Internal Audit Maldives

Independent articles, insights, perspectives, and discussions dedicated to advancing the internal auditing profession in the Maldives.

Internal Audit’s Role in Risk Management: The Conversation Organizations in the Maldives Need to Have

There is a question that internal auditors in the Maldives have been asking each other for a long time. We ask it at trainings. We ask it among friends in the profession. But we rarely discuss it openly.

The question is this: Should internal audit help with risk management, or should we stay away from it completely?

In many organizations in the Maldives, management has asked the internal audit team to help with risk management. To prepare the risk register. To do the risk assessment. To help start ERM (enterprise risk management), because there is no one else to do it.

And in many case and some of the organization, internal audit has said no.

Why do we say no?

The reason we give is always the same: independence and objectivity. We say, “We cannot audit something we created ourselves.” We say, “Risk management is a second line job. We are the third line.” These concerns are real and they come from a good place. Independence is the foundation of our profession, and protecting it is the right instinct.

But here is the difficult part we need to think about honestly.

In most Maldivian organizations, there is no risk department. There is no chief risk officer. There is no second line at all. So when internal audit says no, risk management does not go to someone else. It simply does not happen.

This means we end up protecting our independence over risk management processes that do not exist. We stay pure, but the organization stays unprotected. Is that really the outcome our profession wants? Deep down, I think most of us know the answer.

Good news: The IIA has now given us a clear answer

The IIA has just released two new Statements of Position, the updated Three Lines Model and a new statement on the Role of the Internal Audit Function in Enterprise Risk Management. Together, they finally settle this long debate. And the answer is very encouraging for us in the Maldives.

Here is what the IIA now says, in simple terms:

1. Independence does not mean isolation. The Three Lines statement says clearly that independence should not cut us off from the rest of the organization. We can stay independent and still work closely with management.

2. Internal audit CAN help build risk management. The ERM statement says that in organizations without a risk department, management may rely on internal audit’s risk work, and the head of internal audit may help management set up ERM activities as the organization grows. The IIA even wrote a full scenario about smaller organizations where internal audit performs risk management activities, and it does not say this is wrong. It says this can be practical and useful, especially as a temporary step.

3. Internal auditors have the right skills for this. The IIA says internal auditors are well suited to help with risk management because we already know how to identify risks, assess them, and report on them. Our skills are exactly what a young ERM program needs.

4. But there are safeguards, and they protect us. This is the most important part. The IIA says we can take on this role only with proper protections in place:

  • The board or audit committee must formally approve the arrangement, and it should be written in the internal audit charter.
  • Internal audit gives advice and support, but management always makes the risk decisions. We never decide how a risk should be handled.
  • We do not audit something we designed or operated within the last 12 months.
  • Someone independent (from inside or outside) gives assurance over the risk work that we perform.
  • The arrangement is reviewed from time to time, with a plan to hand risk management back to management as the organization matures.

Notice something important here. These safeguards do not weaken our independence. They protect it, while still letting us help the organization. This is the balance our profession has been looking for.

This is not a threat to our profession. It is an opportunity.

In my first article on this site, I wrote that internal auditing in the Maldives must evolve. We must move from being a compliance checker to being a strategic partner that adds real value.

This is one clear and practical way to do exactly that.

Think about what it means when an internal audit team says: “Yes, we can help you build risk management. Here is what we can do, here is what we cannot do, here are the safeguards the IIA requires, and here is the plan to hand it over to you as the organization grows.”

That team is no longer just checking receipts and reports. That team is helping the organization see its risks, make better decisions, and protect its future. That team has a seat at the table. That is what adding value looks like. That is what evolving looks like.

And there is a bigger picture too. The world of internal auditing is changing fast. The organizations of tomorrow will expect their internal auditors to understand risk, strategy, and governance, not just compliance. If we build these skills now, the Maldivian internal audit profession will be future ready. If we wait, we will be left behind.

A fair word for the careful ones

Some auditors worry that if internal audit takes the risk management role, it will become permanent. Management will never build its own risk capability, and internal audit will be stuck doing two jobs forever.

This is a fair and wise concern. But the answer is not to refuse. The answer is to use the IIA’s safeguards fully, especially board approval, the written charter, and the regular review with a handover plan. These safeguards exist exactly to prevent “temporary” from becoming “forever.” In other words: we should treat this risk the same way we tell our auditees to treat theirs, not by hiding from it, but by managing it well.

Let us start the conversation

The IIA Global has spoken clearly. The old excuse is gone, but so is the old confusion. We now have a roadmap that lets us help our organizations and protect our independence at the same time.

So here is my message to fellow internal auditors across the Maldives: let us not be afraid of this role. Let us learn the two new Statements of Position well. Let us bring them to our audit committees. And let us show our organizations that internal audit is ready to lead, ready to add value, and ready for the future.

What is your experience? Has your organization asked internal audit to take on risk management? I would love to hear your views, this is a conversation our whole profession should be having.

Leave a Reply

Your email address will not be published. Required fields are marked *