Internal Audit can play a key role in enterprise risk management, providing assurance on ERM policies and procedures without compromising auditors' independence and objectivity.


Transcript and Presenter's Notes



1
  • Internal Audit can play a key role in enterprise
    risk management, providing assurance on ERM
    policies and procedures without compromising
    auditors' independence and objectivity.

More than any other time in history, internal
audit faces a cross-roads. One path leads to
isolation and growing irrelevance. The other, to
confusion and insecurity. Let us pray that we
have the wisdom to choose correctly. (Mercer,
2002)

Mercer, L. (2002), Internal Audit the fourth
paradigm, True and Fair, ICAEW Audit and
Assurance Faculty newsletter, November, p. 6.
2
ERM Activities
3
Evolving Audit Approaches
  • Control-based auditing
  • Process-based auditing
  • Risk-based auditing
  • ERM-based auditing

4
Impact of COSO ERM
  • With the introduction of the COSO ERM framework,
    opportunities for assurance by IA have grown
    exponentially.
  • A review of the components of COSO ERM provides
    a roadmap for these opportunities.

5
COSO ERM Components
6
ERM Information Flow
7
Forces Driving ERM
8
Internal Audit has two paths
  • Providing assurance to the Board on the process
    of ERM itself, and
  • Using knowledge gained in the evaluation of
    strategy, risk appetite, and risk tolerances to
    influence audit planning based on this
    higher-level information.
  • Today's discussion is limited to an overview of
    the audit of the ERM process.

9
Questions from the Board
  • What information about the risks facing the
    organization do we receive to fulfill our
    fiduciary and advisory governance
    responsibilities?
  • When and how does senior management report risk
    information to us?
  • How do we know that the information we receive on
    risks and risk management is accurate and
    complete for our purposes?

10
Issues for Internal Audit
  • Does the company have a specific strategy/policy
    relating to risk management?
  • Are there goals and objectives for departments or
    individuals that support risk management
    activities on an annual basis?
  • Are the company's tolerances to risk clearly
    defined and articulated?
  • Has a risk universe been developed that captures
    all key risks the company faces?

11
Issues for Internal Audit (cont)
  • Have the risks been linked to the company's
    strategy?
  • Has management's tolerance relative to their
    acceptance of each risk's exposures been
    determined?
  • Are there other assessment criteria (e.g.,
    manageability, efficiency) utilized by management
    to assess risks?
  • Have relevant measurements been identified for
    all key risks?
  • Have all of the viable risk strategies
    (responses) been considered for each risk, with
    the most economical options considered first?

12
Maintaining Independence
  • As Internal Audit deals more with strategy rather
    than the traditional area of operations and
    controls, there may be a tendency to lose
    independence and objectivity.
  • IA needs the expertise to properly evaluate the
    process of management's objective setting,
    including definition of risk appetite and risk
    tolerance, together with the selection of the
    appropriate risk responses.
  • IA should not use this expertise to go beyond
    assurance and limited consulting activities (with
    the appropriate safeguards).
  • It should not engage in activities such as
    setting risk appetite or making or implementing
    decisions on risk response.
  • The following diagram from the IIA-UK and
    Ireland illustrates internal audit roles.

13
Internal Audit Roles
14
Questions
  • Jim D'Arcangelo
  • 914-694-4600
  • jdarcangelo_at_darcangelo.com