
Building a Better Auditor: Powering Risk Integration

Blog post by Dan Fornelius, CIA | Jul 01, 2025

Over the years, I’ve worked with a variety of organizations — from global enterprises to high-growth companies — all with well-established internal audit functions and mature enterprise risk management (ERM) capabilities. On paper, each of the functions had clear processes, strong leadership, and executive visibility. But in practice, they often operated independently, using different risk taxonomies, scoring models, and reporting structures. While both functions were effective on their own, the lack of integration often led to missed opportunities to deliver cohesive, strategic insight to management and the board.

Many organizations have both a functioning ERM capability and a good internal audit function. But often, these functions operate in silos:

  • They may have a different focus. ERM may focus on top-down, strategic risks, while internal audit emphasizes bottom-up control evaluations or policy compliance.
  • Risk terminology may differ. What ERM staff call “third-party risk,” internal auditors may call “vendor management.”
  • Risk scoring is inconsistent, making it difficult to align mitigation efforts.
  • Assurance activities can be redundant across audit, compliance, and risk functions because of a lack of coordination.

These disconnects limit the value each function delivers. At worst, they result in fragmented messaging and missed opportunities to focus attention where it’s needed most. Internal audit and risk functions should look for ways to integrate their approaches.

Champion Integration

Internal auditors are well-positioned to influence integration. They typically have cross-functional access, a line to the audit committee, and visibility into both control weaknesses and emerging risk trends. However, to step into a more strategic role, they must frame their work in the context of enterprise risk.

The Global Internal Audit Standards reinforce this by emphasizing collaboration across the lines of defense and deeper engagement in governance and risk oversight. These principles serve as a guide for audit functions that seek to have greater relevance and impact.

Rather than presenting findings in isolation, internal auditors should ask:

  • How does this issue tie to enterprise objectives or risks?
  • Are priorities aligned with risk appetite and tolerance?
  • Could risk categorization and reporting be better aligned with ERM?

Auditors who adopt this mindset evolve from isolated evaluators to enterprise enablers who are key contributors to governance, risk, and strategic alignment.

Build an Integrated Risk Model

Based on my experience across organizations — some early in their ERM journey, others more advanced — internal audit can recommend several practices:

  • Adopt a shared risk taxonomy. Align definitions and categories among audit, ERM, compliance, and other risk functions. A shared language enables clearer communication and improves board-level reporting.
  • Use consistent risk scoring models. Define shared likelihood and impact criteria to standardize what constitutes high, medium, and low risk. This alignment helps synchronize audit planning with enterprise risk priorities.
  • Coordinate risk reporting. Create integrated dashboards or heat maps that blend control issues, open findings, and enterprise risk exposure. Presenting one narrative enables executives to better understand and act on insights.
  • Participate in ERM governance. Joining risk committees, planning groups, and operational forums helps ensure assurance efforts align with strategic goals and risk appetite.
  • Support integrated assurance models. Map responsibilities across internal audit, compliance, legal, and risk functions. This reduces duplication, clarifies accountability, and boosts board confidence in overall assurance coverage.
  • Leverage governance, risk, and control (GRC) technologies to enable integration. Many organizations use GRC platforms to centralize risk and control data, track issues, and connect assurance teams. Internal audit’s participation enhances transparency and aligns activities across the lines of defense.

As automation and artificial intelligence (AI) capabilities mature, internal audit can harness them to detect risk signals earlier, align remediation across teams, and streamline efforts through predictive analytics and workflow automation. These tools accelerate integration and elevate internal audit’s strategic relevance.

These practices are more than operational upgrades — they are pathways to strengthening internal audit’s value and visibility.

Have a Broader Perspective

Today’s internal auditors are expected to do more than test controls. They must connect the dots and communicate about risk in context. That requires them to shift their mindset from viewing audits as standalone reviews to seeing them as part of a broader risk and governance ecosystem.

Regardless of experience level, auditors can bridge the gap between the audit and ERM functions. To do so, they must understand how the business frames its risk appetite, how audit work supports or challenges strategic goals, and how to collaborate across compliance, risk, and operations to ensure insights are timely and actionable.

Auditors who embrace this approach ask sharper questions, uncover deeper insights, and deliver outcomes that go well beyond the audit report. And when supported by GRC tools, automation, and aligned frameworks, they can help drive efficiency, consistency, and integration across the organization.

In today’s fast-moving risk environment, integration isn’t just an organizational goal — it’s a personal differentiator. The better auditor is one who understands the business, speaks the language of strategy, and delivers assurance that informs decisions.

The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of The Institute of Internal Auditors (The IIA). The IIA does not guarantee the accuracy or originality of the content, nor should it be considered professional advice or authoritative guidance. The content is provided for informational purposes only.

Dan Fornelius, CIA

Dan Fornelius is director of Integrated Risk Management at CrossCountry Consulting in New York.