What about Chief Compliance Officer or head of the governance, risk management, and compliance (GRC) function?
An apparent trend is for the chief audit executive (CAE) to be asked to lead or manage the organization's risk management function. I know several major companies where the CAE either is also the chief risk officer (CRO), or has risk management reporting to him or her. Several are also responsible for compliance, and at least one company has the CAE as head of the governance, risk, and compliance (GRC) function.
This is different from the situations where the CAE reports administratively to the CRO and functionally to the audit committee. While awkward — the CAE may be auditing the risk management processes owned by his manager, and may disagree with the CRO on risk levels — as long as the CAE has free access to the audit committee the situation is generally manageable.
Can the internal audit function be sufficiently objective and provide assurance on the effectiveness of risk management and related controls when the CAE is also the CRO, head of GRC, or manages the risk function? Can the CAE provide assurance on controls to ensure compliance when he or she is the chief compliance officer?
In 2004, The IIA published a position paper, The Role of Internal Auditing in Enterprise-wide Risk Management (PDF). The paper made a number of assertions regarding what activities internal auditing may or may not perform.
Legitimate internal auditing roles with safeguards.
- Facilitating identification and evaluation of risks.
- Coaching management in responding to risks.
- Coordinating ERM activities.
- Consolidating the reporting on risks.
- Maintaining and developing the ERM framework.
- Championing establishment of ERM.
- Developing risk management strategy for board approval.
Roles internal auditing should NOT undertake.
- Setting the risk appetite.
- Imposing risk management processes.
- Management assurance on risks.
- Taking decisions on risk responses.
- Implementing risk responses on management's behalf.
- Accountability for risk management.
It seems to me that when the CAE directs the risk management or GRC functions, he or she is "imposing risk management processes" and has "accountability for risk management."
So what is the CAE to do if he or she is asked by management and the audit committee to take on responsibility for GRC, compliance, or risk management — even when both have seen the IIA position paper? Is it reasonable to expect the CAE to resign?
What should candidates do when offered a position as both CAE and CRO?
Finally, what more should we expect from The IIA in this area? Is it reasonable to expect The IIA to allocate its limited resources to advocacy and education efforts, when perhaps they may be better employed in advocating for internal auditing's greater role in providing objective assurance on governance and risk management practices?
I welcome your comments and suggestions in each of these situations.