Internal Audit & Risk Management

The Relationship

The internal audit profession has developed and taken shape according to the needs of organizations and to developments in the business world since it first emerged. Because internal audit could not realize its full potential with existing approaches, new approaches were explored to increase the value it adds.

Internal audit's primary role in enterprise risk management (ERM) is to provide assurance to management on the effectiveness of ERM activities, helping to ensure that significant risks are properly managed and that the organization's internal control system functions effectively.

IIA Standard 2120 – Risk Management states that “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” Specifically, the standard requires the internal audit activity to assess whether:

  1. The organization’s objectives align with its mission.
  2. Management assesses significant risks.
  3. Management’s risk responses align risks with the organization’s risk appetite.
  4. Relevant risk information is captured and communicated in a timely manner throughout the organization, including to the board.

The role of internal audit in ERM may differ from organization to organization. In practice, internal audit's duties may include some or all of the following:

  • Focusing on the key risks identified by management and overseeing the organization-wide risk management process,
  • Verifying that risk management is carried out correctly,
  • Actively participating in and supporting the risk management process,
  • Facilitating risk identification and assessment, and training personnel on risk management and internal control,
  • Coordinating the risk reports submitted to the board and audit committee.

In parallel with these developments, internal audit's perspective on risk and controls has changed, and a shift towards risk-based internal auditing has taken place so that internal auditors can add more value. With this approach, internal auditors have begun to examine how management deals with risk and have become more sensitive to changes occurring within and around the organization.


While internal audit's engagement in ERM can add value to the organization, there is also a risk that it could compromise internal audit's independence and objectivity. Recognizing this possibility, the IIA issued a position paper addressing the core roles of internal audit in regard to ERM, the roles that internal audit can legitimately undertake provided safeguards are in place, and the roles that internal audit should not undertake.

Having the internal audit and risk management functions report to one manager who then, presumably, presents both sets of reports and represents both functions to the Audit Committee and Risk Committee is very difficult to make work. While internal audit and risk management have to work together, I believe it is essential that they report to separate senior managers, both for clear governance and to ensure that neither role is compromised. Chief Risk Officers who must balance internal audit, risk management and compliance portfolios often struggle with this in practice.

Joint Internal Audit and Risk Management Functions

  1. Internal audit must provide independent and objective assurance on risk management,
  2. Risk control is vital if risk is to be managed effectively,
  3. Combining risk and internal audit activities raises questions about the objectivity of internal audit’s assurance on risk management,
  4. Where separate internal audit and risk teams are managed by a joint Head of Audit and Risk, there needs to be a mechanism, appropriate to the organization, to ensure that the audit committee and senior management receive separate, clear and objective messages from each function,
  5. Where internal audit is asked to give advice or assistance on risk management, e.g. as part of its consulting role, safeguards are needed to ensure that the board still receives the objective assurance on risk that it requires,
  6. Where the internal audit and risk functions are fully combined (as in smaller organizations), the board will also need to ensure that the internal audit role is not undermined.

Apart from the governance matters discussed above, there are also clear management and cultural reasons for separating internal audit and risk management.

Risk management is a line management function: line managers are ultimately responsible for delivering business outcomes, and they are responsible for managing the risks in their areas of the organization. Separating risk management from the line and locating it in a central, compliance-related area sends mixed messages to the organization.

In my opinion, it is far better to ensure a distinct separation of internal audit and risk management, with the central risk management team having custodianship of the overall risk management framework while line managers retain clear responsibility for managing risk. The risk management function can then act as a trainer and mentor to management, supporting them in that role.

Bridget Wesson

Executive Senior Consultant @ Private Company | Global Risk Management, Unmanned Aircrafts

3 years ago

Auditing is a benefit to the internal company and has no connection to moral compassing. Huge misconception.

Antónia Dos Prazeres Cristóvão

Senior Auditor | Risk Manager | Accountant, OCPCA

3 years ago

Thank you for

Abiola A. Morakinyo | B.Sc | M.Sc | MBA | FCIB | ACA | CISA | CFE

Head, Internal Audit at Midwestern Oil & Gas Company Ltd | Ex-GTBank | Ex-FirstBank

3 years ago

Thanks for posting.

Amir Karimi, MAF, ACPA

Senior Manager Internal Audit | Shahzeb Saeed Menswear | Internal audit | Fraud Investigation | Anti Money Laundering | IT audit | ERP |

3 years ago

Thank you for


More articles by Salih Ahmed ISLAM
