
Q&A: Board driven internal audit and ERM: next generation assurance

Are we saying the internal audit dept. is losing value?



My analysis is that if internal audit continues to perform traditional direct report
audits and provide subjective opinions on control effectiveness they are not providing
what their primary client, the board, needs to discharge their responsibility to oversee
management's risk appetite and tolerance. This means they risk becoming
increasingly irrelevant.

Can you please provide some practical examples of residual/retained risks that
IA or ERM is not considering?

Currently it's my experience that few internal audit departments complete formal risk
assessments on their company's top strategic objectives. I am currently working
with a London financial services firm on a risk assessment of a publicly stated
objective of producing long term returns to shareholders 5% above specified market
indices. In traditional IA areas like reliable financial statements I see few IA
departments that are reporting to boards on the income statement/balance sheet/notes
with the highest composite retained risk positions.

Do you ever see the IIA adopting something akin to the approach to board
driven / objective centric internal audit and ERM that you're outlining here? IA
depts. will be driven by the standards and approaches handed down by IIA.

It's true that the IIA standards are still largely founded on the traditional direct
report/subjective opinions on control effectiveness paradigm. This is changing but
very slowly. The new IIA IPPF Standard 2120 requiring IA report on effectiveness of
risk management processes in totality and the launch of the CRMA certification are
positive developments. Richard Chambers and the new IIA Chair Paul Sobel are
both calling on the profession to change but it's true the majority of standards are still
largely supportive of status quo IA approaches. The IIA has provided me with
opportunities to present board driven/objective centric IA paradigm at conferences
and via webinars. I am cautiously optimistic the IIA will officially recognize that
traditional IA approaches are not well suited to meet emerging board risk oversight
expectations. I encourage you to view the Oct 8 2013 IIA webinar I presented. It can
be found at: http://bit.ly/1gIueQk

Are there any successful large organisations that do not practise risk
management?

Many organizations that have suffered debilitating losses were considered by many
to be successful before the event(s) occurred. All organizations manage risk. The
challenge today is to be able to demonstrate to a third party that the company and
the board have effective risk management and governance. Surveys and my own
observations suggest there is a lot of room for improvement. Watch for a new
Conference Board Director Notes article that I am working on with Parveen Gupta.
It's scheduled for release in December. A draft can be downloaded from
www.riskoversight.ca.



How can we reduce the business risk in Call Centre or Web Based Marketing
Industry in Companies Like Digital Globe Services Inc.?

Although a lot of the focus has been on reforms in the financial services sector I believe
all for profit and not for profit sectors would benefit from the approach to ERM and
internal audit we are promoting.

Should head of internal audit attend board of director meetings?

I don't believe a CAE should attend all board meetings but should definitely provide
regular reports to the company's board.
