Which of the following roles should internal audit not undertake in terms of risk management?

In today’s world, processes and operations have become more complex and new risks have emerged. Organizations are trying to give more consideration to risk management; however, they struggle to differentiate the internal audit function from the risk management function. The best approach is to have separate internal audit and risk management functions, but operationally this is difficult to implement, time-consuming and costly. Most organizations have internal audit functions but do not have a risk management function. Therefore, the internal audit function undertakes the risk function in organizations without an effective risk management function.

The three levels of defense in an effective Risk Management Control Framework are operational management as the first line of defense, risk management as the second-level defense function, and internal audit as the third level of defense, responsible for entity-wide assurance. The main role of internal audit in risk management is to provide assurance on the effectiveness of the risk management process.

However, in cases where they play the same role, internal audit takes up a consultative role in risk management. This is done through assessing and monitoring the risks that an organization faces, providing recommendations for appropriate risk mitigation controls, assessing the system’s internal controls and assessing the governance processes in an organization. The following are roles that internal audit should not undertake: setting the risk appetite, imposing risk management processes, taking decisions on risk response, implementing risk responses on management’s behalf and accountability for risk management. These roles lie mainly with operational management.

If internal audit and risk management are performed as one role, these are some of the recommended actions internal auditors can take to help their organization adopt a more strategic risk management focus:

      1. Ensuring that the risk assessment identifies those risks presenting the most significant risks to shareholder value.
      2. Facilitating risk management discussions across the organization.
      3. Viewing risk management as a core competency and ensuring that auditors receive appropriate training on risk and risk management practices.
      4. Reviewing business plans to determine whether they assess the risks embedded in their strategies and have risk monitoring and trigger points.
      5. Reviewing the annual report to determine whether risks are addressed appropriately.
      6. Continuously monitoring and assessing stakeholder expectations relative to risk and risk management, as well as assisting in the education of these stakeholders.
      7. Building a stronger relationship with other risk and control business functions to drive an enhanced process to identify emerging risks.
      8. Identifying and sharing best practices in risk management. 

If the internal audit and risk management functions are played as one role, it is advised that reporting be done to two different managers for clear governance and to avoid bias.

An internal audit function that is properly organized plays a very important role in the organization by understanding the system of internal controls, the effectiveness of key controls, governance and the effectiveness of the risk management processes.

Laura de Zwaan (Department of Accounting, Finance and Economics, Griffith Business School, Griffith University, Meadowbrook, Australia)

Jenny Stewart (Department of Accounting, Finance and Economics, Griffith Business School, Griffith University, Meadowbrook, Australia)

Nava Subramaniam (School of Accounting, Economics and Finance, Faculty of Business and Law, Deakin University, Burwood, Australia)

Abstract

Purpose

The purpose of this paper is to examine the impact of internal auditors' involvement in enterprise risk management (ERM) on perceptions of their willingness to report a breakdown in risk procedures and whether a strong relationship with the audit committee affects such willingness to report. The study also investigates the use of ERM and the role of internal audit in ERM in Australian private and public sector entities.

Design/methodology/approach

The study uses an experimental design, manipulating the internal auditor's involvement in ERM and the strength of the relationship between internal audit and the audit committee. Participants are 117 certified internal auditors. The study also gathers descriptive data on the use of ERM.

Findings

The study indicates that a high involvement in ERM impacts the perceptions of internal auditors' willingness to report a breakdown in risk procedures to the audit committee. However, a strong relationship with the audit committee does not appear to affect their perceived willingness to report. The study also finds that the majority of organisations have recently adopted ERM. Internal auditors are involved in ERM assurance activities but some also engage in activities that could compromise objectivity.

Research limitations/implications

There are internal and external validity threats associated with the experimental design.

Practical implications

The findings reinforce the need for organisations to adhere to the recommendations of the Institute of Internal Auditors and to ensure that internal auditors do not play an inappropriate role in ERM.

Originality/value

The paper contributes to our understanding of the impact of involvement in ERM on internal audit objectivity and of the current role of internal audit in ERM in Australia.

Keywords

  • Australia
  • Public sector
  • Private sector
  • Internal auditing
  • Enterprise risk management
  • Audit committees

Citation

de Zwaan, L., Stewart, J. and Subramaniam, N. (2011), "Internal audit involvement in enterprise risk management", Managerial Auditing Journal, Vol. 26 No. 7, pp. 586-604. https://doi.org/10.1108/02686901111151323

Publisher

Emerald Group Publishing Limited

Copyright © 2011, Emerald Group Publishing Limited

Which of the following roles in the risk management process should not be undertaken by the internal audit activity?

The following are roles that internal audit should not undertake: setting the risk appetite, imposing risk management processes, taking decisions on risk response, implementing risk responses on management's behalf and accountability for risk management. These roles lie mainly with operational management.

Which of the following are roles that the internal audit activity should not undertake since they would threaten its independence and objectivity?

Being accountable for risk management. Making decisions on risk responses.

What is risk management in internal auditing?

What is Risk Management? The objective of risk management is to help identify and document the organization's risks in critical business processes and the internal controls within each process to mitigate those risks.

What is the role of internal audit as it relates to risk management to contribute to the improvement of risk management processes?

Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.