
Inside Internal Controls

News and discussion on implementing risk management


Misunderstanding risk and internal audit

There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.

A recent piece on AccountingWeb entitled More boards count on internal audit to identify risks has good intentions, but could lead people astray.

For a start, it is not internal audit’s role to identify risks. That is most definitely management’s responsibility. Internal audit should:

  • Audit and assess management’s ability to identify, assess, and manage the more significant risks that can affect (positively or negatively) the achievement of objectives. That assessment should be communicated formally to the board and top management on at least an annual basis
  • Audit and assess the adequacy of the controls relied upon to manage the risks that matter to the achievement of objectives, reporting the same to the board
  • Ensure the board understands where the controls are not adequate and where that failure raises the level of risk to objectives to an unacceptable level. Internal audit should (but frequently does not) identify which objectives are affected
  • Add value by providing insight and recommendations to management to improve the systems of risk management and internal control

Now, if internal audit is not doing the above, there is a problem. Reading the article, it can be assumed that many internal audit departments are falling short – and that management and the board do not set the expectations for internal audit high enough.

Another assumption from the article is that many management teams do not have the capability to identify, assess, and manage risk. That is why some are defaulting to internal audit to step in. But, while internal audit can and should report situations where the risk is different to what management and the board believe, internal audit should not be the function relied upon to identify risk.

Yes, internal audit can take on additional risk management responsibilities – as a coordinator, facilitator, and evangelist. But, it must not assume management tasks such as assessing the level of risk or deciding what action is required – which would compromise its independence and objectivity.

Do you agree?

We can discuss this further in Chicago in April. See for details.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
