4 ways to improve the relationship between enterprise risk management and audit
Both audit and enterprise risk management (ERM) functions focus on an organization’s risk profile and areas of great risk importance and exposure, but the two often take different approaches.
Audit serves as the assurance arm of risk management, answering the question: Are you doing what you said you were going to do to manage risk? This function maintains independence to be objective in review and analysis of risk.
ERM proactively works with the business to understand, assess, and report on risk. This function seeks to understand potential areas of risk focus and work with the business to develop and implement an adequate risk response, if needed.
In order to create stronger risk practices and build a strategic relationship between ERM and audit, it's crucial to increase collaboration between the two. Ongoing monitoring of risks and related controls is especially important to ensuring there is a constant feedback loop between risk management and audit.
If approaches between ERM and audit teams are not coordinated, there will be issues. It can lead to inconsistent priorities and strategic messaging, greater burdens on all stakeholders, and increased reporting needs and documentation requests.
Areas in need of alignment
|ERM team||Audit team|
|Develop and implement the risk management framework||Develop an independent evaluation of risk management framework design and effectiveness|
|Advise management on open remediations and note unmitigated risks||Provide assurance on management's capability to identify and remediate open and unmitigated risks|
|Provide statuses on risk priorities and audit coverage of risk priorities||Provide assurance on the scope and prioritization of risks|
|Advise the audit committee and board of directors on risk reporting and internal audit reporting||Prepare independent assessment of risk information reported to the audit committee and board of directors|
A combined report from the Institute of Internal Auditors and the Risk and Insurance Management Society, reveals that alliances between these two functions help many companies increase efficiencies, sharpen decision-making processes, and improve overall results.
Here are four ways organizations can increase collaboration between these two risk functions:
- Map ERM risks to the audit universe
This helps provide the business with a view of the consolidated effort to manage risk from both ERM and audit perspectives. Mapping also ensures that there is adequate ERM and audit coverage in areas of key focus.
- Conduct co-risk assessments (or at least share results of independent risk assessments)
Partnering on risk assessments ensures an effective flow of risk information between the functions and helps identify discrepancies that may exist within their respective assessment processes.
- Share results
To keep knowledge of the risk environment current, audit reports should be sent to the ERM team, and risk deep dives and root cause analyses should be sent to the audit team.
- Coordinate board and executive committee reporting
A consistent message to the executive committee and board is essential in delivering the maximum value proposition. Simple reviews of these reports prior to delivery will help identify and remediate inconsistencies.
Ensuring collaboration between enterprise risk management and audit benefits both functions. Download the white paper, Harnessing the Power of Technology in ERM, to find out how to simplify the process as complexity increases.
About the Author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.