Understanding the Changing Dynamics between ERM & Audit

As is often repeated here and elsewhere, the world is changing at an incredibly fast pace. Even without this year’s coronavirus pandemic, this pace will only accelerate in the years and decades ahead as automation, AI, machine learning, and other technologies continue to develop.

ERM and audit are not immune to this change…

Internal auditors from even 10 years ago, and certainly from before the year 2000, may not recognize where this vital function stands today…ERM was just a fledgling field in the first decade of the 2000s.

While ERM has always taken a holistic view of risks and how they affect different parts of the organization (…as opposed to just considering risk within a single department or business unit), preventing failure has traditionally been its main goal.

In past times, internal audit had a similar purpose by providing assurances to the organization’s governing body that management was properly handling risks, usually in the form of compliance and financial reporting. Auditors would look at processes or certain topics and ask:

  • What risks exist?
  • What controls are in place?
  • Are the controls management says are in place actually there?
  • Are these controls actually being used?
  • Are these controls actually effective?

Like ERM, the traditional focus of internal audit has been on preventing failure rather than ensuring success. Under old ways of thinking, the job of risk managers and internal auditors was to prevent management from taking too much risk.

But in order to remain relevant to the organization’s needs, the focus of ERM and audit must change from a strict value protection role to one of value creation.

The recognition that ERM & audit must change has been around for several years, but change can be hard. As Ray Stasieczko explains:

A company becomes obsolete when they focus on bringing the past to the future instead of bringing the future to the present.

Many recognize the need for this change and have been shifting their thinking about ERM & audit. Several posts on this blog (see here, here, and here) from over the last year or more explore this change in terms of ERM.

For audit, this change in thinking can be traced back to fallout from the 2008 financial crisis where auditors were expected to understand more about risks. The Financial Stability Board issued guidance for internal auditors in 2013 urging a transition from “point-in-time” reporting on controls for a small percentage of risks to reporting on the reliability and effectiveness of the organization’s entire risk appetite framework.

While this represented some progress, it was still “risk-focused” or defensive.

To better serve the organization’s needs, ERM & audit have to think offensively by focusing on objectives and intelligent risk taking.

Rather than preventing failure, consultant Tim Leech explains that the goal of “objective-centric” ERM and audit (Tim’s label) is to:

…generate better information on the true state of retained risk to help senior management and the Board make better resource allocation decisions and drive long-term value creation and preservation.

The Institute of Internal Auditors (IIA) also recently released an updated version of its risk management and control model originally known as the “Three Lines of Defense.” One of the first significant changes with the new model is that it drops “defense” from its title.

Released in 2003, the old model explained that the job of both risk managers and internal auditors was to stop operating managers from taking too much risk.

In a post announcing the new model, IIA President and CEO Richard Chambers explains:

…the increased focus on governance supports both the value creation and protection and deals with both the offensive and defensive aspects of managing risk. This addresses one of the principal criticisms of the Three Lines of Defense model, which is its primary focus on defense.

While the new model retains the “lines” concept because of familiarity, the areas of responsibility are more about what each area does and how they collaborate. These areas include:

  • The Board – Accountability to stakeholders for oversight.
  • Management – Actions, including risk management, for achieving objectives.
  • Audit – Assurance and advice for continuous improvement.

Please note that I am only mentioning this model to illustrate changes in ERM and audit and not to introduce a new process to your organization.

What should the relationship between ERM and audit look like?

In a previous article from nearly three years ago, I discuss the proper relationship between ERM and audit mainly in the context of where the ERM function should reside in the organization’s structure. Many organizations, including ones I was quite familiar with at the time, would house the ERM function within the internal audit group, which was a mistake in my opinion.

In addition to this commentary, the article also dives into ways ERM and audit can work together in developing the risk processes and understanding any concerns audit has about a business unit and ERM’s risk assessments.

The spirit of this arrangement was one of cooperation to ensure an organization’s success.

IIA’s new model formalizes and expands somewhat on this topic when describing what the proper relationship between ERM and audit should look like. From the new Three Lines Standard:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.

The sentence “…independence does not imply isolation” is very instructive. While audit must remain independent in order to fulfill its core role, it must also actively engage with ERM and other areas of the organization.

What is one way to include audit while maintaining their independence?

If your organization has a group (or more than one group) making decisions on strategy or operational matters, internal audit can sit in on these conversations and provide advice and recommendations but not be a ‘voting’ member. What the group decides to do is ultimately up to them, but at least audit’s perspective will have been heard and hopefully factored into the decision(s).

This is just one idea of course.

Based on IIA’s new standard and commentary from thought leaders like Tim Leech and Norman Marks, the need for collaboration between ERM and audit for ensuring the company’s success has never been greater.

In order to play a significant role in the organization going forward, both ERM and audit must expand beyond their “traditional” roles of exclusively averting failure to one of informed risk taking.

With the pace of change happening in today’s world, simply focusing on minimizing and avoiding risks will eventually lead to a company’s downfall – be that within the ERM function or the audit function.

Is your organization’s audit function expanding its focus to include risk taking and not just avoidance?

What other ways can ERM and audit collaborate together to ensure the organization’s success?

Part of the purpose behind articles like this is to prompt discussion to help risk professionals learn methods and ideas they can use in their organization, so please don’t be shy. Share your perspective by leaving a comment below or joining the conversation on LinkedIn.

And if your organization’s ERM and audit functions are struggling to collaborate or shift from a strict risk avoidance mindset, reach out to me to discuss your specific situation today.

Featured image courtesy of Mediensturmer via Unsplash.com

The IIA’s Three Lines Model. Copyright © 2020 by The Institute of Internal Auditors, Inc. (“The IIA”). Used with permission. All rights reserved.


6 Comments

  • Diane S. Baker
    August 13, 2020 4:15 pm

    Thank you Carol for this timely article. We see every day the results of the “disconnect” between auditors and Risk Managers.
    You may have seen the article I submitted yesterday about “Lush”; the British parent company suing a Vancouver man who managed the US and the Canadian divisions without transparency.
    Too often, the firm providing audit services calls themselves Risk Managers when they are not that.

    • Thanks for your comment, Diane. Yes, too frequently auditors call themselves “risk managers” when they should hold themselves independent from managing anything for the organization.

  • Is it good practice for a CAE to be a member of the organization’s executive committee?

    Should ERM and auditors be housed together, both reporting to the CAE?

    • Hello – thank you for your comment and question. To address your first question, yes, the Audit Chief can sit in on any committees and offer advice but not have any voting rights. I reference the IIA in the article, which says “…independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.”

      As to your second question, you can refer to https://www.erminsightsbycarol.com/erm-internal-audit-relationship/. Since CAE needs to remain independent and ERM is inherently part of “management,” the two should remain separate. Also, audit is rear-facing while ERM must be forward-facing in order to be valuable to the organization.

  • Thank You Carol for this informative article. There is no doubt that Auditors need to be fully aligned with the Business and there should be more collaboration with the ERM. At a very basic level, audit should use the ERM Risk Register for audit planning. However, there is always a difference in the approach of both departments, e.g. the way the Audit department identifies the risks, conducts engagement planning/risk assessment, and risk rates the audit observations and reports. Can you please explain how audit can align further in these areas and whether there are any success stories around it?

    • Hi, Farhan. Great questions. Yes, there is certainly a difference in both functions in spite of the need for them to work together. Audit is more of an assurance function to provide advice on how management can improve. Management’s job is to take actions in pursuit of strategic objectives. Audit can be there to ensure management is adequately factoring risks into its decisions and any subsequent actions.

      Many times, Audit focuses on operational risks (more process oriented), and that focus could be what is driving the difference in how Audit and ERM identify risks. If ERM is focused on strategic goals and objectives, there will be a disconnect between the ERM risk register and the Audit Plan. Audit should be focusing on two things: areas that are required to be audited (regulatory and/or legal requirements) and those areas that are of interest or concern by management.
