This article, authored by Daniel Clayton, discusses how CHAN Healthcare Auditors spent the past two years determining ways to better integrate ERM and internal audit.  The trouble came with defining how risk management activities impact internal controls.  While working their way to meeting this goal, it was determined that management control is the key connecting concept to properly integrating internal control and ERM

Internal auditors should be viewed as partners of management who are focused on helping the company achieve and execute its objectives.  Traditionally, internal auditors dealt with compliance and making sure management met financial and regulatory compliance objectives.  The new approach to internal audit allows for auditors to work with management by reaching strategic and business objectives by improving governance, risk management, and internal controls.  However, this is a very complex task and requires cooperation on both management and the internal auditor’s behalf.  For internal audit to be truly helpful, there is a need for everyone to understand the purpose of the corporation and the role management plays in the ongoing of the company.

To begin the new audit process, internal auditors need to look at the risks that stem from strategic and business objectives.  Traditionally, risks were assessed by looking at regulatory compliance needs and not those risk that affect business objectives.   By looking at the risks that affect strategic business objectives, auditors are able to determine more effectively what information is most relevant to management.  CHAN Healthcare Auditors created an audit model that follows the natural steps management would take in designing a business process to meet the business objective, considering risks that could prevent the process from working optimally, and designing controls into the process to mitigate those risks. 

Once the risks that affect the strategic business objective are determined, it is important to prioritize those risks.  To properly prioritize risk and still take a top-down approach risk assessment, internal auditors need to understand how top management disseminates objectives and roles throughout the company.  Also, internal auditors need to understand how the business operates at all levels when prioritizing risk. 

After the internal auditors have prioritized the risks that affect the company, they must then connect the risks to the proper controls.  To do this CHAN Healthcare auditors posed questions to management to determine what they consider as they run the business on a daily basis.  Internal audit realized that management on a daily basis considers its objectives and monitors how they are meeting goals so that processes can be adjusted as needed. 

The internal auditors also realized that some departments are lacking the skills and resources needed to meet their objectives.  This causes the department to be very susceptible to risk.  CHAN Healthcare Auditors created a tool that allows them to capture this risk.  The tool is designed to show the areas where management is vulnerable and to show how management responds to those risks by:

  • Setting metrics to measure progress toward achieving goals.
  • Designing operations supported by formalized policies and procedures.
  • Creating monitoring tools and reporting methods that are both proactive and reactive to measuring operational performance.
  • Creating open information and communication channels capable of alerting management to key risks efficiently.
  • Setting a formal tone that endorses ethical standards and promotes accountability. 

 

By measuring management’s vulnerabilities, internal auditors are able to discover how mature ERM is within a company and also how to properly audit internal controls. 
Internal audit is vital for the ongoing operations of a corporation.  Internal auditors play a major role in working alongside management in determining ways to mitigate not only regulatory and compliance risk, but risks that affect the strategic business objectives.  “If management controls are weak at any level of the organization, risk management is weak in that same place.”