What is the role for a corporation’s internal auditor in the ERM era?

By Michael J. Moody, MBA, ARM

Enterprise risk management (ERM) is becoming more ingrained in the corporate culture of many major corporations. As this occurs, it gains both supporters and detractors within the corporate hierarchy. ERM is, after all, a major change agent in most organizations and, as such, it is bound to "ruffle a few feathers." As a result, people in some corporate functions are having difficulty working with the corporate risk professionals. Much of this friction is caused by a lack of clearly defined roles, frequently leaving lines of authority and reporting relationships unresolved.

In many companies there is the potential for conflict between the internal auditors and those who are responsible for the ERM initiative. The Institute of Internal Auditors (IIA), in an attempt to circumvent any prospective concerns, issued a position statement shortly after COSO released its Enterprise Risk Management—Integrated Framework in 2004. The acknowledged purpose of IIA's statement was "to assist chief audit executives in responding to enterprise risk issues in their organization." Its primary approach was to "suggest ways for internal auditors to maintain the objectivity and independence required by the IIA's International Standards for the Professional Practice of Internal Auditing when providing assurance and consulting services."

It's a black and white issue

IIA's position statement goes into significant detail about what role internal auditors should take regarding a number of specific corporate functions. However, in summary it indicates:

"Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively."

As noted previously, the key here is being able to maintain the internal auditor's independence and objectivity. Specifically, the IIA notes that internal auditors should not undertake:

• Setting the risk appetite

• Imposing risk management processes

• Management assurance on risks

• Taking decisions on risk responses

• Implementing risk responses on management's behalf

• Accountability for risk management

Through the issuance of the position statement, the IIA makes clear that, "Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions."

Not always black and white

While many of the core roles of the internal auditors have remained the same, the March 2011 IIA Research Foundation publication maintains that a division should continue to exist between internal audit and enterprise risk management. "Internal auditors are finding they have important roles in risk management, but there are many roles that internal audit activities are either not ready to pursue or are not proactive in pursuing." They also note that since the financial crisis of 2008, many internal auditors are now less certain about their specific role regarding ERM. The IIA prepared a new white paper titled Internal Auditing Role in Risk Management to provide some input into this situation.

The paper, according to IIA, "examines data from surveys conducted over the past two years and provides analysis and insight" into a variety of risk management-related issues. Among the issues it addresses are:

• The direction chief audit executives receive from audit committees and management

• The risk management activities internal audit is currently performing and those they expect to be performing in the coming years

• Internal auditing's role in identifying and assessing the organization's strategic risks

• The skills internal auditors need to keep pace with evolving roles in risk management

• Opportunities to add greater value to their organization around risk management

There are a number of interesting findings contained in this report, and since most of them are provided from an internal audit/audit committee standpoint, they can offer some excellent feedback for corporate risk professionals. For example, they note that while recent audit committee surveys confirm that risk management is clearly on their radar, the committee "may not have high expectations as to what role internal auditors should play." Less than a quarter of the participating companies have asked internal audit to provide an opinion on the organization's overall risk management process. Nor has the audit committee requested internal auditors to perform specific audits of any components of risk management.

Additionally, however, the study points out that the internal auditors' roles within risk management "are not as high as might be expected, indicating that management may not be aggressively pushing for internal auditing to play a more prominent role in risk management." Overall, the study concludes, "The direction from the top is not building a compelling case for internal auditors to be viewed as an integral part of the risk management success."

Part of the concern regarding internal auditor participation within risk management centers around the level of skills auditors can bring to the risk management process. For the most part, the study points towards a general lack of specific skill sets that center on risk management. However, it points out, "All internal auditors should continue expanding their risk management skills." This expanded scope of knowledge is necessary, the study concludes, since one of the key findings "was that 80% of the respondents expect that the internal auditor's role in risk management will increase over the next five years."


While the lines between risk management and internal audit have blurred, internal auditors, in general, have a pretty good grasp of what their role in enterprise risk management should be. Certainly, just as ERM is still evolving, internal audit's role will no doubt also evolve. Risk management professionals need to realize that, at this point in time, they have been given the primary roles in the enterprise risk management process. However, the final paragraph in the March 2011 white paper should provide little comfort to any risk management professional.

"Now is not the time for chief audit executives to be passive and reactive. Someone will fill the knowledge void within organizations to help advance the risk management efforts. With the head start that most internal audit activities have in terms of training and disciplined risk thinking, this is the time to seize the day and be recognized as a valued and respected part of the organization."

Consider yourself forewarned.