Like so many things in today’s world, the roles that ERM and internal audit play within the organization have changed dramatically in the last 10-15 years. Historically, the primary focus of both of these functions was preventing failure, avoiding excessive risk taking, and preserving value.
But times and organizations’ needs have changed, so it is necessary for both ERM and internal audit to move beyond this role and embrace a new paradigm of helping the company achieve strategic goals, create a strategic advantage, and otherwise succeed in a turbulent world.
Not only have the focus or priority of both groups shifted, so too has the perception that they should work in isolation.
While each has its own distinct purpose and should be housed in different areas of the company, both ERM and internal audit must find ways to collaborate wherever possible if they are going to meet the organization’s ever-increasing needs.
As the Three Lines Model from the Institute of Internal Auditors states:
Independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.
Not only does collaboration break down siloes to enable sharing of information, doing so also helps save one commodity everyone wishes they had more of – time.
Collaboration must be done carefully since ERM needs the business to be open and honest about risk. If they feel any data or other information will be used against them later, the business will not be as forthcoming.
The different ways ERM and internal audit can collaborate, or partner, really falls on a continuum with the first option below representing the lowest level and each subsequent option going a level deeper.
Option #1 – Behind the Scenes Coordination
We first explored this option to some degree back in this article on the right relationship (at the time) between ERM and internal audit.
How this works is ERM approaches internal audit before any meetings to determine what information internal audit needs to help them fulfill their responsibilities. During the meeting, ERM can ask questions on behalf of audit to gather this information and other data. Since audit is not present, more responsibility will be on ERM to capture the context of these discussions to them share with internal audit.
One nugget is that this coordination should help executives save time since a separate meeting with internal audit should not be needed. Taking into consideration the time constraints of the executives and other business area representatives will be extremely helpful in maintaining and improving ERM’s reputation with them.
This approach is a good option that enables coordination in situations where executives and business units are not comfortable with discussing sensitive topics with internal audit in the room but are okay with summaries of the discussions being shared. ERM will need to disclose to/remind the executives that high-level information from their conversation will be shared with Internal audit.
Option #2 – Simultaneous Information Gathering
The next level of collaboration is for ERM and internal audit to meet with executive or business areas together.
Risk can still facilitate the conversation and ask questions. With audit in the room, it gives them an opportunity to ask clarifying and follow-up questions from their perspective.
Taking this approach enables audit to get the information they need in real-time, eliminating the possibility that something will get lost in translation or overlooked.
And like option #1, it also eliminates the need for a second meeting. I can personally attest to how grateful an executive will be since time seems to dwindle away while the to-do- list continues to get longer.
Option #3 – Internal Audit Active Participant in Risk Assessment
The first two options were more about sharing information to help audit (mostly) do their job more effectively and efficiently. Option #3 takes things a bit deeper by fully integrating audit’s findings into actual risk assessments.
Part of a holistic risk assessment involves understanding the effectiveness of risk controls. Just because a business thinks their controls are effective doesn’t necessarily really mean they are. Are business areas or risk owners doing all of the steps (reviews, documentation, follow-up, etc.) they should be doing?
Collaborating with internal audit can help ERM understand where a risk stands with controls in place, but also where they may be falling short so adjustments can be made, which is something that can be challenging if done in isolation. As Norman Marks explains:
“Most risk practitioners, in my experience, don’t have the bandwidth (sometimes they also don’t think of it) to assess the likelihood that controls relied upon to manage risk and desired levels will fail. They tend to assume controls are effective. They can partner with internal auditors to upgrade their insights.”
One approach for measuring the effectiveness of risk controls was discussed in a previous article, but it is by no means the only approach.
Another approach I’ve taken is to assign numerical scores for management effectiveness and level of assurance for each identified control and mitigation. Here is a sample matrix of those scores:
While not my favorite method, it can give you (and the organization) a place to start for gaining a better understanding. And you will see that the last level of assurance is incorporating internal audit’s results. Looking back at this matrix, I would change the criteria for audit to simply say that a completed audit has been by either internal audit or an external audit that includes this activity. Then the management effectiveness rating is based on the outcome of that audit. (Wish I had thought about this when I created the matrix, but we are always learning, right?!)
If your organization prefers to stay away from a numerical score, simply asking if any audits of controls have been done, if the control is satisfactory or not, and if any management action plans are in place for a specific control can provide valuable insights for the risk assessment.
The times are changing…and we need to adapt. Now.
Not only are the roles of ERM and internal audit changing, but so too are how these groups can work together to deliver greater value to the organization. One thing is clear – if both cling to outdated ways of thinking just because “that’s the way it’s always been done,” both ERM and internal audit will not be able to provide the necessary help for ensuring future success.
How do ERM and internal audit collaborate at your company? Are there other options beyond the three outlined here where both can work together?
I’m interested in hearing your thoughts and learning more about how both of these functions come together to work for the good of the organization. Please don’t hesitate to leave a comment below.
If you’re trying to collaborate with internal audit and keep running into roadblocks or otherwise can’t seem to obtain additional insights, reach out to me today to discuss what the issues may be along with potential options for addressing them.
Featured image courtesy of LinkedIn Sales Solutions via Unsplash.com
