In the sixth blog in our series on independent assurance, Tony and John discuss the importance of reporting to the board and management, and why the speed and completeness with which audit findings are cleared are a strong indicator of a firm’s risk culture. Operational risk software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Having established the plan and put it into action, it is internal audit’s job to report its progress and any significant issues to the board and to senior management for action. Auditors must be ready to report issues that fall outside the standard, agreed framework and, if they have something especially sensitive to report, there must be a clear line of communication from them to whoever is appropriate: the chairman, the chair of the audit committee or the senior independent non-executive director.
To be an effective part of the risk management process, audit reports should be prompt and concise, with issues prioritised according to their materiality and significance. Reporting is not a comprehensive exercise in blame avoidance, but a pointer for the board and management to take action. As with so much risk management activity, there is little point in doing it unless it results in action.
Reporting to the board, audit committee or other committees should include:
- Significant control weaknesses, including robust root cause analysis
- Thematic issues identified across the organisation
- Independent view of management’s reporting on the risk management of the organisation
- A review of the relevant controls if a significant adverse event has occurred, including lessons learned
- An assessment of the overall effectiveness of governance and of the risk and control framework, and of whether or not the risk appetite framework is being adhered to.
Once internal audit’s recommendations are accepted as action points by management, it is then the role of internal audit and the board to monitor whether they are completed satisfactorily and on time. The speed and completeness with which audit queries are cleared are a powerful key risk indicator of the firm’s risk culture.
It is also good practice for internal audit, apart from its regular reports to the audit committee, to report to the board at least annually, not just to give an overview of its activities and performance against objectives, but to provide a ‘state of the union’ message setting out its view of the risk and control environment within the firm.
In our next blog Tony and John discuss internal audit as a consultant and how to handle investigations.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on firstname.lastname@example.org