Internal Auditors' Role in Risk Management

Michael Nyhuis
Risk management is a fundamental foundation of any organization's governance, risk and compliance program. With regulatory pressures ever-increasing, the need to take a consistent, efficient and effective approach to risk has never been greater.

A successful risk management program can be attributed to a number of roles ' including chief compliance officer, general counsel risk manager ' but here we explore specifically the role of internal audit.

What responsibility do internal auditors have for risk, and how can organizations ensure that their approach to internal audit supports and reinforces their risk management procedures?

What Is Risk Management?

Risk management ' sometimes referred to as enterprise-wide risk management, or ERM ' can encompass a range of risk control activities. It is used to identify, assess, manage and control risks ' sometimes relating to single projects or very specific risks; sometimes more widely to assess and mitigate risks facing an entire organization.

These risks often relate to regulatory compliance; governance, risk and compliance are intrinsically linked, and with compliance in the spotlight, both within and across industries, compliance risk is often a key focus of the risk management program. The need to measure compliance performance dovetails neatly with the ever-increasing desire for robust, data-driven risk management.

An effective risk management program enables an organization to understand its risk appetite, and take strategic decisions accordingly. It helps leaders to put in place appropriate risk management frameworks and actions, communicate risk information consistently internally, and to put in place ongoing measurement that enables risk mitigation approaches to be refined and fine-tuned.

A robust and comprehensive approach to risk management helps organizations to manage their risks by:

  • Enabling consistent and full reporting of risks.
  • Helping organizations and their boards understand the full range of risks they face, and their implications.
  • Allowing business leaders prioritize risk mitigation actions.
  • Better oversight of risk programs and potential threats.
  • Continuous improvement of risk management programs.
  • An ability to approach business decisions fully informed regarding their potential risk.

What Is the Role of the Internal Auditor in Risk Management?

While the board takes overall responsibility for managing risk, specific tasks and accountabilities tend to be delegated to other roles.

AccountingEdu.org identifies one of the internal auditor's primary roles as the need to 'Evaluate the efficacy of risk management procedures that are currently in place.'

Internal auditors can be responsible for carrying out regular ' annual, in many cases ' assessments of an organization's risk management program, particularly as they relate to regulatory compliance.

The audit compliance report produced forms the basis of continuous improvement, identifying any shortcomings and enabling compliance teams to put in place remedial actions, while developing an effective compliance audit strategy should be a central part of any compliance program.

Having this level of compliance monitoring gives the business assurance that the risks they face are being tackled, and that appropriate steps are being taken to identify and manage the full range of business risks.

Key to this is the ability of compliance and internal audit teams to work together in order to deliver a 360-degree solution to risk assessment and mitigation as they relate to regulatory compliance requirements.

One frequently asked question relates to the distinct roles held by compliance and internal audit teams during this process. If the compliance team is carrying out regular compliance monitoring, why the need for internal audit to duplicate this?

In fact, the roles should be quite different. While the compliance team carries out ongoing measurement of their processes and effectiveness, the audit process is more a snapshot of compliance at a given time; perhaps a once-a-year event that takes an objective and independent look at compliance and risk management.

When it comes to risk, the internal audit function is primarily to give the organization's board and senior leadership assurance that the business is managing risk successfully.

Ideally, this assurance is two-fold: confirming that the organization's biggest business risks are being managed effectively, and that the processes that govern and monitor this are themselves effective.

The internal auditor may also play a consultative role; not just delivering verdicts on the effectiveness of current risk management approaches, but advising on ways to improve them.

Here, certain precautions may be needed to ensure that the auditor remains objective ' more of which below ' as the lines between audit and implementation potentially blur. While advising on best practice risk management processes should cause no issues, auditors who assume any kind of management responsibility for implementing these processes risk conflicts of interest when also reviewing them.

Why Are Internal Auditors Well-Placed to Conduct Risk Management?

In many ways, the internal audit function is ideally placed to lead on risk. Internal auditors have an understanding of risk and its implications on a par with their risk manager colleagues; in fact, they have a comprehensive oversight of all things governance, risk and compliance.

Typically, internal auditors are objective and analytical ' also key competencies for anyone providing impartial assessment. They tend to take a moderate approach to risk, demonstrating neither extremely risk-averse or high-risk behaviors.

Are There Any Risk Management Roles the Internal Auditor Shouldn't Undertake?

There's one key factor to consider when deciding whether your internal audit team should undertake a specific risk management audit task: does it compromise their ability to deliver an objective response?

If the internal auditor is responsible for assessing your risk management processes they should not also play a role in developing these processes. Doing so will obviously create a conflict of interest when reviewing their effectiveness. Similarly, internal auditors who provide assurance on risk management should not also be involved in deciding whether these assurances are adequate.

Implement Effective Internal Audit Processes to Minimize Business Risk

When reviewing risk management processes, it's vital that internal audit is able to access a full picture of current performance, and the procedures in place to manage and respond to the risks identified.

All too often, risk data is collated inconsistently, and obligations not clearly defined ' causing headaches for any auditor trying to build a complete overview. Increasingly, compliance, risk and internal audit teams are turning to compliance software solutions to deliver comprehensive compliance and risk management programs, facilitating implementation, management and monitoring.

Learn more about how Diligent Compliance can help improve your organization's regulatory compliance, risk management and internal audit.
Related Insights
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.