audit function (chief audit executive or CAE) can be a driver of risk excellence within an organization.

Deloitte reinforces the notion, embraced by many CAEs, that they have a key role not only in driving risk management practices within the organization, but also in providing assurance on their effectiveness. (Deloitte confuses the issue by talking about management providing assurance — which they don't and can't, because you can't provide assurance on what you are responsible for — and internal audit providing "reassurance." I suggest ignoring the change and substituting "assurance" every time they say "reassurance.")

The authors also correctly point out that internal audit can only facilitate management decisions, not make them itself. Management owns the determination not only of risk levels but also of desired levels of risk.

Here are some quotes:

"In today's environment, as a CAE, you have a unique opportunity to help make significant improvements in enterprise risk management effectiveness and efficiency. Your mission — should you choose to accept it — is to fight complacency and denial by enabling the organization to acknowledge, understand, and address relevant risks and thereby seek to reduce costs."

"We believe that companies that focus solely on risk avoidance may survive but rarely thrive; only those that intelligently manage risk-taking as a means to value preservation and value creation will excel in today's perilous yet opportunity-rich business environment."

"While remaining aware that management and the board 'own' risk, internal audit can provide guidance and [re]assurance that risk is being properly and efficiently managed within the company's defined appetites for various risks."

My favorite is the role of the CAE in fighting complacency and denial. It is easy to say "we have completed our quarterly review of the top risks" and believe that you have effectively managed risks. That is like the ostrich sticking his head in the sand while the battle rages around him and saying "I looked up an hour ago."

I welcome your comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


