In the fourth blog in our series about independent assurance, Tony and John explain how internal audit provides oversight of the risk management function. Operational Risk Software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Internal audit provides assurance to the board on the first and second lines of defence (see: How does Independent Assurance in Risk Management support 3LOD?). Regarding the first line, it provides assurance that controls are working effectively and are appropriate to the risks of the organisation. As for the second line of defence, oversight functions such as risk management ensure consistent application of the risk management framework and provide challenge to business operations. Internal audit provides assurance that the oversight functions are working effectively, that they pick up adverse changes in the risk profile, and that these changes are reported. As can be seen from the illustration below, oversight covers both financial and non-financial controls, including the people risks overseen by HR, such as incentive structures and organisational culture, as well as regulatory and statutory compliance.
It is important that the second and third lines of defence work closely together, leveraging each other’s expertise and experience. While their activities are complementary, there needs to be clear demarcation so that their respective roles are understood both by themselves and by others in the firm. They also need to map sources of assurance over key risks and controls, so that there are no underlaps or overlaps. Internal audit is part of the risk management process but is not risk management. It should not set the risk appetite or in any other way have accountability for risk management. Its role is to review and give assurance on the process elements of the risk management framework.
Internal audit, in as much as it challenges the process elements, should be involved in new and emerging risks, such as cybersecurity, data privacy, ESG (environmental, social and governance) risks, change management, and new and existing third parties, such as global supply chain and outsourcing risks. Similarly, internal audit also challenges the various risk appetites and the overall risk and control culture of the organisation, in both the first and second lines of defence, but only as part of the audit process.
Where there is no risk management function, the internal auditor may act as a facilitator in establishing a risk management strategy and framework. But it is important that they do not compromise their independence or confuse their role by taking risk decisions or being executive risk managers, however attractive that role may seem.
In our next blog, Tony and John outline the role of Internal Audit.
Mastering Risk Management, by Tony Blunden and John Thirlwell, is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk Software can help your organisation, contact us today at email@example.com