Risk Management vs Internal Audit
Yesterday I came across a discussion piece in a Risk Managers group that I am a member of. The topic was about the relationship between Internal Audit and Risk Management. I found this interesting as, even now, companies still tend to confuse these two roles. Though there is a relationship, the Internal Audit and the Risk Management functions are distinct and mutually exclusive.
I won’t be surprised if some disagree with me as I’ve seen companies where the Chief Risk Officer (CRO) also served as the Head of Internal Audit. The justification is usually that it is different in practice than it is on paper. In my opinion, this presents a questionable case regarding accountability. The Head of Internal Audit reports directly to the Audit Committee of the Board while the CRO reports to the CEO (who also reports to the Board).
What then happens when these two roles are performed by the same person? It’s like a child with two fathers, where one of his fathers is also the son of the other father. Somewhat confusing, right? Think about it, or even better, take a look at this table highlighting the duties of both functions:
Clearly these two roles are distinct, as the audit function ideally provides assurance of the adequacy of the risk management function. How then can a CRO and Internal Audit Head be one and the same? Just a little something to think about…