Internal audit and risk management

K. P. SHASHIDHARAN | Updated on November 15, 2017

The Institute of Internal Auditors prohibits internal auditors from taking up any assignments that may compromise independence, objectivity and professionalism.

As an essential component of corporate governance, Enterprise-wide Risk Management (ERM) has assumed greater significance. Quite different from the traditional "silo" or "stove pipe" approach to risk management, ERM helps integrate an entity's strategy, processes, people, technology and knowledge.

In a well-structured ERM, effective controls are designed to mitigate potential risks across the entire gamut of an entity's functioning, encompassing the strategic, operational, financial, regulatory compliance and reputational realms. Besides, ERM facilitates better resource allocation decisions, transparency and supply chain management, and improves image, branding, core competence and the bottom line.


Setting up of ERM is the sole responsibility of the board and executive leadership.

The role of the internal auditor in ERM is clearly anchored by the COSO framework, which states that auditors should "assist management and the board of directors or audit committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the entity's enterprise risk management."

More specifically, the tasks of internal audit relating to ERM have been spelt out by the Institute of Internal Auditors (IIA). The institute issued the 'International Standards for the Professional Practice of Internal Auditing', delineating the duties and responsibilities of internal auditors and prohibiting them from taking up any assignments that may compromise independence, objectivity and professionalism.

The institute identifies ERM-related activities in three distinct categories. The first category of activities relates to the core internal audit role of providing assurance.

Internal audit should give assurance on risk management processes and on whether key risks are correctly evaluated. Internal auditors are required to evaluate risk management processes, report on key risks and review the management of key risks.

The second category comprises legitimate internal audit roles of a consulting nature: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidated reporting on risks, maintaining and developing the ERM framework, championing the establishment of ERM, and developing a risk management strategy for board approval.

The third category covers assignments internal auditors are strictly prohibited from taking up, because they are exclusively functions of management, such as setting the risk appetite of the organisation, imposing risk management processes and giving management assurance on risks.

Decisions on risk responses, and the implementation of those responses, should be taken by management alone, since accountability for risk management ultimately rests with management.


Nonetheless, internal audit should function effectively as a catalyst, adding maximum value by being proactive, assuming its consulting role and helping to embed an integrated risk management framework into the governance architecture expeditiously. While management should ultimately own the establishment of ERM, the auditor can contribute substantially by leveraging internal audit's experience in developing risk assessments and by assisting in the creation of the overall risk model for the organisation.

Though there are varied risk assessment methodologies, conciseness, consistency of terminology, a formal structure in the risk rating system, and general clarity of message are considered the distinct attributes of a good risk assessment.

Internal auditors' professional expertise, knowledge of the enterprise's risk universe, coordination with top leadership and data analytics skills enable them to take up the assurance and consulting activities of ERM and to help management in its implementation.

When internal auditing expands its scope and extends its activities beyond the core role of assurance services, it is important to apply safeguards, including treating the engagement as a consulting service and applying the relevant standards to its functioning.

Internal auditors can undertake a consulting role relating to the implementation of ERM without compromising independence and objectivity. They can also provide tools and techniques for risk assessment, mitigation and controls.

(The author is Director-General, CAG office.)


Published on February 12, 2012