04.05. Internal Audit’s Role in ERM

Key Questions

Briefly reflect on the following before we begin:

• How does an internal audit assure the effectiveness of risk management practices?
• In what ways can internal audit advise on improvements to risk management frameworks?
• How can internal audit facilitate risk awareness and education across the organization?
• What are the evolving expectations for internal audit’s role in a risk-oriented landscape, and how can auditors meet these expectations?

In today’s dynamic business environment, effective enterprise risk management (ERM) has become a cornerstone of organizational success, necessitating the active involvement of internal audit functions. This section explores the role of internal audit in ERM and its significance in bolstering organizational resilience against emerging risks. Internal audits provide assurance of the effectiveness of risk management practices and conduct independent assessments to evaluate the adequacy and robustness of risk management frameworks. By offering objective insights, internal audit functions assist organizations in identifying potential gaps and vulnerabilities in their risk management processes, thereby enhancing risk oversight and governance. Moreover, internal audit’s involvement in developing risk management strategies ensures alignment with organizational objectives and fosters a proactive approach toward risk identification, assessment, and mitigation.

Internal audits also assess the integration of ERM with corporate governance, ensuring that risk management practices are seamlessly woven into the fabric of organizational decision-making processes. Internal auditors advise on how to improve risk management frameworks. Internal auditors also leverage their expertise to enhance risk management capabilities and strengthen organizational resilience.

Internal audit functions facilitate risk awareness and education across the organization, equipping stakeholders with the necessary knowledge and tools to navigate risks effectively. Collaborating closely with risk management functions, internal audit delineates clear roles and boundaries, fostering synergies and optimizing risk management efforts to mitigate threats and capitalize on opportunities. As organizations navigate an increasingly complex and interconnected risk landscape, the evolving role of internal audit as a strategic partner in risk management underscores its relevance in safeguarding organizational value and promoting sustainable growth.

Providing Assurance on the Effectiveness of Risk Management Practices

In enterprise risk management (ERM), internal audits play a crucial role in assuring the effectiveness of risk management practices within an organization. This involves assessing whether the established risk management processes function as intended and contribute to achieving the organization’s objectives while managing risks.

By providing independent assurance on the effectiveness of risk management practices, internal audit instills confidence in stakeholders, including the board of directors, executive management, and external parties. Internal audit identifies areas for improvement in risk management processes and controls, enabling the organization to enhance its ability to manage risks effectively and achieve its objectives. By delivering timely and relevant insights into the organization’s risk landscape, internal audit enables decision-makers to make informed choices that balance risk and reward.

Evaluation of the Risk Management Framework

An internal audit evaluates the organization’s risk management framework to ensure it is well designed and effectively implemented. This includes assessing the clarity of risk management policies, procedures, and guidelines and their alignment with industry standards and best practices.

Risk Identification and Assessment

Internal audit reviews the processes for identifying, assessing, and prioritizing risks to determine their adequacy and comprehensiveness. This involves evaluating the methodologies used for risk assessment, the accuracy of risk identification, and the rigour of risk analysis.

Effectiveness of Risk Mitigation and Control

Internal audit examines the effectiveness of the organization’s risk mitigation strategies and control measures. This includes assessing the design of controls and the effectiveness of the organization’s operations to mitigate identified risks and prevent or minimize potential negative impacts.

Monitoring and Reporting

Internal audits monitor the effectiveness of risk management practices by conducting periodic reviews and audits. It evaluates the timeliness and accuracy of risk reporting mechanisms, ensuring that key stakeholders receive relevant and actionable information to support decision-making.

Common Risk-Management Assurance Activities

Some of the more commonly performed assurance activities focusing on risk management include:

• Conducting risk-based audits and assessments to evaluate the effectiveness of risk management practices across different functions and business units.
• Performing independent evaluations of specific risk areas or processes to identify control weaknesses, gaps, or deficiencies.
• Reviewing risk management documentation, such as risk registers, control frameworks, and mitigation plans, to ensure they are comprehensive and up to date.
• Testing the operating effectiveness of critical controls to verify their ability to mitigate identified risks and achieve desired outcomes.
• Providing recommendations for improvement based on audit findings and best practices to enhance the organization’s overall risk management capabilities.

Assessing the Integration of ERM with Corporate Governance

Corporate governance and enterprise risk management (ERM) are closely intertwined, with effective governance structures providing the foundation for robust risk management practices within an organization. Internal audit plays a crucial role in assessing the integration of ERM with corporate governance to ensure that risk management processes align with the organization’s overall governance framework. Here’s how the internal audit function assesses this integration:

• Reviewing Governance Structures: Internal audit begins by reviewing the organization’s governance structures, including the roles and responsibilities of the board of directors, executive management, and other governance bodies. This involves examining governance policies, charters, and frameworks to understand how they address risk oversight and management responsibilities.
• Evaluating Risk Oversight Mechanisms: Internal audit assesses the effectiveness of risk oversight mechanisms established by the board and executive management. This includes reviewing board committees responsible for risk oversight, such as audit or risk committees, to ensure they have clear mandates, appropriate expertise, and sufficient authority to oversee ERM activities effectively.
• Assessing Risk Appetite and Tolerance: Internal audit evaluates the organization’s risk appetite and tolerance statements to ensure they align with the organization’s strategic objectives and corporate governance principles. This involves assessing how risk appetite is defined, communicated, and integrated into decision-making processes across the organization.
• Examining Risk Reporting Mechanisms: Internal audit reviews the organization’s risk reporting mechanisms to assess the quality and timeliness of risk information provided to key stakeholders, including the board and executive management. This involves evaluating the content, format, and frequency of risk reports to ensure they facilitate informed decision-making and accountability.
• Encouraging Accountability and Transparency: Internal audit encourages accountability and transparency in the organization’s risk management practices. This includes evaluating the clarity of roles and responsibilities related to risk management and the transparency of risk-related disclosures in financial reports and other communications to stakeholders.
• Providing Recommendations for Improvement: Based on its assessment, the internal audit provides recommendations for improving the integration of ERM with corporate governance. This may include suggestions for enhancing board oversight, strengthening risk reporting mechanisms, clarifying risk management roles and responsibilities, or improving risk culture and awareness across the organization.

Assessing the integration of ERM with corporate governance helps strengthen risk oversight mechanisms, ensuring that risks are identified, evaluated, and managed effectively at all levels of the organization. Organizations can make more informed and strategic decisions by considering opportunities and threats to achieve their objectives by aligning risk management practices with corporate governance principles. Lastly, integrating ERM with corporate governance enhances stakeholder confidence by demonstrating a commitment to sound risk management practices, transparency, and accountability. By doing so, internal audit plays a critical role in assessing the integration of ERM with corporate governance, ensuring that risk management practices are aligned with the organization’s governance framework and contribute to its overall success and sustainability.

Advising on Improvements to Risk Management Frameworks

Internal audits advise on improving risk management frameworks within organizations. By leveraging their expertise in risk assessment, internal auditors can provide valuable insights and recommendations to enhance the effectiveness and efficiency of risk management processes.

Internal auditors review the organization’s risk management frameworks, policies, and procedures. This involves the following functions:

• Assessing the comprehensiveness and effectiveness of current practices in identifying, evaluating, mitigating, and monitoring risks across various business functions and processes.
• Conducting risk assessments and process evaluations to identify gaps, weaknesses, and areas for improvement in the organization’s risk management frameworks. This may include deficiencies in risk identification, inadequate controls, lack of risk monitoring mechanisms, or inconsistencies in risk reporting practices.
• Benchmarking the organization’s risk management practices against industry standards and best practices. This comparative analysis helps identify areas where the organization may need to catch up or where opportunities exist for adopting leading-edge risk management techniques and methodologies.

Based on their findings, internal auditors provide actionable recommendations to strengthen the organization’s risk management frameworks. These recommendations may include all or some of the following:

• Enhancements to risk identification processes
• Improvements to control design and implementation
• Creation of new or updates to existing risk monitoring and reporting mechanisms
• Updates to risk management policies and procedures

The internal audit function follows up on its recommendations to assess the implementation and effectiveness of proposed improvements to risk management frameworks. This involves monitoring the organization’s progress in addressing identified gaps and verifying whether the recommended changes have been successfully implemented and are achieving the desired outcomes.

Internal audit fosters a culture of continuous improvement by encouraging ongoing reviews and updates to the risk management frameworks. This includes staying abreast of emerging risks, regulatory changes, and industry trends to ensure that risk management practices remain relevant and effective in addressing evolving threats and opportunities.

Organizations can enhance their ability to identify, assess, and mitigate risks effectively, reducing the likelihood and impact of adverse events by identifying and addressing gaps in risk management frameworks. Strengthening risk management frameworks helps organizations comply with regulatory requirements and corporate governance standards, enhancing transparency, accountability, and stakeholder confidence.

Moreover, organizations can optimize resource allocation by streamlining risk management processes and controls to ensure that resources are allocated efficiently to address the most significant risks and opportunities.

Facilitating Risk Awareness and Education Across the Organization

Internal audit is crucial in facilitating risk awareness and education across the organization. Specifically, internal audit designs and delivers training programs to increase awareness of risk management principles and practices among employees at all levels of the organization. These training sessions cover identifying risks, assessing their impact, and implementing mitigation strategies. Internal audits also conduct workshops and seminars to provide employees with in-depth knowledge of specific risk areas relevant to their roles and responsibilities. These sessions often include case studies, interactive discussions, and practical exercises to help employees understand how to manage risks effectively.

Internal audits establish effective communication channels through which information about risks and risk management initiatives across the organization can be disseminated. This may include newsletters, intranet portals, and other communication tools to ensure that employees are informed about the latest developments in risk management. Internal audit organizes awareness campaigns to highlight the importance of risk management and encourage a culture of risk awareness and accountability throughout the organization. These campaigns may involve posters, emails, and other promotional materials to reinforce key messages about risk management.

Internal audit facilitates the sharing of best practices and lessons learned related to risk management by showcasing success stories and highlighting areas for improvement. This fosters a continuous learning and improvement culture, where employees are encouraged to adopt effective risk management practices from other parts of the organization. Internal audits collaborate with human resources, compliance, and legal functions to integrate risk awareness and education efforts into broader organizational initiatives. By working together, these functions can leverage their expertise to develop comprehensive risk management training programs and initiatives.

Internal audit helps cultivate a risk-aware culture where employees are proactive in identifying and managing risks within their areas of responsibility by raising awareness about risks and their potential impact on the organization. Increased knowledge and understanding of risk management principles lead to improved risk management practices across the organization, resulting in better decision-making and, ultimately, enhanced performance and resilience. Lastly, when employees are well-informed about risks and how to mitigate them, the organization is better equipped to prevent incidents and losses, safeguarding its reputation, assets, and stakeholders’ interests.

Collaborating with Risk Management Functions: Roles and Boundaries

Collaboration between internal audit and risk management functions is essential for effective enterprise risk management (ERM). Here we present an overview of how internal audit collaborates with risk management functions, along with the roles and boundaries of the internal audit and risk management functions.

Roles of Internal Audit Functions

Risk Assessment and Assurance

Internal audits conduct risk assessments independently or in collaboration with risk management to identify and prioritize risks. The internal audit function assures the board and senior management of the effectiveness of risk management practices and the adequacy of controls in mitigating risks.

Audit Planning and Execution

The internal audit function develops plans based on risk assessments and collaborates with risk management to align audit objectives with organizational risk priorities. During audit execution, an internal audit examines the design and operating effectiveness of risk management processes and controls.

Independent Review

Internal audit performs independent reviews of risk management activities to ensure compliance with policies, procedures, and regulatory requirements. An internal audit evaluates the reliability and integrity of risk data and the effectiveness of risk monitoring and reporting mechanisms.

Roles of Risk Management Functions

Risk Identification and Assessment

Risk management functions identify, assess, and prioritize organizational risks. They use techniques such as risk registers, risk assessments, and scenario analysis to understand the nature and magnitude of risks and their potential impact on business objectives.

Risk Mitigation and Control

Risk management functions develop and implement risk mitigation strategies and control measures to manage identified risks effectively. They work closely with business units to design controls that address specific risk exposures and monitor the effectiveness of these controls over time.

Risk Reporting and Monitoring

Risk management functions report risk information to senior management and the board. They provide regular updates on risk exposure, emerging risks, and the effectiveness of risk management activities. They also monitor key risk indicators (KRIs) to track changes in risk levels and trends.

Collaboration and Boundaries

Information Sharing

Internal audit and risk management functions share information, insights, and findings to understand risks and controls comprehensively. This collaboration helps avoid duplication of efforts and facilitates a more integrated approach to risk management.

Independent Assessment

While internal audit collaborates with risk management functions, it maintains independence and objectivity in its assessments. Internal audits conduct reviews and evaluations without undue influence from management or other functions to provide impartial assurance to stakeholders.

Specialized Focus Areas

Internal audit focuses on assuring the effectiveness of risk management practices and the adequacy of controls, whereas risk management functions concentrate on identifying, assessing, and mitigating risks to achieve organizational objectives. Collaboration ensures that these complementary roles support overall risk management efforts effectively.

The Evolving Role of Internal Audit in a Risk-Oriented Landscape

As organizations face increasingly complex and dynamic risk landscapes, the role of internal audit in enterprise risk management (ERM) is evolving. At the onset, an internal audit aligns its activities more closely with organizational strategies and objectives. Instead of focusing solely on compliance and financial audits, internal audits integrate risk assessments into their strategic planning processes. By understanding the organization’s strategic priorities, internal audit can tailor its risk assessments and audits to address the most significant risks to achieving those objectives. Internal audits are becoming more involved in the organization’s risk management processes. Rather than functioning as a separate entity, internal audits collaborate closely with risk management functions to ensure the effectiveness of risk management practices. This integration allows internal audits to leverage risk management expertise and better understand the organization’s risk profile.

With the increasing volume and complexity of data, internal audit is leveraging data analytics and technology to enhance risk assessment and audit processes. Data analytics tools enable internal audits to analyze large datasets more efficiently and identify patterns and trends indicative of emerging risks. Additionally, technology such as artificial intelligence and machine learning is being used to automate routine audit tasks and enhance the accuracy and depth of audit findings. Internal audits pay greater attention to emerging risks that may impact the organization’s future performance and resilience. By actively monitoring external trends, regulatory changes, and industry developments, internal audits can anticipate potential risks and advise management on proactive risk mitigation strategies. This forward-looking approach helps the organization stay ahead of emerging threats and opportunities.

Internal audit is improving its communication and reporting practices to ensure that audit findings are effectively communicated to key stakeholders. Instead of relying solely on traditional audit reports, internal audit is adopting more interactive and dynamic reporting formats, such as dashboards and visualizations, to convey complex risk information in a clear and actionable manner. This enhances transparency and enables management to make informed decisions based on audit insights. In a rapidly changing business environment, internal audit embraces agility and adaptability to respond to evolving risks and challenges. Internal audit teams are becoming more flexible, adapting audit plans and methodologies to address emerging risks and changing priorities. By staying nimble, internal audits can effectively support the organization in managing known and unknown risks.

By embracing these changes, internal audits can continue to add value to the organization by providing assurance, insight, and guidance on managing risks effectively in today’s dynamic business environment.