Magazine article The Journal of Lending & Credit Risk Management

Auditing Risk Management

Magazine article The Journal of Lending & Credit Risk Management

Auditing Risk Management

Article excerpt

The role of today's internal bank auditor, as defined in a 1996 Joint Policy Statement of the banking regulatory agencies, has expanded to risk overseer. For this to succeed, the auditor must be viewed at once as creative partner and cop on the beat. This month, Ed Furash explores the internal auditor's expanded role and implications for skill sets banks must seek.

Nearly two years ago, federal regulatory agencies issued a joint policy statement on internal control, review, and audit of the risk management process in banks (see sidebar). The statement expanded their expectations as to the role of internal and external auditors in monitoring and evaluating a bank's risk. Some banks have responded by putting internal audit in charge. Others have set up separate risk management functions while, at the same time, framing a new role for internal auditors in risk oversight. And all have been struggling with how to ensure the wisdom of auditors to perform this new role. This is because monitoring risk management is more than just affirming that a good process is in place. It requires the ability to assess the quality and efficacy of the process. And this, in turn, demands that internal auditors understand well the role of risk in each line of business, particularly now that risk warfare has become widespread in financial services competition.

The Challenge

Traditionally, internal audit has been the "cop on the beat." Boards look to audit to tell them what is really going on in management. Examiners often appear happier if audit is hammering management with a baseball bat. And top management looks to audit to keep them out of trouble by ensuring they are "doing things right," while line managers often chafe under the constraints and criticisms of internal auditors.

These tensions have never been easy to resolve. While auditors are expected to be helpful, friendly, and even "partnering," they can't be too much so lest they lose their objectivity. As Gilbert and Sullivan have put it, "A policeman's lot is not a happy one." During the past decade the audit function has been asked to be "more creative and innovative." And the solutions to date have centered on keeping everyone informed as to what is going on, a greater emphasis on more predictive and innovative auditing techniques, and working patiently to get "buy-in" on criticisms and change - all without losing independence and objectivity.

Involving audit in risk management is a must do, but it also challenges objectivity even further. The challenge is how to have auditors understand risk and, at the same time, not get sucked into management's point of view - how to both understand and critique in a field where risk is an endemic part of how a business is managed and where the act of oversight is highly likely to be seen as meddling in management and harming earnings.


If auditors are to be respected and accepted as risk overseers, they must have independent credibility, be viewed as creative partners with line managers, and, at the same time, still be the effective cop on the beat, albeit a more benevolent one. This will require knowledge, sagacity, interpersonal savvy, and conceptual ability over and above technical auditing skills. It requires a level of understanding that is equal in every respect to management's. This is a sensitivity to and a comprehension of risk in all its dimensions, a skill level never demanded of them until now. What are the hallmarks of tomorrow's risk management auditor?

* Industry Scholar. Risk has to be evaluated in the context of industry trends, market conditions, competition, and the general economic, interest rate, and business cycle at any given point in time. Possessing an industry and economic framework is a critical faculty when assessing risk.

* Business Scholar. Understanding how risk is used to produce' earnings in a line of business is extraordinarily important to understanding the business's real versus theoretical risk profile. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.