In July I delivered a webinar on risk-based internal auditing as part of the IIA’s series of free webinars supported by Oracle. This proved to be a popular topic, attracting a good turnout and plenty of questions from the audience. There were too many of these to cover individually during the live webcast, but many had common themes that were worth exploring further. In this, the first of three articles, I will offer additional insight into one of these themes.
Theme one: how do you see internal audit differentiating itself from the responsibilities of the risk management function? What do you consider the relationship to be between the internal audit section and a risk and assurance manager?
These questions, and others of a similar nature, appear to reflect a concern that a risk-based approach to internal audit might cause the role of internal auditors to overlap with the responsibilities of the risk management function.
Although risk management functions are being established in many organisations, their nature varies enormously, as do the labels given to them. The precise nature of the relationship between internal audit and the risk management function, and the effect that this will have on the work to be done by internal audit, will therefore depend very much upon the precise remit of the risk management function and the way in which it operates.
For example, its role might focus on being a centre of excellence for risk management, embracing responsibility for the development of risk management procedures, the provision of training in risk management processes and the co-ordination of reporting on risks. Other risk management functions might have a much wider remit, including some responsibility for the completeness and accuracy of the information in the risk register and providing assurance on the management of key risks. Some of the activities performed when providing this assurance may overlap significantly with those performed by internal audit.
These questions about the interplay of the different roles and the nature of the relationship between internal audit and risk functions must be answered within the context of the individual organisation.
I was asked recently for advice on this topic while providing some one-to-one coaching for a new head of internal audit (HIA). Having met the chief risk officer (CRO) during his first week in office, the new HIA was surprised to learn that there had been no relationship between the CRO and the previous HIA.
Clearly, there must be a relationship between the two functions. International Standard 2050 on Co-ordination springs to mind: “The chief audit executive should share information and co-ordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts.”
Where a risk management function has been established, there is unlikely to be any other provider of assurance with whom the internal audit function has a more important relationship. As the potential for the roles of these two functions to overlap is huge, the potential value of effective co-ordination is also immense. Clarification of the different roles, followed by effective co-ordination of their activities, is therefore essential.
The situation is further complicated by the fact that many of the activities performed within the enterprise-wide risk management process will potentially duplicate activities that might traditionally be performed by internal audit.
A number of organisations have recognised the importance of clarifying the different roles that contribute to the provision of assurance over the management of risks. Many have documented the various responsibilities using what is sometimes called the “three lines of defence” model. Such models typically set out the responsibilities of management and management control functions (the first line of defence), risk management functions (the second line) and internal audit (the third line). Because the roles they depict are specific to each organisation, these models provide a good starting point for defining the particular relationships required between the functions.
My next article, to be published in the week starting 17 September, will focus on some of the specific aspects of the different roles, which were the subject of questions raised by other members of the webinar audience.
Stephen Maycock is a trainer in internal audit and risk management. He delivers a number of the IIA training courses, particularly where these two related disciplines come together.
If you wish to explore these topics in more depth, the IIA offers a range of courses on risk-based internal auditing, the next of which will be held in October. There is a one-day course for internal audit practitioners and a more in-depth two-day course for internal audit managers. These events are also an opportunity to discuss approaches used by other organisations. In November there will also be a new course providing comprehensive practical guidance on “Auditing the ERM framework”.
Click bit.ly/Nk9ySm for more information on these and other IIA courses.