Embedding Enterprise Risk Management Into the Internal Audit Process
Internal auditors can add strategic value to their organizations' ERM programs by synchronizing ERM and internal audit work, helping develop the ERM strategy, and giving proactive advice while being flexible and responsive.
JENNIFER F. BURKE, CPA, CRP, CFS
EXECUTIVE, CROWE HORWATH LLP
Internal auditors are increasingly relied upon to support the enterprise risk management (ERM) process in their organizations. The relationship between internal auditing and ERM is critical; unfortunately, the internal audit approach and the ERM process are not always in sync. Internal auditors often are at a more advanced stage in the risk assessment evolution than the organization as a whole. To be a catalyst for effective ERM, internal auditors must learn to embed ERM concepts into the internal audit process.
A BRIEF HISTORY OF ERM
In response to a need for principles-based guidance to help organizations design and implement effective enterprisewide approaches to risk management, The Committee of Sponsoring Organizations (COSO) issued the Enterprise Risk Management-Integrated Framework in 2004. The framework defines essential components, discusses key principles and concepts, suggests a common language, and provides clear direction and guidance for ERM. COSO defines its ERM framework as "a process, effected by an organization's board of directors, management, and other personnel, that is applied in strategy setting and across the enterprise. The goal of ERM is to provide reasonable assurance regarding the achievement of organizational objectives by identifying events that may affect the organization and managing risk to be within the organization's risk appetite."
ERM isn't just another theoretical guide, however. Once integrated into an organization's processes, ERM can provide enhanced capabilities to:
- Align risk appetite and strategy.
- Link growth, risk, and return.
- Enhance risk response decisions.
- Minimize operational surprises and losses.
- Identify and manage cross-enterprise risks.
- Provide integrated response to multiple risks.
- Seize opportunities.
- Rationalize capital.
But before an organization can move toward implementing ERM, roles and responsibilities need to be defined.
ERM RESPONSIBILITIES
Everyone in an organization is responsible for ERM. While management is accountable to the board, which provides governance, guidance, and oversight, management owns the ERM system and sets the tone. The chief executive officer is ultimately responsible for ERM efforts, but the risk officer works with other managers in establishing and maintaining risk management in their areas of responsibility. Internal auditors are responsible for monitoring ERM and quality of performance as part of their regular duties.
Internal auditing needs a process, based on The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), to evaluate the effectiveness of risk management in organizations. The IIA also issued a document, "FAQs for COSO's Enterprise Risk Management-Integrated Framework," which answers the questions, "What is the role of internal auditors in enterprise risk management? How will this framework help them?" This document includes the diagram in Figure 1, which illustrates the variety of roles internal auditing can assume regarding ERM. As Figure 1 illustrates, there are five core roles internal auditing can play in the ERM process:
- Giving assurance on the risk management process.
- Giving assurances that risks are correctly evaluated.
- Evaluating risk management processes.
- Evaluating reporting of key risks.
- Reviewing management of key risks.
Figure 1: Internal auditing's role in ERM
Beyond the five core roles, there are seven additional roles internal auditing can assume to add value to the ERM process:
- Facilitate identification and evaluation of key risks.
- Coach management in responding to risks.
- Coordinate ERM activities.
- Consolidate reporting on risks.
- Maintain and develop the ERM framework.
- Champion establishment of ERM.
- Develop an ERM strategy for the board.
Conversely, there are six ERM roles that would impair internal auditing's independence because they amount to taking on a managerial role in the ERM process. Internal auditing should not:
- Set risk appetite.
- Impose risk management processes.
- Provide management assurance on risks.
- Make decisions on risk responses.
- Implement risk responses on management's behalf.
- Accept accountability for risk management.
Internal auditing can perform the core roles illustrated in Figure 1 through assessing the adequacy of the ERM process. This can be accomplished by reviewing whether and how management performs the key elements of the process.
HOW INTERNAL AUDITING CAN EXECUTE ON ERM ROLES
As Figure 2 illustrates, ERM is closely tied to the COSO Internal Control Framework, which includes eight components, five of which are the same as, or closely related to, those of the Enterprise Risk Management-Integrated Framework. This contributes to the ability of internal auditing to incorporate a number of the ERM concepts into the internal audit approach. According to Andrew Jackson, a member of the Project Advisory Council to COSO, "We view the ERM Framework as a turbo-charged or deluxe version of Internal Control-Integrated Framework."
Figure 2: Framework overview
As Figure 3 shows, there are five major components of an effective ERM process: analyzing risk, developing a strategy, implementing a strategy, auditing the process, and communication. Internal auditing can play a significant role in each of these components of the ERM process.
Figure 3: The ERM process
Risk Analysis
Internal auditing can facilitate identification and evaluation of key risks by leveraging internal audit risk assessments, facilitating the development of management's risk model, and assuring ownership by management. During this phase, internal auditors can assist management in documenting, sourcing, and understanding the magnitude of each risk. Internal auditing performs its own independent risk assessment in the preparation of the annual plan, and as a part of the plan's preparation, internal auditors identify internal environmental factors (e.g., tone at the top), facilitate identification of key risks and processes, including nontraditional risks, and create a risk model. Figure 4 presents an example of a risk model for a financial institution.
Figure 4: Sample ERM risk model for financial institutions
This independent risk assessment is similar to the processes management will cover in the analysis phase of the ERM process. Therefore, internal auditing can independently validate management's process of analyzing risk without performing significant additional work because the annual planning process involves a similar analysis.
Developing and Implementing a Strategy
Although developing and implementing a strategy represent two components in the ERM diagram (Figure 3), these steps go hand-in-hand. As management develops its ERM strategy, internal auditors can assist in the process. For example, internal auditing may encourage leadership from the top and review strategic objectives. Auditors also can assist in developing standards and process flow documentation, facilitate setting risk appetite and tolerance levels, and assist process owners in understanding, assessing, designing, and documenting controls. At this point, internal auditors can help develop a common risk language and coach management in risk response. Given that internal auditors, by definition, are experts in the risk assessment process and see risks across the entire organization throughout the audit process, they are uniquely positioned to provide an independent validation of the risks identified by management.
Auditing the Process
Internal auditing can use risk assessment results to help develop a plan and perform oversight to provide recommendations on how to further manage risks. During audits, auditors should incorporate a validation of the risks identified in the business line, the manager's understanding of those risks, and the impact of those risks on achievement of organizational strategies. Internal auditing also can assess the effectiveness of managing risks in the business line and the accuracy of the reporting of those risks. Another key role internal auditing performs through the execution of the audit is assessing the adequacy of the control activities in light of continually changing risks.
Communication
Communication is an essential part of any process. Although the board, management, and internal auditing should be communicating throughout the entire ERM process, it's especially important for internal auditors to communicate the audit results to participants and other stakeholders throughout the organization. This promotes awareness of risk management, including the strategies used to manage risks and who owns each risk. Auditors also should facilitate communication with the audit committee, external auditors, and executive management on risks and provide monitoring feedback on the risk process.
EMBEDDING ERM INTO THE INTERNAL AUDIT PROCESS
By simply including a few ERM concepts in their audits, internal auditors can play a key role in the ERM process. Examples of how internal auditing can embed ERM into each audit phase include:
- Annual Planning:
  - Compare internal auditing's evaluation of business risk and the changing landscape to the ERM risk identification process.
  - Tie the internal audit plan to the organization's strategies identified through the ERM process.
  - Use the ERM risk assessment to validate the completeness of internal auditing's risk identification process.
  - Use the audit universe identified by internal auditing to validate the completeness of the ERM risk universe.
  - As the audit plan is modified due to changes in the risk environment or other factors, determine whether the ERM process also reflects these changing risks.
- Audit Execution:
  - Build a review of the risks assessed by management into the line of business audits and validate the completeness and accuracy of those risks.
  - Review the line of business strategy and its link to corporate strategy, and report on any disconnects.
  - Evaluate management's understanding of the line of business risks and their link to the successful achievement of the overall strategy.
- Internal Audit Reporting and Communication:
  - Tie risk-based audit report results to ERM risks.
  - Compare risks identified by internal audit to risks reported through the ERM process.
  - Communicate any ERM inconsistencies identified through the internal audit process to management, the audit committee, and the board.
Adding these simple steps throughout the internal audit process can significantly enhance internal auditing's role in ERM and will more closely align internal auditing with an organization's strategies.
TYING IT ALL TOGETHER
There are numerous wins for internal auditing in the ERM process besides the obvious benefits ERM brings to an organization as a whole. Partnering with management to implement a successful ERM process builds department credibility, increases the department's visibility and profile, and showcases internal auditing's expertise in understanding and assessing risk.
A successful ERM process also offers greater alignment of the audit plan with organization objectives and provides a more robust risk assessment process, which assists the organization in avoiding regulatory criticism. To meet the challenge, internal auditors need to synchronize ERM and internal audit work, assist in developing the ERM strategy, and seize the opportunity to give proactive advice while being flexible and responsive.