Redefining the Role of Internal Audit, Continuation 2

Article Reprinted from Internal Auditor Magazine's April 2015 Issue, Published by The Institute of Internal Auditors

Redefining the Internal Audit Process, Continuation

Shifting the Internal Audit Paradigm: Adapting to Evolving Risk Governance Expectations

The world of business is witnessing a significant shift in the role of internal auditors, as they are being called upon to adapt to new responsibilities in managing and reporting on risk. This transformation, while challenging, is essential for the future of the internal audit profession.

The Financial Stability Board (FSB) has outlined new roles for Boards, senior management, and internal audit, requiring a fundamental change in accountability. The FSB framework calls for internal audit to assess and report opinions to the Board on how well management is discharging its assigned risk governance responsibilities.

Not all CEOs and Chief Financial Officers may welcome this direct responsibility for creating and maintaining effective risk appetite frameworks, and providing formal and candid reports on enterprise residual/retained risk status to their Boards. However, the need for this change is clear.

Internal auditors need to retool their knowledge and skills to assess and report on the reliability of management's risk appetite framework. This includes gaining the knowledge and skills to identify the organization's full range of risks and risk treatments linked to key objectives and obtaining a picture of residual risk status.

The Institute of Internal Auditors (IIA) has already begun this shift, modifying its Performance Standard 2120: Risk Management in 2010 to support this change. The IIA also began offering the Certification in Risk Management Assurance designation globally in 2012.

The focus of internal auditors should shift from opinions on control effectiveness to assessing the reliability of management's risk appetite framework and enterprise risk status reports. This requires internal audit departments to evolve beyond traditional, point-in-time, direct-report audits and focus more on providing assurance to Boards about senior management creating and maintaining an effective risk appetite framework.

Meeting these demands requires internal audit to adapt quickly, as the internal audit profession needs to reinvent itself to satisfy key customers, particularly Board members. Regulatory, director, senior management, and common law expectations may evolve at different speeds and intensities in different countries.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is developing an update to the enterprise risk management framework, scheduled for completion in late 2016, which internal auditors should monitor closely.

The need for data governance may become more important in the context of evolving internal audit responsibilities.

Not all senior management and Board members have been actively following the evolution of these expectations, and not all national regulators have codified risk governance expectations with the same clarity as the 2014 UK Corporate Governance Code. However, internal auditors can play a key role in alerting Boards to risk acceptance situations that warrant active discussion with senior management and the Board.

The responsibility for the development and publication of the HIPAA (Health Insurance Portability and Accountability Act) privacy law was assumed by the U.S. Department of Health and Human Services (HHS) as part of the U.S. federal legislation framework. The law covers protected health information and dictates standards for notification and privacy related to healthcare data.

This quantum change in the current internal audit paradigm is needed to address shifting client and regulatory demands. It constitutes no small task, but it's imperative for ensuring the future of the internal audit profession. Internal auditors must learn the vocabulary defined by the FSB in its guidance, Principles for an Effective Risk Appetite Framework, and the International Organization for Standardization's ISO 31000 and ISO Guide 73 to navigate this new landscape.
