The State of Internal Audit and Risk Management


The UK's Chartered Institute of Internal Auditors (UKIIA) has published Governance and Risk Report 2014: Internal Audit's Perspective on the Management of Risk.

The report speaks more to the condition and role of internal audit than risk management, but has one useful set of statistics on risk management.

The heads of internal audit (CAEs) surveyed assessed the effectiveness of risk management at their organization.

  • About 5% assessed risk management as "fully established & effective risk culture at all levels"
  • Just over 50% said they had "established risk management with planned extension/development"
  • Less than 30% were in the "early stages of implementation"
  • Most of the rest (only a few had no formal plans for risk management) were planning to implement

This was not far different from the UKIIA's 2013 report, disappointing the authors because there has been quite a push in the UK to implement risk management programs.

The balance is about internal audit in the UK and its role with respect to risk management.

I don't know whether to be disappointed or encouraged. More than 20% of the CAEs said that they did not assess and provide assurance on the design and effectiveness of risk management. I am disappointed that it is not 100%, but realistically many should be focused on consulting/advisory services (rather than assurance) to help their organizations' embryonic programs mature. Unfortunately, the UKIIA did not ask questions about those services.

I am certainly disappointed that CAEs continue to focus on something other than the risks that matter to their organization.

The "survey says" that CAEs spend most time and effort in these areas:

  1. Operational risk
  2. Assessing risk management (hurrah!)
  3. Financial reporting and controls
  4. Corporate governance
  5. IT projects

However, these same CAEs (!) rate these areas as the top risks facing the organization:

  1. Operational risk
  2. Regulatory change
  3. Economic uncertainty
  4. IT projects
  5. Effectiveness of risk management

At first glance, these seem close. But right behind risk management are (a) reputation and brand, and (b) competitive risk, and according to the survey IA does little work in these areas.

Some might argue that internal audit can't audit either of these or #3 on the list, economic uncertainty. I disagree! IA can assess what processes management has in place to monitor and then respond to these risks.

There is much more in the UKIIA report, but I just want to highlight one item: the influence of management on the CAE remains excessive! Even though the great majority report in principle to the audit committee, compensation (69%) and especially performance assessments (75%) are set by executive management.

I welcome your comments.
