The IIA Takes a Stand on ERM

The Institute issues its position regarding internal auditing's role in enterprise risk management efforts.

In conjunction with the newly released Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework, The Institute of Internal Auditors (IIA), in coordination with its institute The IIA-UK and Ireland, has issued a position statement on The Role of Internal Audit in Enterprise-wide Risk Management. Intended to assist chief audit executives (CAEs) in responding to enterprise risk management (ERM) issues within their organizations, the paper suggests ways for internal auditors to maintain the objectivity and independence that is required by The IIA's International Standards for the Professional Practice of Internal Auditing when providing assurance and consulting services. Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities, which will help ensure key business risks are being managed appropriately and that risk management and internal control frameworks are operating effectively.

Recommended Roles

The main factors CAEs should consider when determining the internal audit function's role are whether the activity raises any threat to their independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes. A range of ERM activities and the roles an effective internal audit function should, and should not, undertake with regard to those activities are included in The IIA's position:

Core internal audit roles in regard to ERM.
  • Giving assurance on the risk management processes.
  • Giving assurance that risks are correctly evaluated.
  • Evaluating risk management processes.
  • Evaluating the reporting of key risks.
  • Reviewing the management of key risks.
Legitimate internal audit roles with safeguards.
  • Facilitating identification and evaluation of risks.
  • Coaching management in responding to risks.
  • Coordinating ERM activities.
  • Consolidated reporting on risks.
  • Maintaining and developing the ERM framework.
  • Championing establishment of ERM.
  • Developing risk management strategy for board approval.
Roles internal auditing should not undertake.
  • Setting the risk appetite.
  • Imposing risk management processes.
  • Management assurance on risks.
  • Taking decisions on risk responses.
  • Implementing risk responses on management's behalf.
  • Accountability for risk management.

The Institute emphasizes that organizations should fully understand that management remains responsible for risk management. Internal auditors should provide advice and challenge or support management's decision making, as opposed to making risk management decisions. The nature of internal auditing's responsibilities should be documented in the audit charter and approved by the audit committee.

Because most internal auditors have a good understanding of corporate governance requirements, they can offer significant value to management by providing views on a healthy balance of risk. According to The IIA, those auditors who cannot demonstrate independent and objective services should refrain from undertaking work in the area of risk management.

To access the complete position statement, The Role of Internal Audit in Enterprise-wide Risk Management, and other COSO ERM related resources, visit The IIA Web site.

© 2010 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org