New Risk Certification Debuts

IIA Launches Risk Management Assurance
New Risk Certification Debuts
The Institute of Internal Auditors has unveiled a new certification in risk management assurance, known as CRMA. This new program is aimed at allowing internal audit professionals to demonstrate their ability in assessing key risks to the business and providing assurance to senior management that risk and governance processes are effective.

"The genesis of this certification has essentially come from the evolving role of internal auditing in the risk management process within an organization," says Cyndi Plamondon, vice president of certifications at the IIA.

With this approach, the auditor must first understand the company's mission/vision, strategies, objectives, products, services and high profit areas. Then the auditor must identify and analyze the risks (risk assessment) to the business. The auditor also determines whether controls are in place (or test of design) and whether such controls are effectively working as designed to address key business risks.

"The risk focus helps position internal audit at the table with other C-level executives," Plamondon says.

The CRMA is designed for internal auditors and others interested in risk management assurance. The credential enables internal auditors to:

  • Provide assurance on core business processes in risk management and governance;
  • Educate management and the audit committee on risk assessment and management concepts;
  • Analyze and quantify risk factors in new business ventures and strategies;
  • Provide assurance to management that risks are correctly evaluated; and
  • Focus on strategic organizational risks.

Heightened Awareness

Denny Beran, senior vice president of audit for J.C. Penney, a retail chain of department stores, is already an applicant for the CRMA. "The CRMA certification will give us a heightened awareness of our responsibility in not just evaluating operational or compliance risks, but understanding strategic risks to the business," Beran says.

For Karine Wegrzynowicz, chief audit executive for Crocs, an international retailer and manufacturer of footwear, the reason to take up this certification is to evolve with the profession and become more risk focused, as opposed to using the checklist and controls approach. "This credibility will help internal audit demonstrate their understanding for assessing both current and emerging risks to the business."

She further says that as head of audit for a multinational company, for example, supporting a management decision about whether to expand a product line in a particular country will need focus beyond controls and a traditional audit approach. Today, she will need to understand the business aspect and risks of introducing this product, as well as the risk management framework and how that is influenced by new technologies and regulations in these regions.

"For my position to be valuable, I need to first understand the key risks to the business and then assess how we can implement controls and processes to mitigate those."

Meeting the Need

Financial scandals, new legislation, technological advancement and economic fluctuations are all factors pushing the involvement of internal audit into risk management within organizations.

In addition, demands from the board, executive management and regulators have triggered a shift in the focus of internal auditing beyond regulatory compliance issues to major strategic, regulatory, financial and operational risks that confront an organization.

The role of internal audit in risk management provides assurance to stakeholders that its risks are appropriately managed and mitigated, says Beran. "Our involvement provides comfort level to senior management that we are mindful of the risks and know how to develop appropriate ways of assessing, controlling and mitigating these risks."

As a senior manager in the public accounting firm of Crowe Horwath, Steve Hunt finds that his clients are looking for additional guidance on risk management and governance best practices and assistance with their implementation and assurance.

"Many times I see cases where clients are over-controlled on some risks and under-controlled on others," he says. "Having the CRMA designation will help auditors not only tell clients if their internal controls are working or not, they can also help them understand the enterprise-wide risk framework and how controls are managed across the company."

According to Plamondon a big benefit is raising the awareness levels of the role of internal audit within a company. "Auditors play a vital role in delivering increased value to the organizations in terms of cost savings and covering all the risks that matter."

Countdown to Exams

The first CRMA exams will be held in June 2013. However, applications are currently open for a limited time through CRMA's professional experience recognition program, which selects qualified candidates based on their education, work experience and risk management exposure to obtain the certification before the exam is offered in June 2013.

This certification is available globally across 65 countries, and so far more than 200 applicants have applied for the certification program.

"The IIA is bringing the profession to a matured risk domain, and if professionals get this proficiency, they will be able to understand the risk side far better," Wegrzynowicz says.


About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.




Around the Network