Part One: Enterprise Risk Management, Internal Controls, Internal Audit: Are They All Needed?
The right accountability and compliance approach for a government entity depends on its complexity, criticality, and risk appetite. However, a minimal approach can lead to inefficiencies, waste or disruption of services, or, in the worst case, an invitation to fraud and its realization.
Understanding the ingredients of each philosophy and function, as well as their advantages and limitations, can inform senior leaders on how to best approach accountability and compliance in their entity.
Part One of this three-part series focuses on Enterprise Risk Management (ERM): its main components, and how the function may inform or be impacted by Internal Controls and Internal Audit. Part Two covers the particulars of Internal Control in further detail, and the final part, on Internal Audit, completes the triad.
ERM
ERM is a top-down risk management methodology wherein senior leadership of an entity defines entity-level goals and objectives and the risks or threats to achieving them. ERM can be facilitated or directed by a dedicated function, or it may be a philosophy driven by senior leaders to align the organization’s control and compliance functions in each area to achieve goals and the objectives of the entity.
Key Ingredients
Objectives and goals are established by senior leadership through a formalized process; management is considered the “first line of defense” in ensuring controls are implemented and functioning.
Internal and external risks to strategic objectives are identified through an ERM Risk Assessment.
Results of the Risk Assessment (ideally) drive control emphasis and implementation, informed by the potential impact or likelihood of a particular threat.
Internal Controls should then be implemented and/or adjusted to mitigate those risks depending on the variability of the risk environment.
ERM is embraced by the tone at the top as a “way of doing business” and not an end point.
ERM is often referred to as a system, where all facets of operations, risk, and control functions work in concert for the shared goals of the entity.
Relative Advantages of ERM
Objectives and threats clearly identified and communicated.
Awareness of goals and risks permeates the entity.
Serves as an “input” to other Risk Assessments, such as Internal Control and Internal Audit.
Relative Limitations of ERM
Subjective: Goals and threats may be myopic or incomplete.
ERM cannot offer any assurance that Internal Controls are implemented, functioning or effective.
An ERM Risk Assessment is not detailed enough to identify risks/threats at the departmental level, nor is it an adequate substitute for an Internal Audit Risk Assessment, which directs/influences the annual Internal Audit plan.
Dependencies of ERM with Internal Control and Internal Audit
Implementation of an Internal Control function can assist senior management by advising whether the mitigating controls supporting the ERM strategy have been implemented.
Results of ERM can serve as an input to Internal Control, and to a lesser extent, Internal Audit.
Internal Control testing, when present, serves as input to the evolution of the ERM system, as the entity and risk environment change.
Internal Audit can independently and objectively review the effectiveness and/or gaps in an ERM system.
Each of the three risk and control functions identified can uniquely enable an entity to better achieve its desired results. The appropriate depth and breadth of these functions at an entity can only be ascertained by a thorough, qualified analysis and review of its risk and control environment and of how best to adapt it to reach key organizational goals, objectives, and mission.