The last decade has seen companies forced to adapt their Risk Management strategies with unprecedented alacrity. Technological innovation in particular has brought with it, by its very nature, numerous unknown risks, while a number of devastating corporate crises have led to a raft of major regulatory reforms, which 22% of CEOs surveyed by Gartner in 2012 placed at the top of their risk list. By way of response to this environment of mutating risk, many companies have adapted their processes to utilize the unique position of Internal Audit, or the chief audit executive, to lead their Risk Management strategies.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2004 Framework on Enterprise Risk Management, said that the key to achieving the comprehensive approach necessary for an organization to meet its Risk Management objectives was that all of its members were committed to achieving them. Internal Audit’s role in this, the Framework said, would see it participate in both assessing the risks and advising senior management on their performance. This was reinforced by a 2010 Global Audit Information Network Flash Survey, to which three quarters of the 321 respondents agreed or strongly agreed that there is an emerging need for the audit committee to have better insight into organisations' risk management processes.
Internal Audit’s ability to provide both better resource allocation and a fuller assessment of the risks, thereby providing a more accurate appraisal of the Risk Management framework, are now widely recognized. However, Internal Audit still has a number of obstacles to overcome before it can properly integrate its function within the Risk Management framework. The most pressing of those is that such responsibilities are often considered beyond its remit, and that there is a lack of support from management. Central to overcoming such challenges is recognising the service that Internal Audit can provide, the unique space it exists in from which it is able to look at risk across an entire organization, as well as its ability to exploit the benefits of integrated reporting to achieve the communication necessary to respond with the speed required to deal with risk in the modern world.
As it stands, Internal Audit still primarily serves in an assurance capacity. This is likely to expand further into an advisory role as the advantages of using it for proper Risk Management become better recognized and exploited, and senior management adapts the way it integrates it into the framework so as to ensure it does not get in its way.