Part Three: Enterprise Risk Management, Internal Controls & Internal Audit: Are They All Needed?
The right accountability and compliance approach for a government depends on its complexity, criticality, and risk appetite. However, a minimal approach could lead, at best, to inefficiencies, waste, or a disruption of services and, in the worst-case scenario, to fraud.
Understanding the ingredients of each philosophy and function, as well as their advantages and limitations, can inform senior leaders how to best approach accountability and compliance in their organization.
The final part of this three-part blog series focuses on Internal Audit and how the function may inform or be impacted by Enterprise Risk Management (ERM) and Internal Controls. Further details regarding Internal Controls were covered in Part Two of this blog series, while the particulars of ERM were addressed in Part One.
Internal Audit
Internal Audit is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” An Internal Audit function serves to provide reasonable assurance that controls under audit are in place and function at a specific point in time.
Key Ingredients:
Derives authority from the commissioner, an Internal Audit charter and, ideally, an audit committee.
Internal Audit activities should remain free of influence from any element in the organization.
Follows auditing standards established by professional advisory bodies, including the Government Accountability Office (GAO) and the Institute of Internal Auditors (IIA).
Provides an objective Risk Assessment separate and distinct from management, to advise and execute the annual Internal Audit plan.
Tracks issues and actions and communicates to the entity head or audit committee, if applicable.
Internal Audit is considered the “third line of defense.” Based on an independent Risk Assessment, Internal Audit helps ensure that select Internal Controls are in place and function within a specified timeframe.
Relative Advantages of Internal Audit:
Identifies and communicates potential risks and control gaps that may not be considered by management or Internal Control.
Ideally, Internal Audit staff incorporate standards in the audit process and afford a level of control assurance to senior management not afforded by Internal Control or ERM.
Supports both ERM and Internal Control in assessing and enhancing the accountability and control environment.
Relative Limitations of Internal Audit:
Span of influence and authority is limited by the charter and/or support from senior leadership and the audit committee, if applicable.
Not permitted to design or implement controls; dependent on management to implement and enforce control compliance.
Senior management may divert audit resources to perform duties compromising their independence and objectivity.
Dependencies on ERM and Internal Control:
Implementation of an Internal Audit function can provide reasonable assurance to senior management that the mitigating controls under audit, supporting the ERM strategy, were defined effectively and functioning.
The result of an Internal Audit can inform the ERM system, inclusive of Internal Control, where additional control focus may be needed.
Internal Audit can inform ERM and Internal Control of risk areas not yet identified.
Internal Audit can independently and objectively review the effectiveness and/or gaps in an ERM system.
ERM provides Internal Audit with input to its independent Risk Assessment, assisting in the development of the audit plan to ensure it is aligned with the objectives, threats, and risk appetite of the organization.
Each of the risk and control functions discussed in this three-part blog series can uniquely enable an entity to better achieve desired results. The appropriate width and breadth of these functions at an entity can only be ascertained by a thorough, qualified analysis and review of its risk and control environment, and of how best to amend that environment to reach organizational goals, objectives, and mission.