Corporate Compliance Insights

Reinventing Internal Audit, Part 2

by Tim Leech
May 22, 2015

This article was reprinted with permission from the April 2015 issue of Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., InternalAuditor.org.

Read Part 1 here.

Implications for Internal Auditing

The changes described are causing regulators, Boards and senior executives to reconsider and reshape what they want and expect from internal audit. What once constituted fine, even laudable deliverables from internal audit in the minds of many Boards, C-level executives and regulators is being reshaped by increasing expectations that internal audit play a key role in helping Boards demonstrably oversee management’s risk appetite and tolerance.

Risk Reporting

The FSB has defined roles for the Board, senior management and internal audit that call for a fundamental accountability shift — a shift that would require management to continuously assess and report upward on risk status. Moreover, it would require internal audit to help management build and maintain systems for this purpose, as well as assess and report opinions to the Board on how well management is discharging its assigned risk governance responsibilities. This new paradigm requires fundamental shifts in existing internal audit educational resources. The IIA modified its Performance Standard 2120: Risk Management in 2010 specifically to provide support for the shift, and in 2012 it also began offering the Certification in Risk Management Assurance designation globally.

Internal audit departments that aren’t doing so already need to evolve beyond the business of performing traditional, point-in-time, direct-report audits and providing subjective opinions on “control effectiveness” for a small percentage of their organization’s total risk universe. Instead, they need to focus substantially more resources on providing assurance to Boards that senior management is creating and maintaining what is increasingly being referred to as an effective risk appetite framework.

Educating the Board

Regulatory, director, senior management and common law expectations are likely to evolve at varying speeds and intensity in different countries. Not all senior management and Board members have been actively following the evolution of these expectations, and not all national regulators — including the U.S. Securities and Exchange Commission — have codified risk governance expectations with the clarity and simplicity of the 2014 UK Corporate Governance Code to spur the needed transition. Moreover, not all CEOs and Chief Financial Officers are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on enterprise residual/retained risk status to their Boards, especially those outside the financial services industry, on which the FSB framework is focused.

Some CEOs may be particularly upset with the FSB recommendation that internal audit report to Boards on the reliability of the organization’s risk appetite frameworks and especially so with the recommendation that CEO/senior management report to the Board on enterprise risk status.

Nonetheless, internal audit needs to ensure Boards and senior management are aware of these developments and the global push to hold Boards and the C-suite more accountable for overseeing management’s risk appetite/tolerance.

New Competencies

If internal auditors are to assume the type of responsibilities defined by the FSB, the Financial Reporting Council and other national regulators that elect to follow the UK’s lead, they must retool their knowledge and skills. Instead of emphasizing opinions on control effectiveness, internal auditors must be able to assess and report on the reliability of management’s risk appetite framework, including CEO/management reports to the Board on enterprise retained/residual risk status. Making this transition involves learning the type of vocabulary defined by the FSB in its guidance, Principles for an Effective Risk Appetite Framework, and the International Organization for Standardization’s ISO 31000 and ISO Guide 73.

Internal auditors should also monitor closely the enterprise risk management framework update currently under development by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), scheduled for completion in late 2016. One of COSO’s stated reasons for the update is to respond to escalating risk governance reporting requirements.

Auditors will also need to gain the knowledge and skills required to identify the organization’s full range of risks and risk treatments linked to key objectives and to obtain a picture of residual risk status — as opposed to the much narrower strategic and foundational objectives is currently within the Board and senior management’s risk appetite and tolerance — assuming internal audit has been provided with enough information from the Board and C-suite to take on this task. Internal audit can also play a key role in alerting Boards to risk acceptance situations that warrant active discussion with senior management and the Board.

The Need for Change

Quantum change in the current internal audit paradigm will be needed to address shifting client and regulatory demands. And, while human nature is to resist radical change in favor of smaller, more incremental steps, meeting these demands will require internal audit to adapt quickly. The well-known adage “necessity is the mother of invention” applies well to current circumstances: the internal audit profession needs to reinvent itself to satisfy key customers — particularly Board members. Change of this magnitude constitutes no small task to be sure, but it’s imperative for ensuring the future of the profession.

Click here for a preview of Tim Leech’s presentation this summer at The IIA’s 2015 International Conference.


Tim J. Leech, FCPA, CIA, CFE, CRMA, is Managing Director at Risk Oversight Solutions Inc. Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating Board risk oversight expectations and add real value. He has more than 25 years of experience in the Board risk oversight, ERM, internal audit and forensic accounting fields, including expert witness testimony in civil and criminal proceedings and global experience helping public and private sector organizations with ERM and internal audit transformation initiatives and the design, implementation and maintenance of integrated GRC/ERM frameworks. Leech has provided training for tens of thousands of public and private sector Board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the U.S., the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. His newest breakthrough methodology, “Board & C-Suite Driven/Objective Centric ERM and Internal Audit,” has been licensed by the IIA for global deployment starting in the fall of 2014 and his article “Reinventing Internal Audit,” featured in the April 2015 issue of Internal Audit, has received global recognition.
