The IIARF WhITe PAPeR

MARCh 2011

Internal Auditings Role in Risk Management

SPonSoRed by

INTERNAL AUDITINGS

Role in Risk Management

DISCLOSURE
Copyright 2011 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The Institute of Internal Auditors (IIA) International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIARF is to expand knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally. The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting todays business world. Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The Foundation and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the researchers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF.

MARCH 2011

Role in Risk Management

ABOUT THE IIA RESEARCH FOUNDATION The Institute of Internal Auditors Research Foundations (IIARFs) vision is to understand, shape, and advance the global profession of internal auditing by initiating and sponsoring intelligence gathering, innovative research, and knowledge-sharing in a timely manner. As a separate, tax-exempt organization, The Foundation does not receive funding from IIA membership dues but depends on contributions from individuals and organizations, and from IIA chapters and institutes, to move our programs forward. We also would not be able to function without our valuable volunteers. To that end, we thank our volunteers and contributors for making our successes possible. For a listing of The IIA Research Foundation contributors for 2011, visit: http://www.theiia.org/research/make-a-donation/donor-recognition/ ABOUT ORACLE Oracle (NASDAQ: ORCL) is the worlds most complete, open, and integrated business software and hardware systems company. Part of Oracle Fusion Applications, Oracle Fusion Governance, Risk, and Compliance (GRC) provides a complete enterprise GRC platform that gives you the power to know, the power to manage, and the power to enforce. Our Fusion GRC applications combine unified intelligence into the status of your GRC activities, end-to-end support for risk and compliance management, and automated controls monitoring and enforcement. For more information about Oracle, visit oracle.com/grc ABOUT THE AUTHOR Paul Sobel is Vice President/Chief Audit Executive for GeorgiaPacific, LLC, a privately owned consumer products and building materials company based in Atlanta, GA. He previously served as the Chief Audit Executive (CAE) for three public companies: Mirant Corporation, an energy company based in Atlanta, GA.; Aquila, Inc., an energy company based in Kansas City, MO.; and Harcourt Generals publishing operations based in Orlando, FL. His responsibilities included leading the global internal audit efforts at these companies, as well as consulting on each companys ERM, compliance and internal PAUL J. SOBEL, CIA controls programs. He has also served as International Audit Manager for PepsiCo, Senior Manager in Arthur Andersens Business Risk Consulting practice, and Experienced Manager in Arthur Andersens Financial Statement Assurance practice. Paul addresses the topics of governance, ERM, and internal auditing at his speaking engagements. A published author and writer, he has authored Auditors Risk Management Guide: Integrating Auditing and ERM and was co-author of The IIARF textbook Internal Auditing: Assurance and Consulting Services. Paul has published articles in Internal Auditor magazine and Management Accounting Quarterly. An avid supporter of the internal auditing profession, Paul has volunteered countless hours to The IIA and The IIARF. Currently he serves on The IIAs Board of Directors as Vice Chair of Professional Development. In the past he has served as President of The IIARF, Senior ViceChair on the North American Board, and in other volunteer positions. He served as Program Chair for The IIAs 2010 International Conference (Atlanta, GA). He is The IIAs representative on the Pathways Commission, which is studying the future of accounting education in the United States, and recently finished a two-year term on the Standing Advisory Group of the PCAOB.
MARCH 2011 3

INTERNAL AUDITINGS

Role in Risk Management

EXECUTIVE SUMMARY
The business world is becoming increasingly complex due to new, evolving, and emerging risks. Organizations are giving risk management more consideration, but implementing an effective risk management program takes time and discipline. Internal auditors are finding they can play important roles in risk management, but there are many roles that internal audit activities are either not ready to pursue or are not proactive in pursuing. This should serve as a call for action to internal audit activities in general and chief audit executives (CAEs) in particular. Specifically, CAEs have opportunities to: Educate and train audit committees and management on risk and risk management concepts. Provide assurance on the core internal audit roles described in an IIA Position Paper titled The Role of Internal Auditing in Enterprise-wide Risk Management. Seek opportunities to perform more risk management consulting services in support of whoever is managing the risk management program, and formally communicate the results of those consulting services to the audit committee and management. Evaluate strategic risks; i.e., whether management has (1) comprehensively identified key strategic risks, (2) developed prudent risk management techniques to address those risks, and (3) established sufficient monitoring of strategic risk signposts to identify risk occurrences in time to take the appropriate actions. Devote the time, resources, and leadership to developing internal audit teams so that they have the right level of skills and experience related to risk management. Use third-party and other internal resources to supplement the risk management skills of the internal audit activity. This call for action may be challenging for many CAEs, but those with the right level of skills, experience, and confidence, and a sufficiently high position in the organization, will be able to carry out the actions described throughout this paper and truly add value to their organizations.

INTERNAL AUDITINGS

MARCH 2011

INTERNAL AUDITINGS

Role in Risk Management

INTRODUCTION
Since the 2008 financial crisis, regulatory and economic pressures are forcing organizations to do a more thorough job when conducting enterprisewide risk assessments, pursue strategic opportunities in a risk effective manner, increase the effectiveness of risk mitigation efforts, and focus on a more holistic approach to risk management. As organizations strive for success with these initiatives, many are asking: What is, and what should be, the role of internal auditing? This paper examines data from surveys conducted over the past two years and provides analysis and insights into: The direction CAEs receive from audit committees and management. The risk management activities internal audit activities are currently performing and those they expect to perform in the coming years. Internal auditings role in identifying and assessing the organizations strategic risks. The skills internal auditors need to keep pace with evolving roles in risk management. Opportunities to add greater value to their organization around risk management. While the survey data provides an interesting picture into the current state of internal auditings role in risk management, the real value is derived from the analysis of such data and per-

spectives on how this should influence the actions of CAEs and internal audit activities. As such, readers will observe several real-world perspective boxes throughout this paper where the researcher provides thoughts and observations that can help readers turn research data into potential actions to move their own organizations forward in their pursuit of effective risk management.

MARCH 2011

Role in Risk Management

DIRECTION FROM THE TOP The first question to consider is, What are internal auditors being asked to do? It is important to understand the direction that is being provided by the board of directors, typically through the audit committee (to whom most internal audit activities report functionally) and management (to whom most internal audit activities report administratively). In August 2009, a Global Audit Information Network (GAIN) Flash Survey with 321 respondents identified the following when it asked about the direction provided by the audit committee:1 auditors should play. Slightly less than half look to internal auditing to provide advice on risk management processes, and just more than a quarter have asked internal auditing to perform specific audits of risk management components. It is also notable that expectations regarding rendering opinions on the overall risk management process (23 percent) or individual risk management areas (41 percent) are relatively low. While it is difficult to speculate as to why these numbers are not higher, one answer may be found in another question from that survey. Respondents

INTERNAL AUDITINGS

Hastheauditcommitteeaskedinternalauditing
Yes
to provide an opinion on any individual programs or areas related to risk management? to provide an opinion on the organizations overall risk management processes? to perform specific audits of any components of risk management? for recommendations or advice on enhancing the organizations risk management processes?

No
41% 23% 28% 45% 59% 77% 72% 55%

were asked, How much do you agree or disagree that there is an emerging need for the audit committee to have better insight into the organizations risk management processes? The answers to this question were quite striking:2 Strongly Agree 37% Agree 38% Neutral 5% Disagree 1% Strongly Disagree 19%

While recent audit committee surveys have shown that risk management is clearly on their radar screen, the above data indicates that audit committees may not have high expectations as to what role internal
MARCH 2011

INTERNAL AUDITINGS

Role in Risk Management

Three quarters of the respondents believed that there is an emerging need for audit committees to gain more insight into risk management processes. It is reasonable to presume that a lack of general awareness and understanding about risk management results in a lower level of appreciation of how internal audit activities can provide meaningful insights and assurance surrounding risk management activities. It is also possible that audit committees do not perceive that internal auditors possess the right skills and experience to assess risk management activities, which is addressed later in this paper. internal auditing may find, questions about internal auditors skills and experience, or lack of awareness of how internal auditing can help provide assurance or advice. Regardless, the direction from the top is not building a compelling case for internal auditors to be viewed as an integral part of the risk management success.

Real-World Perspective
Most internal audit activities use a risk-based
model to develop their audit plan that considers input and requests from management. While this approach is typically sound, it may lag in identifying emerging and important risk areas. If the audit committee and management do not have a strong understanding of risk management concepts, they may not identify and request appropriate projects related to emerging risk areas. Confident, risk-aware CAEs typically have the latitude to include certain projects that, in their judgment, will provide value to the organization. They should not miss out on the opportunity to do what they think is best, even if the audit committee and management do not ask for it.

Real-World Perspective
Internal
auditors understand risk management concepts and the value proposition better than most employees. Thus, CAEs should be more proactive in educating audit committees and management on the value of effective risk management and the roles internal auditors can play to help enhance that value. Surveys consistently indicate that risk management is a key and emerging topic on audit committee agendas; thus, they will likely be asking more questions about the effectiveness of current risk management activities. CAEs should shape the understanding of audit committee members and management so that they ask the internal audit activity to play the right role in the future.

Interestingly, there is a lack of survey data addressing managements expectations of internal audit activities. As displayed in the next section, Current Roles for Internal Auditing, many internal auditors are playing various risk management roles, so clearly management is not an impediment to internal audit involvement in risk management. However, the percentage of internal auditors involved is not as high as might be expected, indicating that management may not be aggressively pushing for internal auditing to play a more prominent role in risk management. This may be due to concerns about what

CURRENT ROLES FOR INTERNAL AUDITING Despite the modest level of top-down direction received from the audit committee and management, internal audit activities have made strides in playing a role in risk management and will continue to do so. The 2010 IIA Global Internal Audit Survey (a component of the Common Body of Knowledge [CBOK] studies) indicated that 57 percent of internal audit activities around the world perform audits of enterprise risk management processes. Furthermore, 20 percent of respondents indicated that they believed performing such audits would become more prominent over the next five years.3 In the GAIN Flash Survey, 24 percent indicated that their internal audit activity had primary responsibility for risk management in their organizations,

MARCH 2011

Role in Risk Management

which likely reflected the lead role that internal auditing plays on a daily basis. However, when answering the question Who has the overall responsibility for risk management in your organization? only 9 percent indicated that internal auditing and/ or the CAE had such responsibility.4 Since there are inherent conflicts (as discussed later) between the decision-making responsibility for risk management and the objectivity requirements of the International Standards for the Professional Practice of Internal Auditing (Standards), the lower level of overall responsibility seems appropriate.

INTERNAL AUDITINGS

The GAIN Flash Survey went on to ask a series of questions designed to identify the extent to which internal auditing was playing a role in risk management. The first of these questions focused on whether internal auditing was currently playing a role, or expected to play a role in the future, in six broad areas as illustrated below:5

ROLEDESCRIPTION
1. 2. 3. 4. 5. 6. Informally provides consulting and advice on risk management practices Is the catalyst in forming risk management Has active participation in implementing risk management Participates as part of a formal risk management program Provides independent assurance on risk management Assists and advises a new, separate risk management function

Current Role

Future Role

No Role

77% 48% 45% 43% 40% 28% 21% 14% 20% 30% 35%

14%

9%

38% 35% 27% 25% 51%

The 77 percent indicating they play an informal consulting role seems to support the notion that internal auditors tend to have a stronger understanding of risk management than most business people and, as such, are frequently sought out for advice on risk management practices. While the response to the question about being a catalyst in forming risk management was much lower, that is probably due to there being more catalysts than there were five to 10 years ago when CAEs were often the impetus for initiating a risk management initiative. This is an encouraging trend.
MARCH 2011 9

INTERNAL AUDITINGS

Role in Risk Management

The responses to the other areas reinforce the fact that internal auditing has and will continue to play a role in the implementation and operation of risk management programs to some extent. However, it is somewhat surprising that only 40 percent currently provide independent assurance on risk management and 25 percent never expect to do so, because risk management is embedded in the Standards. Also, the lower percentages for the last area assisting and advising on new, separate risk management functions further highlight that many internal audit activities are not providing independent assurance and consulting services as often as one might hope.

Real-World Perspective
These results point to the need for more guidance to support practical application of a variety of risk management activities. It appears that most internal audit activities have been successful in providing broad advice on risk management, but fewer are confident enough to provide specific assurance and recommendations to move risk management ahead in their organizations. CAEs must be more proactive in obtaining and cultivating the right skills within the activity and aggressively educating the audit committee and management on the valuable role internal auditing can play in risk management.

THE GAIN FLASH SURVEY WENT ON TO ASK WHETHER INTERNAL AUDITING WAS PERFORMING THE FOLLOWING MORE SPECIFIC ROLES. 6

1. Facilitates the identification and evaluation of key risks 2. Participates in the identification of emerging risks 3. Provides assurance through written reports on the management of key risks 4. Coaches management in responding to risks 5. Provides assurance through written audit reports that risks are correctly identified and evaluated 6. Provides consulting reports to improve or implement the risk management process 7. Provides assurance through written audit reports over the risk management process 8. Does consolidated reporting on risks 9. Participates in setting the organizations risk appetite 10. Develops the organizational policies for its risk management processes 11. Implements risk responses on managements behalf 12. Makes decisions on risk responses

65% 62% 49% 43% 38% 29% 28% 17% 11% 8% 4% 3%

10

MARCH 2011

Role in Risk Management

Almost two-thirds of the respondents indicated a role in two of the more common risk assessment areas: (1) identification and evaluation of key risks and (2) identification of emerging risks. This is consistent with the answer to another question in the GAIN Flash Survey where respondents indicated that 69 percent of organizationwide risk assessments are developed annually by the internal audit activity. Risk assessment is an area where most internal audit activities have some level of experience. While it is valuable for organizations to leverage that experience, it is important to begin developing the risk assessment skills of other functions within the organization. Roles #3, #5, and #7 cover the assurance question that was discussed broadly above. These results seem to support that internal auditing is not providing the level of assurance it could provide. There is a slightly higher level of assurance around managing key risks, but a slightly lower level on managements risk assessment process (i.e., that risks are correctly identified and evaluated). And only 28 percent provide written audit reports over the risk management process. The responses to #4 and #6 support the consulting role that internal auditing plays, although these percentages are notably lower than the 77 percent who indicated that they provide informal consulting and advice. Because internal auditors perceive themselves as coaching management only 43 percent of the time, and deliver reports on consulting services only 29 percent of the time, internal audit activities may be missing opportunities to ensure that the audit committee and management recognize the valuable role they are already playing. The last five roles are not performed frequently, probably because they are management roles that could impair the objectivity of the internal audit activity. Those who do perform these roles should take the necessary safeguards, as discussed below.

INTERNAL AUDITINGS

MARCH 2011

11

INTERNAL AUDITINGS

Role in Risk Management

g the ERM framework Champ Dev ioning elop establi shmen ing t of ERM ERM stra teg y fo r bo Im ard po app Se sin rov tti al g ng ris the km ris ka an pp ag eti em te en tp ro ce ss es Consolidated reporting

s ies risk activit g to g ERM sks inatin ndin f ri Coord spo no in re tio ent ks lua gem va ris ana &e gm ey chin ion fk Coa cat to en em ag

cili Fa
i ew vi Re ng Ev al ua tin g th er ep e th

Maintaining & developin

tat
an m

ing

fi nti ide

Ev alu

ati n

gr

or

isk

tin

ge isk Givi me n s nt are c g assur pro ance orre ctly ces eval that the ses uate risks d
Giving ass urance on the risk managem ent proce sses

ma

na

of

ke yr

a an

ge

ta en

ss

an ur

o ce

ris

ks

Core internal audit roles in regard to ERM

Legitimate internal audit roles with safeguards

An IIA Position Paper titled The Role of Internal Auditing in Enterprise-wide Risk Management provides an illustration7 that presents a range of risk management activities and indicates which roles an effective professional internal audit activity should and, equally importantly, should not undertake. The five areas on the left of the fan represent core internal audit roles for risk management. The position paper states that They form part of the wider objective of giving assurance on risk management. An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities. Yet, based on the survey results discussed above, it appears that the majority of internal audit activities are falling short of this strongly recommended guidance.

on risks

k Ta

in

e gd

es ons resp behalf risk nts e ting men nagem le Imp on ma

cis io
y for risk m anageme nt

o ns

nr

is

esp kr

on

ses

bilit Accounta

Roles internal auditing should not undertake

Real-World Perspective
Internal
audit activities should provide assurance on many, if not all, of the core internal audit roles described in the position paper. Each of these areas is critical to the success of risk management. The audit committee and management will find comfort in knowing these areas are operating effectively, and if not, will want to understand what the gaps are and the potential actions to close those gaps.

12

MARCH 2011

Role in Risk Management

INTERNAL AUDITINGS

Finally, the six areas on the right are roles that internal auditing should not undertake because they are management responsibilities that would clearly impair the internal audit activitys objectivity. For those that were included in the survey, it is encouraging that few internal audit activities appear to be taking on these types of roles.

The seven areas in the middle of the fan represent legitimate internal audit roles with appropriate safeguards. While the position paper lists several safeguards that can be taken, generally they focus on not taking on decision-making or other management roles, such as those depicted in the right part of the fan. These legitimate internal audit roles are generally considered consulting roles that can greatly enhance the value provided by internal auditing in risk management. While few of these were specifically considered in the survey, the results indicate that most internal audit activities are not performing these valuable roles.

Real-World Perspective
While
there are good reasons why the last group of roles should not be undertaken by internal auditors, there may be appropriate times to do so anyway. If the organization has a significant need related to risk management, and nobody else has the experience to fill that need, it may be better if an internal auditor fills that role rather than nobody at all. The auditors objectivity will be impaired for a period of time, and this may impair the objectivity of the entire internal audit activity, but independent assurance could still be obtained from some other source (typically an outside specialist), which may provide the audit committee and management with the comfort they need.

Real-World Perspective
CAEs should seek opportunities to perform as
many of the consulting services as possible and formally communicate the results of those consulting services. Many internal audit activities have the skills to conduct these activities. Proper safeguards, which typically ensure that responsibility, accountability, and authority rest with management and not the internal audit activity, are not that difficult to put in place. However, it is important to ensure that these safeguards are well understood by the audit committee and management.

MARCH 2011

13

INTERNAL AUDITINGS

Role in Risk Management

INTERNAL AUDITINGS ROLE WITH STRATEGIC RISKS Recent studies have identified that internal auditing may play an even smaller role related to the strategic risks of an organization. Strategic risks tend to be more difficult to identify, assess, and audit. As such, many internal audit activities spend little or no time on strategic risks. This topic has been discussed in Knowledge Reports issued by The IIA over the past two years. CAEs participating in a March 2009 roundtable discussed several aspects for enhancing internal audit efforts in the area of risk management. The roundtable participants developed a series of recommended actions internal auditors can take to help their organization adopt a more strategic risk management focus. They include: Ensuring that the risk assessment identifies those risks presenting the most significant risks to shareholder value. Facilitating risk management discussions across the organization. Viewing risk management as a core competency and ensuring that auditors receive appropriate training on risk and risk management practices. Reviewing business plans to determine whether they assess the risks embedded in their strategies and have risk monitoring and trigger points. Reviewing the annual report to determine whether risks are addressed appropriately. Continuously monitoring and assessing stakeholder expectations relative to risk and risk management, as well as assisting in the education of these stakeholders. Building a stronger relationship with other risk and control business functions to drive an enhanced process to identify emerging risks. Identifying and sharing best practices in risk management. 8 At an Audit Executive Center Roundtable in August 2010, there was clear-cut agreement among participants that internal auditing needs to fully understand the scope of an organizations business strategies and the related strategic risks embedded within those strategies to ensure that the organizations audit plan addresses those risks sufficiently. Participants concluded on three quick takeaways for CAEs from this discussion of key risks: Ensure that the organizations audit committee, board of directors as a whole, or other board committee is giving appropriate attention to the organizations catastrophic and strategic risks and related risk management activities. Expand the internal audit risk assessment process to include an evaluation of the risks embedded in the organizations core business strategies or the strategies of the organizations primary lines of business. Consider how best to cover exposure to various elements of the organizations audit universe that are geographically dispersed and appear to have limited financial exposure or complexity.9

Real-World Perspective
Studies over the last decade have time and
again shown that business failures or significant reductions in market capitalization are most often caused by strategic risk failures. Therefore, CAEs must consider whether strategic risks can and should be audited. That is, it is first important to identify whether there are assurance or consulting procedures that will help assess or advise on the design adequacy and operating effectiveness of strategic risk management procedures. If so, CAEs must then evaluate whether the audit will provide adequate assurance or relevant advice. Just because something can be audited does not mean it should be audited. However, CAEs will find that there are many strategic risks for which they can provide valuable assurance or advice.

14

MARCH 2011

Role in Risk Management

THE SKILLS NEEDED TO SUCCEED It may seem intuitive to recommend that internal auditors increase their role in risk management, but they should only do so if they have the right skills and experience. In Report II of the 2010 IIA Global Internal Audit Survey, which focused on competencies of internal auditors, 72 percent cited risk analysis and control assessment techniques as important. This skill was rated the second most important skill, slightly behind understanding the business (73 percent), which is a critical enabler to understanding risk in any organization. Similarly, enterprise risk management was rated the fifth most important knowledge area for internal auditors (58 percent).10 That survey included more than 13,500 useable responses from respondents in more than 107 countries, so it clearly represents a global view of the most important skills for internal auditors. Since risk management has been an important part of the Standards and training for more than a decade, why dont virtually all internal auditors have the skills and experience in the areas mentioned above? The GAIN Flash Survey provided some insights into the challenges internal auditors face in their journey to understand risk. The survey asked respondents to vote on selected answers to the statement, To effectively review or audit risk management, the most significant challenges for internal auditing are the: (Respondents were allowed to choose multiple responses.)11 The results are illustrated below.

INTERNAL AUDITINGS

1. Perception that this is beyond the scope of internal auditing 2. Lack of management support 3. Lack of coordination or clarity of roles with other risk and control units 4. Lack of knowledge within internal auditing of risk management practices and techniques 5. Need for training for internal audit staff 6. Need for quantitative skilled internal audit staff 7. Inadequate budget 8. Need for technology tools 9. Lack of clear professional guidance and practice aids 10. Need for third-party expertise 11. Lack of support from audit committee 12. Other

34% 32% 29% 29% 28% 24% 19% 18% 17% 13% 12% 11%

While none of these answers received a high percentage of choices, there were many different ones that are rooted in fundamental aspects of managing an internal audit activity. This may indicate that a variety of seemingly minor challenges could aggregate to create situations where a high percentage of internal auditors lack the necessary skills and training to effectively fill many of the possible risk management roles that they could and should play.

MARCH 2011

15

INTERNAL AUDITINGS

Role in Risk Management

Real-World Perspective
Technology
can be a key enabler for any risk management program. Most organizations will find that they need a technology solution to manage all of the data gathered, and such solutions may also address monitoring, follow-up, and communication challenges. However, it is important to establish the risk management approach before selecting a technology solution. Otherwise, the organization may be forced to adopt the vendors approach instead of one that better fits the organizations needs and culture.

in specific but common risk areas. There were other, less frequently cited responses that represent general skills that are important for all auditors, whether in risk management roles or other audit engagements. Thus, with adequate training and effort, there is no reason why any internal auditor cannot be skilled enough to perform many risk management roles.

Real-World Perspective
CAEs are in a position to address most of the
challenges shown above. They typically have the authority and autonomy to make decisions that will effectively eliminate, or reduce to an inconsequential level, the obstacles to cultivating skilled and experienced auditors. However, individual internal auditors also have a responsibility to be proactive in expanding their own skill sets. Success in a career frequently requires individuals to recreate themselves by adding new and different skills and experience. Internal auditors should pursue opportunities to develop skills from the list to the left.

So what skills should internal auditors be focusing on to ensure they can effectively fill those roles? The GAIN Flash Survey asked that very question; specifically: To effectively assess risk management in an organization, what are the skill sets and expertise required? The most frequent responses were: 1. Business and industry understanding/knowledge. 2. Risk management expertise/knowledge. 3. Understanding of the Committee of Sponsoring Organizations of the Treadway Commissions (COSOs) guidance and other risk frameworks, benchmarks, and methodologies. 4. Good communication skills facilitation, negotiation, and interviewing. 5. Analytical skills. 6. Comprehensive internal audit knowledge and experience. 7. Expertise in specialized areas, other than finance, and their related controls. 8. Knowledge of finance process, controls, and risks.12 It is not surprising that the first three skills clearly require a good understanding of the business, as well as risk management concepts, frameworks, etc. Responses #7 and #8 are similar to the first one, except that they focus on deeper understanding skills

As further support that all internal auditors should expand their risk management skills, Report IV to the 2010 IIA Global Internal Audit Survey outlines whats next for internal auditing as a profession. A key finding was that 80 percent of respondents expect the internal audit activitys role in risk management will increase over the next five years. However, it is important to note that the study also concluded that to play a more effective role in risk management and governance, more resources are needed. This means hiring people with the right qualifications and/or buying the necessary tools to optimize the efficiency of the audit work.13

16

MARCH 2011

Role in Risk Management

Real-World Perspective
Most internal audit activities try to go it alone
when providing risk management services, but that can be a dangerous approach. Many aspects of risk management are still relatively new and evolving. Assigning an undertrained resource on risk management projects may serve only to limit the future opportunities to add value in risk management activities. However, it is a best practice to use a combination of internal audit and thirdparty resources, or other employees with the right expertise. This approach increases the likelihood that management will see the value in these projects and it is also an excellent way for current internal auditors to get on-the-job training from the real experts.

INTERNAL AUDITINGS

While these findings focus on the activities that are typically carried out by the CAE, there may be other functions within the organization that can provide some level of support and assurance for a risk management program, such as in compliance, internal controls, or quality assurance. For example, in the GAIN Flash Survey, 60 percent of respondents answered Yes to the question, If not internal auditing, are any other functions within the organization assessing risk management?15

Real-World Perspective
The very essence of effective risk management
is to break down the silos and focus on managing risk effectively across the organization. While CAEs often feel their function is the only one that is truly independent and objective enough to provide these services, frequently there are other functions that provide some sort of advice or assurance on risk management. CAEs should seek out these functions to collaborate and synergize as much as possible.

OPPORTUNITIES TO ADD GREATER VALUE Much of this paper has focused on ways to add value by performing certain roles related to risk management. There are other findings from past research that should also be considered. In late 2010, a group of CAEs representing some of the largest organizations based in the United States met in Chicago, IL, to discuss their thoughts, recommendations, and observations as the next decade begins. The following are three out of the top 10 recommendations for CAEs as related to risk: Be the catalyst of linking board and board committee discussions of company strategy with risk discussions help them connect the dots. Be the catalyst for integrating risk assessment processes across all risk functions. Make your enterprise risk assessment activities more continuous and less episodic. The following are two of the top challenges for 2011: Helping the board fulfill its new oversight responsibilities, such as maintaining oversight of risk and the appropriateness of the system of executive compensation. Being a catalyst for establishing or regaining enterprise risk management momentum.14
MARCH 2011

Finally, although not previously discussed in this paper, readers are encouraged to review the IIA Knowledge Report from October 2009 titled 10 Risk Management Imperatives for Internal Auditing. This report provides in-depth insights into how progressive internal audit activities are embracing the opportunities to add value through risk-focused activities. Now is not the time for CAEs to be passive and reactive. Someone will fill the knowledge void within organizations to help advance the risk management efforts. With the head start that most internal audit activities have in terms of training and disciplined risk thinking, this is the time to seize the day and be recognized as a valued and respected part of the organization.

17

INTERNAL AUDITINGS

Role in Risk Management

IIA GAIN Flash Survey, Internal Auditings Role in Risk Management, August 2009. Ibid. 3 2010 IIA Global Internal Audit Survey: A Component of the CBOK Study, Report I, Characteristics of an Internal Audit Activity (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2010). 4 IIA GAIN Flash Survey, Internal Auditings Role in Risk Management, August 2009. 5 Ibid. 6 Ibid. 7 IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management, January 2009. 8 IIA Knowledge Report, Internal Auditing and Risk Management, October 2009. 9 IIA Knowledge Report, Navigating Competing Internal Audit Priorities, August 2010. 10 2010 IIA Global Internal Audit Survey: A Component of the CBOK Study, Report II, Core Competencies for Todays Internal Auditor (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2010). 11 IIA GAIN Flash Survey, Internal Auditings Role in Risk Management, August 2009. 12 Ibid. 13 2010 IIA Global Internal Audit Survey: A Component of the CBOK Study, Report IV, Whats Next for Internal Auditing? (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2011). 14 IIA Flash Alert, CAEs Discuss Challenges for 2011, October 2010. 15 IIA GAIN Flash Survey, Internal Auditings Role in Risk Management, August 2009.
1 2

18

MARCH 2011

www.theiia.org/research