Enterprise Risk Management: Useful tips for auditing success
Should internal auditors learn about Enterprise Risk Management? There is a definite connection between internal audit and ERM, especially as an auditor provides assurance to the Board that processes are in place and working to the prescribed standards. This includes analysing and reviewing the organisation’s processes and procedures, and identifying shortfalls so that these can be addressed before they become a threat or a barrier to the organisation’s achievement of its objectives – particularly with respect to the management of risk. In fact, auditors have an edge when it comes to risk management processes because they have already received some basic training which guides them to look in the right direction.
They are able, in the course of their work, to see things which may not be working so well, red-flag them in a timely manner, and provide recommendations as to how they may be improved. Organisations around the world are increasingly looking at ERM as a necessity, but developing the skills necessary to implement it effectively across the organisation is often (wrongly) viewed as being an expensive, time-consuming exercise which they can ill afford.
As it stands in relation to risk management, auditors are required to check on internal controls and processes in their efforts to ensure that these relate to the proper functioning of ERM frameworks and, accordingly, to provide the necessary assurance related thereto. ERM requires constant evaluation to make it relevant; auditors are required to constantly evaluate in order to ensure that the firm’s checks and balances are in place and operational. Audit and ERM are often argued as being two sides of the same coin. What auditors look at in the course of their work is complementary and also integral to the proper functioning of the organisation’s risk management.
When carrying out their core function, auditors interact with management at all levels and with staff across the board; they need to screen and assess practically everything from supply of raw materials to cash flows. It stands to reason that in doing so, they are also identifying risks that could escalate, and are thus in a prime position to bring them to the attention of decision-makers who determine what the firm’s risk appetite can and cannot tolerate – all from an assurance perspective. With something as critical as assurance, an in-depth understanding of the risks facing the organisation is imperative; auditors will find that a thorough understanding of risk management is therefore advantageous.
Tasked with this critical function, they must remain aware of regulatory requirements and how business strategy needs to be aligned to these. Their expertise contributes to the overall operationalisation and sustainability of their organisations, and helps them further support the development, planning and strategising efforts that will spur organisational growth and sharpen its competitive edge.
It is these skills that will also put them in pole position when it comes to proposing effective and efficient risk management. There are few ERM, QRD, ORL, ERT personnel who are as ideally positioned to identify and monitor the links between risk and internal control, and who have the skill to be able to report them effectively. Being able to identify and monitor an organisation’s risk processes allows them to also work on reviewing mitigative measures and evaluate or analyse their effectiveness.
In the course of their work of data collection and analysis, they may turn up evidence of emerging or hitherto unanticipated risks which they should red-flag for attention. It is not the auditor’s role to find fault. Rather, it is to identify where things could be better deployed or managed, in the organisation’s efforts to run the business. These are the efforts that all organisations expend when striving for good governance and competitiveness – hence the need for up-to-the-minute data to assist in decision-making.
Ongoing data collection makes it necessary for auditors to have access to all units and departments in the organisation, enabling them, where necessary, to share information as expediently as they obtain it. This has two advantages: the data will be accurate and reliable, and very quickly shared, leading to speedier, better-informed decision-making. An added advantage here is also the easing of communications and dismantling of silos within the organisation.
Internal auditors may already do a lot of ERM-related work within the parameters of their present positions. As an example, many of them help management with evaluating fraud risk processes or conduct special audits for the Board, or work with external auditors to ensure the integrity of the organisation’s financial reports and internal control systems. They also consult with executives, managers and the audit committee when analysing reports of incidents, complaints and other audit-related work, which gives them the wide scope they need to make recommendations and give advice.
This understanding of the business enables them to deal efficiently with risk management processes, and with the assurance that internal audit provides, the Board and the organisation’s shareholders can take comfort that all is being done in the best interests of the firm – and this includes managing the firm’s risks. At the heart of the matter, ERM too is about ensuring systems have been properly set up, are operating according to regulations and guidelines, and are being professionally administered and managed. It deep-dives into the elements that create good governance, and helps organisations develop the best way of dealing with their challenges.