
Integrating Internal Audit into the COSO ERM Framework

The growing popularity of Enterprise Risk Management (ERM), its recognition as best practice and the acceptance of the COSO ERM framework mean that internal auditors may need to review and perhaps re-align their internal audit strategy.  This transformation can be a challenge, exposing the organisation to the risk of ‘turf wars’ and fragmentation within the risk management framework.  But there is a lot of common ground.  In fact, risk management and internal audit work best ‘hand-in-hand’.

The Importance of Managing Risk

To achieve corporate objectives, all organisations make decisions with some degree of uncertainty: uncertainty about the assumptions made, uncertainty about the likelihood and impact of future events, and uncertainty about future outcomes.

Uncertainty is very real and it’s like a double-edged sword, presenting both risks and opportunities. Ultimately, management are responsible for balancing the risk and reward options as they strive towards achieving their organisational objectives.

Enterprise Risk Management is a tool that helps management to effectively deal with uncertainty in order to achieve organisational goals.

The COSO ERM Framework

The COSO ERM framework provides a structured and integrated approach to managing risk that is consistent with risk-based audit principles.  The framework aligns risk management initiatives with organisational objectives at the various entity, business and process levels.

It promotes the use of a common language between the various entities within the group (including internal audit) to better manage risk.

Roles and responsibilities

Within any effective risk management framework, including the COSO ERM framework, there are a number of roles and responsibilities that exist to ensure various activities are performed.

The Board: Responsible for overseeing management’s design and operation of ERM. 

Management: Responsible for establishing the ERM framework, promoting the desired risk culture, establishing risk appetite, establishing controls and enforcing compliance.

The Risk Officer: Responsible for establishing and maintaining an effective ERM framework, monitoring progress and assisting the board and managers in managing risk.

Internal Audit: Internal audit assists management, the board and/or audit committee in the process by monitoring the entire ERM framework, evaluating controls, examining compliance, reporting findings and recommending improvements.

Although internal audit is not responsible for implementing or maintaining the risk management framework, it still plays an important role.

The Auditor’s Role in Managing Risk

In simple terms, the purpose of an internal audit is to assess the level of compliance with predefined internal controls designed to manage risks.  A risk-based approach involves gaining a thorough understanding of the organisation, an assessment of the entity’s operations and an understanding of the systems and processes in order to develop a risk and control profile that channels audit activities to higher risk areas.

Risk-based auditing has been popular with internal auditors around the world for many years and is the standard promoted by the Institute of Internal Auditors.  According to the Institute of Internal Auditors professional practice standards:

  • When planning the internal audit engagement, the auditor should identify and assess risks relevant to the activity under review;
  • The internal audit plan should be based on the results of a risk assessment; and
  • Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations and information systems.

Implementing a risk-based approach to planning and executing the internal audit process is not only best practice, but also best supports the COSO ERM framework.  In the COSO ERM framework, much of the risk identification and assessment work is conducted by management and the chief risk officer.  Therefore, the scope of the auditor’s role may be somewhat different.  This means that the auditor can spend more time reviewing risks and controls during the planning phase rather than identifying risks.

Developing an internal audit strategy that is aligned to the COSO ERM framework is critical.

Auditor Adding Value

Within the COSO ERM framework, the role of the auditor does not need to be limited to just auditing controls.  According to the Institute of Internal Auditors, the auditor can also add value in many other ways:

  • Conducting or facilitating ERM workshops;
  • Helping managers set risk appetite based on internal audit’s experience and judgment;
  • Reviewing the effectiveness of management's risk assessments and the internal controls;
  • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies;
  • Advising on the design and improvement of control systems and risk mitigation strategies;
  • Reviewing critical risk management activities;
  • Ensuring that internal audit resources are directed to areas most important to the organisation; and
  • Developing internal audit strategies and a reporting process that support the ERM framework.

Aligning Internal Audit to the COSO ERM Framework

The internal audit process can be aligned to the COSO ERM framework. 

The audit process can be divided into two parts - audit planning and audit fieldwork.  Within each of these areas, information from the COSO ERM can be utilised to help focus internal audit activities.

During the audit planning phase, the auditor establishes the scope of the internal audit function and activities. 

In a pure risk-based audit approach, the auditor would be responsible for preparing much of the risk assessment documentation. Applying the COSO ERM framework, the auditor considers the organisational objectives (strategic, operations etc.) and the different levels (subsidiaries, divisions and processes).  The auditor will review the organisation’s risk and control documentation to help prioritise audit activities according to the different risk profiles.

During audit fieldwork, the auditor reviews the most current risk profiles and control procedures of the entity/process undergoing the audit.  The auditor’s primary responsibility is to ensure that the internal control environment is working effectively and efficiently to mitigate risks.  Where there are exceptions, the weaknesses should be documented and improvements recommended.

The audit process is continuous. Issues identified during audit fieldwork are reconsidered during the next audit planning phase.

Before You Start

Just because an organisation adopts the COSO ERM framework, it does not mean internal auditors can rely on the framework in its entirety.  Auditors need to consider the following possible limitations:

  • The completeness and scope of the COSO ERM framework; and
  • The quality of risk assessment and control documentation.

To overcome these potential limitations, the auditor should be proactively involved in all aspects of ERM implementation.  The following is a brief checklist of implementation considerations:

  • The organisation structure and design;
  • The current and proposed ERM framework;
  • Establishing overall risk appetite;
  • Performing risk assessments and identifying risk responses;
  • Oversight roles and responsibilities; and
  • Monitoring activities, reporting and communication flows.

This article provides a brief overview of how internal audit and the COSO ERM framework can be integrated.  If you would like to find out more, contact InConsult.

We have taken every effort to ensure the accuracy of the information in this article.  As it contains general information only, it should not be used as a basis for any decision. We will not be liable to any person or entity who relies on the information contained in this article.

Copyright © InConsult Pty Ltd 2013