The internal audit profession is divided. Two camps sit diametrically opposed on how far internal auditors can get involved in risk management before compromising their independence.
This debate has been amplified by the appointment of new Institute of Internal Auditors (IIA) president Terry Cunnington, who is the first to admit that his views on the subject are 'radical and controversial'.
'I very much believe that internal audit should not be operating on the fringes of an organisation, looking for minor control improvements,' he says. 'It should be risk-focused, looking at the major risks that can prevent the organisation from achieving its goals. It needs to be in the mainstream rather than the backwater where it's traditionally been.'
Cunnington is a big proponent of 'enterprise-wide risk management' (ERM) - the new buzzword for total business risk management, which looks at risk from the top down and right across the organisation in a consistent manner, thus providing boards with a 'very powerful tool'.
He introduced ERM at his company, Euronext.liffe, seven years ago, and believes he was one of the first, if not the first, to adopt it. Although he estimates that less than 20% of organisations have followed suit, he thinks many more will soon 'because it just makes sense, it helps governance and it demonstrates good risk stewardship which will do wonders for shareholder value'.
However, Mary Hardy, director of internal audit at Transport for London, counters that ERM is just a new name for something that's always been done. 'I'm sure most companies are doing it, they just don't recognise it for what it is and don't call it that.'
What role to play?
Nevertheless, the general consensus is that ERM can only be a good thing.
The debate focuses on the part internal audit should play in it. One camp firmly believes that internal auditors should facilitate risk management - by helping management to identify risk as well as recommending and reviewing controls. But, they insist, responsibility for risk management should lie solely with management.
'Internal auditors are there to help management through the thought process to identify risk and work out what key controls there should be, and then check they're working properly,' says Hardy.
'They clearly should not cross over into a management decision implementation role - but it's very easy to cross that line and not realise you've done it.'
Joyce Drummond-Hill, head of internal audit at HM Prison Service, adds: 'I've heard of internal auditors doing what risk managers do, and I think that probably compromises their objectivity.
'I know Terry Cunnington is very much in favour of auditors being right in the thick of it and being very involved - but he's an example to me of someone who's gone a bit too far.'
Indeed, Cunnington's job title at Euronext.liffe reveals much about the depth of his involvement - he is director, risk management. However, despite what his title implies, Cunnington is adamant that he does not hold responsibility for risk management, and therefore his independence is not compromised.
'We state clearly that it's management's responsibility to manage risk, not ours. We do not manage any risks on their behalf and we do not impose any risk management processes on them,' he explains.
'All we do is provide a framework so that we can coordinate risk management, make sure that managers are properly skilled in identifying and managing risks, and provide a mechanism for reporting at board level. We monitor risk right across the organisation so that the right hand knows what the left hand's doing.
'I and my team get a lot more satisfaction out of helping management get it right first time rather than coming along afterwards and criticising,' he adds. 'There should be more emphasis on prevention rather than cure.'