Risk managers and internal auditors are starting to put their heads together to figure out how they can collaborate to create a better approach to risk and decision making.
The Institute of Internal Auditors and the Risk and Insurance Management Society have produced a report, titled Risk Management and Internal Audit: Forging a Collaborative Alliance, to get internal auditors and risk managers thinking about their respective duties and where there might be some opportunity for them to work more closely to produce a cohesive view of and response to risk within an entity.
The report profiles four organizations that RIMS and IIA view to emulate a more collaborative approach between risk management and internal audit – Cisco Systems, Hospital Corp. of America, TD Ameritrade, and Whirlpool. The report highlights four practices those four organizations have in common – including linking the audit plan with the enterprise risk assessment, sharing resources, assessing and monitoring strategic risks, and cross-leveraging each area's respective competencies, roles and responsibilities.
Both risk managers and internal auditors have seen big changes in their roles in recent years, says Hal Garyn, vice president of North American services for the IIA. “Risk managers have certainly moved in their organizations far away from being responsible for managing only the corporate insurance program,” he says. “At the same time, internal auditors have moved away from what may have been a controls-based view of business to a more risk-based view of business.”
With both professions serving essentially the same stakeholders – boards of directors, audit committees, and management, primarily – it makes sense for them to talk the same language and collaborate more closely to assure a singular view of risk throughout the organization, Garyn says. “We're not saying that this is not happening, but it's not happening to the level many organizations would like to see,” he says.
In a separate report, the semi-annual Pulse of the Profession, the IIA says chief audit executives are exploring a variety of strategies to enhance the value of the audit function to the organization, but there are still plenty of ways internal audit can better align its planned audit coverage with risks that are considered important by the organization.
IIA President and CEO Richard Chambers says companies should take advantage of a somewhat stable period of financial and staffing resources for most companies to look for ways to improve the stature and relevance of internal audit function within the entity. The report is based on a survey of more than 460 audit executives in the United States and Canada.