Internal Auditor. Print (Page 52,53,54,55,56,57,58). http://theiia.texterity.com/ia/200604/templates/pageviewer_print?pg=54&pm=7 8/9/2007

Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

AUDREY A. GRAMLING, PHD, CIA, CPA
ASSOCIATE PROFESSOR
KENNESAW STATE UNIVERSITY

PATRICIA M. MYERS, PHD, CPA
ASSOCIATE PROFESSOR OF ACCOUNTING
BROCK UNIVERSITY

ILLUSTRATION BY DOUG ROSS

INTERNAL AUDIT DEPARTMENTS HAVE PLAYED A VARIETY OF ROLES in their organization's enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no

ERM UNDER CONSTRUCTION

A recent IIA Research Foundation study examined the ... Researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated yo responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and Za percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada. Respondents' organizations are at different stages of implementing ERM, as defined by COSO (see "ERM Status" on this page). More than se percent say their organization's ERM infrastructure is in foetaneclaed msunccnctvides state ot atively mnie and yy percent have recently adopted or are in the process of implementing ERM.

Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondent organizations, while x7 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of their hours and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent ia percent to 50 percent of their time on ERM and a8 percent spent port m percent g percent of their financial budget, while less than 1 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities in the IIA paper: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating reporting of key risks, and reviewing management of key risks (see "Core Internal Auditing Roles in ERM"). Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate; they say they should have a substantial level of responsibility. These views agree with the IIA guidance. Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility ... more than two-thirds say they should have ... one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments ferent wy sa dar facet re ester ERM-related ween the level they deem appropriate:

"We have been bag implementing ERM activities no ome fay. We do not yet have complete understanding of the process and buy-in from management."

"Te mt corsa manage iment oto fat BM"

"Tie nal su nonfat inated meres api trong the commie mers?"

These comments suggest that ching szangenenc andthe sive on Fa acca cao ering st the ult retin aaron on prope ted of seaport

LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as "consulting activities." Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance (see "Legitimate Internal Auditing Roles").

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility ... been traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing risk management strategy for board approval, which is an activity that might best be led by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure wo inte documenting the auditor's ERM responsibilities in an audit committee sodit charter. Further, if auditors take on any ERM-related activities that fall ... ing rl, they should gems se consulting Sd apply the velo IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, taking decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends (see "ERM Roles Internal Auditing Should Not Perform"). However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

... transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their involvement should be Tne than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $300 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenues under US $300 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year. Researchers compared responses from organizations with revenues of less than US billion with organizations with revenues greater than US ... both types of organizations ... relatively equal levels of responsibility for core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have slightly higher current levels of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondent organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The difference related to core activities: compliers report a higher level of current responsibility than non-compliers.

Although the IIA's ERM guidance is equally applicable to all organizations, the research indicates that small internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timetable for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current level of responsibility audit departments have aye somewhat the level contented by The IIA's position paper, the respondent comments offer some evidence that auditors understand the underlying concepts of the guidance:

"Thee need tobe hin the dcng ofthe ott being an internal audit function heli on fd evaluate the ERM process. Should be in eye with ee cniveie ed plan."

"In the past 8 months, the corporation has appointed a CX0 to provide oversight and guidance Ching ERM process. During this period, much of internal auditing's pes turtles have migrated to this officer."

More importantly, respondents identified significant barriers in their organizations to following the guidance:

"The ERM responsibilities and process are not well defined in many organizations and should be more clearly articulated by senior management."

"There is not enough emphasis from the top that risk management effectively. Management a oy ing thie things ro internal auditing. It's not their gaia trove ain together at"

"Most auditors enterprise risk management lick cay ont incton between responsibility for risk ssa inpementon vee responsibility for risk assurance, compliance, and monitoring."

The comments indicate that a key element to establishing an ERM program is education on the importance of ERM and the appropriate roles management and internal auditing have in this process. Internal auditors can play a key role in providing this education. The audit department, management, board of directors, and audit committee need to be educated about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for ERM-related activities for which they should be accountable. However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities might not occur quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ely to work together to achieve the many benefits of ERM. Lely this coordination will result in performing ERM-related activities at appropriate places within the organization, management accepting its responsibility for ERM, and the audit function playing a role that is consistent with appropriate professional guidance.

To comment on this article, e-mail the authors at atograning insite.
