ERM and Internal Audit: The Right Relationship

There is much discussion and debate about how Internal Audit and Enterprise Risk Management (ERM) should be connected.

Some say ERM can be embedded within the internal audit group. I don’t fall into that camp.

Internal audit standards say that internal auditors should be objective and not unduly influenced. In other words, independent. I have to ask myself: can internal auditors be objective and independent if the audit executive is responsible for both audit and ERM?

I don’t think so, which is one reason why I am a firm believer that ERM must be housed separately from Internal Audit within an organization.

The other reason? ERM is about managing risks (and opportunities), working closely with executives and management to identify and prioritize risks so the organization can focus resources where they are needed. And working that closely with management means you can’t be independent.

To be clear, I am not against ERM and Internal Audit sharing information, especially when it comes to the biggest risks to the organization. Internal Audit should use risk information to develop and update their audit plans, to ensure audit resources are being focused appropriately.

After all, it’s not just about operational resources, it is about focusing all of the organization’s resources on the biggest risks.

Internal Audit is tasked with providing assurance that the ERM program is working effectively and that the governing documents are appropriate and current, and with making recommendations for potential improvements. How can they fulfil this requirement if the audit executive (i.e., their boss) also oversees ERM? Talk about a conflict of interest!

Are there ways that ERM and Internal Audit can work together? YES!

  • ERM can reach out to Internal Audit when designing the program, discuss what they plan to do, and request feedback. This way, Internal Audit is making recommendations and has a voice but isn’t responsible for implementing the ERM program.
  • Before any risk workshops, ERM can ask Internal Audit if there are any outstanding concerns from previous audits for a specific area. ERM can bring up those concerns (without mentioning the source) during the workshop to solicit the business area’s thoughts.
  • After the risk assessments and prioritization are completed, ERM can share the results with Internal Audit. These results can be used as input into Internal Audit’s upcoming audit plan or can prompt the business area to solicit Internal Audit’s feedback on the planned action plan.

Some organizations have a hard time finding a risk-minded executive who isn’t the audit executive to oversee ERM. Here are some thoughts on where to turn for finding the right ERM executive:

  • Chief Financial Officer: CFOs automatically think about risk due to their responsibilities for financial statements, budgeting, and Sarbanes-Oxley requirements. They tend to be conservative about risk or naturally focus on financial risks. Therefore, this is a good option for many organizations, especially those with a conservative board or a lot of financial risks.
  • Strategy and planning: Many organizations will have an individual responsible for strategic planning and annual planning. Due to the strong linkages between ERM and Strategy, this person would provide valuable insights and perspective for ERM. However, be careful of a too-narrow focus for how ERM can be integrated throughout the organization.
  • General counsel: Lawyers also automatically think about risk, being very compliance-minded in all of the advice they provide to the organization. A benefit of having General Counsel as head of ERM is the possibility of protecting information under attorney-client privilege. However, be cautious about extremely conservative risk behavior and how it may influence the risk prioritization for the organization.

The key is to make it work for your organization, its executives, and the culture, because every organization is different. The ERM Program must be tailored to fit its needs.

Where is ERM within your organization? How is it working?

Tell me in the comments below or join the conversation on LinkedIn to share your thoughts.

If your organization needs someone to provide a new perspective on the effectiveness of your ERM program and what connection it should have with internal audit, complete the form below to be added to my consulting and coaching waitlist.


10 Comments

  • Carol, our ERM program is headed by an SVP/Risk Management. Internal Audit is a separate department within the ERM group and they report to the Supervisory Committee. The ERM Dept has 12 staff as we also cover Vendor Management, Compliance, Fraud, DR, Security, AML/CTR.

    • Thanks for the information, Mike. Sounds like an interesting set-up with Internal Audit within the ERM group but with Internal Audit not reporting to the SVP/Risk Management.

      And it is awesome that ERM is so involved in the other areas that can greatly impact an organization. That is a whole other blog post topic!

  • ERM is an ‘auditable entity’. That’s why the two should be separate. Internal audit needs objectivity and independence to be able to assess governance/internal controls of the ERM function. Internal audit can, however, as you pointed out, provide advice to ERM; there is an IIA paper on this. Thanks

    • Thanks for commenting, Faraz. Yes, ERM is an auditable entity. And Internal Audit can most definitely provide advice to ERM, while ERM can provide high-level risk information to Internal Audit. A relationship can exist between the two, but I caution organizations against having them under the same department head.

  • Matthew Soo
    June 28, 2018 6:08 pm

    In my health service the ERM team reports to the Quality & Performance Improvement Executive and our outsourced internal audit function reports to the CFO. I had never thought about the potential downsides of having ERM and internal audit under the same executive so this was a useful article as I see many Chief Risk Officers responsible for audit too.

    • Thanks for commenting, Matthew. Considering you are in the health services industry, it makes total sense for you to report to quality and performance improvement. After all, that is managing risk to the company! And since internal audit is outsourced, it is interesting that they report to the function that they audit. Glad you enjoyed the article.

  • Chukwuma Ibe
    June 29, 2018 11:48 am

    I totally share your sentiments. The proper structure is for ERM and Internal Audit to report independently. I still wonder why organizations like fusing the two functions together.

    • It is a mystery to me as well! I tend to think that sometimes, it is the most expedient way to handle things that deal with “risk.” The other reason I hear is that other executives do not know what to do with ERM, so it automatically goes to the person who uses risk as part of what they do. But that does not make it right…

    July 6, 2018 11:08 pm

    I think there is confusion about the two roles; most people think they are one and the same. In most small organizations they don’t handle risk management separately, and it’s an obvious thing for internal audit to be responsible. If internal audit is responsible for ERM, is it ideal to get an independent person to audit the risk management process in the organization?

    • Yes, there is a lot of confusion around this topic. If the organization does have internal audit and ERM under the same department head, I would suggest an outsourced auditor perform the audit on ERM and report it directly to the Audit Chairman or the CEO (with a CC to the head of Internal Audit & ERM). Otherwise, conflicts of interest appear if the external auditor reports to the head of ERM what the findings are without letting others know. Thanks for your question!
