The Evolution of Internal Audit and ERM
Traditionally, internal audit has focused primarily on identifying policy violations and encouraging compliance with regulations. However, internal audit departments have recently turned their efforts towards an integrated approach to risk management. This evolution of internal audit came about as a result of both the changing nature of the market and industry regulations. The new outlook also involves a transition from a document-centric approach to a data-centric approach, allowing internal audit to take advantage of technology that can enhance enterprise risk management (ERM).
The Institute of Internal Auditors (IIA) defines internal audit as a value-added activity that helps an organization achieve its objectives, “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” In the past, these responsibilities were carried out through a bottom-up, checklist methodology. Following the Sarbanes-Oxley Act and the issuance of the PCAOB’s Auditing Standard No. 5, the approach has developed into an increasingly top-down, consultative methodology. In addition to bringing best practices into an organization, the evolved approach also assists in reducing redundancies and inefficiencies by breaking down the silos in an organization.
A barrier to top-down ERM techniques in the past was the complexity of data gathering and management. Today, centralized technology frameworks can assist internal audit in identifying, assessing, and monitoring risks and controls. This also allows a transition from a document-centric approach to a data-centric approach, increasing efficiency and accuracy in reporting across the business. It also enables data collection to be standardized with greater security and data integrity, leading to more consistency throughout the organization. The data can then be utilized in evaluating historical trends and providing management and the board with better access to information underlying enterprise risks in the organization.
Recently, internal audit departments have employed “continuous auditing” in an effort to review, analyze, and report on issues in a near real-time environment. Traditionally, there has been a considerable lapse between the completion of fieldwork and the issuance of audit reports, making the reported information less valuable to users. By using a centralized technology framework, the continuous audit capability provides meaningful information within a shorter time frame. In addition, the process can assist in understanding changes in risk, supporting a proactive management approach, and engaging business units in active risk management efforts.
The IIA, the PCAOB, and the SEC have all encouraged the rapid adoption of a risk-based approach to internal audit. This approach helps create efficiencies across the business and provides a comprehensive view of risk in the enterprise. In collaboration with risk managers, internal audit can provide independent assurance and provide valuable input to the ERM process. Through this partnership and the evolving role of internal audit, the goal of continuous improvement and greater transparency can be met in every organization.
Original Article Source: “IIA Position Paper: The Role of Internal Audit in Enterprise-wide Risk Management”, Institute of Internal Auditors (IIA), January 2009