In the second in our series of blogs about independent assurance in risk management, Tony and John explain why you need it. Operational risk software can be key to supporting this discipline.
Taken from: Mastering Risk Management
In order to fulfil its function, internal audit must be functionally independent from the activities it audits. Clearly it must be independent of the business lines and unrestricted in its role. While it may have a direct line to the CEO or CFO for pay and rations, it should not report to a functional executive. Nor should the head of internal audit report to the CRO. Since internal audit is required to provide assurance on the risk management process, reporting to the CRO presents an obvious conflict of interest. That conflict is not resolved by dotted-line reporting elsewhere. Dotted lines are often a fudge and mean that there is no clear accountability. Even worse are dual lines. They are a cop-out. Delete them.
The head of internal audit should report to the chair of the audit committee, a non-executive director. The point of reporting to the non-executive directors is that internal audit must have a direct functional line to those who are there to oversee management and to assess the firm independently and objectively on behalf of shareholders.
The approach of an audit committee should be trust, with verification. Internal audit provides that independent verification. Reporting to the audit committee will protect internal audit’s organisational independence and objectivity. If internal audit reports to the CFO, or another senior executive, its independence is immediately called into question.
Maintaining independence is easier said than done, especially in the face of some regulatory demands. The Sarbanes-Oxley legislation in the USA, for instance, requires independent verification of information and senior management sign-off. Ideally, an independent team should fulfil this function. There is a danger that if internal audit provides the independent verification of the information, it may be seen as effectively the ‘owner’ of the information rather than management. That presents an immediate conflict with the need for internal audit to be independent of the design, inputs and outputs of the process so that it can provide appropriate assurance.
From a risk perspective, internal auditors will normally provide assurance on:
- Risk governance and the risk management processes from board level down, looking at their design and how well they are working
- The risk appetite framework and whether breaches in the framework, the risk appetite statement and risk limits are being appropriately identified, escalated and reported
- The management and oversight process for risks, including the effectiveness of controls and other responses to them
- The accuracy and reliability of the components of the risk assessment and reporting process.
While management, and especially those providing risk management oversight, will challenge the accuracy of risk assessments provided by the business, there needs to be an independent review to ensure the reliability and robustness of the assessment process, including data inputs, assumptions and outputs.
There is no single method, partly because the nature of assessment processes, especially with non-financial risk, is so varied. Assurance concerns all aspects of the process. It tests processes to ensure that information is complete, accurate and valid. In this context, ‘valid’ means that the information is genuine and not fictitious.
A good example is the auditing of scenarios. Scenarios rely on judgemental and expert decisions, so independent review plays a key role in assessing the process. Here are some of the qualitative questions that could be asked about the process:
- Were all the right people involved in the scenario identification and assessment?
- Challenge by risk managers and others is an important part of the process, but were the challenges consistent across the various scenarios?
- Since they involve a significant degree of subjective judgement, scenarios are notoriously open to human biases. Have these been adequately considered and mitigated?
- Have all the causes, events and consequences been included, and included appropriately?
- Has the process been adequately documented, so that it could be replicated in a consistent manner?
In summary, business line management creates the scenarios and assumptions; risk management challenges the assumptions made in the scenarios and the outcomes; internal audit provides assurance on the process and the process by which the assumptions are derived.
In our next blog Tony and John discuss the relationship between internal and external assurance.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on email@example.com