The document discusses the collaboration between risk management and internal audit functions, emphasizing how this partnership can enhance organizational efficiency and decision-making. It reviews trends in financial services, the challenges faced by internal auditors, and the importance of focusing on real risks rather than just financial compliance. Additionally, it outlines the core roles of internal auditing in enterprise risk management (ERM) and provides a framework for assessing risk priorities and developing an effective audit plan.

1. Working Together
Luis Fernandez
March 10th, 2015
Internal Audit &
Enterprise Risk
Management
5/17/2024
1

2. 5/17/2024
2
Let’s think about risk…
…and find ways to better align our process.

3. Let’s talk about…
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
3

4. Objective
 Collaboration of risk-management and internal-
audit functions is helping organizations improve
efficiency, decision-making, and results.
(Reference 1)
5/17/2024
4
Is this
happening?

5. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
5

6. Overview
5/17/2024
6
 In 1999 IIA revised the definition of internal
auditing to include both assurance and consulting
activities.
 In 2004 the Commission of Sponsoring
Organizations of the Treadway Commission
(COSO) released its integrated framework for
ERM.
 IIA issues a position paper delineating the core
roles of IA in regard to ERM. (IIA, 2004a).
(Reference 2)

7.  ERM is defined by COSO (2004, 2) as:
“…a process, effected by an entity’s board of
directors, management and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential events that
may affect the entity, and manage risks to be within
its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.”
Overview…cont’d
5/17/2024
7 (Reference 2)

8. Overview…cont’d
5/17/2024
8
 When announcing the release of the COSO
framework, the IIA issued a statement
commenting on the internal auditor’s role in risk
management (IIA, 2004b).
“Internal auditors should assist both management
and the audit committee in their risk management
responsibilities and oversight roles by examining,
evaluating, reporting, and recommending
improvements on the adequacy and effectiveness
of management’s risk processes.”
(Reference 2)

9. Overview…cont’d
5/17/2024
9

10. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
10

11. Trends in Financial Services
5/17/2024
11
 Convergence
o Barriers separating Banks, Brokerage and Insurers
are coming down. CROSS SELLING!
 Consolidation
o Acquisitions. Reduce operating expenses and
increase market share.
 Changing Business Models
o Ways to make more profit (Technology, etc.)
Challenge: Customization and Personalization
of product lines. Changes in structure for
revenue models.

12. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
12

13. IA’s challenge:
5/17/2024
13
 It needs to reconsider its role!
o Board Oversight
o Execution – A clear differentiator
o Change Management
o Operating style and culture – Critical to execution
effectiveness
Change the mindset! From control oriented to risk
oriented.

14. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
14

15. Is audit focused on the real risks?
5/17/2024
15
6% 12%
68%
13%
Financial Compliance
Operation
al
Strategic/Busines
s
12
%
6
%
13% 68%
(Reference 6)
However, a significant percentage of internal audit resources
are focused on financial controls in most organizations.

16. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
16

17. What should be the approach?
5/17/2024
17
Audit Plan
Traditional Transformed
(Reference 6)
• Evaluate impact of risks within
universe.
• Identify different risks (financial,
operational, Compliance).
• Define Audit Universe.
• Identify shareholders value by
creating business assessment
activities.
• Understand Enterprise Risks
(Strategic, Financial, Ops,
Compliance).
• Evaluate impact to shareholder
value.
√
√
√

18. ERM three-dimensional matrix:
5/17/2024
18 (Reference 5)

19. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
19

20. How do we assess risk priorities?
5/17/2024
20 (Reference 6)
Result: Audit universe is prioritized based on impact on
shareholder value drivers, and the current and targeted maturity
of the processes, programs and initiatives

21. Sample Risk Assessment Framework
5/17/2024
21 (Reference 6)
Result: A practical framework is created based on risk information
and judgment.

22. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
22

23. Audit Plan
5/17/2024
23 (Reference 6)
Result: Audit plan is based on impact on shareholder value
drivers, regulatory requirements/priorities and audit judgment.

24. How do we continue the
process?
5/17/2024
24 (Reference 6)
Result: The relevance of the framework is driven per behavior of
each of the elements of the audit program/plan, and audit
judgment.

25. Table Content
 Objective
 Overview
 Trends in Financial
Services
 Internal Audit Challenge
 Real Risks?
 Approach
 Assessment Framework
 Audit Plan
 Role of IA in ERM
5/17/2024
25

26. Summarizing - Role of IA in ERM
5/17/2024
26
 Core Internal
Auditing Roles in
ERM
 Giving assurance on risk
management processes
 Giving assurance that risks
are correctly evaluated
 Evaluating risk management
processes
 Evaluating the reporting of
risks
 Reviewing the management
of key risks
(Reference 2)
 Roles internal auditing
should not undertake
 Setting the risk appetite
 Imposing risk management
processes
 Management assurance on
risks
 Taking decisions on risk
responses
 Implementing risk
responses on
management’s behalf
 Accountability for risk
management

27. 5/17/2024
27
Luis Fernandez
luisfernandezlange@gmail.com
(704) 724-2481

28. References
1. Kristina Narvaez & John Bugalla, October 22,2012, CFO.com
2. Laura de Zwaan, Jenny Stewart and Nava Subramaniam,
Internal Audit Involvement in ERM, Griffith University,
Queensland Australia, No. 2009-02
3. Andre Brodeur & Martin Pergler, Top-dow ERM: A pragmatic
Approach to Managing Risk from the C-Suite, McKinzey
working papers on risk, #22
4. Institute of Internal Auditors, The Professional Practices
Framework, January 22
5. COSO – ERM Enterprise Risk Management - Integrated
Framework, Executive Summary, September 2004.
6. Mike Brown & Rich Reynolds, Applying Risk Assessment to
Your Audit Plan, The Future of Internal Audit, Corp Executive
Board, 2010.
7. Walter Festand - GARP (Global Association of Risk
Professionals, Common Themes in SEC and FINRA Exam
5/17/2024
28