Assurance on Risk Management Effectiveness: What Are We Waiting For?

For almost four years now, I have been advocating that the internal audit profession embrace the challenge of providing assurance on the effectiveness of risk management. I believe it is the most significant opportunity for our profession in a generation. Yet, recent survey data would indicate that we are reluctant to make such assurance an integral part of our portfolios of internal audit coverage. I have but one question: What are we waiting for?

There is widespread agreement that failures of risk management in the late 2000s (particularly in the financial services sector) were a major contributor to the lingering global economic crisis. One of the legacies of this crisis will be a myriad of new regulations and statutes around the world designed to pressure management to become more effective in managing risks and boards to become more effective in an oversight role. As boards, in particular, struggle to demonstrate that they are effective in their oversight role, who will they turn to for assurance? Surely they cannot rely strictly on such assurance from management, for management cannot be fully objective in providing assurance about its own performance.

I believe the most obvious source of assurance on the effectiveness of risk management for boards is the organization’s internal auditors. Yet, the Audit Executive Center’s recent Global Pulse of the Profession survey reveals we are barely scratching the surface of this important opportunity. In fact, on average only 4 percent of internal audit plans worldwide are dedicated to providing assurance on the effectiveness of risk management. Amazingly, 52 percent of respondents, globally, indicate they are dedicating no resources to such assurance in 2012; and 92 percent indicate that such assurance comprises less than 10 percent of their audit plans. The only good news (if you can call it that) is that 38 percent indicate they are increasing coverage over 2011 levels.

The IIA remains convinced that assurance over risk management will be a key imperative for our profession in the decade ahead. In fact, we are so convinced that we launched the Certification for Risk Management Assurance​ (CRMA) in late 2011. This certification is designed to afford internal auditors worldwide the opportunity to demonstrate their proficiency in providing assurance on risk management effectiveness. The response has been amazing! More than 4,000 internal audit professionals worldwide have added CRMA to their resumes/CVs in the past year. By the end of 2012, it is likely to be The IIA’s second most widely held certification, behind only the CIA.

So why aren’t chief audit executives, who play a major role in setting internal audit priorities, embracing the challenge and leveraging all of the newly qualified resources? I still believe it is a matter of their “comfort zones.” This has simply not been a priority for the profession in the past, and many CAEs don’t feel comfortable raising their hands to take on a new role. It should also be noted that boards and management are not clamoring for internal audit to assume this new role either. Perhaps with a better awareness campaign on the part of CAEs, more demand would present itself. Either way, a comprehensive risk assessment in the annual/continuous internal audit planning process should highlight the gap in risk management assurance coverage.

It’s ironic that all of this is coming at a time when internal auditors are clamoring for a “seat at the table.” It is argued that such a “seat” will afford internal auditors a better understanding of key business and strategic risks. Perhaps it was bit harsh, but I couldn’t help but smile when noted thought leader, Norman Marks, recently observed on Twitter that “internal auditors who don’t provide assurance on risk management deserve a seat at the ‘children’s table.’” Ouch!

I have shared my thoughts on this important topic. I welcome yours.