Risk Management Basics – ERM vs. Internal Audit

One of the common questions I get asked is about the relationship between enterprise risk management (ERM) and internal audit. If the boundaries are not clearly defined, their responsibilities often overlap, but each group plays an essential role and the two must be coordinated.

ERM is typically responsible for developing the language and framework (policy, procedures, process, tools) for how risk is managed in the organization, and for working with the responsible managers to train and support them in managing their risks.

Internal audit is typically responsible for auditing and providing assurance to the board and senior management that risks are being reduced to an acceptable level (i.e. that the risk management process is working as designed and is aligned with the board's expectations).

In this video, I explain the typical responsibilities of each group and describe what to do when an organization has an internal audit group but no ERM group.

Ultimately, both roles are essential and need to focus on working together so that the organization can manage its key risks holistically.

If you are a member of the Institute of Internal Auditors (IIA), there are some great resources that go into more detail.

If you are not an IIA member and want more information, let's set up a time to talk in more detail.
