00:00:03 The IIA
Hello, welcome to Getting Started With, where our job is to make your job easier.
00:00:09 The IIA
On this episode, we're getting started with Enterprise Risk Management 101 for internal auditors.
00:00:15 The IIA
In this video, you'll learn what enterprise risk management is, why it matters, and how it connects to the work of internal audit.
00:00:23 The IIA
So let's get started.
00:00:26 The IIA
Think about a ship's captain crossing the ocean.
00:00:29 The IIA
They're not just watching one wave.
00:00:30 The IIA
They're tracking the weather ahead, the depth of the water below, the fuel levels, the crew's schedule, and a dozen other things at once.
00:00:39 The IIA
If they only focused on what was directly in front of them, they'd miss the storm building on the horizon.
00:00:44 The IIA
That's what enterprise risk management is all about.
00:00:47 The IIA
It's the process an organization uses to see the full picture of what could go wrong and what opportunities it might be missing, so it can make smarter decisions.
00:00:58 The IIA
Here's our first term to learn: Enterprise Risk Management, or ERM.
00:01:03 The IIA
The Global Internal Audit Standards define risk management as a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
00:01:17 The IIA
When that process happens at the scale of the whole organization, across every department, every function, every level of the business, that's enterprise risk management.
00:01:28 The IIA
In plain terms, ERM is how an organization keeps its eyes open to everything that could knock it off course, and then does something about it.
00:01:37 The IIA
ERM is management's job.
00:01:40 The IIA
It's the organization's leadership, the board, senior management, and the people responsible for risk functions who own the ERM program.
00:01:48 The IIA
They set the strategy.
00:01:50 The IIA
They identify the risks.
00:01:51 The IIA
They decide what to do about them.
00:01:54 The IIA
So where does internal audit fit in?
00:01:56 The IIA
Internal audit provides independent assurance that the ERM program is working.
00:02:01 The IIA
We're not the ones running the ship.
00:02:03 The IIA
We're the ones checking whether the navigation system is reliable.
00:02:07 The IIA
That distinction matters a lot, and we'll come back to it.
00:02:11 The IIA
Why ERM matters to internal auditors comes down to Standard 9.1, understanding governance, risk management, and control processes.
00:02:20 The IIA
The Global Internal Audit Standards are clear on this point.
00:02:23 The IIA
Standard 9.1 requires that the chief audit executive must understand the organization's governance, risk management, and control processes in order to develop an effective internal audit strategy and plan.
00:02:36 The IIA
That means ERM isn't background knowledge.
00:02:39 The IIA
It's foundational.
00:02:41 The IIA
If you don't understand how the organization identifies and manages risk, you can't build a meaningful audit plan.
00:02:47 The IIA
You won't know which risks are most significant, which areas to prioritize, or where the gaps in coverage might be.
00:02:54 The IIA
ERM is the wide-angle lens through which internal audit sees the entire organization.
00:03:00 The IIA
Here's another term to learn: risk appetite.
00:03:04 The IIA
The standards define risk appetite as the types and amount of risk that an organization is willing to accept in the pursuit of its strategies and objectives.
00:03:13 The IIA
In plain terms, it's the organization's answer to the question, how much risk is too much?
00:03:19 The IIA
Every organization has a different risk appetite.
00:03:22 The IIA
A startup might be willing to take big risks to grow fast.
00:03:25 The IIA
A hospital might have an extremely low appetite for risks involving patient safety.
00:03:31 The IIA
Internal auditors need to understand where the organization has drawn those lines, because that's what gives us context when we evaluate whether risks are being managed appropriately.
00:03:42 The IIA
ERM isn't a one-time event.
00:03:44 The IIA
It's an ongoing cycle.
00:03:46 The IIA
Organizations continuously identify risks, assess how significant they are, decide how to respond, then monitor whether those responses are working.
00:03:56 The IIA
Think of ERM like the gauges on a car dashboard.
00:03:59 The IIA
The driver doesn't check the fuel gauge once at the start of a road trip and then forget about it.
00:04:04 The IIA
They keep an eye on it throughout the journey.
00:04:06 The IIA
If a warning light comes on, they respond.
00:04:10 The IIA
ERM works the same way.
00:04:11 The IIA
The organization is always monitoring, always adjusting.
00:04:16 The IIA
When organizations identify and assess risks, they typically think across four key risk categories.
00:04:23 The IIA
Strategic, operational, financial, and compliance.
00:04:28 The IIA
Strategic risks relate to the organization's overall direction and goals.
00:04:32 The IIA
Operational risks relate to processes, people, and systems.
00:04:37 The IIA
Financial risks involve financial reporting, liquidity, and asset protection.
00:04:43 The IIA
And compliance risks relate to laws, regulations, and internal policies.
00:04:49 The IIA
The Global Internal Audit Standards highlight all four of these areas as key risk categories internal auditors should consider.
00:04:57 The IIA
Let's learn one more term: risk tolerance.
00:05:00 The IIA
The standards define risk tolerance as acceptable variations in performance related to achieving objectives.
00:05:07 The IIA
If risk appetite is the organization's general comfort level with risk, risk tolerance is more specific.
00:05:14 The IIA
It's the wiggle room.
00:05:16 The IIA
How much can actual performance vary from the plan before someone needs to escalate it?
00:05:21 The IIA
In plain terms, risk appetite sets the boundary, and risk tolerance tells you how close to the edge you're allowed to get.
00:05:28 The IIA
Internal auditors need to know both concepts because they help us evaluate whether management is operating within the limits the board has approved.
00:05:38 The IIA
Not all ERM programs are created equal.
00:05:41 The IIA
Some organizations have a formal, well-documented risk management framework with a chief risk officer, a risk register, defined risk owners, and regular reporting to the board.
00:05:53 The IIA
Others are at an earlier stage where risk conversations happen informally and there's no centralized structure.
00:06:00 The IIA
As an internal auditor, one of your first jobs is to understand the maturity of the ERM program you're working with.
00:06:06 The IIA
The standards require the chief audit executive to assess the maturity of the organization's risk management processes.
00:06:13 The IIA
A more mature program gives you more to rely on.
00:06:16 The IIA
A less mature one may require more caution and more original work by the audit team.
00:06:23 The IIA
Here's a pro tip.
00:06:24 The IIA
Don't assume the presence of a formal ERM program means the program is effective.
00:06:29 The IIA
Your job is to evaluate whether it's working, not just whether it exists.
00:06:35 The IIA
A well-documented program that nobody follows is just paperwork.
00:06:39 The IIA
Look for evidence that risk owners are active, that risk assessments are being updated, and that the results are influencing decisions.
00:06:48 The IIA
There are three distinct ways internal audit engages with ERM, and it's important not to confuse them.
00:06:54 The IIA
First, internal audit uses ERM information to build the audit plan.
00:06:59 The IIA
The chief audit executive reviews the organization's risk assessments, risk registers, and risk appetite statements to understand where the significant risks are.
00:07:09 The IIA
In fact, Standard 9.4 requires that the internal audit plan be based on a documented assessment of the organization's strategies, objectives, and risks.
00:07:20 The IIA
So ERM isn't just useful context.
00:07:22 The IIA
It's the foundation the plan has to be built on.
00:07:26 The IIA
Second, internal audit evaluates ERM.
00:07:29 The IIA
Internal auditors assess whether the governance, risk management, and control processes are effective.
00:07:36 The IIA
And third, internal audit does not replace ERM.
00:07:40 The IIA
If internal auditors start managing risks on behalf of the organization, they lose their objectivity.
00:07:46 The IIA
The standards are clear.
00:07:48 The IIA
It is not internal audit's responsibility to resolve the risk.
00:07:52 The IIA
Our job is to report on it.
00:07:54 The IIA
Here's a bright idea.
00:07:55 The IIA
Map your audit plan directly to the organization's risk register to make the connection between audit work and organizational risk visible to stakeholders.
00:08:05 The IIA
When stakeholders can see that each audit engagement connects to a specific identified risk, it makes the value of internal audit much clearer.
00:08:13 The IIA
It also helps the chief audit executive explain to the board why certain areas were prioritized and others weren't.
00:08:20 The IIA
It transforms the audit plan from a list of projects into a strategic response to the organization's risk landscape.
00:08:29 The IIA
When internal audit formally evaluates an ERM program, there are several key questions internal auditors ask.
00:08:36 The IIA
Are significant risks identified and assessed?
00:08:39 The IIA
Are risk owners clearly assigned?
00:08:42 The IIA
Do risk responses align with the risk appetite?
00:08:46 The IIA
Is the board receiving timely and accurate risk information?
00:08:50 The IIA
And are new and emerging risks being captured?
00:08:53 The IIA
The standards also remind us to consider risks that cross multiple business units, like fraud, technology, and third-party risk, because these can be easy to miss when each department is only looking at its own slice of the organization.
00:09:08 The IIA
Here are some common ERM weaknesses to watch out for.
00:09:12 The IIA
Risks identified but never assigned an owner.
00:09:15 The IIA
A risk register not updated regularly.
00:09:19 The IIA
Risk appetite not formally defined by the board.
00:09:22 The IIA
ERM operating in silos with no enterprise-wide view.
00:09:27 The IIA
And management accepting risks that exceed the appetite without escalating.
00:09:32 The IIA
That last one carries real weight.
00:09:35 The IIA
Standard 11.5 of the Global Internal Audit Standards requires the chief audit executive to communicate unacceptable levels of risk.
00:09:43 The IIA
If management isn't escalating, internal audit may need to.
00:09:48 The IIA
One more term before we wrap up.
00:09:50 The IIA
Residual risk.
00:09:52 The IIA
The standards define residual risk as the portion of inherent risk that remains after the management actions are implemented.
00:09:59 The IIA
In plain terms, it's what's left over after the organization has done everything it plans to do about a risk.
00:10:05 The IIA
If the controls are working, residual risk should be lower than the inherent risk.
00:10:10 The IIA
If residual risk is still above the organization's risk tolerance, that's a problem worth flagging.
00:10:16 The IIA
Internal auditors often look at residual risk to evaluate whether the controls in place are making a meaningful difference.
00:10:24 The IIA
Thanks for watching Getting Started with Enterprise Risk Management 101 for Internal Auditors.
00:10:30 The IIA
Next, check out our episodes on Getting Started with Third-Party Risk and Getting Started with the Audit Plan, which both connect directly to what we covered today.
00:10:40 The IIA
You can find these and other helpful resources, including tools, podcasts, and training, at the links below.