What Is the Relationship Between Governance, ERM, and Internal Controls?
This question comes up quite a lot in discussions. Are they separate, or are they somehow inter-related with fuzzy borders?
I discuss my views here, including my belief that there are what I call fuzzy borders between the three. For example, there are aspects of board operations that are part of the system of internal control (look at the COSO Control Environment layer). There are parts of governance that are part of ERM (such as board approval of risk appetite). Internal control is defined by the IIA as how you manage risk, so it's part of ERM. But risk assessment is one of the layers in the COSO Internal Control Framework.
My view is that Governance is the "boss." It includes ERM and internal control, both of which are required to enable effective governance by the board and top management.
What does this mean for internal auditors?
I believe we should continue to focus on providing assurance on the holistic whole rather than bits and pieces. If not, we are going to point out how individual trees are diseased when the whole forest is dying.
I would appreciate your views (and let's leave "GRC" out of the discussion for the moment — that is a different concept).
Posted on Jun 12, 2011 by Norman Marks