When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management.
IIA Standard 2600
The topic of risk appetites goes to the heart of the relationship between the board, management, and the internal auditor. The board sets a so-called risk appetite, which management subscribes to by installing suitable controls to contain risk. Meanwhile, the internal auditor will furnish objective reports on the system of internal control. These audit reports will review the extent to which residual risk, after taking account of controls, is acceptable, and that in turn means whether this risk falls in line with the defined risk appetite. This dependency cycle is extremely important and hinges on respective perceptions of risk appetite. Bearing this in mind, Sawyer has already set the challenge for the internal auditor:
Every entity is subject to its own inherent risks and the internal auditor should catalogue them for use in risk assessment. The internal auditor's position as part of the organization offers an opportunity to observe inherent risks over an extended time period. The internal auditor should be aware of the differing inherent risks present in different parts of the organization.1
The challenge, then, for the audit world is simple: to help get ERM in place and working well. In the words of the standard:
The internal audit activity ...