“Integrating internal audit with enterprise risk management” by Rebecca G. Sarmenta (September 6, 2010)

SUITS THE C-SUITE By Rebecca G. Sarmenta
Business World (09/06/2010)

The traditional role of internal audit is undergoing a transformation.

One important aspect of this transformation is the integration of internal audit with the discipline of enterprise risk management (ERM). With integration, internal audit can focus on controlling “the risks that matter,” which extend beyond financial and compliance risks.

In many organizations today, we find two sets of risks — one identified in the ERM process and another in their internal audit plan.

Integrating an organization’s risk map into its internal audit plan enables one to focus on assurance and control activities that are risk-based and not just on activities that are conducted simply for the sake of compliance.

Leonardo J. Matignas, Jr., SGV & Co Advisory Partner and President of the Asian Confederation of Institutes of Internal Auditors, points out that “internal audit plays a very critical yet sensitive role in the whole ERM process.”

“They (internal auditors) have to be very keen on the risks that the company faces, but at the same time independent in their functions. A company with robust risk management would be the ideal situation for internal auditors since this will allow them to focus on what is really important, and implement a risk-based audit approach. Accordingly, a company with an effective ERM will allow internal auditors to monitor the effectiveness of the risk management strategies that are in place and propose recommendations for their continuing improvement, rather than go through the tedious process of transaction auditing that may sometimes not add value or importance in achieving the company’s objectives,” Mr. Matignas said.

He added that the challenge, however, is how to have ERM as a discipline and culture within an organization.

Integration involves reconsidering the scope of internal audit’s role and responsibility, and the staffing of the internal audit function to ensure that it has the right skills and resources to execute its new role. In the integration, the functions and responsibilities of internal audit and ERM should remain separate.

According to the Institute of Internal Auditors (IIA), “internal auditing’s core role with regard to ERM is to provide objective assurance to the Board on the effectiveness of the organization’s ERM activities to help ensure that key business risks are being managed appropriately, and that the system of internal control is operating effectively.”

Internal auditors are not, and cannot be, responsible for implementing or maintaining an organization’s risk management and control processes. This is management’s key responsibility.

But internal auditors, acting in a consulting capacity, can assist management by challenging or supporting their decisions on risk. Internal auditors, though, should never make risk management decisions.

Internal audit should also assist management, the board, and/or the audit committee by monitoring the entire risk management framework, evaluating controls, examining compliance, reporting findings, and recommending improvements.

According to a position statement made by the IIA in 2004, the core internal audit roles vis-a-vis ERM are to:

• give assurance on the risk management processes;

• give assurance that risks are correctly evaluated;

• evaluate the risk management processes;

• evaluate the reporting of key risks;

• review the management of key risks; and

• facilitate the identification and evaluation of risks.

The IIA has also identified the legitimate internal audit roles with safeguards to ensure that internal audit’s independence and objectivity are maintained. These are to:

• coach management in responding to risks;

• coordinate ERM activities;

• consolidate reporting on risks;

• maintain and develop the ERM framework;

• champion the establishment of ERM; and

• develop the risk management strategy for board approval.

Integration is an opportunity for internal audit to gain new skills and focus that will enable it to support ERM going forward, eventually delivering value beyond compliance assurance. It will help internal audit take a risk-based approach, showing where it needs to focus in the business beyond financial compliance.

A holistic view will give internal audit the opportunity to help the organization to “think risk.”

Good risk management requires management of culture and the way it connects to risk. This is a new way of thinking for most organizations. With its pervasive viewpoint and “access all areas” pass to the organization, the internal audit function has the potential to act as a change agent.

Undergoing culture change and expanding into more areas of the organization will require internal audit to expand its current skill sets, including its risk management skills.

Internal audit will also need to have subject matter experts to cover areas such as revenue assurance and contract management, mergers and acquisitions, project risk management, international market expansion, IT processes and projects, as well as people and change management.

To develop the team with the right mix of skills, many organizations are considering outsourcing or co-sourcing. For example, to perform audits that require judgment and specialist technical knowledge such as tax or large IT or construction projects, internal audit may employ an audit team that combines core internal audit practitioners and highly skilled specialists who can come from within the organization or from third party service providers.

A multi-disciplinary internal audit team benefits the organization through an increased focus on business improvements to achieve competitive advantage. A supply chain expert, for example, is able to see things from a completely different perspective and identify opportunities for improvement that are not visible to a financial auditor.

In conclusion, the integration of ERM and internal audit creates a mutually reinforcing relationship in which risk drives the internal audit agenda, and the internal audit findings feed back into the risk profile.

This involves expanding the internal audit skills and capabilities and embarking on a journey to adopt an assurance and advisory role with specialist technical knowledge and enterprise-wide risk focus.

The new internal audit role, which may have been previously feared or endured in an organization, will transform internal audit into a function that adds value, offering important skills to help improve processes and performance across the organization.

(As of publication, Rebecca G. Sarmenta is an Advisory Partner of SGV & Co. She is also a Certified Internal Auditor and is a Director of the Institute of Internal Auditors-Philippines.)

This article was originally published in the BusinessWorld newspaper. It is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.