By Peter Miller
Just the other week, I heard the IIA President, Richard Chambers, present on “What’s Next for Internal Audit.” It was a very good presentation that brought up some interesting points and lessons learned from the current economic downturn. What stood out in my mind was the role Internal Audit departments were playing in assessing the effectiveness of and contributing to their organizations’ risk management processes.
The issue that interested me wasn’t whether or not better risk management could have prevented the current economic crisis, but rather how well Internal Audit departments have embraced their role in assessing Risk Management.
A recent IIA survey results showed that 76% of polled audit shops currently prepare an organization-wide risk assessment. Not too bad, I thought. But then I was reminded that according to the International Professional Practices Framework of 2009 (IPPF) Standard 2120, it was a requirement! Further, the survey indicated that only 27% of respondents provided risk assurance through written audit reports over the risk management process. Were all the others just chatting about it around the water cooler?
The IPPF standards are clear and unambiguous. There’s lots of “must do’s” for Internal Audit with respect to evaluating the risk management process, and being alert to and reporting of the existence of other significant risks. So why is it that a third of respondents perceive that assessing risk management is is beyond the scope of Internal Audit?
My theory is that too many audit shops have had “tick-the-SOX-check-box-itis,” and that operational auditing activities such as risk assessment have fallen to the wayside. With the economic downturn causing a swift and dramatic shift in what is expected from Internal Audit departments, new challenges are surfacing.
Find out more: ACL Blog