- Assurance on the effectiveness of governance, risk management, and internal control,
- Advisory services for improvement for the risk management processes (RMP).
Clearly, internal auditing plays a very important role in improving the maturity of risk management with respect to effective risk management, including:
- Raising the profile of risk in organizational decision-making and planning at all levels.
- Providing training and guidance to other managers and staff.
- Making recommendations for improvement to risk-based controls.
- Keeping up-to-date with the latest thinking and serving as a source of risk expertise for the organization.
- Ensuring risk management is consistent and well-coordinated on an enterprise-wide basis.
- Providing assurance on risk management and its processes.
- Reporting on the level of operational risk as part of routine audit work.
- Championing risk and advocating enhanced risk maturity.
- Leading risk identification workshops.
- Providing practical tools that may assist risk management processes.
- Providing training for audit committees and management on all aspects of risk.
- Offer consulting services in support of those charged with risk management.
- Evaluate strategic risk management by determining whether strategic risks are known, responded to appropriately, and monitored accordingly.
- Develop the expertise of the internal audit function to maximize its competency in risk.
- Supplement risk-related skills of the internal audit team (as required) by drawing upon third- party support.
As enterprise-wide risk management becomes established in organizations, the internal audit activity can progress from being risk-based to being ERM-based. It important for audit planning to be ERM-based rather than simply risk-based.
The chief audit executive (CAE) is responsible for developing a risk-based plan.
- The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.
- The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
- With an effective, integrated, enterprise-wide approach to risk management, internal audit no longer needs to identify the risk universe.
- Management takes on that responsibility, and the internal auditors adopt it as the basis for describing the internal audit universe (the summation of all possible internal audits).
- The audit universe will normally be influenced by the results of the risk management process. The CAE prepares the internal audit activity’s audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization. Of course, this assumes the internal auditors are confident about the ERM processes used to develop the risk universe.
- ERM can help identify and prioritize the risks that may then direct risk-based audit planning. However, to maintain its independence and objectivity, the internal audit activity must never be wholly dependent on ERM, and the internal auditors must exercise their own judgment about internal audit priorities.
Internal audit draws upon ERM for its risk-based approach.
The internal auditors are responsible for assessing enterprise risk management—which is part of the risk universe—and providing assurance on it.