A quick glance at the daily news is likely to convince most people that risk management is a good idea. Yet many organisations are still wondering whether it’s worthwhile or are trying to figure out how to do it without committing too many resources.
It doesn’t come as any surprise then that senior managers often turn to internal audit for help, including designing and facilitating the process. If this is the case then it should be set out in the internal audit charter.
In many small organisations the internal auditor may be the only person with any real expertise in, or understanding of, how to organise risk management. It makes perfect sense for the function to take on the task if it has the knowledge, skills and experience to do so, especially where this means risk management is taken seriously and the link between risk and assurance becomes clearer and more effective.
The Standards acknowledge the valuable role internal audit can play but go on to suggest that a few sensible safeguards should be put in place to protect internal audit’s perceived and actual independence (Standard 1112). For instance, get an external view every now and then on how well risk management is being developed. At the same time, we still expect and urge the head of internal audit to give an annual opinion on the maturity of risk management, outline how well it is being applied and say, based on audit reviews, whether or not risk management reporting is meaningful. This will support the risk culture and sound systems of governance.
The IIA position paper on the role of internal audit in enterprise-wide risk management explains the various roles that internal audit can perform depending on how mature an organisation’s risk management culture is.