The Changing Dynamics Between ERM And Internal Audit
Enterprise Risk Management (ERM) and Internal Audit (IA) are not immune to change, asserted Ramesh Pillai, at an IERP Tea Talk recently. Commenting frankly and openly on the changing environment which was one of the greatest challenges confronting business today, he said rapid changes were complicated further by the uncertainties brought about by the Covid-19 virus and its fast-mutating variants. These changes have spurred the speedier adoption of technology, and businesses were finding it necessary to digitise operations to stay viable. Analytics has improved, and is now being used more extensively, he said, making it easier for management and auditors to review businesses and operations.
However, the IA function was still struggling to find its level. Competencies and capabilities at all levels, from the board downwards, were still generally lagging. Providing assurance has always been one of the functions of IA, which has traditionally been focussed on preventing failure. It has long concentrated on whether management was properly handling risks, what controls were in place, and whether they were sufficient and being applied appropriately. Risk management, on the other hand, is about “bringing the future into the present”: identifying what could happen so that mitigation can be applied to decrease negative impact and the upside can be captured.
“To better serve the organisation’s needs, ERM and IA have to think offensively by focussing on objectives and intelligent risk-taking,” Ramesh said, remarking that a lot of auditors tended to challenge risk-taking when they should actually be trying to ensure robust risk-taking. Steps should be taken to reinvent IA to satisfy key customers, particularly board members. “Risk and Audit are two sides of the same coin,” he said. “They are complementary and should work with each other.” But this can be a major challenge; what is critical is that IA should satisfy the needs of board members. In order to do this, Risk and Audit should harmonise their roles to support the business.
But what should the relationship between ERM and IA be like? Firstly, the ERM function should operate on its own, independently, and not be “parked” within the IA function, as doing so will likely create a conflict of interest for IA. ERM and IA have to work together so that each understands any concerns IA may have about a business unit and ERM’s assessment of the risks pertaining to it. This kind of cooperation supports the organisation’s success. Key questions to ask when finding a way to collaborate effectively include whether the IA function could expand its focus to cover risk-taking rather than limiting itself to risk avoidance, and in what other ways ERM and IA could cooperate.
Expanding on the issue of conflict of interest, Ramesh explained that the Institute of Internal Auditors (IIA) standards say internal auditors should be objective and not be unduly influenced; they should be independent. “IA and ERM should be best friends,” he said. “IA should use ERM information to identify and manage risks, develop and update audit plans and ensure IA resources are being appropriately focused.” IA is tasked with providing assurance that the ERM programme is working effectively and documentation is in order. ERM can also bring up concerns and reach out to IA when designing programmes, discuss plans and request constructive feedback.
ERM can even ask IA if there are outstanding issues, he added, and share results of risk assessments but he cautioned that for an environment like this to develop, the Chief Audit Executive (CAE) and IA need to have a certain level of maturity and a proper understanding of their role in risk management. What should be avoided, he stressed, are “turfing” and “empire-building” tendencies. Commenting on the appropriateness of IA providing consulting advice, Ramesh remarked that when being hands-on with risk management, it was difficult to tell people what to do without getting involved with how they do it. Conflicts of interest were inherent. Where IA was involved in the risk management function or where risk management was parked under IA, a clear strategy and timeline were necessary for migrating responsibility for risk management to members of the management team.
Having given advice pertaining to ERM, IA cannot then give objective assurance on any part of the ERM process it has advised on. Such assurance should be provided by other suitably qualified parties. If IA were to give independent assurance in such circumstances, this could be challenged because it would then be playing both an advisory and an audit role, which could lead to conflicts of interest. Auditors have to avoid actual or potential conflicts of interest because they impair independence. A better understanding of ERM has also developed in the past 20 years; there is more awareness now of the need for ERM to stand on its own.
Despite this increase in awareness and understanding, Ramesh acknowledged that gaps in risk leadership, competency, capability and implementation of ERM still exist. Audit does not need to be defensive about its role, he stressed, as both ERM and IA are trying to achieve the same objective. It is a matter of taking responsibility for the advice that is given; due diligence must be undertaken before giving advice as the advising party is accountable for the advice given. Auditors can make recommendations which are not mandatory; the party that is being advised can then decide whether or not to accept the advice and act on it accordingly.