Internal Auditor
http://theiia.texterity.com/ia/200604/templates/pageviewer_print?pg=1&pm=1 8/9/2007
Print (Page 52,53,54,55,56,57,58) Page 1 of 7
Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

AUDREY A. GRAMLING, PHD, CIA, CPA
ASSOCIATE PROFESSOR
KENNESAW STATE UNIVERSITY

PATRICIA M. MYERS, PHD, CPA
ASSOCIATE PROFESSOR OF ACCOUNTING
BROCK UNIVERSITY

ILLUSTRATION BY DOUG ROSS

INTERNAL AUDIT DEPARTMENTS HAVE PLAYED A VARIETY OF ROLES in their organization's enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no
ERM UNDER CONSTRUCTION
in foetaneclaed msunccnctvides giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the
researchers disseminated an online survey to 7,200 IIA members through The IIA's Global Auditing Information Network. The survey generated yo responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and Zapeteent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO (see "ERM Status" on page). More than se percent say their organization's ERM infrastructure state ot atively mnie and yy percent have recently adopted or are in the process of implementing ERM.

Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondent organizations, while x7 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hours and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent ia percent to 50 percent of their time on ERM and a8 pent port m percent g percent of their financial budget, while less than 1 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities in the IIA paper (see "Core Internal Auditing Roles in ERM" on pagel). Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, they say they should have a substantial level of responsibility. These views agree with the IIA guidance. Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility oreo cre ey more than two-thirds say they should have Edscedanatenorbity relent one core activity.

Within the core category, the audit function's highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.
“Te following rape comments
ferent wy sa dar
facet re ester
Tnverelaed ween the evel thoy
dem appropiate
■ "We have been busy implementing ERM activities in some way. We do not yet have complete understanding of the process and buy-in from management."
s:"Te mt corsa manage
iment oto fat BM
“Tie nal su nonfat
inated meres api
trong the commie mers?
“Ths comment gg that ching
szangenenc andthe sive on
Fa acca cao ering st
the ult retin aaron on prope
ted of seaport
LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as "consulting activities." Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance (see "Legitimate Internal Auditing Roles" on pagel).

Within the legitimate category, the highest level of current responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsi-
been traditional considerations in developing audit plans. The lowest-rated current and ideal activity is developing risk management strategy for board approval, which is an activity that might best be led by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would involve documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall
function is playing a
ing role, they should
gems se consulting and apply the relevant IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, taking decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends (see "ERM Roles Internal Auditing Should Not Perform" on pags). However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the
organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their involvement should be Tne than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $300 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenue under US $300 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year. Researchers compared responses from organizations with revenues of less than US billion with organizations with revenues greater than US 3
both types of organizations have relatively equal levels of responsibility for core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondent organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. ‘ 5 difference related to core activities: compliers report a higher level of current responsibility than non-compliers.

Although the guidance is equally applicable to all organizations, the research indicates that small internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current level of responsibility audit departments have aye somewhat the level recommended by The IIA's position paper, the respondent comments offer some evidence that auditors understand the underlying concept of the guidance:
■ "There needs to be hin the dcng of the ott being an internal audit function heli on fd evaluate the ERM process. Should be in eye with ee cniveie ed plan
■ "In the past 8 months, the corporation has appointed a CRO to provide oversight and guidance Ching the ERM process. During this period, much of internal auditing's pes turtles have migrated to this officer."

More importantly, respondents identified significant barriers in their organizations to following the guidance:
■ "The ERM responsibilities and process are not well defined in many organizations and should be more clearly articulated by senior management."
■ "There is not enough emphasis from the top that risk management efletvely. Managerent a oy ing thie things ro internal auditing. Tes not ther gaia trove ain together
■ "Most auditors enterprise enn managers lack clarity on distinction between responsibility for risk ssa implementation versus responsibility for risk assurance, compliance, and monitoring."

The comments indicate that a key element to establishing an ERM program is education on the importance of ERM and the appropriate roles management and internal auditing have in this process. Internal auditors can play a key role in providing this education. The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for ERM-related activities for which they should be accountable. However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities might not occur quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be able to work together to achieve the many benefits of ERM. Likely, this coordination will result in performing ERM-related activities at appropriate places within the organization, management accepting its responsibility for ERM, and the audit function playing a role that is consistent with appropriate professional guidance.

To comment on this article, e-mail the authors at ograning insite.