Review Article
Examining the Synergy Between Enterprise Risk Management and Internal Audit Functions
Anjali Suresh Nair*, Priya Nair, Anurag Agrawal
Abstract:
This study examines the symbiotic relationship between Internal Auditing (IA) and Enterprise Risk Management (ERM), demonstrating how the efficiency of one function enhances the other. Specifically, it analyzes the influence of ERM on the IA function and investigates the role of internal auditors in the ERM implementation process, assessing how their involvement may optimize this process. Additionally, the study explores the potential repercussions of auditors' engagement in ERM on their independence and objectivity. Data for this research was gathered through questionnaires distributed to professionals in the field, with conclusions drawn based on the majority of responses. The findings reveal that an established ERM framework significantly boosts the efficiency of the IA process. Internal auditors can leverage ERM's comprehensive data to prioritize their auditing activities more effectively. Furthermore, the study concludes that the involvement of internal auditors in ERM, when confined to advisory capacities, does not compromise their independence or objectivity. This controlled participation ensures that auditors maintain their critical oversight capabilities while contributing to the management of enterprise-wide risks.
Keywords: Enterprise Risk Management, Internal Audit, ERM, IA, Interdependence of ERM and IA, Auditor Independence
We live in a world full of uncertainties ranging from technological disruptions to cyberattacks. Our environment is dynamic, and the future it holds is quite unpredictable. Organizations feel the heat of this ever-changing scenario in their day-to-day operations. To overcome these challenges, organizations use a combination of two core functions of risk management: Enterprise Risk Management (ERM) and Internal Audit (IA).
While ERM provides the basic framework for organizations to identify, assess, prioritize, and monitor risk, IA provides independent assurance on the design and effectiveness of controls. ERM sets the groundwork for IA to work on, as without its input, IA’s workload would drastically increase, having to identify and prioritize risks independently.
ERM involves creating a relevant framework, quantifying risk through impact and likelihood variables, and providing ongoing monitoring. Through its detailed processes, ERM tries to create a culture of awareness, embedding risk into the organization's heart, which is essential for survival in today’s world.
Internal auditing also plays a crucial role in every organization by providing independent assurance over the design and efficiency of controls, building trust among stakeholders, and identifying areas for improvement. This leads to good corporate governance practices and a better culture aligned with organizational goals.
The interdependencies between ERM and IA are intricate yet crucial for bolstering organizational resilience. ERM lays the foundational risk landscape and control environment upon which IA functions, facilitating effective risk prioritization essential for thorough audits. Conversely, IA enhances ERM by critically evaluating its effectiveness, including testing the design and operational efficacy of risk management processes, identifying deficiencies, and recommending enhancements.
This cyclical evaluation process fosters the continuous refinement and evolution of the ERM framework, ensuring both functions adapt effectively in dynamic risk contexts. Our paper delves into the mutual benefits of this symbiotic relationship, such as improved decision-making through strategic information sharing, elevated risk management capabilities, more efficient resource utilization, and strengthened risk governance frameworks.
How does the implementation of Enterprise Risk Management (ERM) impact the independence of the Internal Audit (IA) function, and what strategies can be developed to foster a mutually beneficial relationship between ERM and IA within organizations?
Risk management is fundamental to corporate governance, with management playing a crucial role on behalf of the board in developing and implementing an effective risk management framework. This framework is essential for its structured approach to risk coordination, which is consistent across the organization.
The adoption of ERM varies depending on several organizational factors. As noted by Ghosh (2013), the likelihood of implementing ERM is influenced by the firm’s size, complexity, profitability, and leverage. These factors determine how ERM is tailored to effectively mitigate risks and enhance strategic decision-making, underscoring its importance in maintaining corporate governance standards under dynamic economic conditions.
The COSO ERM Framework (2021) emphasizes understanding and prioritizing risks to create a connection between risk, strategies, and business performance. According to the IIA’s IPPF (2017), internal auditing aims to increase value through independence, improving the organization’s operations, and ensuring objective assurance and consulting activity. It helps organizations maintain effective risk management practices with controls and governance in place.
Furthermore, the COSO ERM Framework supports governance and control processes by emphasizing the role of internal audit in maintaining effective risk practices. Recent updates to the framework also encourage organizations to integrate environmental, social, and governance (ESG) considerations, recognizing the evolving demands for transparency and responsibility from stakeholders (COSO, 2021).
The impact of ERM on IA is most significant when a firm has a fully implemented ERM framework. Beasley et al. (2006) suggest that the extent of ERM's influence on IA depends on the maturity stage of the ERM implementation. A comprehensive and operational ERM system enhances IA effectiveness by providing a structured risk management approach.
The existence of an internal audit positively influences ERM implementation through monitoring and reporting for top managers, ensuring regular checks on its efficiency (Setiawan et al., 2021). However, the involvement of internal auditors in ERM could affect their objectivity and independence, suggesting that their role should primarily be monitoring (Beasley et al., 2006).
Internal audit quality, particularly auditor independence, significantly impacts ERM implementation concerning the COSO Framework (2021). Internal auditors’ independence ensures efficient audit work and professional care (Saleem & Zraqat, 2019). Well-positioned internal audits adhering to relevant standards can add significant value to the ERM process due to the extensive risk-based assessments and executive leadership insights they provide (Hall & The IIA Research Foundation, 2007). In the development of a structured approach for internal audits, Coetzee’s (2010) risk-based audit model provides a valuable framework for focusing on high-priority risks within an organization.
In their study, Odoyo et al. (2014) analyzed the critical role of internal audit functions in implementing risk management processes within state corporations in Kenya. The research emphasizes that internal auditors are instrumental in identifying, assessing, and monitoring organizational risks. Their study highlights the need for a proactive internal audit function that collaborates closely with risk management teams to enhance corporate governance and ensure effective risk mitigation strategies within public sector entities.
The effectiveness and the responsibilities of Internal Audit (IA) in any institution are subject to change based on the maturity of their ERM frameworks. Beasley et al. (2006) argue that the more embedded and mature the ERM frameworks are within organizations, the better the internal audit departments are able to focus on the risks that are more critical and help in achieving strategic goals. In addition, a full ERM framework focuses internal auditors on the primary risks, minimizing duplication of effort and enhancing audit efficiency. Bailey et al. (2022) further stress that ERM offers internal audit a methodology for evaluating and tracking risk management in a manner that is consistent with the audit missions and objectives of the organization. As a result, this alignment not only improves the effectiveness of audit procedures but also ensures that IA functions complement the risk management and governance frameworks of the organization.
Internal audit is essential to supporting ERM by offering unbiased assurance and consulting services that reinforce the organization’s approach to managing risks. According to Setiawan et al. (2021), the role of an internal audit in ERM involves activities like monitoring, reporting, and sharing valuable insights with top management about how well risk management practices are working. This input from internal audit helps ensure that the organization’s risk management framework remains effective and aligned with its strategic goals.
The dynamic nature of global markets and technological advancements have necessitated a shift in risk management from traditional financial risks to a comprehensive ERM approach (Vij & Nath, 2024). This evolution has expanded the roles of CFOs and auditors to include strategic advisory and proactive risk management, ensuring organizational resilience and value creation amidst increasing global disruptions.
Finding the right balance between consulting and assurance services is challenging for internal auditors, management, and boards relying on their services (de Zwaan et al., 2011). Reinforcing recommendations by the IIA and ensuring that internal auditors do not play inappropriate roles in ERM are crucial for maintaining independence and objectivity.
This paper explores the interdependence of Enterprise Risk Management (ERM) and Internal Audit (IA) through a mixed-method approach, incorporating both qualitative and quantitative analyses.
Data was collected from professionals in ERM and IA across various locations.
A questionnaire was created to explore the connection and nuances of the topic, with responses forming the primary data source. Existing research papers and articles provided secondary data.
Responses were analyzed based on the percentage of positive and negative replies. The majority-based approach summarized these responses to understand the relationship between ERM and IA. Figure 1 shows the percentage of the respondents.
Survey Responses on the Importance of Maintaining an Independent Perspective in Internal Audit (IA) Assessments

Data confirms that 93.5% of respondents believe maintaining an independent perspective is essential for IA. This aligns with the core principles of internal auditing, which treat independence as an important factor in objectivity and in producing unbiased evaluations. An independent internal audit function is less prone to pressures from management that could compromise judgment, which ultimately strengthens the credibility of findings and recommendations. Figure 2 presents an overview of the auditor’s knowledge of two key components: risks and assessments.
Survey Responses on Internal Auditors' Knowledge of Company Risks and Assessments

The majority of the respondents, i.e., 80.6%, believe that internal auditors do not know all about the risks and assessments inside and outside the company. Only a few respondents believe that internal auditors fully understand all the risks. Internal auditors may not have access to all the data in order to assess the risks, and the landscape of risk may be complex and constantly changing. Internal auditors may not be able to do a comprehensive risk assessment due to time constraints.
Survey Responses on the Impact of Internal Auditors' Involvement in the ERM Function

The majority of the respondents, 87.1%, believe that the involvement of internal auditors in the ERM function would make it more efficient. A small portion disagrees. The results are illustrated in Figure 3.
It is important to consider the reasons behind these responses. Internal auditors' expertise in risk identification, assessment, and controls could be the reason for the belief that they make the ERM function better. Another factor is the independent oversight and assurance that the ERM processes are functioning effectively.
On the other hand, those who disagree may argue that internal auditors may not be familiar with the specific risks facing an organization or have a holistic view of them. Another factor could be that involving internal auditors could be time-consuming.
Survey Responses on Whether Involvement in ERM Hampers Internal Auditors'

As shown in Figure 4, the majority of the respondents, that is, 90.3%, believe that the involvement of internal auditors in the ERM function does not hamper their independence. A small portion disagrees and says it does hamper independence.
Those who believe that ERM involvement does not hamper independence may hold this view because a strong ERM function and implementation of the program would ensure independence and assurance. It also facilitates the audit function by making an organization more risk-aware and receptive to internal audit findings.
Those who believe independence could be hampered might think that internal auditors could be pressured to downplay or overlook critical findings due to over-interdependence and familiarity. To maintain a good rapport with management, internal auditors could compromise the objectivity of the audit function.
Survey Responses on Limited Involvement of Internal Auditors in ERM for Maintaining Independence

As shown in Figure 5, 71% of respondents believe that limited involvement by internal auditors in the ERM process, specifically by providing suggestions and recommendations, can help with maintaining independence. This also suggests that many of them believe this approach could be a way to mitigate the risk of auditors being pressured, jeopardizing their objectivity, and downplaying critical findings.
A few respondents disagree, on the grounds that limited involvement could hinder the process and leave some potential issues unidentified.
More research may be needed in order to determine the most effective approach to balance the benefits and need for auditor independence, considering involvement in ERM.
Survey Responses on the Impact of an Existing ERM on the Efficiency of the Internal Audit Process

The majority of the respondents, 96.8%, believe that an existing ERM function in the company would improve the overall efficiency of the internal audit process, and only a small portion disagrees with the same. As shown in Figure 6, just 3.2% of responses were No.
This suggests that internal auditors can facilitate their process with the help of ERM. ERM can help increase the efficiency of the audit process by providing specific, useful risk information to prioritize areas with control weaknesses and also by providing collated information, saving internal auditors time and effort by eliminating the need to collect information from different sources.
Survey Responses on ERM Leveraging IA’s Expertise to Strengthen Internal Controls and Risk Mitigation

As we show in Figure 7, the majority of respondents, that is, 90%, believe that enterprise risk management can leverage internal audit expertise to strengthen internal controls and risk mitigation strategies. A small minority disagrees with the same.
This indicates that internal auditing is a valuable resource. Through its expertise in internal controls, assessment, and evaluation, it could help with better ERM implementation. This highlights the importance of collaboration between both functions to ensure a robust framework for risk management.
Survey Responses on Using ERM Information to Inform Internal Audit (IA) Plans

Based on Figure 8, the majority, 83.9%, indicates that ERM information can be used by internal auditors (IAs) to inform their audit plans. Only a small minority disagrees.
This suggests that ERM provides information that is considered a valuable resource to the internal auditors while developing their audit plans. The data on risks, processes, and controls can help gain insights into the areas of priority-based risks and plan their audit accordingly.
Survey Responses on Whether ERM and IA Can Completely Replace Each Other's Functions

The vast majority of respondents, that is, 90.3%, disagree that ERM and IA completely replace each other's functions. Only a small portion believed that ERM could entirely take away the position of internal audit (See Figure 9).
This suggests that the ERM and IA functions go hand in hand and cannot replace each other. ERM focuses on identifying and managing risks across the organization, and IA provides independent assurance. While ERM can help mitigate risks, it cannot eliminate the need for IA's objective assessment. Table 1 presents the number of responses to questions about the role of internal audit (IA) and enterprise risk management (ERM).
Survey Responses on the Role of Internal Audit (IA) and Enterprise Risk Management (ERM)
| | Questions | Yes | No |
|---|---|---|---|
| 1 | Is maintaining an independent perspective essential for IA to ensure the objectivity of its assessments? | 29 | 2 |
| 2 | Do you believe internal auditors know all about the risks and assessment in and out of the company? | 6 | 25 |
| 3 | Do you believe the involvement of internal auditors in the ERM function make it more efficient? | 27 | 4 |
| 4 | Does involvement of internal auditors in the ERM hamper with their independence? | 3 | 28 |
| 5 | Can limited involvement of internal auditors in the ERM process specific to providing suggestions and recommendations help with maintaining independence? | 21 | 10 |
| 6 | Do you believe an existing ERM in the company enhances the efficiency of the internal audit process? | 30 | 1 |
| 7 | Can ERM leverage IA's expertise to strengthen internal controls and risk mitigation strategies? | 28 | 3 |
| 8 | Can ERM information be used by IA to inform their audit plan? | 26 | 5 |
| 9 | ERM and IA completely replace each other's functions. (True/False) | 3 | 28 |
Our study explores the intricate relationship between Enterprise Risk Management (ERM) and Internal Audit (IA), highlighting both the challenges and advantages of their interdependence. The findings emphasize that effective communication is critical for enhancing both functions in a dynamic risk environment. Key obstacles include deficiencies in knowledge, undefined boundaries, and inadequate communication protocols.
Primary data analysis suggests that concerns regarding IA independence can be mitigated by restricting IA's role to advisory capacities. Leveraging comprehensive risk data provided by ERM, IA can more effectively prioritize risks, enhancing audit efficiency.
To foster seamless cooperation between ERM and IA, clear leadership, a culture of transparency, defined roles and responsibilities, and robust governance are essential. Further research is necessary to find the optimal balance, maximizing the benefits of both functions while preserving their independence. Future studies should develop models addressing independence concerns and explore strategies to maintain IA’s objectivity during collaboration with ERM.
Internal Audit (IA) can leverage Enterprise Risk Management (ERM)’s risk assessments to focus on areas requiring more in-depth attention from the auditors. Conversely, IA’s findings can inform ERM about previously unknown risks and control weaknesses (Bruns & Alles, 2018).
Continuous Improvement of Risk Management Processes
IA plays a crucial role in evaluating the effectiveness and efficiency of implemented risk-management practices (IIA, 2014). This ongoing evaluation helps ensure that risk management processes remain effective and relevant.
ERM provides a comprehensive view of potential threats, while IA reports on the weaknesses of controls and their potential impact on risk management effectiveness (Bruns & Alles, 2018). Both functions are essential for communicating key risk areas to all critical stakeholders.
Collaboration between ERM and IA facilitates continuous improvement in risk management practices and internal audit methodologies. By sharing knowledge and best practices, a more robust risk management environment is created (IIA, 2014).
Benefits of Effective Interdependence
Enhanced Risk Management: Effective communication and collaboration lead to a holistic approach to risk management, creating a stronger defence against potential risks and threats (Alles & Kasinger, 2018).
Improved Decision-Making: ERM and IA together provide a clearer understanding of the risk environment at all organizational levels, facilitating informed decision-making (IIAF, 2017).
According to The Role of Internal Auditing in Enterprise-Wide Risk Management (2009), internal auditing is essential in enhancing enterprise risk management (ERM) by providing objective assurance and strengthening risk controls and governance.
Increased Efficiency: Collaborative efforts result in a more cost-effective approach, streamlining risk management processes and optimizing resource allocation (Bruns & Alles, 2018).
Stronger Governance: By promoting transparency, accountability, and well-defined risk management practices, effective ERM and IA practices contribute to good governance (IIA, 2014).
As shown in Table 1, the survey reveals strong support for the idea that maintaining an independent perspective is essential for Internal Audit (IA) to remain objective, with 29 respondents agreeing and only 2 disagreeing. Furthermore, while a significant majority (27 respondents) believe that IA's involvement enhances the efficiency of Enterprise Risk Management (ERM), 28 respondents feel that such involvement does not compromise IA's independence. These points illustrate the practical benefits of ERM and IA working together, providing strong support for our conclusions about their interdependence and the necessity of effective collaboration. This comprehensive approach, in conclusion, ensures that the reader understands the importance of the symbiotic relationship between ERM and IA and the tangible benefits it brings to organizational risk management and governance.
The paper does not explore specific challenges faced by different industries or organization sizes in implementing a combined ERM-Internal Audit approach. Due to the complexity of the topic, the complete picture of the interdependencies between ERM and IA may not have been captured. The paper relies heavily on academic research, publications by professional organizations, and the opinions of working professionals. The potential cost implications of implementing a robust ERM framework along with maintaining a high-quality internal audit function are not adequately addressed. Respondents may be limited to a particular geography and industry, leading to limitations in findings and analysis. The reliance on the “majority” approach may not yield accurate results, as the majority does not guarantee reliability and correctness. The use of only closed-ended questions due to the complexity of the topic further limits the findings.
Alles, M. G., & Kasinger, D. (2018). The benefits of interdependence between internal audit and risk management. Journal of Risk Management in Financial Institutions, 11(4), 376–390.
Bailey, J., Chen, K., & Martin, S. (2022). The impact of ERM maturity on internal audit practices. Journal of Risk Management, 18(2), 95–108.
Beasley, M. S., Clune, R., & Hermanson, D. R. (2006). The impact of enterprise risk management on the internal audit function. Journal of Forensic Accounting, 7(1), 1–25. https://mgt.ncsu.edu/pdfs/faculty/Beasley%20Workshop%20paper.pdf
Bruns, M., & Alles, M. G. (2018). Integrating risk management and internal audit: Synergies in risk identification and assessment. Journal of Accounting Literature, 40, 56–73.
Coetzee, G. P. (2010, November 1). A risk-based audit model for internal audit engagements. https://scholar.ufs.ac.za/items/a66347ae-645b-4722-9233-094877d03652
COSO. (2021). Guidance on ERM and Environmental, Social, and Governance (ESG) Risks. Committee of Sponsoring Organizations of the Treadway Commission.
De Zwaan, L., Stewart, J., & Subramaniam, N. (2011). Internal audit involvement in enterprise risk management. Managerial Auditing Journal, 26(7), 586–604. https://doi.org/10.1108/02686901111151323
Ghosh, A. (2013, February 1). An Empirical Investigation into Enterprise Risk Management in India. https://ir.iimcal.ac.in:8443/jspui/handle/123456789/437
Hall, J., & The IIA Research Foundation. (2007). 2007 Esther R. Sawyer Scholarship Essay. The IIA Research Foundation. https://ww1.odu.edu/content/dam/odu/offices/risk-management/DOCS/erm-internal-audit-sawyer-award.pdf
Institute of Internal Auditors (IIA). (2014). Auditing Anti-Bribery and Anti-Corruption Programs. https://global.theiia.org/OntolicaSearch/Pages/DefaultResults.aspx?k=auditing%20anticorruption%20programs%20&s=Global Sites&start1=0&ct=Site&cs=Standards and Guidance&ref=https://global.theiia.org/standards-guidance&ret=https%3A%2F%2Fglobal.theiia.org%2Fstandards-guidance%2FPages%2FStandards-and-Guidance-IPPF.aspx (last accessed on September 15, 2015).
Institute of Internal Auditors (IIA) (2017). International professional practices framework (IPPF). The Institute of Internal Auditors Altamonte Springs/Fl.
Institute of Internal Auditors Foundation (IIAF) (2017). ERM and internal audit: The key to enhanced decision-making. The Institute of Internal Auditors.
Odoyo, F. S., Omwono, G. A., & Okinyi, N. O. (2014, May 1). An analysis of the role of internal audit in implementing risk management - a study of state corporations in Kenya. http://erepository.uonbi.ac.ke/handle/11295/81029
Saleem, K. A., & Zraqat, O. M. (2019). The effect of Internal Audit Quality (IAQ) on Enterprise Risk Management (ERM) in accordance to COSO framework. ResearchGate. https://doi.org/10.13140/RG.2.2.22520.08962
Setiawan, A., Manurung, A. H., Hamsal, M., & Soepriyanto, G. (2021). The analysis of the effect of internal audit, IT capability and CRO role in the enterprise risk management implementation on firm performance moderated by listed status among Indonesian state-owned enterprises. BINUS Business School, Bina Nusantara University, Jakarta, Indonesia. https://www.dpublication.com/wp-content/uploads/2021/03/13-223.pdf
The Role of Internal Auditing in Enterprise-Wide Risk Management. (2009). ERM PP. https://www.theiia.org/globalassets/documents/resources/the-role-of-internal-auditing-in-enterprise-wide-risk-management-january-2009/pp-the-role-of-internal-auditing-in-enterprise-risk-management.pdf
Vij, M., & Nath, S. (2024). The changing role of auditors and CFOs in addressing risk management: A questionnaire study. Global Risk Management Institute.
How to cite this article
Nair, A. S., Nair, P., & Agrawal, A. (2024). Examining the synergy between enterprise risk management and internal audit functions. New Challenges in Accounting and Finance, 12, 1-13. https://doi.org/10.32038/NCAF.2024.12.01
Acknowledgments
Not applicable.
Funding
Not applicable.
Conflict of Interests
No, there are no conflicting interests.
Open Access
This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. You may view a copy of Creative Commons Attribution 4.0 International License here: http://creativecommons.org/licenses/by/4.0/