The thin line between audit and risk management

Internal audit executives report on all sorts of things, and that’s not going to change. To whom all those things should be reported, however, is an open question.

On one hand, audit executives are being asked to do more. They are expected to be trusted advisors, counseling the board about risk. They’re to embrace new technologies that allow better analytics and more perceptive monitoring of risk throughout the enterprise.

At the same time, boards are under pressure. Regulators, shareholders, customers, business partners, and others all want them to do a better job at governing risk — not just reviewing it or setting tolerances for it. Stakeholders want to hold boards more accountable, all the time.

Think about what that means. If the audit executive and the board are both being challenged to do better at the same tasks — assessing risk, and building a capability to intervene when a risk stretches beyond the comfort zone — a tangle of questions are raised about corporate governance, risk assurance, and the role of the chief audit executive.

For example, should corporate boards establish risk committees? If so, what issues does the audit executive report to them? If the CAE discusses some issues with the risk committee but other issues with the audit committee, is that wise? Should the CAE’s role be split? Or is the converse true: that modern technology is fusing internal audit and risk management into one larger risk assurance function?

Read more at Tone at the Top June 2019