4 ways to improve the relationship between enterprise risk management and audit

relationship between internal audit and erm blog
October 12, 2016

Both audit and enterprise risk management (ERM) functions focus on an organization’s risk profile and areas of great risk importance and exposure, but the two often take different approaches.

Audit serves as the assurance arm of risk management, answering the question: Are you doing what you said you were going to do to manage risk? This function maintains independence to be objective in review and analysis of risk.

ERM proactively works with the business to understand, assess, and report on risk. This function seeks to understand potential areas of risk focus and work with the business to develop and implement an adequate risk response, if needed.

In order to create stronger risk practices and build a strategic relationship between ERM and audit, it's crucial to increase collaboration between the two. Ongoing monitoring of risks and related controls is especially important to ensuring there is a constant feedback loop between risk management and audit.

If approaches between ERM and audit teams are not coordinated, there will be issues. It can lead to inconsistent priorities and strategic messaging, greater burdens on all stakeholders, and increased reporting needs and documentation requests.


Areas in need of alignment

ERM team Audit team
Develop and implement the risk management framework Develop an independent evaluation of risk management framework design and effectiveness
Advise management on open remediations and note unmitigated risks Provide assurance on management's capability to identify and remediate open and unmitigated risks
Provide statuses on risk priorities and audit coverage of risk priorities Provide assurance on the scope and prioritization of risks
Advise the audit committee and board of directors on risk reporting and internal audit reporting Prepare independent assessment of risk information reported to the audit committee and board of directors

A combined report from the Institute of Internal Auditors and the Risk and Insurance Management Society, reveals that alliances between these two functions help many companies increase efficiencies, sharpen decision-making processes, and improve overall results.

Here are four ways organizations can increase collaboration between these two risk functions:

  1. Map ERM risks to the audit universe
    This helps provide the business with a view of the consolidated effort to manage risk from both ERM and audit perspectives. Mapping also ensures that there is adequate ERM and audit coverage in areas of key focus.
  2. Conduct co-risk assessments (or at least share results of independent risk assessments)
    Partnering on risk assessments ensures an effective flow of risk information between the functions and helps identify discrepancies that may exist within their respective assessment processes.
  3. Share results
    To keep knowledge of the risk environment current, audit reports should be sent to the ERM team, and risk deep dives and root cause analyses should be sent to the audit team.
  4. Coordinate board and executive committee reporting
    A consistent message to the executive committee and board is essential in delivering the maximum value proposition. Simple reviews of these reports prior to delivery will help identify and remediate inconsistencies.

Ensuring collaboration between enterprise risk management and audit benefits both functions. Download the white paper, Harnessing the Power of Technology in ERM, to find out how to simplify the process as complexity increases.

Joe Boeser

About the author

Joe Boeser brings over 10 years experience in risk management, compliance, and ERM to his role as Senior Product Marketing Manager at Workiva. Joe's extensive experience includes developing and implementing risk management and ERM programs as well as directly managing risk and control operations. This includes managing the ERM program at a large banking institution and overseeing SOX and internal audit programs. Joe holds an MBA and Juris Doctor.