The Evolution from Internal Auditor to Risk Manager

Internal audit used to be all about financial controls. Then operational controls were added. Then risk management came along. Now, after the 2009 crisis, internal auditors need to evolve yet again. Regulators, stakeholders and management are all demanding more from the internal audit (IA) function.
According to the IIA, the key role of internal audit is to "provide senior management and the board with an objective assurance and independent advice that the major business risks are being managed appropriately and that the risk management and internal control framework is operating effectively". So it seems risk management is now a core part of internal audit.

Against this background, internal auditors have to achieve more with less. Headcount has been reduced by 12% in the Fortune 500, while the industry average, according to the IIA, is a staff reduction of around 20% in the past year.

Yet internal auditors are also transforming themselves into risk managers and strategy managers. Rotation of staff is also on the increase, with more firms rotating accountants and managers through the internal audit department and vice versa, so that a better understanding of the IA function is gained across other departments, and vice versa. The IIA reported that roughly 30% of all companies surveyed had a rotation policy in place.

Why is this happening? Mostly to create a better understanding of the organization, so that internal auditors can contribute more than a simple auditing function. Some of the key skills include:

  • Industry and business knowledge
  • Understanding and prioritizing of business strategy and achievement of goals
  • Improved interpersonal skills to communicate with business units throughout the enterprise as well as with senior executives and the board
  • Risk management skills
  • Fraud detection and prevention skills

The takeaway: Enterprise Risk Management (ERM) now forms part of the internal auditor's domain.

In risk-mature businesses, IA needs to provide assurance that the risk management program is in place, working, and evolving and maturing as the business navigates through time. However, in businesses that are smaller, have a combined IA/ERM function, or lack maturity in ERM, IA executives will find themselves responsible for ERM too. When doing risk management, an internal auditor may therefore find themselves acting as facilitator and consultant in the overall risk management process. In so doing, an internal auditor may be called upon to assist with:

  • Defining risk management processes
  • Providing and establishing assurance on risk management processes
  • Providing and establishing assurance that risks are correctly evaluated
  • Analyzing and quantifying risks in strategic areas
  • Identifying, assessing, treating and monitoring risks, as well as reporting on them
  • Implementing systems and techniques to help advance risk management in the organization

It therefore makes sense, in the wider context of GRC (Governance, Risk, and Compliance), that internal audit educates itself in ERM standards such as ISO 31000, as well as in industry requirements such as Basel II in banking, Solvency II in insurance, and similar regulatory requirements in its chosen industries, so that auditors not only understand their business but also the context in which they operate.

Copyright 2010 Cura Software Solutions. All rights reserved.