The growing popularity of Enterprise Risk Management (ERM), its recognition as best practice and the acceptance of the COSO ERM framework mean that internal auditors may need to review and perhaps re-align their internal audit strategy. This transformation can be a challenge, exposing the organisation to the risk of ‘turf wars’ and fragmentation within the risk management framework.
But there is a lot of common ground. In fact, risk management and internal audit work best ‘hand-in-hand’.
The Importance of Managing Risk
To achieve corporate objectives, all organisations make decisions with some degree of uncertainty: uncertainty about the assumptions made, uncertainty about the likelihood and impact of future events, and uncertainty about future outcomes.
Uncertainty is very real and it is like a double-edged sword, presenting both risks and opportunities. Ultimately, management is responsible for balancing the risk and reward options as it strives towards achieving the organisational objectives.
Risk Management is a tool that helps management deal effectively with uncertainty in order to achieve organisational goals.
The COSO ERM Framework
The COSO ERM framework provides a structured and integrated approach to managing risk that is consistent with risk-based audit principles. The framework aligns risk management initiatives with organisational objectives at the various entity, business and process levels. It promotes the use of a common language between the various entities within the group (including internal audit) to better manage risk.
Roles and responsibilities
In any effective risk management framework, including the COSO ERM framework, there are a number of roles and responsibilities that exist to ensure the various activities are performed.
- The Board: Responsible for overseeing management’s design and operation of ERM.
- Management: Responsible for establishing the ERM framework, promoting the desired risk culture, establishing risk appetite, establishing controls and enforcing compliance.
- Responsible for establishing and maintaining an effective ERM framework, monitoring progress and assisting the board and managers in managing risk.
- Internal audit: Assists management, the board and/or audit committee in the process by monitoring the entire ERM framework, evaluating controls, examining compliance, reporting findings and recommending improvements.
Although internal audit is not responsible for implementing or maintaining the risk management framework, it still plays an important role.
The Auditors Role in Managing Risk
In simple terms, the purpose of an internal audit is to assess the level of compliance with predefined internal controls designed to manage risks. A risk-based approach involves gaining a thorough understanding of the organisation, an assessment of the entity’s operations and an understanding of the systems and processes in order to develop a risk and control profile that channels audit activities to higher-risk areas. Risk-based auditing has been popular with internal auditors around the world for many years and is the standard promoted by the Institute of Internal Auditors. According to the Institute of Internal Auditors’ professional practice standards:
- In planning the internal audit engagement, the auditor should identify and assess risks relevant to the activity under review;
- The internal audit plan should be based on the results of a risk assessment; and
- Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations and information systems.
Implementing a risk-based approach to planning and executing the internal audit process is not only best practice, but also best supports the COSO ERM framework. Under the COSO ERM framework, much of the risk identification and assessment work is conducted by management and the chief risk officer. Therefore, the scope of the auditor’s role may be somewhat different. This means that the auditor can spend more time reviewing risks and controls during the planning phase rather than identifying risks.
Developing an internal audit strategy that is aligned to the COSO ERM framework is critical.
Auditor Adding Value
Under the COSO ERM framework, the role of the auditor does not need to be limited to just auditing controls. According to the Institute of Internal Auditors, the auditor can also add value in many other ways:
- or facilitating ERM workshops;
- managers set risk appetite based on internal audit’s experience and
- the effectiveness of management’s risk assessments and the internal
- the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies;
- Advising on the design and improvement of control systems and risk mitigation
- critical risk management activities;
- that internal audit resources are directed to areas most important to the
- Developing internal audit strategies and reporting processes that support the ERM framework.
Aligning Internal Audit to the COSO ERM
The internal audit process can be aligned to the COSO ERM framework. The audit process can be divided into two parts - audit planning and audit fieldwork. Within each of these areas, information from the COSO ERM framework can be utilised to help focus internal audit activities.
In the audit planning phase, the auditor establishes the scope of the internal audit function and activities. In a pure risk-based audit approach, the auditor would be responsible for preparing much of the risk assessment documentation. Applying the COSO ERM framework, the auditor considers the organisational objectives (strategic, operations etc.) and the different levels (subsidiaries, divisions and processes). The auditor will review the organisation’s risk and control documentation to help prioritise audit activities according to the different risk profiles.
During audit fieldwork, the auditor reviews the most current risk profiles and control procedures of the entity/process undergoing the audit. The auditor’s primary responsibility is to ensure that the internal control environment is working effectively and efficiently to mitigate risks. Where there are exceptions, the weaknesses should be documented and improvements recommended.
The audit process is a continuous process. Issues identified during audit fieldwork are reconsidered during the next audit planning phase.
Before You Start
Just because an organisation adopts the COSO ERM framework, it does not mean internal auditors can rely on the framework in its entirety. Auditors need to consider the following:
- The completeness and scope of the COSO ERM framework; and
- The quality of risk assessment and control documentation.
To overcome these potential limitations, the auditor should be proactively involved in all aspects of ERM implementation. The following is a brief checklist of implementation considerations:
- organisation structure and design;
- The current and proposed ERM framework;
- overall risk appetite;
- risk assessments and identifying risk responses;
- roles and responsibilities; and
- activities, reporting and communication flows.