The internal audit profession will reach an important landmark next year. It will be a decade since the term enterprise risk management (ERM) entered the lexicon of many practitioners. Though it was around well before 2004, that was the year two influential pieces of guidance were produced — one of them large and complex, the other incredibly succinct, but no less influential.
Since then, internal auditors have been encouraged to "step up to the plate" and take on a new higher-profile, potentially more valuable role, one where they become key players in their organization's approach to ERM — perhaps even the main catalyst of risk management improvement.
Have internal auditors risen to that challenge? The language of risk management has certainly pervaded The IIA's professional standards since 2004. And The Institute's own research shows that many of its members play an active role in ERM. The 2010 IIA Global Internal Audit Survey (a component of the Common Body of Knowledge studies) showed that 57 percent of internal audit shops around the world perform audits of ERM processes. Twenty percent indicated that such audits would increase over the next five years. That still leaves a large number of internal audit shops out in the cold. As the 10-year milestone approaches, should more internal auditors be playing an ERM role? And for those who are already engaged, how might that role evolve in the years ahead?
What emerged in 2004 was The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrated Framework, which defined the essential components of ERM. Though The IIA was involved in the project, the guidance wasn't aimed directly at internal auditors. Its purpose was to help companies that were looking to implement ERM for the first time.
It was the IIA–U.K. and Ireland's Position Statement: The Role of Internal Audit in Enterprise-wide Risk Management, also published in 2004, that addressed the question of how internal audit could, should, and should not get involved in the move to ERM. By then, this issue had become far more than a theoretical concern for internal auditors. When the IIA–U.K. and Ireland started to think about writing its position statement it was clear that the way organizations thought about risk was changing, says Gail Easterbrook, its chief executive at the time.
Financial scandals such as the Parmalat fraud in Europe and Enron in the United States, and the consequent U.S. Sarbanes-Oxley Act of 2002, were pushing companies to look at a much wider spectrum of risks and controls, not just financial controls, she says. "Given internal audit's skills and competencies, there was obvious value our members could add, but some of them had concerns about getting involved," Easterbrook explains.
"They didn't want to jeopardize their independence by getting entangled in management activities," she says. "So we decided to clarify the gray areas, so that internal audit could play a role, adding value with the confidence that their professional body [The IIA] supported what they were doing."
Easterbrook turned to Terry Cunnington, the institute's 2003-2004 president, who had a reputation for innovative thinking on internal audit and its relationship to risk management. Cunnington set up and chaired a working group of leading practitioners, some of whom had already played a significant part in developing and implementing ERM in their own organizations.
"ERM was in its infancy at the time, so we knew we were breaking fresh ground," Cunnington recalls. "There was much debate about the opportunity that ERM presented to raise the profile and effectiveness of internal audit, and the extent that internal audit could be involved without compromising its independence."
In just four pages, Cunnington's group produced guidance that would help internal auditors navigate their relationship with ERM for years to come. It concluded that internal audit's core ERM role should be to provide assurance to management and to the board on the effectiveness of risk management. But internal audit could go further, it said, if certain safeguards were in place. Among them, practitioners should treat any additional work as a "consulting service" in accordance with The IIA's professional standards.
To illustrate the range of roles that internal audit should, could, and should not perform, the guidance included a simple illustration (see "The ERM Fan" below). "That 'fan' image became an icon, a landmark, that was referred to globally," he says of its impact. The IIA adopted it globally.
Many organizations were ripe for a move to ERM; the guidance that Cunnington's team produced was a green light for internal auditors who wanted to show them the way. It also indicated how far they should go before handing the reins over to management.
But a 2011 paper published by The IIA Research Foundation (IIARF) — Internal Auditing's Role in Risk Management — cited IIA research that showed most internal audit shops were not performing the kind of services that would appear in the middle of Cunnington's fan. They were helping to implement and operate risk management programs — the kind of activities that were core to their traditional role — but only 40 percent were providing independent assurance on risk management. What's more, 25 percent said they expected never to do so. The IIARF report concluded that "the majority of internal audit activities are falling short" of the role envisaged in The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).
That 25 percent figure worries Paul Sobel, the author of The IIARF report. "There always will be a percentage that feel content with what they are doing and don't want to change. I suspect you'd get that in a lot of professions," he says. "But I think most of us believe that the world changes, and if you don't adapt you're going to be left behind."
The IIARF report asserts that most internal audit shops have been successful in providing broad advice on risk management, "but fewer are confident enough to provide specific assurance and recommendations to move risk management ahead in their organizations."
The paper quotes other research that identifies the challenges internal auditors face when considering a more evolved role in ERM. Each of the top five challenges is cited by almost one-third of respondents (see "Top Five Perceived Barriers to Internal Audit Involvement in Risk Management" at right). None of them is insurmountable, so the report concludes, "With adequate training and effort, there is no reason why any internal auditor cannot be skilled enough to perform many risk management roles."
But that raises a question, Sobel says. Given that risk management has been part of the internal audit world for at least a decade, why don't all auditors have these skills? Fear is a factor, he says. Creating a career for yourself as a control or risk assessment expert is one thing, "but to be good at ERM you really need a good understanding of the business — that scares a lot of people."
Cunnington's assessment is that the profession, overall, has "stepped up," but he stresses the danger of generalizing. "In many organizations, internal audit probably has missed the opportunity presented by ERM, either because it is not resourced to do so or because the head of internal audit or senior management has a more traditional view of internal audit's role. But in many organizations internal audit has been instrumental in developing ERM and in such cases it has succeeded in raising its profile and adding value."
Even where internal audit has just championed ERM and then handed over responsibility to others, "this has provided great benefit to organizations." And when internal audit performs that role, "it develops considerable ERM expertise, which puts it in a good position to undertake independent reviews of the ERM framework and continue to add value."
Those internal audit shops that are afraid of getting too close to ERM may not have attracted much criticism from the top of their organizations — so far. The IIARF report says many audit committees still have a low awareness of ERM, and hence have low expectations about how internal audit might be involved in a way that adds value. But that is changing.
"For both the board and management there is growing awareness of what ERM can be and how it can deliver value," Sobel says. Many organizations planning to implement ERM are still looking to internal auditors for help, because they are seen as the people who understand risk assessment and control. But these organizations increasingly want management to own ERM as soon as possible, with internal audit providing independent assurance, he says. "That creates quite a challenge for the audit profession, because we don't have a lot of good guidance or experience in how to do that," Sobel says.
ERM best practice has evolved in ways that can require a rethink of internal audit's role, Cunnington agrees. "In many smaller organizations, particularly where there is no risk management department, internal audit was responsible for developing, and still operates, the ERM framework. In these cases, the model set out in the position statement is still applied," he says.
"But since 2004, ERM has become much more sophisticated, particularly in large organizations and financial services," Cunnington adds. It often requires risk modeling, a definition of risk appetite or tolerance, and a close connection with business strategy. "Such activities are not appropriate for internal audit to undertake and require specialist risk management skills."
Best-practice thinking about ERM and internal audit's role continues to evolve. One driving theme is the need to find ways of using ERM not just to control risks better but to "manage the upside," says Michael Parkinson, a director of KPMG in Australia and a member of the International Internal Auditing Standards Board. "The issue we have now is the view that risks are all negative and that they are based on events," he says. "This inevitably leads to individuals trying to predict events as part of risk management and internal audit processes."
Parkinson wants internal auditors to change their focus. He points to the value of the international standard ISO 31000: Risk Management Principles and Guidelines, which defines risk as the effect of uncertainty on objectives. Internal auditors, like risk managers, are employed to help the organization achieve its objectives, Parkinson says. "But until we recognize that we can move an organization forward — not just prevent it from going backward — then we will never reach our full potential."
Jackie Cain, director, Policy and Technical, for IIA–Australia, is worried that as ERM matures, organizations will want to see more "visibility and formality" in their risk management process. "That can be a bad thing if it prioritizes structures and committees and minutes over action and attitude," she says. "The thing is, structures are easy to see, behavior is not."
Cain says there is currently a lot of confusion in the intellectual space as organizations reexamine their ERM practices in a climate of global financial turmoil. "You still have a lot of mechanistic models like COSO and exhortations to reduce every risk consideration to a number, while others are talking about issues like behavior and fast or slow 'clock speed' risks. I don't know how business managers are meant to keep up and know what to do."
One way that internal auditors can better keep up is by collaborating more willingly. The IIARF report notes that most internal audit shops try to "go it alone" when providing risk management services, but adds that this can be a dangerous approach. If the audit function lacks skills and confidence, the report recommends teaming up with third-party service providers or other functions in the organization that have expertise in this area.
Reaching out to others in the business might require a change of attitude. "While [chief audit executives (CAEs)] often feel their function is the only one that is truly independent and objective enough to provide these services, frequently there are other functions that provide some sort of advice or assurance on risk management," the IIARF report says. "CAEs should seek out these functions to collaborate and synergize as much as possible."
Cain says internal auditors should use the shifting language of risk management as an opportunity to remind senior executives about the value of core audit principles, such as accountability, monitoring, checks, and balances. "Since ERM emerged, some internal auditors have managed to exploit it as an opportunity, others haven't," she says. "But what worries me is this: When you see internal auditors rushing to be risk managers, that betrays a lack of confidence in our value. We have a unique role. We can stand back and make sure things are working well, and we have the influence to improve things if they are not. We should be proud of that."
"Since 2004, part of the profession has stepped up and delivered," says Steve Jameson, CAE and risk officer at Community Trust Bancorp, Inc., a Kentucky-based bank holding company. "Those who chose not to get heavily involved have missed a great opportunity to add value, prove their worth, and develop closer and stronger ties to their board."
At Community Trust, the benefits of internal audit's contribution to ERM are clear. "We have remained profitable during the recent economic downturn, did not have to take any bailout funds from the government, and have better performance and quality measures than our peers," he says. "I do not see us changing our ERM program in a major way. We will continually update and tweak our approach, but it has been battle tested and served us well."
A decade after the profession's first guidance on ERM, most internal auditors around the world have "stepped up" and become more involved in risk management. For the rest, there is a clear opportunity to add value in this area. They may doubt whether they have the knowledge or profile to make a difference, but all the research suggests their core audit skills will serve them well — at least as a starting point. As ERM becomes increasingly sophisticated, even those auditors who have already embraced it will need to stay on their toes and collaborate where necessary. But the basic principles the profession established in 2004 remain the guiding light today.
Visit The IIA's website to download the IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control.