Risk: A Complementary Approach

COSO’s Enterprise Risk Management–Integrating With Strategy and Performance, helps management identify risks to the organization’s success, providing a top-down view of enterprise risks. While management is responsible for this process, the board of directors provides oversight of the organization’s risk management.

Internal audit functions can enhance their value proposition by ensuring risk assessment activities are integrated with their organization’s ERM program. With an ERM program, an organization’s risks are assessed and monitored. Management can identify the risks to the company’s strategy and objectives by assessing factors such as the probability of the identified risk occurring and what that impact will be, and determining the top risks that could prevent the organization from meeting its stated goals. Management further assesses these factors to determine which risks the organization is willing to accept and the process of managing the risks within its defined risk appetite.

Organizations strive to increase their value. To that end, the internal audit function provides objective assurance, insight, and advice to protect and increase said value. However, the pursuit of organizational value does not occur in a vacuum. Risk dynamics are constantly influencing this pursuit. Hence, the internal audit function should holistically consider these risk elements and ensure alignment with the ERM program. This includes the entire audit cycle from its own risk assessment phase to board reporting. Taking a more holistic approach will help internal audit better prioritize risks to the company and provide valuable risk-based assurance across the highest risk business areas.

Alignment With ERM Through the Audit Cycle

Internal audit functions can align their activities to ensure their risk coverage complements ERM risks in three key areas.

Risk Assessment Aligning the internal audit risk assessment strategy to the ERM process means leveraging the results of the latter as a factor of the internal audit risk assessment approach. This includes using the same risk definitions and terms to ensure internal audit and senior executives are on the same page. The outcome of the risk assessment process and the audit plan is thus positioned to be an evaluation of the organization’s ability to deliver on its set objectives.

Internal audit should strive to adopt a dynamic risk assessment process. In this approach, internal audit continuously monitors the company’s operations in real time to identify changes to risks that may require immediate attention. This approach can increase internal audit’s responsiveness to changing risk conditions by making the audit plan more agile. Aligning the internal audit risk  assessment strategy to ERM also has benefits for internal audit, such as:

It becomes easier to highlight value to audit clients because processes and controls are assessed in conjunction with the viewpoint of business leaders who created them.

Business leaders embrace internal audit as their eyes on the ground and are more likely to buy into its value proposition when audit engagements clearly align with processes that leaders consider critical to success.

Performing a completeness check of the company’s risk register calls out additional risks, determines whether risks have been considered by business leaders, and considers whether they will provide insight into emerging risks.

Audit Execution When assessing risks at the audit project level, each risk should also be mapped to an enterprise risk. For example, in Company ABC, the top ranked enterprise risks include cybersecurity (ranked first) and culture (ranked fifth). When executing an audit for human resources, risks related to the hiring process and access to payroll systems may be respectively mapped to the culture and cybersecurity risks.

This provides another opportunity for a completeness check. The inability to link a process-level risk to enterprise-level risk could be an indicator of a risk that senior executives may not have considered or an emerging risk. However, it also could indicate the risk is not as impactful at the enterprise level and that audit resources should be reassigned to a risk that is more aligned with business objectives. This audit approach is more likely to be embraced by business teams and produce high-quality findings that management perceives as adding value to the company. 

Audit Reporting The International Standards for the Professional Practice of Internal Auditing requires communications be clear and concise. The Standards specify that “clear communications are easily understood and logical” while “concise communications are to the point and avoid unnecessary elaboration.”

Where opportunities exist, aligning the reporting process to ERM can improve the clarity and conciseness of audit reports and provide more effective communication with stakeholders. This can enable internal audit to incorporate valuable insight and foresight that directly address the most important risks to their companies. For example, audit reports may include a summarized table of audit findings showing alignment to the enterprise risk as a simple yet effective visual for business leaders.

Enterprise risk rankings also could be factored into the audit findings rating and impact the overall audit report rating. Also, reports to the board should include visuals and analyses of audit issues mapped to enterprise risks across the audit plan. This can communicate how the audit findings directly impact the company’s ability to achieve its stated objectives and is more likely to resonate with the board.

A Top-down Assessment

Organizations need to create and consistently increase value for their stakeholders. To help them, internal audit needs a holistic approach that aligns with the ERM program. This approach can enable a top-down assessment of the organization’s risks that is linked to a relevant audit plan and a complete perspective in executing audit projects. In doing this, internal audit can enhance the value of its assurance by providing a more relevant view of the organization’s ability to meet its objectives.

IIA Resources

COSO Enterprise Risk Management Certificate Program

Certificate - Seminar

Certificate - OnDemand