Internal audit can play a key role in enterprise risk management, providing assurance on ERM policies and procedures without compromising auditors' independence and objectivity.
Internal auditing has received renewed attention since the recent corporate governance and accounting scandals here in the United States and in the 1990s in the U.K. The measures put in place to monitor corporate governance, i.e., monitoring financial controls, have now expanded to include total enterprise risk management (ERM). This provides an opportunity for internal audit to be more effective - to provide assurance and perhaps consulting roles for ERM-based auditing without risking internal auditors' independence and objectivity.
Providing assurances on ERM
One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. It is likely that assurance will come from different sources. Management provides the first level of assurance. This should be complemented by the provision of objective assurance, for which internal audit is a key source. Other sources include external audit and independent specialist reviews.
Internal audit will normally provide assurances in three areas:
* risk management processes - both their design and how well they are working;
* management of those risks classified as "key," including the effectiveness of the controls and other responses to them; and
* reliable and appropriate reporting and classification of risks.
Prior to the development of ERM processes, a typical internal audit department performed audit planning by its own assessment of risk based on factors such as its perception of inherent risk for the auditable entities as defined by the department. Factors that went into this evaluation included the results of the prior audit, changes in operations, mandated frequency, and the like. This assessment was completed by internal audit, with possible interviews of responsible parties associated with the entities.
With effective ERM processes, management owns, assesses, and is the key provider of assurance on risk to the board. Management is responsible for continuously updating and monitoring its status. ERM infrastructure promotes the sharing of risk knowledge across the enterprise and makes it available transparently to internal audit. This information is now available to drive the audit planning process and to provide assurance on the...