Writing a novel was fun, especially as I have been told it is quite entertaining.
But I am back to the more serious business of writing about internal auditing and risk management; this time it is a book about how to audit risk management.
It’s a challenge. Even with my many years of risk management and internal audit experience, as I write I am challenging myself and my previous ideas.
One of those ideas was that internal audit should provide assurance on the effectiveness of risk management’s enterprise risk management processes and controls.
I still believe that.
But there’s a problem.
Risk is everywhere and changing all the time.
It has to be considered in:
- Objective and strategy-setting
- Performance reporting (any time you have forecasts)
- The thousands of strategic and tactical decisions being made all the time
- Top management and board governance and oversight
- Regulatory reporting
It is huge and reminds me of the old joke:
Just as you can’t audit all the internal controls over every single source of risk in a single audit (unless you have a time machine), you can’t audit all of risk management in a single audit.
You need to audit it one bite at a time!
For example, you might have audits of these parts of the elephant:
- Enterprise objective/strategy setting
- The cascading of performance…