BoardMatters Quarterly, September 2010 - Internal audit provides risk insight - Ernst & Young - United States

BoardMatters Quarterly, September 2010

Internal audit provides risk insight

Questions for the audit committee to consider

  • Is internal audit performing reviews of governance, enterprise risk management, compliance and other risk activities at the company and presenting an analysis to the board and/or audit committee?
  • Does the internal audit function focus on the areas that present the highest risk to the organization? Does internal audit take a proactive approach to risk management of key business initiatives?
  • Does internal audit understand the board’s and management’s risk tolerance?
  • Does internal audit have the right skills to focus on the areas of greatest exposure and complex operations in the company?

Internal audit is uniquely positioned to assist the audit committee and the board in achieving their objectives regarding risk management.

Assigning risk oversight responsibility remains difficult for many board directors. Do directors have sufficient knowledge to play a full and proper oversight role? Under which committee’s purview should risk oversight fall? Are directors overburdened?

These are just some of the concerns facing directors about the clarity of risk management responsibilities. Because many risk oversight roles often fall to the audit committee, its members need to understand the company’s risks and the metrics management uses to monitor these risks.

More and more, boards are asking for better communication with management on risk matters — for reports that are timely, integrated, forward-looking and results-oriented. They also expect dialogues to be open, substantive and set in a strategic context, and to support timely decisions.

Enter internal audit and its ability to provide insight into the risks facing the company.

Internal audit’s role

Internal audit is uniquely positioned to assist the audit committee and the board in achieving their objectives regarding risk management, specifically role clarity, appropriate and timely communications and coordination among the various risk functions across the organization.

A recent survey conducted by Forbes Insights on behalf of Ernst & Young asked more than 500 C-suite executives and board members about the role of internal audit. A great majority, 94%, believed that the internal audit function has an important role in the company’s overall risk management efforts. In addition, 96% of respondents believed strong risk management has a positive effect on the company’s long-term earnings performance.1

Many internal audit functions today involve reviews of governance, enterprise risk management, compliance and other risk activities to provide executive management and the audit committee with an objective view as to the effectiveness of controls. In many cases, internal audit actively leads coordination of the various risk and compliance functions to ensure information provided is comprehensive, consistent and timely. They are also challenging the overall risk framework so that there is comprehensive risk coverage and alignment of results.

Leading-class strategies

Progressive internal audit functions use risk-based planning to focus on the greatest risks. Risk-based planning addresses every risk type — strategic, financial, operational, compliance, reputational, IT, etc. Planning is dynamic so it can respond to emerging risks or changes in the business risk profile.

These leading-class internal audit functions are training and upgrading staff to have the resources available to address any scenario. When necessary, internal audit teams bring in third-party providers with the requisite skill sets to understand and assess all risk types.

Leading internal audit functions are also proactive about assessing the risks involved in key business initiatives, such as capital projects, M&A activities and major system development projects. When involved early on, internal audit can help identify risks and develop and implement controls from the beginning, eliminating the costs and delays of after-the-fact fixes. Internal audit functions can also provide process improvement recommendations.

Adding value by focusing on greatest exposures and key business initiatives

Leading-class internal audit functions increase their value to an organization by focusing on areas of greatest exposure, complex operations and key business initiatives. They can validate that the organization is well controlled and operating effectively and efficiently to meet the company’s strategic objectives.


1 Internal Audit survey: a survey conducted by Forbes Insights on behalf of Ernst & Young, May 2010.
