The Evolving Role of Internal Audit in Risk Management

Risk is inherent in any business — without risk, there is no reward.
The last two years, however, have sharply intensified the focus
of organizations on their risk profile and how they are managing

One of the critical elements of a robust risk management system
is an internal audit department that has a well-defined charter,
supports the identification and monitoring of risks, and carefully
allocates its resources to give the highest value to the organization.

There is no “best” way to operate an internal audit department;
the charter and execution of the internal audit function must be
tailored to each organization. However, every organization should:
- Carefully consider how it staffs its department
- Determine if it has the appropriate talent and resource levels
to monitor risks
- Develop an execution strategy that can evolve as the organization
and its risk profile change over time
- Do all of this in the context of our challenging financial times

Sourcing of Internal Audit

Internal audit functions can be sourced in a variety of ways. Perhaps
the most common are:
- Employee-Based Model – All members of the internal audit department
are employees of the company.
- Co-Sourced Model – The Chief Audit Executive and many members
of the internal audit department are employees, but contractors
are used for specific projects, skill sets or geographic locations.
- Outsourced Model – An employee performs the Chief Audit Executive
role, but all other resources are contracted to an outside firm.

Based on the results of surveys returned by over 9,000 respondents
from 91 countries, the Institute of Internal Auditors Research Foundation
published “A Global Summary of the Common Body of Knowledge 2006”
in 2007. The survey concluded:
- The typical internal audit organization is relatively small,
with 44 percent of those organizations surveyed having two to
five general audit staff members.
- Sixty-one percent of organizations are required by law or regulation
to have an internal audit function.
- Seventy percent of respondents outsource at least some of their
- Approximately 18 percent outsource 20 percent or more of their
- Less than 5 percent outsource 60 percent or more of the internal
audit work at their company.

One of the reasons that internal audit organizations use at least
some contract help is the need for specialized skill sets to effectively
audit some portions of their organization. This is especially true
in areas that are seasonal, complex, highly automated and/or dependent
on information technology internal controls. Hiring and retaining
these specialized personnel, and then providing a career path for
them, is difficult, especially for small organizations. Having a
relationship with an outside audit provider allows access to these
skills for the time needed, and may provide specialized skills at
a more reasonable cost than trying to maintain them in-house.

Another reason that some audit organizations look to outside help
is for specialized tools. The use of methodologies and tools tailored
to the situation can lead to both more effective and efficient audits.
Developing these in-house may be prohibitively expensive.

In some situations, it may be perceived that outside professionals
bring a special degree of independence or expertise that lends credibility
to the findings of the internal audit group.

Finally, the ability to expand and contract the staff almost at
will through sourcing contracts allows an organization to use outsourcing
or co-sourcing to help manage budgets. In today’s economy, outsourcing
or co-sourcing may allow a company to maintain an audit function,
while simultaneously reducing costs until the economic outlook improves.

Key Questions for CEOs to Ask About Risk Governance and Internal
- Do I know what key risks (financial, operational, regulatory,
contractual) my organization faces?
- Has the performance of the company been negatively impacted
by a risk that was not anticipated?
- Does the internal audit plan focus resources on the identified
risks? Does internal audit reallocate resources to emerging risks
- Does the internal audit department have the specialized resources
needed to audit new technologies, complex areas or new business
- Is there a better way to staff the internal audit department
in light of budget constraints?
- Does the internal audit department have the tools it needs to
do its work?
- Does the internal audit department understand the digital risks
the company is facing?
- Have changes in information systems been adequately reviewed
to make sure that adequate internal controls remain in place within
- Do management and the board get adequate communication from
the internal audit department?
- Is the risk appetite adequately defined and monitored?
- Are red flags occurring in business operations that need additional
- Have findings from prior internal audits been corrected and
incorporated into the risk governance process as appropriate?
- Does the risk identification and monitoring system look at
emerging risks — not just those that are well-known?