
A risky promotion: an expanded role for the CAE threatens to compromise internal auditing's independence.


Joe was recently promoted to chief audit executive (CAE) at Wemakit Corp., a large manufacturing and wholesale firm with nearly US $2 billion in annual revenue. He believes the organization has much to gain from eliminating its functional silos and adopting an entitywide view of risk.

At the chief executive officer's (CEO's) request, Joe initiated a discussion of enterprise risk management (ERM) at an executive retreat. Although everyone in attendance acknowledged the potential value of ERM, no one was willing to champion an ERM project. Joe subsequently volunteered to lead the project himself and later drafted a proposal for developing the program. With support from the other executives, he received the audit committee's approval to proceed.

Joe began the project by sending a survey to managers at all levels, asking them to identify what they considered the major strategic, operational, financial, and compliance risks facing their respective areas and the organization at large. With the help of his 11 staff members and two audit managers, Joe analyzed the data and condensed it into a risk framework with approximately 35 categories. After some validation and refinement, this framework became the organization's official risk model.

Using the new model, Joe facilitated an executive-level workshop to identify the company's top 10 risk areas and determine how each of these risks was managed. In a follow-up workshop, the executives evaluated this information, identified opportunities to better coordinate risk management activities, and developed action plans. The CEO asked Joe to report these results to the audit committee and monitor action plan implementation. In addition, Joe and his staff began facilitating workshops at lower levels using the same technique.

After seeing preliminary results from the ERM effort, the CEO asked Joe to create and assume the position of chief risk officer (CRO), in addition to continuing his duties as CAE. The move would involve a considerable salary increase, as well as a more prestigious title. Joe is tempted by the offer, but he's afraid that accepting the increased responsibility would compromise his independence. Plus, members of his staff have reported recently that Wemakit's managers are seeing risk as the domain of internal auditing rather than taking ownership of the risk management process themselves. Joe has also observed this tendency in the workshops he's facilitated. Taking on the role of CRO may reinforce the perception that internal auditing is responsible for managing risk.

What should Joe do? Should he accept the added responsibility? Whether he takes the position or not, what can he do to change management's perceptions about internal auditing's risk responsibilities and get individual managers to assume ownership of the risks in their areas?

JEFFREY RIDLEY, CIA

Professor of Auditing

London South Bank University

Joe should accept the new, combined position. His expanded role would provide an excellent opportunity for internal auditing to add value to the risk management process. Moreover, the board could use this opportunity to restate the audit function's independence and clarify management's responsibility for managing risk in their respective areas of oversight.

Joe and his internal audit staff have already added significant value to the organization's ERM implementation process. As its champion, Joe has ushered the ERM initiative from its beginning stages to the creation of an official risk model and facilitation of executive-level ERM workshops. The internal audit department has demonstrated an ability to master and manage the knowledge required to implement ERM, and the CEO's offer to appoint Joe to lead the company's risk management function is a motivating recognition of both his personal ability and the competence of his audit staff.

If Joe follows The IIA's Professional Practices Framework, part of his role as CAE involves reporting to the board of directors and audit committee any issues or incidents that he feels may compromise internal auditing's independence or resources. His new position should be monitored in the same way. Before accepting the appointment, Joe should inform the audit committee and board that his expanded role may have an impact on his independence as an internal auditor and the resources of the internal audit activity. He should also inform them that the position could affect the degree of ownership management assumes for risk. He should then state his wish to accept the appointment and try to seek assurances from the board that each of his concerns can be addressed. In addition, Joe should request that the board and audit committee explain to all managers that his role as CRO will not alter their personal responsibility to manage risk in their respective operations. All subsequent internal audit engagements and risk workshops should also formally address this issue.

HANS NIEUWLANDS, CIA, RA

Audit Manager

Nuon Assetmanagement

Joe is a victim of his own success. He built awareness for risk management at Wemakit and became the ERM project champion. During this process, he took on increasing responsibilities that could easily conflict with internal auditing's role of providing objective assurance to the board on the effectiveness of risk management.

"The Role of Internal Audit in Enterprise-wide Risk Management," an IIA position statement, clearly indicates the roles internal auditing should not undertake, and many of these would likely fall under the CRO's job description. For example, as CRO, Joe would likely be closely involved in setting the organization's risk appetite, implementing risk responses on management's behalf, and assuming risk management accountability. Internal auditing should not undertake these tasks, as they would impair the function's objectivity and independence. For this reason, the CRO and CAE positions should not be combined. If Joe agrees to serve as CRO, he should resign as CAE.

To change the perception that risk management is auditing's responsibility, Joe should ensure that the ERM action plans are assigned to specific line managers and given implementation deadlines. Progress should be monitored through periodic reports to the top and reflected in management's performance evaluations. In addition, ERM processes should be included in the company's annual business plan cycle. These measures will ensure that managers assume true ownership of the risk management process.

When Joe and his audit team develop their audit plan, they should include a review of action plan effectiveness and adequacy of ERM processes. Joe should also consider outsourcing this audit, at least for the first two years.

KEN TAHMASSEBI

Internal Audit Manager

O'Charley's Inc.

Joe should accept the CRO position. CAEs and their internal audit functions are required to add value by identifying major strategic, operational, financial, and compliance risks throughout the organization. Hence, the CRO role may not be considered an additional responsibility. In fact, to prioritize the audit plan, CAEs must have annual discussions with senior management regarding major risk issues facing the organization. Risks identified must be presented to the audit committee, and in Joe's case, to the CEO as well.

Still, Joe does need to address a few issues. As the CAE of a multi-billion dollar firm, he must preserve his independence from management. If the tone at the top is not strong enough to ensure management takes responsibility for resolving key issues identified by internal auditing, Joe should consider declining the new role.

Joe must seek the CEO's assistance in sending a clear message to management regarding its responsibility for managing risk. Additionally, internal auditing's independence from management must be reinforced, and managers must understand that the auditors are responsible only for identifying entity risks and testing the design and effectiveness of established controls to mitigate those risks. The managers also need to realize that they are responsible for implementing those controls.

To comment on this article, e-mail the editors at eelco.vanwijk@theiia.org.

If you have a case that you'd like a panel of experts to review in the magazine, send it to:

Eelco van Wijk

FedEx Services Inc.

Financial Center of Excellence, Suite 500

1790 Kirby Parkway

Memphis, TN 38138 USA

e-mail: ervanwijk@fedex.com

EDITED BY EELCO R. VAN WIJK AND TIMOTHY R. HOLMES
COPYRIGHT 2006 Institute of Internal Auditors, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation: ASK THE EXPERTS; chief audit executive
Author: Van Wijk, Eelco R.; Holmes, Timothy R.
Publication: Internal Auditor
Geographic Code: 1USA
Date: Aug 1, 2006
Words: 1313