
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | 2 Minutes Read March 23, 2016

Misunderstanding risk and internal audit

There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.
A recent piece on AccountingWeb entitled "More boards count on internal audit to identify risks" has good intentions, but could lead people astray.
For a start, it is not internal audit’s role to identify risks. That is most definitely management’s responsibility. Internal audit should:

  • Audit and assess management’s ability to identify, assess, and manage the more significant risks that can affect (positively or negatively) the achievement of objectives. That assessment should be communicated formally to the board and top management on at least an annual basis
  • Audit and assess the adequacy of the controls relied upon to manage the risks that matter to the achievement of objectives, reporting the same to the board
  • Ensure the board understands where the controls are not adequate and that failure raises the level of risk to objectives to an unacceptable level. Internal audit should (but frequently does not) identify which objectives are affected
  • Add value by providing insight and recommendations to management to improve the systems of risk management and internal control

Now, if internal audit is not doing the above, there is a problem. Reading the article, it can be assumed that many internal audit departments are falling short – and that management and the board do not set the expectations for internal audit high enough.
Another assumption from the article is that many management teams do not have the capability to identify, assess, and manage risk. That is why some are defaulting to internal audit to step in. But, while internal audit can and should report situations where the risk is different to what management and the board believe, internal audit should not be the function relied upon to identify risk.
Yes, internal audit can take on additional risk management responsibilities – as a coordinator, facilitator, and evangelist. But, it must not assume management tasks such as assessing the level of risk or deciding what action is required – which would compromise its independence and objectivity.
Do you agree?
We can discuss this further in Chicago in April. See www.riskreimagined.com for details.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Article by Occasional Contributors / Business, Finance and Accounting / internal audit, internal audit to identify risks, risk management responsibilities
