Title: Internal Audit can play a key role in enterprise risk management, providing assurance on ERM policies and procedures without compromising auditors' independence and objectivity.
1- Internal Audit can play a key role in enterprise
risk management, providing assurance on ERM
policies and procedures without compromising
auditors' independence and objectivity.
More than any other time in history, internal
audit faces a cross-roads. One path leads to
isolation and growing irrelevance. The other, to
confusion and insecurity. Let us pray that we
have the wisdom to choose correctly. (Mercer,
2002)
Mercer, L. (2002), "Internal Audit the fourth
paradigm", True and Fair, ICAEW Audit and
Assurance Faculty newsletter, November, p. 6.
2 ERM Activities
3 Evolving Audit Approaches
- Control-based auditing
- Process-based auditing
- Risk-based auditing
- ERM-based auditing
4 Impact of COSO ERM
- With the introduction of the COSO ERM framework,
opportunities for assurance by IA have grown
exponentially.
- A review of the components of COSO ERM provides
a roadmap for these opportunities.
5 COSO ERM Components
6 ERM Information Flow
7 Forces Driving ERM
8 Internal Audit has two paths
- Providing assurance to the Board on the process
of ERM itself, and
- Using knowledge gained in the evaluation of
strategy, risk appetite, and risk tolerances to
influence audit planning based on this
higher-level information.
- Today's discussion is limited to an overview of
the audit of the ERM process.
9 Questions from the Board
- What information about the risks facing the
organization do we receive to fulfill our
fiduciary and advisory governance
responsibilities?
- When and how does senior management report risk
information to us?
- How do we know that the information we receive on
risks and risk management is accurate and
complete for our purposes?
10 Issues for Internal Audit
- Does the company have a specific strategy/policy
relating to risk management?
- Are there goals and objectives for departments or
individuals that support risk management
activities on an annual basis?
- Are the company's tolerances to risk clearly
defined and articulated?
- Has a risk universe been developed that captures
all key risks the company faces?
11 Issues for Internal Audit (cont.)
- Have the risks been linked to the company's
strategy?
- Has management's tolerance relative to their
acceptance of each risk's exposures been
determined?
- Are there other assessment criteria (e.g.,
manageability, efficiency) utilized by management
to assess risks?
- Have relevant measurements been identified for
all key risks?
- Have all of the viable risk strategies
(responses) been considered for each risk, with
the most economical options considered first?
12 Maintaining Independence
- As Internal Audit deals more with strategy rather
than the traditional area of operations and
controls, there may be a tendency to lose
independence and objectivity.
- IA needs the expertise to properly evaluate the
process of management's objective setting,
including definition of risk appetite and risk
tolerance, together with the selection of the
appropriate risk responses.
- IA should not use this expertise to go beyond
assurance and limited consulting activities (with
the appropriate safeguards).
- It should not engage in activities such as
setting risk appetite or making or implementing
decisions on risk response.
- The following diagram from the IIA-UK and
Ireland illustrates internal audit roles.
13 Internal Audit Roles
14 Questions
- Jim D'Arcangelo
- 914-694-4600
- jdarcangelo_at_darcangelo.com