What should the internal audit department's role be regarding the risk management process?

Internal audit departments have played a variety of roles in their organization's enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management--Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO (see "ERM Status" on this page). More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper (see "Core Internal Auditing Roles in ERM" on page 55). Respondents indicated...


Internal Audit and Risk Management: The Basics

This page is designed to help new professionals in the internal audit and risk management industry understand the field and start their careers.

What is Internal Audit?

Internal audit is a profession common to consulting firms such as Protiviti. Internal auditors assist organizations in implementing and improving their compliance, governance and risk management-related processes and controls. Many companies also have their own internal audit team in-house. The internal audit team within a company can range from one to hundreds of auditors, depending on the company size. These organizations may also partner with outside consulting firms on big projects or if they need more expertise.

Internal audit can help with nearly any aspect of a business, from choosing new technology to implementing a new company culture. Auditors go in to analyze and document the current processes in place, usually through interviewing key personnel, and come up with recommendations to help the company achieve efficiency and effectiveness.

  • Guide to Internal Audit
    This internal audit guide addresses common questions concerning the NYSE listing requirements that mandate creation of an effective internal audit function. The questions and answers will assist those planning to develop a function. The booklet provides guidance on issues ranging from roles and reporting structures to audit risk assessments, and management’s responsibilities. Ten appendices include samples and additional information. This guide has now been updated to reflect the SEC’s approval of PCAOB Auditing Standard No. 2 and other regulations in the U.S. and Canada.

What is Risk Management?

The objective of risk management is to help identify and document the organization's risks in critical business processes and the internal controls within each process to mitigate those risks.

For all businesses, there are risks that exist and need to be identified and addressed in order to prevent or minimize losses. Risk is the threat that an event, action or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood.

Risk management must control identified risks to help the company achieve its performance and profitability targets, prevent loss of resources, ensure reliable financial reporting, and ensure compliance with laws and regulations, avoiding damage to its reputation and other consequences.

  • Guide to Enterprise Risk Management
    In today’s challenging global economy, there is a need for identifying, assessing, managing and monitoring an organization’s business opportunities and audit risks. The concept of enterprise risk management (ERM) helps elevate the focus of risk management from the tactical to strategic level. The purpose of this publication is to address some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.

  • Assessing Risks and Internal Controls Guide
    For all businesses, there are risks that exist and need to be identified and addressed in order to prevent or minimize losses. As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. In this effort, it is important to acknowledge the process owner’s responsibility for the design, implementation and maintenance of the control structure within assigned business processes. Process owners are also expected to: contribute direction to identify, prioritize and review risks and controls; remove obstacles for compliance; remedy control deficiencies; and continue or begin a program of self-assessment and testing to monitor the controls within their processes. This guide was developed to help with this training activity.

  • Protiviti Risk Model
    The Protiviti Risk Model is a comprehensive organizing framework for defining and understanding potential business risks. The model categorizes business risk into three main areas: Environment Risk, Process Risk and Information for Decision-Making Risk.

What should the internal audit department's role be regarding the risk management process?

The role of internal auditing in ERM: Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.

What are the roles of an internal auditor in various scenarios on risk management?

The role of internal audit involves three main elements: assessing and improving the company's risk management, its system of internal controls, and its governance processes. These elements include policies and procedures to ensure proper risk assessment and compliance with applicable laws and regulations.

Why should internal audit activities be connected and appropriate to the risk management process as an auditor for a company?

An internal audit program assists management and stakeholders by identifying and prioritizing risks through a systematic risk assessment. A risk assessment can help to identify any gaps in the environment and allow for a remediation plan to take place.

Why should an internal auditor ensure the effectiveness of risk management?

“It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Simply said, internal audit is responsible for monitoring the effectiveness of the internal control processes that have been ...
