Why Internal Audit reports to the board are a powerful risk indicator

In the sixth in our series of blogs about independent assurance, Tony and John discuss the importance of reporting to the Board and Management and why speed and completeness is a strong indicator of a firm’s risk culture. Operational Risk Software can be key to supporting this discipline.

Taken from: Mastering Risk Management 

Having established the plan and put it into action, it is internal audit’s job to report its progress and significant issues to the board and to senior management for action. Auditors must be ready to report issues beyond the standard and agreed framework and, if they have something especially sensitive to report, there must be a clear line of communication from them to whoever is appropriate – the chairman, chair of the audit committee or senior independent non-executive director. 

To be an effective part of the risk management process, audit reports should be prompt and concise, with issues prioritised according to their materiality and significance. Reporting is not a comprehensive exercise in blame avoidance, but a pointer for the board and management to take action. As with so much risk management activity, there is little point in doing it unless it results in action. 

Reporting to the board, audit committee or other committees should include: 

  • Significant control weaknesses, including robust root cause analysis
  • Thematic issues identified across the organisation
  • Independent view of management’s reporting on the risk management of the organisation
  • A review of the relevant controls if a significant adverse event has occurred, including lessons learned
  • An assessment of the overall effectiveness of the governance, of the risk and control framework and whether or not the risk appetite framework is being adhered to. 

Once internal audit’s recommendations are accepted as action points by management, it is then the role of internal audit and the board to monitor whether they are completed satisfactorily and to time. Speed and completeness of clearing audit queries is a powerful key risk indicator of the firm’s risk culture. 

It is also a good plan for internal audit, apart from its regular reports to the audit committee, to report to the board at least annually, not just with an overview of its activities and performance against objectives, but to provide a ‘state of the union’ message of its views of the state of the risk and control environment within the firm. 

In our next blog Tony and John discuss internal audit as a consultant and how to handle investigations.  

 Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com 
