For a smaller, non-public company in the financial services industry, can the Chief Audit Officer also be the Chief Risk Officer? If so, how do they typically navigate around independence requirements? Is this a common practice?
VP of Finance in Banking, a month ago
Thank you, Martin. This was very helpful.
Director of Finance, 5 months ago
You can find a helpful delineation of activities in the Internal Audit Institute article "The Role of Internal Auditing in Enterprise-wide Risk Management."
CFO, 5 months ago
I would not recommend combining those roles. First of all, they require different skill sets. Second, there would be the appearance of potential for conflict. Third, one's judgment could be questioned even if one is trying one's very best to be objective.
VP of Finance in Travel and Hospitality, 5 months ago
Chief Auditors are taking on the responsibility of Chief Risk Officer in companies large and small. It makes sense to me because the skillsets are very similar. A big caveat is to address this in the audit committee charter (for publicly traded companies). You can wear the two hats (I do in my middle market organization), but you have to be careful with how you manage the independence and objectivity. In short, it's doable and more common than you'd think.
To address independence, when we've conducted audits of the risk management function when it also reports up through the CAE, we've typically had the audit team seconded to another leader in the organization for that audit only. Typically, this has been the General Counsel. On a few occasions I've also seen organizations out/co-source the audit of risk management, to further ensure independence exists.