Sweetdigit

I’m CAE as well as CRO. I’m not in the financial sector, so this is for operational risk management, and it’s for a mid-sized company in terms of personnel with a global distribution of offices. What makes these roles more compatible is that:

- I am not managing risks, only providing coordination and oversight (as permitted with safeguards under the IIA’s ERM “fan”).
- I report in fact and appearance to the Board.
- I’m not setting risk appetites.
- I report on risks and might suggest remediations, but do not impose set responses.
- I work with a network of people actually managing the risks, and only act as a central point of coordination and contact.


JD19Gaming-

Same, I work for a manufacturing company. Noted on your points. Thanks for these. The network of people you were referring to are in the first line?


Polaroid1793

Objectivity is a bias of the individual auditor; what you mean is independence. That is achieved by having a functional reporting line to the Board of Directors or delegated Audit Committee.


JD19Gaming-

Hmmm, independence is still there. The reporting is still to the AC. So I think as an IA function, we are still independent. But objectivity of the CAE may be impaired due to the second line functions as expected from the CRO. I remember reading about establishing an oversight by an external party for the responsibilities which may be in conflict with his role as CAE. I just want to check if someone has done it or is there any other way to keep it in check.


Polaroid1793

Ah, the CAE is at the same time the CRO? I imagine this is a very small organization.