This article was reprinted with permission from the April 2015 issue of Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., InternalAuditor.org.
Read Part 1 here.
Implications for Internal Auditing
The changes described are causing regulators, Boards and senior executives to reconsider and reshape what they want and expect from internal audit. What once constituted fine, even laudable deliverables from internal audit in the minds of many Boards, C-level executives and regulators is being reshaped by increasing expectations that internal audit play a key role in helping Boards demonstrably oversee management’s risk appetite and tolerance.
Risk Reporting
The FSB has defined roles for the Board, senior management and internal audit that call for a fundamental accountability shift — a shift that would require management to continuously assess and report upward on risk status. Moreover, it would require internal audit to help management build and maintain systems for this purpose, as well as assess and report opinions to the Board on how well management is discharging its assigned risk governance responsibilities. This new paradigm requires fundamental shifts in existing internal audit educational resources. The IIA modified its Performance Standard 2120: Risk Management in 2010 specifically to provide support for the shift, and in 2012 it also began offering the Certification in Risk Management Assurance designation globally.
Internal audit departments that aren’t doing so already need to evolve beyond the business of performing traditional, point-in-time, direct-report audits and providing subjective opinions on “control effectiveness” for a small percentage of their organization’s total risk universe. Instead, they need to focus substantially more resources on providing assurance to Boards that senior management is creating and maintaining what is increasingly being referred to as an effective risk appetite framework.
Educating the Board
Regulatory, director, senior management and common law expectations are likely to evolve at varying speeds and intensity in different countries. Not all senior management and Board members have been actively following the evolution of these expectations, and not all national regulators — including the U.S. Securities and Exchange Commission — have codified risk governance expectations with the clarity and simplicity of the 2014 UK Corporate Governance Code to spur the needed transition. Moreover, not all CEOs and Chief Financial Officers are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on enterprise residual/retained risk status to their Boards — especially those outside the financial services industry — on which the FSB framework is focused.
Some CEOs may be particularly upset with the FSB recommendation that internal audit report to Boards on the reliability of the organization’s risk appetite frameworks and especially so with the recommendation that CEO/senior management report to the Board on enterprise risk status.
Nonetheless, internal audit needs to ensure Boards and senior management are aware of these developments and the global push to hold Boards and the C-suite more accountable for overseeing management’s risk appetite/tolerance.
New Competencies
If internal auditors are to assume the type of responsibilities defined by the FSB, the Financial Reporting Council and other national regulators that elect to follow the UK’s lead, they must retool their knowledge and skills. Instead of emphasizing opinions on control effectiveness, internal auditors must be able to assess and report on the reliability of management’s risk appetite framework, including CEO/management reports to the Board on enterprise retained/residual risk status. Making this transition involves learning the type of vocabulary defined by the FSB in its guidance, Principles for an Effective Risk Appetite Framework, and the International Organization for Standardization’s ISO 31000 and ISO Guide 73.
Internal auditors should also monitor closely the enterprise risk management framework update currently under development by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), scheduled for completion in late 2016. One of COSO’s stated reasons for the update is to respond to escalating risk governance reporting requirements.
Auditors will also need to gain the knowledge and skills required to identify the organization’s full range of risks and risk treatments linked to key objectives and to obtain a picture of residual risk status — as opposed to the much narrower strategic and foundational objectives is currently within the Board and senior management’s risk appetite and tolerance — assuming internal audit has been provided with enough information from the Board and C-suite to take on this task. Internal audit can also play a key role in alerting Boards to risk acceptance situations that warrant active discussion with senior management and the Board.
The Need for Change
Quantum change in the current internal audit paradigm will be needed to address shifting client and regulatory demands. And, while human nature is to resist radical change in favor of smaller, more incremental steps, meeting these demands will require internal audit to adapt quickly. The well-known adage “necessity is the mother of invention” applies well to current circumstances: the internal audit profession needs to reinvent itself to satisfy key customers — particularly Board members. Change of this magnitude constitutes no small task to be sure, but it’s imperative for ensuring the future of the profession.
