John Fraser was asked recently whether internal audit should perform risk assessments, assuming an effective Enterprise Risk Management function exists. He argued that IA should provide assurance that ERM processes work effectively and validate that key controls assumed to be functioning actually operate as intended.

Strip away the terminology and the core purpose becomes clearer. Whatever “ERM” and “IA” are meant to mean or be, their only legitimate ultimate purpose can surely be that the organisation makes the best decisions it can.

Organisational success depends on consistent quality decision-making across all levels. In Deciding, Grant and I outline a Universal Decision-Making Method applicable to all decision-makers. We call them Deciders, because that is what they are.

There is a parallel to manufacturing quality control. Processes shifted decades ago from inspecting finished products to ensuring quality throughout production. The inspection model was expensive, slow, and caught problems too late. The quality-throughout model prevented them.

Organisational monitoring should follow the same logic. Focus on decision-making quality rather than post-decision evaluation. Monitor the assumptions that decisions rest on, not the outputs that have already happened. By the time you are inspecting the output, the decision is old and the damage, if any, is done.

Governance bodies should directly assess decision-making capability rather than outsourcing reassurance to hired auditors or risk managers. The question is not “should internal audit perform a risk assessment?” The question is “are the people making decisions in this organisation doing it well, and how would we know?”

If you have a decision you are working through, the Walk can help.