Chapter 04. Risk Management
04.05. Internal Audit’s Role in ERM
Key Questions
Briefly reflect on the following before we begin:
- How does an internal audit assure the effectiveness of risk management practices?
- In what ways can internal audit advise on improvements to risk management frameworks?
- How can internal audit facilitate risk awareness and education across the organization?
- What are the evolving expectations for internal audit’s role in a risk-oriented landscape, and how can auditors meet these expectations?
In today’s dynamic business environment, effective enterprise risk management (ERM) has become a cornerstone of organizational success, necessitating the active involvement of internal audit functions. This section explores the role of internal audit in ERM and its significance in bolstering organizational resilience against emerging risks. Internal audits provide assurance of the effectiveness of risk management practices and conduct independent assessments to evaluate the adequacy and robustness of risk management frameworks. By offering objective insights, internal audit functions assist organizations in identifying potential gaps and vulnerabilities in their risk management processes, thereby enhancing risk oversight and governance. Moreover, internal audit’s involvement in developing risk management strategies ensures alignment with organizational objectives and fosters a proactive approach toward risk identification, assessment, and mitigation.
Internal audits also assess the integration of ERM with corporate governance, ensuring that risk management practices are seamlessly woven into the fabric of organizational decision-making processes. Internal auditors advise on how to improve risk management frameworks. Internal auditors also leverage their expertise to enhance risk management capabilities and strengthen organizational resilience.
Internal audit functions facilitate risk awareness and education across the organization, equipping stakeholders with the necessary knowledge and tools to navigate risks effectively. Collaborating closely with risk management functions, internal audit delineates clear roles and boundaries, fostering synergies and optimizing risk management efforts to mitigate threats and capitalize on opportunities. As organizations navigate an increasingly complex and interconnected risk landscape, the evolving role of internal audit as a strategic partner in risk management underscores its relevance in safeguarding organizational value and promoting sustainable growth.
Internal Audit in Action
Background
Carter Technologies, a burgeoning tech company, has experienced rapid growth and innovation. However, this growth has introduced new risks, prompting the need for a more structured approach to risk management. Recognizing its unique position, the internal audit function proposes an initiative to enhance the company’s ERM strategy.
Challenge
The company’s risk management efforts are fragmented, with different departments managing risks in isolation. The challenge lies in integrating these efforts into a cohesive ERM framework that aligns with the company’s strategic objectives and fosters a culture of risk awareness.
Action Taken
The Chief Audit Executive (CAE) spearheads a project to collaborate with department heads and the risk management team to develop an integrated ERM framework. This involves the following activities:
- Conducting workshops to map out current risk management practices and identify gaps.
- Providing assurance on the effectiveness of existing risk management practices and suggesting improvements.
- Advising on developing a unified risk language and risk appetite statement to ensure consistency across the organization.
- Facilitating the integration of risk management into strategic planning and decision-making processes.
- Implementing a continuous education program on risk awareness for all employees.
Outcome
Through proactive internal audit involvement, Carter Technologies successfully implements a comprehensive ERM framework aligned with its strategic goals. The framework facilitates better risk visibility, enabling senior management to make more informed decisions. The culture of risk awareness permeates the organization, leading to proactive risk identification and management. The internal audit’s ongoing assurance and advisory role ensures that the ERM framework remains dynamic, adapting to new risks and opportunities.
Reflection
This scenario highlights the critical role internal audit plays in enhancing ERM practices. By providing assurance and advice and facilitating a risk-aware culture, Carter Technologies’ internal audit function has been instrumental in embedding risk management into the organization’s fabric, strengthening governance and supporting strategic objectives.
Providing Assurance on the Effectiveness of Risk Management Practices
In enterprise risk management (ERM), internal audits play a crucial role in assuring the effectiveness of risk management practices within an organization. This involves assessing whether the established risk management processes function as intended and contribute to achieving the organization’s objectives while managing risks.
By providing independent assurance on the effectiveness of risk management practices, internal audit instills confidence in stakeholders, including the board of directors, executive management, and external parties. Internal audit identifies areas for improvement in risk management processes and controls, enabling the organization to enhance its ability to manage risks effectively and achieve its objectives. By delivering timely and relevant insights into the organization’s risk landscape, internal audit enables decision-makers to make informed choices that balance risk and reward.
Evaluation of the Risk Management Framework
An internal audit evaluates the organization’s risk management framework to ensure it is well designed and effectively implemented. This includes assessing the clarity of risk management policies, procedures, and guidelines and their alignment with industry standards and best practices.
Risk Identification and Assessment
Internal audit reviews the processes for identifying, assessing, and prioritizing risks to determine their adequacy and comprehensiveness. This involves evaluating the methodologies used for risk assessment, the accuracy of risk identification, and the rigour of risk analysis.
Effectiveness of Risk Mitigation and Control
Internal audit examines the effectiveness of the organization’s risk mitigation strategies and control measures. This includes assessing the design of controls and the effectiveness of the organization’s operations to mitigate identified risks and prevent or minimize potential negative impacts.
Monitoring and Reporting
Internal audits monitor the effectiveness of risk management practices by conducting periodic reviews and audits. It evaluates the timeliness and accuracy of risk reporting mechanisms, ensuring that key stakeholders receive relevant and actionable information to support decision-making.
Common Risk-Management Assurance Activities
Some of the more commonly performed assurance activities focusing on risk management include:
- Conducting risk-based audits and assessments to evaluate the effectiveness of risk management practices across different functions and business units.
- Performing independent evaluations of specific risk areas or processes to identify control weaknesses, gaps, or deficiencies.
- Reviewing risk management documentation, such as risk registers, control frameworks, and mitigation plans, to ensure they are comprehensive and up to date.
- Testing the operating effectiveness of critical controls to verify their ability to mitigate identified risks and achieve desired outcomes.
- Providing recommendations for improvement based on audit findings and best practices to enhance the organization’s overall risk management capabilities.
Assessing the Integration of ERM with Corporate Governance
Corporate governance and enterprise risk management (ERM) are closely intertwined, with effective governance structures providing the foundation for robust risk management practices within an organization. Internal audit plays a crucial role in assessing the integration of ERM with corporate governance to ensure that risk management processes align with the organization’s overall governance framework. Here’s how the internal audit function assesses this integration:
- Reviewing Governance Structures: Internal audit begins by reviewing the organization’s governance structures, including the roles and responsibilities of the board of directors, executive management, and other governance bodies. This involves examining governance policies, charters, and frameworks to understand how they address risk oversight and management responsibilities.
- Evaluating Risk Oversight Mechanisms: Internal audit assesses the effectiveness of risk oversight mechanisms established by the board and executive management. This includes reviewing board committees responsible for risk oversight, such as audit or risk committees, to ensure they have clear mandates, appropriate expertise, and sufficient authority to oversee ERM activities effectively.
- Assessing Risk Appetite and Tolerance: Internal audit evaluates the organization’s risk appetite and tolerance statements to ensure they align with the organization’s strategic objectives and corporate governance principles. This involves assessing how risk appetite is defined, communicated, and integrated into decision-making processes across the organization.
- Examining Risk Reporting Mechanisms: Internal audit reviews the organization’s risk reporting mechanisms to assess the quality and timeliness of risk information provided to key stakeholders, including the board and executive management. This involves evaluating the content, format, and frequency of risk reports to ensure they facilitate informed decision-making and accountability.
- Encouraging Accountability and Transparency: Internal audit encourages accountability and transparency in the organization’s risk management practices. This includes evaluating the clarity of roles and responsibilities related to risk management and the transparency of risk-related disclosures in financial reports and other communications to stakeholders.
- Providing Recommendations for Improvement: Based on its assessment, the internal audit provides recommendations for improving the integration of ERM with corporate governance. This may include suggestions for enhancing board oversight, strengthening risk reporting mechanisms, clarifying risk management roles and responsibilities, or improving risk culture and awareness across the organization.
Assessing the integration of ERM with corporate governance helps strengthen risk oversight mechanisms, ensuring that risks are identified, evaluated, and managed effectively at all levels of the organization. Organizations can make more informed and strategic decisions by considering opportunities and threats to achieve their objectives by aligning risk management practices with corporate governance principles. Lastly, integrating ERM with corporate governance enhances stakeholder confidence by demonstrating a commitment to sound risk management practices, transparency, and accountability. By doing so, internal audit plays a critical role in assessing the integration of ERM with corporate governance, ensuring that risk management practices are aligned with the organization’s governance framework and contribute to its overall success and sustainability.
Advising on Improvements to Risk Management Frameworks
Internal audits advise on improving risk management frameworks within organizations. By leveraging their expertise in risk assessment, internal auditors can provide valuable insights and recommendations to enhance the effectiveness and efficiency of risk management processes.
Internal auditors review the organization’s risk management frameworks, policies, and procedures. This involves the following functions:
- Assessing the comprehensiveness and effectiveness of current practices in identifying, evaluating, mitigating, and monitoring risks across various business functions and processes.
- Conducting risk assessments and process evaluations to identify gaps, weaknesses, and areas for improvement in the organization’s risk management frameworks. This may include deficiencies in risk identification, inadequate controls, lack of risk monitoring mechanisms, or inconsistencies in risk reporting practices.
- Benchmarking the organization’s risk management practices against industry standards and best practices. This comparative analysis helps identify areas where the organization may need to catch up or where opportunities exist for adopting leading-edge risk management techniques and methodologies.
Based on their findings, internal auditors provide actionable recommendations to strengthen the organization’s risk management frameworks. These recommendations may include all or some of the following:
- Enhancements to risk identification processes
- Improvements to control design and implementation
- Creation of new or updates to existing risk monitoring and reporting mechanisms
- Updates to risk management policies and procedures
The internal audit function follows up on its recommendations to assess the implementation and effectiveness of proposed improvements to risk management frameworks. This involves monitoring the organization’s progress in addressing identified gaps and verifying whether the recommended changes have been successfully implemented and are achieving the desired outcomes.
Internal audit fosters a culture of continuous improvement by encouraging ongoing reviews and updates to the risk management frameworks. This includes staying abreast of emerging risks, regulatory changes, and industry trends to ensure that risk management practices remain relevant and effective in addressing evolving threats and opportunities.
Organizations can enhance their ability to identify, assess, and mitigate risks effectively, reducing the likelihood and impact of adverse events by identifying and addressing gaps in risk management frameworks. Strengthening risk management frameworks helps organizations comply with regulatory requirements and corporate governance standards, enhancing transparency, accountability, and stakeholder confidence.
Moreover, organizations can optimize resource allocation by streamlining risk management processes and controls to ensure that resources are allocated efficiently to address the most significant risks and opportunities.
Facilitating Risk Awareness and Education Across the Organization
Internal audit is crucial in facilitating risk awareness and education across the organization. Specifically, internal audit designs and delivers training programs to increase awareness of risk management principles and practices among employees at all levels of the organization. These training sessions cover identifying risks, assessing their impact, and implementing mitigation strategies. Internal audits also conduct workshops and seminars to provide employees with in-depth knowledge of specific risk areas relevant to their roles and responsibilities. These sessions often include case studies, interactive discussions, and practical exercises to help employees understand how to manage risks effectively.
Internal audits establish effective communication channels through which information about risks and risk management initiatives across the organization can be disseminated. This may include newsletters, intranet portals, and other communication tools to ensure that employees are informed about the latest developments in risk management. Internal audit organizes awareness campaigns to highlight the importance of risk management and encourage a culture of risk awareness and accountability throughout the organization. These campaigns may involve posters, emails, and other promotional materials to reinforce key messages about risk management.
Internal audit facilitates the sharing of best practices and lessons learned related to risk management by showcasing success stories and highlighting areas for improvement. This fosters a continuous learning and improvement culture, where employees are encouraged to adopt effective risk management practices from other parts of the organization. Internal audits collaborate with human resources, compliance, and legal functions to integrate risk awareness and education efforts into broader organizational initiatives. By working together, these functions can leverage their expertise to develop comprehensive risk management training programs and initiatives.
Internal audit helps cultivate a risk-aware culture where employees are proactive in identifying and managing risks within their areas of responsibility by raising awareness about risks and their potential impact on the organization. Increased knowledge and understanding of risk management principles lead to improved risk management practices across the organization, resulting in better decision-making and, ultimately, enhanced performance and resilience. Lastly, when employees are well-informed about risks and how to mitigate them, the organization is better equipped to prevent incidents and losses, safeguarding its reputation, assets, and stakeholders’ interests.
Collaborating with Risk Management Functions: Roles and Boundaries
Collaboration between internal audit and risk management functions is essential for effective enterprise risk management (ERM). Here we present an overview of how internal audit collaborates with risk management functions, along with the roles and boundaries of the internal audit and risk management functions.
Roles of Internal Audit Functions
Risk Assessment and Assurance
Internal audits conduct risk assessments independently or in collaboration with risk management to identify and prioritize risks. The internal audit function assures the board and senior management of the effectiveness of risk management practices and the adequacy of controls in mitigating risks.
Audit Planning and Execution
The internal audit function develops plans based on risk assessments and collaborates with risk management to align audit objectives with organizational risk priorities. During audit execution, an internal audit examines the design and operating effectiveness of risk management processes and controls.
Independent Review
Internal audit performs independent reviews of risk management activities to ensure compliance with policies, procedures, and regulatory requirements. An internal audit evaluates the reliability and integrity of risk data and the effectiveness of risk monitoring and reporting mechanisms.
Roles of Risk Management Functions
Risk Identification and Assessment
Risk management functions identify, assess, and prioritize organizational risks. They use techniques such as risk registers, risk assessments, and scenario analysis to understand the nature and magnitude of risks and their potential impact on business objectives.
Risk Mitigation and Control
Risk management functions develop and implement risk mitigation strategies and control measures to manage identified risks effectively. They work closely with business units to design controls that address specific risk exposures and monitor the effectiveness of these controls over time.
Risk Reporting and Monitoring
Risk management functions report risk information to senior management and the board. They provide regular updates on risk exposure, emerging risks, and the effectiveness of risk management activities. They also monitor key risk indicators (KRIs) to track changes in risk levels and trends.
Collaboration and Boundaries
Information Sharing
Internal audit and risk management functions share information, insights, and findings to understand risks and controls comprehensively. This collaboration helps avoid duplication of efforts and facilitates a more integrated approach to risk management.
Independent Assessment
While internal audit collaborates with risk management functions, it maintains independence and objectivity in its assessments. Internal audits conduct reviews and evaluations without undue influence from management or other functions to provide impartial assurance to stakeholders.
Specialized Focus Areas
Internal audit focuses on assuring the effectiveness of risk management practices and the adequacy of controls, whereas risk management functions concentrate on identifying, assessing, and mitigating risks to achieve organizational objectives. Collaboration ensures that these complementary roles support overall risk management efforts effectively.
The Evolving Role of Internal Audit in a Risk-Oriented Landscape
As organizations face increasingly complex and dynamic risk landscapes, the role of internal audit in enterprise risk management (ERM) is evolving. At the onset, an internal audit aligns its activities more closely with organizational strategies and objectives. Instead of focusing solely on compliance and financial audits, internal audits integrate risk assessments into their strategic planning processes. By understanding the organization’s strategic priorities, internal audit can tailor its risk assessments and audits to address the most significant risks to achieving those objectives. Internal audits are becoming more involved in the organization’s risk management processes. Rather than functioning as a separate entity, internal audits collaborate closely with risk management functions to ensure the effectiveness of risk management practices. This integration allows internal audits to leverage risk management expertise and better understand the organization’s risk profile.
With the increasing volume and complexity of data, internal audit is leveraging data analytics and technology to enhance risk assessment and audit processes. Data analytics tools enable internal audits to analyze large datasets more efficiently and identify patterns and trends indicative of emerging risks. Additionally, technology such as artificial intelligence and machine learning is being used to automate routine audit tasks and enhance the accuracy and depth of audit findings. Internal audits pay greater attention to emerging risks that may impact the organization’s future performance and resilience. By actively monitoring external trends, regulatory changes, and industry developments, internal audits can anticipate potential risks and advise management on proactive risk mitigation strategies. This forward-looking approach helps the organization stay ahead of emerging threats and opportunities.
Internal audit is improving its communication and reporting practices to ensure that audit findings are effectively communicated to key stakeholders. Instead of relying solely on traditional audit reports, internal audit is adopting more interactive and dynamic reporting formats, such as dashboards and visualizations, to convey complex risk information in a clear and actionable manner. This enhances transparency and enables management to make informed decisions based on audit insights. In a rapidly changing business environment, internal audit embraces agility and adaptability to respond to evolving risks and challenges. Internal audit teams are becoming more flexible, adapting audit plans and methodologies to address emerging risks and changing priorities. By staying nimble, internal audits can effectively support the organization in managing known and unknown risks.
By embracing these changes, internal audits can continue to add value to the organization by providing assurance, insight, and guidance on managing risks effectively in today’s dynamic business environment.
Internal Audit in Action
Background
Chang Sustain Inc., an environmental consultancy, faces evolving environmental regulations and market demands. Recognizing the need to manage these external risks better, the board seeks the internal audit’s expertise to revitalize the company’s risk management framework.
Challenge
Chang’s risk management framework needs to be updated to fully account for the complex regulatory and market risks it now faces. The challenge is to update the framework to be more forward-looking and capable of addressing new and emerging risks.
Action Taken
The CAE undertakes a comprehensive review of the existing risk management framework in collaboration with the risk management team. Key actions include:
- Assessing the current framework’s effectiveness in identifying, assessing, and responding to regulatory and market risks.
- Advising on the adoption of advanced risk assessment tools and techniques to better predict emerging risks.
- Enhancing the reporting mechanisms to provide timely and actionable risk information to the Board and management.
- Building bridges between the risk management function and other departments to ensure a unified approach to managing external risks.
- Leading efforts to embed risk considerations into strategic planning and project management processes.
Outcome
The revitalized risk management framework enables Chang to proactively manage its regulatory and market risks. Advanced risk assessment tools improve the prediction and mitigation of emerging risks. Enhanced reporting mechanisms ensure the board and management have the information to respond effectively. The company has become more agile and capable of adjusting its strategies in response to external pressures. The role of internal auditors in leading this revitalization cements their position as critical advisors on risk management issues.
Reflection
This scenario illustrates the vital role of internal audit in revitalizing an organization’s risk management framework. Through its assurance and advisory roles, the internal audit function at Chang has improved the company’s ability to manage external risks and enhanced its strategic agility. The internal audit’s involvement ensures that risk management practices are continuously aligned with the organization’s objectives and external environment.
Key Takeaways
Let’s recap the concepts discussed in this section by reviewing these key takeaways:
- Internal audits evaluate the design and implementation of risk management processes and play a crucial role in risk management practices by conducting risk-based audits and assessments.
- By leveraging their risk assessment and control evaluation expertise, internal audit professionals collaborate with management and other stakeholders to identify and prioritize strategic risks. Internal audit involvement in strategic risk discussions helps align risk management initiatives with organizational objectives.
- Internal auditors also evaluate the alignment of risk management practices with corporate governance principles and regulatory requirements. This includes assessing the effectiveness of risk oversight structures, such as board oversight committees and risk management frameworks.
- Internal audit also provides recommendations for strengthening risk management frameworks, such as enhancing risk identification processes, improving risk monitoring and reporting mechanisms, and implementing robust controls. By offering actionable insights and best practices, internal audit supports continuous improvement in risk management practices.
- Internal audit conducts training sessions, workshops, and awareness campaigns to educate employees about the importance of risk management and the employee’s role in identifying and mitigating risks. This fosters a risk-aware mindset and promotes a culture of accountability and risk ownership throughout the organization.
- Internal audit adapts to emerging risks, regulatory changes, and technological advancements to enhance the effectiveness of the audit. As organizations navigate increasingly complex risk landscapes, internal audit’s role continues to evolve, ensuring it remains relevant in safeguarding organizational value.
Knowledge Check
Review Questions
- Explain the role of internal audit in assuring the effectiveness of risk management practices.
- How does internal audit contribute to developing risk management strategies within organizations?
- Discuss the importance of integrating ERM with corporate governance and the role of internal audit in this integration.
- How does internal audit advise on improvements to risk management frameworks?
- Describe the role of internal audit in facilitating risk awareness and education across the organization.
Essay Questions
- Explain the significance of internal audit’s role in assessing the integration of enterprise risk management (ERM) with corporate governance. Provide examples of how internal audit ensures alignment between ERM and corporate governance principles.
- Discuss the evolving role of internal audit in a risk-oriented landscape and its impact on organizational risk management practices. Provide examples of how internal audits adapt to emerging risk trends and technologies to enhance risk management effectiveness.
Mini Case Study
You are a senior internal auditor in a multinational corporation tasked with assessing the integration of enterprise risk management (ERM) with corporate governance. During your audit, you observe that the organization needs a formal mechanism for monitoring risk appetite and tolerance levels. Additionally, you notice discrepancies between the risk reporting practices and the expectations outlined in the corporate governance framework.
Required: How would you address these findings, and what recommendations would you provide to improve the alignment between ERM and corporate governance?
A comprehensive approach to identifying, assessing, managing, and monitoring risks across an organization to maximize value and achieve objectives.
Evaluations of an organization's financial statements and related operations to ensure accuracy, completeness, and compliance with accounting standards.