CNBC Profiles Internal Audit & Risk Management Practices

Earlier this week, the Institute of Internal Auditors’ Richard Chambers was interviewed by CNBC on the evolving nature of risk management practices in light of the recent financial crisis. Mr. Chambers emphasized the need for corporate boards to set the risk appetite and work with management as well as the internal auditors to monitor the level of risks. In addition, he noted that compensation programs still need to be improved such that risk metrics are included in pay determination.


Who Is Really to Blame?

Yesterday, the infamous Jerome Kerviel was sentenced to three years in prison and ordered to repay the estimated €4.9 billion that the French financial institution Société Générale lost as a result of his failed derivative trades. What is surprising to many who have weighed in on the verdict is that sole blame for the massive losses has been placed on the young trader. Here’s one common view as reported in the New York Times.

“It’s a whitewash,” Bradley D. Simon, a white-collar criminal defense attorney at Simon & Partners in New York who specializes in securities and bank fraud, said of the verdict. “The evidence does not support absolving the bank completely,” he said. “This was a lot larger than Kerviel.”

Société Générale had admitted to management failures and weaknesses in its risk control systems. An internal audit published in May 2008 described Mr. Kerviel’s immediate supervisors as “deficient” and acknowledged that the bank had failed to follow through on at least 74 internal alerts about Mr. Kerviel’s trading activities dating to mid-2006.

While an appeal of the verdict is virtually guaranteed, the larger question remains: how can an unfortunate situation like this one be prevented in the future? The answer certainly begins with stronger risk and control programs, as demonstrated by the numerous weaknesses found at Société Générale.

The Quality of Internal Auditing is Critical

Over the past decade, great emphasis has been placed on determining the quality and effectiveness of risk and control programs. It started with Sarbanes-Oxley compliance and has gained new meaning and momentum as a result of the financial crisis of 2008.  However, as is often said, beauty is in the eye of the beholder. In this case, the beholder is often the Internal Audit (“IA”) function since the evaluation of the quality and effectiveness of the risk and control program typically rests with the Internal Audit function within a company. So, to ensure that your company is performing a quality evaluation, your company must have a solid understanding of the quality of its IA function.

Best practice dictated by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years.  A more frequent assessment may be considered if significant changes have occurred to impact how the IA function performs its responsibilities – e.g. change in IA leadership and/or oversight, change in IA methodology, significant merger and/or acquisition, etc.

The quality assessment should address the following objectives:

  1. Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.
  2. Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.
  3. Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.

In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:

  1. The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).
  2. The entity’s control environment and the CAE’s audit practice environment.
  3. The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.
  4. The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.
  5. The International Standards for the Professional Practice of Internal Auditing.
  6. The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.
  7. The tools and techniques employed by the department, with emphasis on the use of technology.

The final key element is often the one that receives the least focus, but it can yield the greatest benefit to the IA function and the company as a whole. By automating IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operation and risk profile. Open Pages’ Internal Audit Management solution is a great example of a solid platform that can support a high quality IA function.

If you are interested in learning more about conducting an IA quality assessment for your company, please email us at

Internal Audit is a Key ERM Component

In a recent webinar for the Institute of Internal Auditors, John A. Wheeler from Wheelhouse Advisors provided a view of the role that internal auditors should play in the development and sustainment of a company’s Enterprise Risk Management (“ERM”) program. One of the main points from the webinar was that internal auditors must help management look forward to emerging risks rather than reacting to current loss events. In the current environment, internal auditors are uniquely qualified to guide management in this direction. A recent report on the state of the internal audit profession by PricewaterhouseCoopers confirms this view. Here is what they had to say.

To provide the greatest value, internal audit departments, as well as a company’s risk management function, should strive to anticipate and monitor the risks that are truly relevant to the success of the business. As previously noted, the strategic and business risks that have recently led to breathtakingly rapid drops in shareholder value have caught even the most sophisticated risk management functions by surprise. Now more than ever, companies need an objective evaluation of, and additional assurance over, their enterprise risk management functions. The forward-thinking internal audit leader will want to consider the following:

• Board members, shareholders, regulators, and rating agencies have questioned internal audit leaders about their risk management evaluation capabilities. Successful departments have the answers and play an important role in the company’s overall ERM process.

• In 2008, S&P began to formally review ERM programs and consider risk management capabilities in their credit-rating process, putting this topic on the table with boards, CEOs, CFOs, and treasurers. With risk at the center of company creditworthiness, internal audit leaders—given their knowledge of risks and controls—should be part of the solution.

• Many companies have established risk committees to lead enterprise risk management efforts. This sets up a new constituent that requires internal audit leadership attention.

Internal audit will increasingly have a place at the table when it comes to identifying and managing risk within the organization. In broadening the scope of its activities beyond financial and compliance risks, internal audit can also demonstrate value by enhancing the organization’s enterprise risk management function.

Internal audit should, therefore, align its efforts with the company’s changing risk profile, especially those strategic, operational, and IT risks that are integral to shareholder value. If properly aligned, internal audit leaders will be in a position to provide assurance over the risks that are most relevant to the company, as well as to provide assurance over the company’s ERM function itself.

Wheelhouse Advisors can help your internal audit group build a risk assessment framework and audit program to ensure your ERM efforts are solid.  Visit to learn more.


ERM Skills in Short Supply

A recent survey of internal audit executives by Ernst & Young indicates that companies may need more help with monitoring enterprise risks.  As noted in a recent article, the survey results are attributed to the excessive focus on internal controls over financial reporting by internal audit organizations.  Here is an excerpt from the article regarding the survey results.

Only 17 percent of respondents to the recent survey rated their current team’s skill at enterprise risk assessment as “very competent.” Just 19 percent said the same for fraud detection, 22 percent for use of technology and analytics, and 39 percent for business process improvement.  More than a third of respondents said it was “very difficult” to recruit people skilled at enterprise risk assessment. 

While some may view the survey results skeptically due to the fact that Ernst & Young is a provider of services related to the weaknesses, the Institute of Internal Auditors (“IIA”) concurs with the findings.  

enterprise risk assessment, fraud detection, use of technology and analytics, and business process improvement — “should be absolutely fundamental and core to any internal auditor who is trying to take his job seriously,” Dominique Vincenti, chief advocacy officer for the IIA, said.  “But we did not have a focus on those competencies over the past few years. We’re suffering from a lack of supply.”

Wheelhouse Advisors offers cost-effective enterprise risk management solutions and can help your internal audit organization climb the learning curve quickly.  Visit to learn more.