The board has essentially said to management, "Here are the lanes to follow.
Stay within these lanes." But what happens when management intentionally veers from the established risk appetite and, worse, misleads the board about the real risks associated with a particular behavior or business strategy? It should be acknowledged that, at times, an organization can inadvertently swerve outside the risk appetite lanes.
The "When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management.
If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board." While the primary purpose of Standard 2600 is to address resolution of disagreements between internal audit and management over internal audit results, I believe that it also provides internal auditors with the mandate to ensure the board is aware of management actions involving "unacceptable" levels of risks.
Workplace bullying is a global problem affecting all professions and sectors. We don't hear much about negative team behavior in remote teams because it seldom takes the form of overt bullying. Sure, people may berate each other on conference calls, but often the most pervasive and insidious behavior is aggressive, purposeful and destructive silence.
Identifying and mitigating risks through a sound risk-based internal audit process benefits all organizations, from mom-and-pop businesses to Fortune 500 corporations. Failure to do so invites almost guaranteed problems at some level of the organization.