Why Risk & Internal Audit Struggle to Share a Purpose

Key Takeaways
  • Legacy Mindsets: Risk and internal audit still operate from outdated, profession-centric models that were not designed to inform decision-making on mission critical objectives.
  • Economic Incentives: Certifications, training programs, and frameworks tied to legacy models create strong institutional resistance to redefining purpose.
  • Turf and Identity: A shared purpose would require shared ownership, reducing the structural and psychological boundaries that define each profession.
  • Accountability Exposure: Acknowledging a shared purpose means acknowledging that most boards are not receiving reliable, decision-useful insight on mission critical objectives today.
  • Purpose Cascades: Where board purpose is vague, risk and audit purpose will be vague; clarity must begin at the top.
Deep Dive

In my recent post, I suggested that risk management and internal audit would better serve management, boards, and stakeholders if they operated from a shared purpose. The idea is straightforward: both functions should focus on ensuring leadership receives reliable, decision-useful information about the uncertainties that affect the organization’s mission critical objectives. If they did that consistently, organizations would make better decisions and achieve better outcomes.

Yet despite clear logic, broad agreement in principle, and decades of discussion, this shift has not happened.

A major reason is that both professions are built on legacy paradigms developed for different times and different expectations. Risk management is still largely anchored in identifying and reporting risks, often resulting in long lists or heat maps that are disconnected from strategic decision-making. Internal audit is still anchored in identifying and reporting control issues, often focusing on individual process weaknesses rather than their effect on the achievement of major objectives. Neither model starts where decision-makers actually make decisions: with the objectives that matter most.

This misalignment persists because the legacy models support powerful institutional incentives. Certifications, training curricula, consulting services, and professional identities are tied to the old approaches. Rewriting purpose means rewriting standards, rethinking competency models, and acknowledging that some of what has been taught and rewarded for decades does not meet the governance needs of today’s organizations. Institutions rarely volunteer to do that.

A shared purpose also requires the two professions to share ownership of the work. That means looking at the same objectives, assessing the same uncertainties, and providing combined insight, not sequential reporting. It reduces turf boundaries. And professional identity in both fields has been built, consciously or not, on turf.

There is another factor that is less comfortable to acknowledge. If risk and internal audit agree that their shared purpose is to ensure boards receive reliable, decision-useful insight on mission critical objectives, then we must also acknowledge that most boards do not receive that insight today. That raises accountability questions for chief risk officers, chief audit executives, and the standards intended to guide their roles. Many know this. Silence is easier.

Finally, the issue often starts one level higher. Most boards do not define their own purpose with clarity. When board purpose is unclear, risk and audit purpose becomes diffuse. Purpose always cascades downward.

The shift will come when boards and CEOs begin asking a different kind of question: “Tell us, with evidence, how well we are positioned to achieve our mission critical objectives, and where uncertainty could materially alter the outcome.”

When that becomes the expectation, purpose will align very quickly.

The barrier has never been the idea. The barrier has been the willingness to confront what the idea reveals.
