23 Sep

Bridge the Gap Between Internal Audit & Enterprise Risk Management (Part 1)

Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM).

Part 1 | Part 2 | Part 3

Last week I had the pleasure of listening Larry Harrington speak at an IIA conference in Atlanta. One point Larry brought up was the role Internal Audit (IA) can and should play in Enterprise Risk Management (ERM).

Internal Audit has an interesting vantage point – understanding the company’s risk, control design and operating effectiveness, and being able to link those controls to business drivers. No position in the company is better positioned to manage and communicate risk.

Business Risk

Click to enlarge. Created by Christian Hyatt.

ERM is macro in nature, but lack the details of internal business control. They are not positioned to measure the business’s ability to execute risk management procedures (perform audits) or understand control design. This is why, from a holistic perspective, it is important ERM and IA operate in partnership to understand the Micro/Macro risk environment and link those risks to business drivers. 

Great in Theory

These ideas are great in theory, but no one ever tells you HOW to bridge the gap between ERM and IA. This series will put a system in place to bridge the gap between internal audit and ERM.

Note: This is a complex topic – so my goal here is to keep these posts short and simple.  I have helped a number of companies implement ERM systems just like this one and I am the author of this particular methodology. If you have questions, ideas, or need help shoot me an email.

Leave a Reply