The Role of Internal Audit in Corporate Risk Management
In recent years, the importance of risk management for effective corporate governance has been increasingly recognized. It is imperative that organizations identify all the social, ethical, environmental, financial, and operational risks to which they are exposed and explain how they maintain them at an acceptable level.
At the same time, the use of integrated enterprise risk management frameworks has grown as organizations understand that these frameworks are more effective than less coordinated approaches.
In its assurance and advisory role, internal audit contributes to risk management in a number of ways. In 2002, the Institute of Internal Auditors, United Kingdom and Ireland (IIA) published a position paper on the role of internal audit in risk management [The Role of Internal Audit in Risk Management] in order to explain to its members which roles were acceptable and what precautions should be taken to protect the independence and objectivity of internal audit. This revised position paper replaces the previous one and takes into account recent global developments in risk management and internal audit.
What is business risk management?
Risk management activities serve to identify, assess, manage, and control risks in all situations and for all events. Their scope ranges from single projects or very specific risk categories, for example market risk, to the threats and opportunities facing the organization as a whole. The principles set out in this position paper can serve as a benchmark for the work of internal audit in all forms of risk management.
Enterprise risk management is a structured, consistent, and continuous process operating across the organization, which identifies and assesses risks, decides on the actions to be taken, and reports on the opportunities and threats that affect the achievement of organizational goals.
Responsibility for enterprise risk management
The Board is ultimately responsible for risk management. In practice, the Board delegates the operation of the risk management framework to the senior management team, which is responsible for carrying out the activities. The organization may also have established a separate function, entrusted to specialists, to coordinate and manage the risk management project.
All employees have a role to play in making risk management an organization-wide success, but management has primary responsibility for identifying and managing risks.
Benefits of enterprise risk management
Risk management can decisively help the organization to manage its risks and achieve its objectives. Here are its advantages:
- Better chances of achieving goals.
- Consolidated communication of disparate risks at the Board level.
- A better understanding of the main risks and all their consequences.
- Identification and communication of transversal risks within the company.
- Refocusing attention on the aspects that really matter.
- Fewer surprises or crises.
- Greater willingness to do the right thing right.
- Better chances of making changes happen.
- Ability to accept greater risks for greater benefits.
- More informed risk-taking and decision-making.
Activities involved in the management of company risks
- Formulate and communicate the objectives of the organization.
- Determine the risk appetite of the organization.
- Establish an appropriate internal environment with a risk management framework.
- Identify potential threats to the achievement of objectives.
- Evaluate the risk, i.e., the probability of the event occurring and its impact.
- Select and implement reactions to the risk.
- Implement controls and any other reaction to the risk.
- Inform about risks in a consistent manner at all levels of the organization.
- Monitor and coordinate risk management and its outcomes centrally, and
- Provide assurance that risks are managed effectively.
The role of internal audit in the management of company risks:
Provide assurance on ERM
One of the main tasks of the Board (or its equivalent) is to ensure that risk management processes are functioning properly and that the main risks are kept at an acceptable level.
It is likely that this assurance will come from different sources. Among these sources, assurance from management is fundamental but must be complemented by objective assurance, mainly from internal audit. The other sources are the external audit and the reviews by independent experts. Internal audit normally provides assurance in three areas:
- Risk management processes, both in terms of their design and operation.
- The management of risks classified in the "major" category, including the effectiveness of controls and other risk control measures, and
- The reliability and quality of risk assessment and communication and the status of controls.
The role of internal audit in risk management
Internal audit is an independent activity that provides objective assurance and advice. With regard to risk management, its main role is to provide the Board with objective assurance that risk management is effective. Research has shown that board members and internal auditors agree that the two most valuable internal audit activities for organizations are providing objective assurance that the main risks are well managed and providing assurance that the risk management and internal control framework is functioning properly.
The main questions to be asked in defining the role of internal audit are: does the activity constitute a threat to the independence and objectivity of internal auditors, and can it improve risk management, organizational controls, and governance?
Main roles of internal audit in the risk management process:
• Provide assurance on risk management processes.
• Provide assurance that risks are properly assessed.
• Evaluate risk management processes.
• Evaluate the communication of major risks.
• Examine the management of the main risks.
Legitimate roles of internal audit, subject to taking the necessary precautions:
• Facilitate the identification and assessment of risks.
• Support management in its reaction to risks.
• Coordinate risk management activities.
• Consolidate risk reporting.
• Update and develop the risk management framework.
• Promote the implementation of risk management.
• Develop a risk management strategy to be validated by the Board.
Roles that internal audit should not play:
• Define risk appetite.
• Define risk management processes.
• Provide management's assurance on risks.
• Decide on how to react to risks.
• Implement risk control measures on behalf of management.
• Take responsibility for risk management.
Internal audit can provide consulting services that improve governance, risk management, and controls within an organization. The extent of the advisory activity of the internal audit within the framework of risk management will depend on the resources, internal and external, available to the Board, and on the maturity of the organization in terms of risk.
It can vary over time. Due to its expertise in the field of risk management, its understanding of the relationships between risks and governance, and its facilitation capacities, internal audit is ideally placed to promote risk management, or even to lead a risk management project, especially during the early stages.
As the organization matures in terms of risk, and as risk management becomes more deeply rooted in its activities, this role of the promoter will become less important. Likewise, if an organization uses the services of a specialist, or a specialized function, in risk management, it will be more interesting for internal audit to focus on its role of assurance, rather than providing redundant advice.
However, if internal audit has not yet adopted the risk-based approach that its assurance work represents, it is probably not yet equipped to carry out advisory work.
In all cases, internal auditors must take precautions to preserve their independence and objectivity. Here are some of the advisory roles internal audit can perform:
- Provide management with the tools and techniques used by internal audit to analyze risks and controls.
- Promote the introduction of risk management in the organization, taking advantage of its know-how in risk management and controls and its overall knowledge of the organization.
- Provide advice, facilitate work in workshops, support the organization on the issue of risks and controls, and promote the development of a common language, framework, and design.
- Centralize the coordination, monitoring, and communication of risks, and
- Support line management when it seeks to identify the best way to mitigate risk.
In deciding whether consulting services are compatible with the assurance role, it is imperative to determine whether the internal auditor would have managerial responsibility.
In the case of risk management, internal audit can provide consulting services insofar as it does not take part in managing risks, that is to say, where it does not have a management function, and to the extent that the company's management supports risk management and is actively committed to it.
Whenever internal audit helps the management team to implement or improve risk management processes, its work plan should include a clear strategy and timeline for transferring these responsibilities to the management team.
Internal audit can extend its participation in risk management, under certain conditions:
- It should be clear that top management remains responsible for managing risk.
- The nature of the internal audit responsibilities must be recorded in the audit charter and validated by the Audit Committee.
- Internal audit should not manage risk on behalf of management.
- Internal audit should advise, challenge, or on the contrary, support the decisions of management, but in no case itself make decisions regarding risk management.
- Internal audit cannot provide objective assurance on any aspect of the risk management framework for which it is itself responsible. Such assurance must be provided by other qualified parties.
- Any task outside the scope of assurance activities must be treated as an advisory engagement, which requires compliance with the Standards governing this type of engagement.
Qualifications and knowledge
Internal auditors and risk management specialists share certain knowledge, skills, and values. These two professions understand the imperatives of corporate governance, have management, analytical and facilitation skills, and are committed to balancing risks, as opposed to extreme risk-taking or, on the contrary, avoidance behaviors.
However, risk management specialists report only to the organization's management and do not have to provide independent and objective assurance to the audit committee. Internal auditors looking to expand their role in risk management should also not underestimate the specialized knowledge of risk managers (e.g., on risk transfer or quantification and modeling techniques), which is usually beyond the knowledge of most internal auditors.
Any internal auditor who cannot demonstrate the appropriate qualifications and knowledge should refrain from participating in risk management. In addition, the chief audit executive should not provide consulting services in this area if the required qualifications and knowledge are not available within the internal audit function, and if it is not possible.
Risk management is a fundamental element of corporate governance. Management must establish a risk management framework and make it work at the request of the Board.
Enterprise risk management can be very useful in many ways because of its structured, coherent, and coordinated approach. In the context of risk management, the essential role of internal audit must be to provide management and the Board with the assurance of the effectiveness of risk management. When internal audit extends its activities beyond this central role, it must take certain precautions, and in particular, treat the missions as consulting services, and therefore comply with all the related Standards.
Internal audit thus protects the independence and objectivity of its assurance services. In this context, risk management can help raise the profile and enhance the effectiveness of internal audit.
Author: Vicki Lezama