He needed to know more than whether a control was passing or failing. He needed to understand how big a risk a failing control was, whether management knew about it and what they’re doing to fix it.
Summary: Senior executives should encourage their Internal Audit function to provide a three-dimensional perspective of risk that includes control ratings, inherent risk and management preparedness.
When Gerry Dixon, Ernst & Young’s Global Risk Leader, visited one of his clients recently, he heard a familiar complaint. The CFO knew that his Internal Audit function was doing a good job overall, but it needed to place the information it was giving to members of the C-suite and the Audit Committee in a better context.
“The internal controls information Internal Audit was providing wasn't enough for the CFO to truly gauge the health of the organization,” he said. “He needed to know more than whether a control was passing or failing. He needed to understand how big a risk a failing control was, whether management knew about it and what they’re doing to fix it.”
Our new series, 5: insights for executives, explores five questions regarding Internal Audit:
- Why the push for internal control ratings?
- What does a three-dimensional control ratings approach consist of?
- Why consider a three-dimensional control ratings approach?
- What needs to happen to make it work?
- What's the bottom line?
