Memo To Internal Auditors: Stay Out of Risk Management!

by Paul Proctor

One of my favorite scenes in The Big Lebowski is when he runs afoul of the Sheriff in Malibu, who tells him very clearly, “Stay out of Malibu, Lebowski!” To be clear, it is management’s role to assess and address risk appropriately and audit’s role to provide assurance. It is not audit’s role to step in and fill the gap if management is doing a poor job with risk management. In a phrase, “Stay out of Risk Management, Audit!”

There has been a drumbeat for the last 10 years for internal audit professionals to improve their risk management skills and get “appropriately” integrated with risk management activities. This seems admirable on the surface, but the dark underbelly is that they are increasingly acting like risk managers.

To their credit, the Institute of Internal Auditors (IIA) gets it, but some of their language can be twisted by the opportunists. In the 2004 position statement from the Institute of Internal Auditors, The Role of Internal Audit in Enterprise-Wide Risk Management, you can see how words like “Developing risk management strategy,” “Coordinating ERM activities,” and “Maintaining and developing the ERM framework” make what they call “legitimate” auditor activities look a lot like risk management responsibilities.

And their internal audit standard 2120 also contains language that can be misconstrued by gung-ho auditors looking to increase their influence.

Before I get a bunch of cards and letters saying that I don’t understand the official position, I do. My problem is with my own experience with Gartner clients (greater than 60,000 organizations globally):

  • Audit superseding legitimate business decisions to accept a risk by writing a finding anyway.
  • Too many organizations have audit and IT Risk organizations reporting into the same executive, or worse, their risk and security people reporting into audit! Talk about conflict of interest.
  • Organizations that rely on internal audit to identify their risks, and put their focus on addressing audit findings as the primary mechanism to protect the organization.

The issue is punctuated by a recent PWC 2013 State of Internal Audit Profession Study, which laments that “internal audit needs to step outside of its traditional comfort zone, and contribute to the organisation in a more meaningful way, or fall into obsolescence as other risk-management functions outpace them.”

It goes on to support gems such as this:

  • Problem-solving internal audit functions are leveraging expertise and technology-enabled analysis to identify root causes to help management understand and solve specific issues. They also are more integrated with other risk management functions in the organization to ensure risks are well managed.
  • Companies must collectively confirm the organization’s risk profile and internal audit’s contribution to helping to monitor it.
  • Ask how key business risks are addressed by internal audit in the context of the organization’s aggregate risk coverage.

In a recent WSJ blog on the PWC survey