Over the past several decades, the spotlight on corporate governance has intensified as organizations realize the criticality of managing risk and making well-informed, strategic decisions. But despite widespread adoption and implementation of corporate governance models, the health of corporate governance isn't where it should be, according to a recent study from The IIA. OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk investigates how far the three main pillars of corporate governance--executive management, the board, and internal audit--are aligned when it comes to understanding and managing risk. The report uncovers a pervasive lack of communication and coordination among those groups in key risk areas organizations are likely to face in 2020 and beyond (see "Key Findings" on page 24).
Boards were found to be more confident than executive management that their businesses are capable of addressing threats in nearly every one of the 11 risks examined. Moreover, internal audit and the board share similar views on their organizations' level of risk management maturity, generally rating those capabilities higher than executive management in most areas. And while the findings highlight a troubling disconnect among the three groups surveyed, they also point to opportunities for internal auditors to help bridge knowledge gaps among the organization's key decision-makers.
LACK OF ALIGNMENT
Worryingly, most businesses lack alignment around the knowledge and capabilities needed to address risk. Jim Pelletier, The IIA's vice president, Professional Standards and Knowledge, says that finding should be ringing alarm bells across corporate America. Given that the C-suite is responsible for the day-to-day management of risk and for setting a strategy to cope with those threats, their consistently more pessimistic view of their organization's capacity to do so effectively is likely to be in touch with the realities on the ground.
"What the report really points out is that internal audit is not playing the critical role it ought to play," Pelletier says. "Boards should, of course, rely heavily on management, but relying on management alone is incomplete. Boards need to turn to a source independent from management--internal audit--for assurance that the information they are receiving is complete, accurate, and reliable." While failure to do so could indicate lack of maturity of the internal audit function's role--the survey found one-third of organizations have no systematic approach to risk management--it also suggests the benefits an independent audit function can bring are not understood by the board.
While IIA surveys confirm that most internal audit functions report administratively to the audit committee, the reality, according to Pelletier, is that many audit committees are shirking their oversight responsibilities and pushing internal audit down in the organization. Boards that allow this to happen, he adds, are missing the critical perspective that a correctly placed, well-resourced audit function can provide.
"When the board is clear that it wants a strong, independent internal audit function that can look across the organization and ensure it is getting all of the information it needs for good decision-making, it won't get that from an audit function that is simply there to take care of complying with the requirements of the U.S. Sarbanes-Oxley Act of 2002," Pelletier says. "Boards are missing out on the opportunity to leverage internal audit as a tool to help them become stronger."
Many survey respondents played down...