There are many reasons why internal auditors should learn about Enterprise Risk Management. In fact, auditors and ERM are a good fit in so many ways. Firstly, auditors are trained to deep-dive into details, and ERM is nothing if not deep-diving and managing details so that the organisation overcomes the obstacles which are preventing it from achieving its objectives. The main role of the auditor is to check and see if things are running as they are supposed to. This provides assurance to the Board and shareholders that the company’s processes, controls and procedures are in place, fit for purpose, and functioning as intended.
Auditors gather data, analyse it and report on the state of the organisation, i.e., how it is running and whether anything is wrong, and they recommend measures that may be able to fix it. This is a constant and continuous activity because the organisation has to keep running 24/7, even if the staff work 9 to 5. Auditors are therefore trained to know where to look in order to collect and analyse data which helps them anticipate the unanticipated. Auditors have an edge when it comes to risk management because their training points them in the right direction; they can apply their skills as easily to auditing ERM, as the necessity arises, as to their core function.
The elements that are integral to the proper functioning of an organisation’s risk management measures are what auditors look at in the course of their regular work. Organisations which want to implement ERM are very often unsure of where and how to start. Many ERM processes require screening and assessment – which is what auditors do – that may be quite labour-intensive for staff with no background in auditing. Additionally, the work of auditors makes it necessary for them to interact with other staff, often from the front desk to Board level, as they gather information on what is essentially the health of the organisation.
This level of engagement makes them a natural conduit for communication and a source of information that helps the organisation’s decision-making processes. Auditing work is integral to the organisation’s overall strategy because what auditors do adds value to the firm. Their continuous information-gathering, for instance, keeps management up-to-date on market and industry conditions, the state of the business environment in general, as well as the health of the business. It is worth noting that the auditor’s traditional role is also changing, as companies change the way they do business.
Understanding ERM will enable them to audit ERM processes better and more effectively and add to the level of assurance that they are providing for their organisation. The ability to understand the organisation’s macro view, including the risks that confront it, helps them to support the development of its future plans and strategies. The organisation’s institutional knowledge also increases in tandem, improving its governance, honing its competitive edge and strengthening its sustainability.
When the ERM function can be properly audited, this assures the various parties that the framework on which it is based is working as intended. The very definition of internal auditing as independent, objective assurance that will add value and improve an organisation’s operations supports the idea that auditors should embrace ERM. Auditors may be good at identifying something that isn’t performing as intended, but their work is really not about fault-finding; it’s about improvements that can be made so that procedures, processes and systems can be set up properly and resources can be optimally deployed. They are there to ensure that the right things are in place, that the directions of the Board are indeed being carried out, and that, ultimately, good governance prevails.