- Educator: Many senior executives don’t understand ERM. The CAE can help them understand and use the COSO ERM framework through periodic education over time. If the CAE chooses to deploy the COSO ERM framework when developing focused audit plans, communicating audit results and making presentations, he or she will educate executives and directors in the various components of ERM.
- Facilitator: ERM requires quality risk assessments. Internal audit can play a lead role within the organization by facilitating risk assessments and formulating risk responses. Internal audit also can play a consultative role when assisting the organization in translating risk assessments into risk responses.
- Coordinator: To the extent that the organization’s ERM solution utilizes a common language and other “enabling frameworks,” internal audit can play a value-added coordination role to ensure consistent deployment across the enterprise. The CAE can be a proponent of a common language.
- Integrator: Internal audit can assist with (a) the collection, analysis and synthesis of risk-related data fed from multiple sources across the enterprise and (b) the reporting of exposures and audit results on an aggregate enterprisewide basis.
- Evaluator: Internal audit can use components of the COSO ERM framework to evaluate risk management, either for the organization as a whole or for a division, subsidiary or unit.
The above roles are consistent with the assurance and consulting activities envisioned by The Institute of Internal Auditors (The IIA) in its definition of internal auditing. The IIA has asserted the following point of view:
Organizations should fully understand that management remains responsible, and internal auditors should provide advice and challenge or support management’s decision making, as opposed to making risk management decisions. The nature of internal auditing’s responsibilities should be documented in the audit charter and approved by the audit committee.
Consistent with the above point of view, The IIA has identified core roles for internal audit in ERM implementation as well as roles that are not appropriate for internal audit. Examples of core internal audit roles include the following:
- Giving assurance on the risk management process
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks
The roles that The IIA has indicated internal audit should not undertake include:
- Setting the risk appetite
- Authoring and dictating the implementation of risk management processes
- Assuming the role of management when providing assurance on risks and risk management performance
- Making decisions on risk responses
- Implementing risk responses on management’s behalf
- Accepting accountability for risk management
In addition, between these two extremes, The IIA has noted that there are other “legitimate internal audit roles,” provided there are appropriate safeguards in place. These roles include:
- Facilitating the identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidating reporting on risks
- Maintaining and developing the ERM framework
- Championing establishment of ERM
- Developing a risk management strategy for board approval
Risk matrix templates are helpful tools for internal audit when facilitating ERM conversations within the organization.
You can read more on this topic in Protiviti’s Guide to Enterprise Risk Management and by exploring these related tools on KnowledgeLeader: