Norman Marks, CRMA, CPA, was a CAE and Chief Risk Officer at major global corporations for more than 20 years.
He reviews the Dutch Internal Audit Ambition Model on the website of Internal Auditor Magazine:
- I like the fact that they mention continuous risk assessment (and presumably continuous updating of the audit plan).
- However, I dislike the reference to annual and, especially, multi-year plans.
- I also have reservations about their focus on the bureaucratic aspect of internal auditing: not so much the charter as the formalization of audit procedures. We need to empower people to take innovative approaches in this dynamic environment.
- I am nervous about the idea of providing an opinion on "the overall adequacy of governance, risk management, and control". I prefer to provide an opinion whether there is reasonable assurance that the more significant risks will be managed as desired. The sources of those risks may lie in failures in internal control or in governance processes. But providing an opinion on the overall adequacy of governance is one step too far. It is not our job to assess the performance of the board. We have to be careful in our language as we assess governance processes where the risk to corporate objectives may be high.