The report, authored by Audrey Grambling and Patricia Myers, claims that Internal auditors need to be actively involved in the assurance and evaluation of risk management processes, assurance that risks are evaluated correctly, evaluation of the reporting process for risks, and assessment of management used for risks.  According to surveys, the amount of money and hours spent on internal audit duties is varied.  The largest differences are in the essential activities mentioned above.  Internal auditors indicate they currently only have moderate responsibility for these activities, but feel they should have much more accountability.

There are seven valid or legitimate ERM-related responsibilities to be used by internal auditors when the proper safeguards are in place.  These consulting activities include identifying and evaluating risks, communicating and teaching how to respond to risks, organizing risk management activities, combining risk reporting, managing the ERM framework, coordinating the implementation of ERM, and creating a plan for risk management to be approved by the board. 

Two of the most important levels of responsibility include evaluating the risk management process and reviewing management of key risks.  The unsuitable activities include six ERM-related duties:  establishing risk appetite, enforcing risk management processes, giving assurance on risks, creating risk decisions, facilitating risk responses on behalf of management, and having responsibility for risk management.

Research indicates that the internal audit departments in small organizations usually take on ERM activities that should be handled by management.  In these circumstances, companies should devise a plan that would transfer these activities to management.

Some internal auditors surveyed expressed concern about organizations’ communication of ERM responsibilities and processes, lack of emphasis on the importance of ERM, and the need for distinction between responsibility for risk assurance and responsibility for risk assurance compliance and monitoring.   Essentially, the proper planning and communication can eliminate these concerns and provide for a better ERM process.

Click below for a link to the full article.