It is heartening to see more and more organizations requiring their internal audit departments to assess and provide an opinion on the effectiveness of risk management — or, using my preferred language, the management of risk by the organization.
I did a
short video with Richard Chambers, President and CEO of Global IIA, on this topic. This was after I had posted a "tweet" saying that internal audit leaders who failed to provide assurance on risk management "deserved a seat at the children's table." While most laughed and agreed, this did draw some criticism from other internal audit leaders.
As I explain in the video, internal audit needs to focus on the risks that matter to the organization if they are to be relevant. Often, the greatest risk is that the organization's leaders are not aware of the risks between them and their objectives.
Do you agree with my observation?
Do you agree also that not having expertise in risk management is no excuse: that expertise must be obtained, even if requires going to an external source, i.e., co-sourcing?
You might be interested in other short videos on the value of
internal audit performing SOX testing and
internal audit's role in organizational governance. Do you agree with my comments?