Internal audit and risk management

The results from my recent survey (thanks to the 75 internal audit practitioners who responded) are interesting. (You can see the results of the earlier survey here.)

First, I will review the answers about auditing risk management.

Q1: Does your internal audit function audit the organization’s management of risk?

62 (83%) indicated that they do, in one form or another. That’s good news.

Skipping the next two for a moment:

Q4. If you audit risk management, which of these is your approach? Check all that apply.

  • 37 (50%) said “We assess whether risk management practices meet the needs of the organization for decision-making”. That is my favorite answer.
  • 42 (56%) audit compliance with policies and procedures. Maybe necessary, but not sufficient IMHO.
  • 29 (39%) assess the accuracy of management’s risk reporting. I have an issue with this if internal audit is seen as knowing better than management what the level of risk is. It’s also a moving target, so I would have to see what these functions are doing.
  • 22 (29%) use a maturity model. I like this approach and included one in Risk Management for Success.
  • 36 (48%) use a standard or framework:
    • 16 use the ISO 31000 risk management standard
    • 13 prefer…
