Why risk management and internal audit need to collaborate
My congratulations to the IIA and RIMS (the Risk and Insurance Management Society) for their joint paper Risk Management and Internal Audit: Forging a Collaborative Alliance. Written by a number of good friends in both associations, with input from others who are practitioners, this is excellent reading for board members as well as practitioners.
The highlights include:
- Explanations of how the two functions can increase each other’s effectiveness and value by sharing information, teaming to enhance risk management within the organization, and collaboratively enhancing the organization’s processes
- An explanation (using the IIA’s ‘fan’ – see this post) of which activities internal audit can perform without jeopardizing its independence
- Case studies of organizations where successful collaboration has been achieved
This is all good stuff, but the key question is what additional actions the IIA and other organizations should take. Here is my wish list:
- The membership of COSO should be expanded to include organizations like RIMS and IRM (the Institute of Risk Management, which focuses on ERM). After all, COSO has two primary frameworks: the internal control framework (and internal control is how you manage risk so that it stays within acceptable levels) and the ERM framework (and it seems silly not to have risk practitioners drive this)
- The IIA and COSO should both become associated with the global ISO organization, contributing ideas and insight to the latter’s standards and guidance on risk management, auditing, and controls
What do you think?