Governance, Strategic Risk, Internal Audit: What Auditors Need to Know

Abstract

According to Richard Chambers, President and CEO of the Institute of Internal auditors (IIA), ideally internal audit should follow the risks. Yet as strategic business risks rank near the top of executive and audit committee concerns, Chief Audit Executives (CAEs) reported that such risks account for only 4 percent of audit plan coverage overall. It is not surprising that strategic risk is top of mind for boards and senior management. As regulators around the world increase expectations, many suggest objective, independent evaluation is a critical component that boards should take advantage of in fulfilling their oversight role. These developments present tremendous opportunity for internal auditors to provide much needed assurance on strategic risk. Taking advantage of this opportunity requires that internal auditors not only apply their expertise in effective risk governance, but also demonstrate their knowledge of strategy, and perhaps more importantly, their understanding of the relationship between risk and strategy. Given the changing landscape of the field of strategy and risk management, some internal auditors may feel that contributing to strengthening this area is beyond their capacity. However many tools are available to support auditors. Developing competency requires not only knowledge of the organization's strategy and associated risks, but also staying current on emerging thinking and best practices in the field of strategy and risk management as well as emerging expectations of regulators and standard setters. Providing assurance on strategic risk is a challenge, however one that is within our grasp through thoughtful, deliberate planning and action.