Why risk management and internal audit need to collaborate

My congratulations to the IIA and RIMS (the Risk and Insurance Management Society) for their joint paper Risk Management and Internal Audit: Forging a Collaborative Alliance. Written by a number of good friends in both associations, with input from others who are practitioners, this is excellent reading for board members as well as practitioners.

The highlights include:

  • Explanations of how the two functions can increase each other’s effectiveness and value by sharing information, teaming to enhance risk management within the organization, and collaborative enhancement of the organization’s processes
  • An explanation (using the IIA’s ‘fan’ – see this post) of what activities can be performed by internal audit without jeopardizing their independence
  • Case studies of organizations where successful collaboration has been achieved

This is all good stuff, but the key question is what additional actions the IIA and other organizations should take. Here is my wish list:

  1. The membership of COSO should be expanded to include organizations like RIMS and IRM (the Institute of Risk Management, which focuses on ERM). After all, COSO has two primary frameworks: the internal control framework (and internal control is how you manage risk to keep it within acceptable levels) and the ERM framework, and it seems silly not to have risk practitioners drive the latter.
  2. The IIA and COSO should both become associated with the global ISO organization, contributing ideas and insight to the latter’s standards and guidance on risk management, auditing, and controls.

What do you think?

  1. April 16, 2012 at 11:40 AM

    “2. The IIA and COSO should both become associated with the global ISO organization, contributing with ideas and insight to the latter’s standards and guidance on risk management, auditing, and controls.”

    Yes, I agree. It should be about value creation, value preservation and avoiding the value killers. Getting the organization prepared is not an external or internal audit sweet spot, as COSO and the IIA have shown.

  2. April 17, 2012 at 12:34 AM

    Very good in theory, but just as difficult to implement in practice. Reasons:

    1) In order for this approach to be successful, Internal Audit has to sacrifice its “Big Brother Eye” on the risk management department. They have to be equal in stature in the organization. The audit department should not have sole responsibility for the final risk assessment of the organization. Whatever rights auditors have, the same rights must apply to risk officers.
    2) The auditors’ perspective must be based on “strategic objectives and compliance”, not only on compliance and protecting assets. In this way it would be possible to form a basis for alignment.
    3) In practice audit departments do not like to share the information they have; however, risk management is based on information. One-way information flow would not help collaboration.

  3. aljuhani
    April 18, 2012 at 2:12 AM

    Internal Audit, being a standalone entity, should remain the same and not get involved in Quality, risk and Operational Procedures that fall under the Executive Management. Internal Auditors review / evaluate procedures but do not implement them on the management side, because that would conflict with the duty of Internal Audit. Therefore I do not think that IIA involvement with ISO is beneficial for the Internal Audit function.

  4. Sam Demuth
    April 18, 2012 at 4:04 AM

    I may have missed the point here.
    Internal Audit is very much about Quality (QA) and compliance.
    Is the implementation of Risk systematised? If so, it can be audited.
    If it is something that should fall under the ISO 9000 aegis and it is not systematised, then it gets audited under QA.
    Either way it gets audited.
    The FINDINGS of the Audit need to be closed out under QA system, and not necessarily BY Internal Audit. They identify that something must be done and have the power to make recommendations. Implementation is the responsibility of QA and Executive Management.

  5. Rami
    April 18, 2012 at 6:19 AM

    I think in essence it’s a great idea. However, would IA’s independence be compromised? Would the roles be segregated appropriately and respectively?

    Having someone monitor the overall risk of the organization, and a support role to ensure that all risks are mitigated and within the risk appetite of the organization, sounds good, but would it lead to more efficiency for the organization, or would the collaboration of the RM & IA functions lead to confusion and a war of power?

    These are my thoughts…

  6. Norman Marks
    April 18, 2012 at 6:29 AM

    I suggest that the IIA needs to be involved when standards about internal audit and assurance are developed by ISO. I think there is also value in contributing to standards that define how risk management should be done.

  7. aljuhani
    April 18, 2012 at 9:44 AM

    Norman Marks: “I suggest that the IIA needs to be involved when standards about internal audit and assurance are developed by ISO. I think there is also value in contributing to standards that define how risk management should be done.”

    Norman, what about ISO/IEC standards for corporate governance?

    • Norman Marks
      April 19, 2012 at 5:16 AM

      That’s an interesting question. We are often involved at a national level (e.g., in South Africa and Malaysia) with national governance standards. I would give those preference, as I am not sure that ISO/IEC standards are prescribed by national laws. Do you know of any examples?

  8. April 19, 2012 at 5:03 PM

    There are a number of things to be done. Whereas the attached does have some useful information, I think that we need to be careful in any sort of alliance/collaboration, because I do not think that either organization has distinguished itself as a thought leader in this discipline. RIMS portends in this document that it speaks for ERM practitioners. It certainly does not, and in fact it probably speaks for insurance practitioners, because the majority of the members seem to be buyers of insurance. So the context for my recommendations is that, whereas communication/collaboration is an excellent idea, we need to be sensitive to the fact that both of these organizations are average players at the moment in a very complex discipline. Therefore I recommend as follows:

    The membership of COSO should be expanded to include any organizations that can further promote the thinking of risk, governance and internal control. I am not sure what RIMS will add to COSO but I think that the IRM is an excellent addition to COSO. If RIMS changes its charter /mission statement and the focus of its work from insurance to risk management, then sure they should be added.

    COSO should also go down the path of trying to solicit involvement from organizations such as PRMIA, GARP and SOA, but I have concerns with these organizations as well, along the same lines as for RIMS, except that PRMIA, GARP and SOA are also skewed to their constituents. I see no mention of your suggestion that COSO try to solicit members from ISO 31000 onto COSO, and even if they did this, I am not sure who would wish to participate.

    I believe that, whatever team makes up COSO, all participants should be given equal promotion on the cover of any future publications. I think that COSO should also reach out internationally to organizations in New Zealand, Australia, the UK and South Africa to get participation from the various institutes on the COSO Board.

    In terms of the IIA and COSO becoming associated with the global ISO organization, that is an excellent idea. But before they spend time contributing ideas and insight to the latter’s standards and guidance on risk management, auditing and controls, they should take the time to learn quite well what ISO is all about. Only then can one be in a position to contribute.

    COSO should also reach out to individuals, selected risk practitioners who have proven over an extended period of time that they have much to contribute to moving this thinking forward.

  9. Manda Vuyolwethu
    April 20, 2012 at 1:27 AM

    I share the same sentiment, Norman. My concern is more on the audit planning: in the current scenario there is no visit to the risk register to monitor the movement of risks and adjust the plan accordingly. For example, an area that was assessed as a high risk area when the plan was prepared may no longer be a risk, as mitigating controls might have been implemented and changed the overall risk rating. In this sense internal audit will be running the risk of auditing areas that are not of critical importance to the organisation, and hence the value proposition of internal audit will not be realised.

  10. April 28, 2014 at 4:56 AM

    I think we should be careful not to mix up the concepts of Risk Based Auditing with Risk Management. The two concepts tend to be confused by Internal Auditors and I have spent many an hour teaching them the differences.

    Risk Based Auditing is part of Internal Audit Methodology and bears no relationship to how risks are practically identified or managed in an organisation. The purpose of Risk Management, however, in line with ISO 31000, is linked to the increased likelihood of achieving organisational objectives.

    Another point to bear in mind is the separate role of Internal Auditors and Risk Managers. Internal Auditors exist to support Board Audit Committees in discharging their oversight role. They help in the provision of independent assurance that Internal Controls are in existence and are fit for purpose.

    Risk managers, on the other hand, get involved in the decision making process as managing risk is very much the role of active management.

    The active participation and involvement of Internal Audit in the Risk Management process (assuming they had the requisite skill sets to begin with) would put Internal Auditors in a potential position of conflict – especially if Internal Audit was asked to conduct an investigation into a process where Risk Management decisions were made.

    For these very simple reasons, Internal Audit should stick to its assurance role and not place itself in an actual or potential position of conflict. This would be in line with good Corporate Governance principles.
