Eighty percent of internal audit teams use the results of other functions’ risk assessments to identify information threats, according to CEB Audit benchmark data. Although this may seem an efficient way to monitor risk, it can store up numerous problems for the firm later on.
Auditors that use Enterprise Risk Management’s (ERM’s) output and that of other assurance functions often feel that, because they have had no input in the initial assessment, the assessment is incomplete and they then go back to the business with further questions.
This can annoy line managers who are “struggling to get on with the day job,” and make them feel as if they are constantly under scrutiny. Eventually, this can lead management to disengage from the assurance process altogether, a situation that ERM, Audit, and Compliance all want to avoid.
What ERM Can Do
If risk managers know that Audit is going to use their work, they should get in touch with the relevant auditor(s) before doing the risk assessment to confirm that Audit will be able to rely on the findings without having to perform significant follow-up.
The audit team at InterContinental Hotel Group (IHG) uses the work of other assurance providers only when it deems it “sufficiently independent and robust” (see chart 1).
Chart 1: Assurance providers at IHG (Source: IHG; CEB analysis)
The various functions work together to build an “assurance map”. This is essentially a dashboard that shows which group is doing what to help management deal with the company’s risks. The map shows:
- The risk category.
- Whether the threat is increasing, stable or decreasing.
- Ongoing assurance work from the first, second, and third lines.
This helps Audit plan its activities for the upcoming year.
It also helps ERM over the long run, by keeping the business on board with the assurance process, and by raising the profile of its work via Audit’s regular board presentations.
For more on the shortcomings of current risk management processes and how to remedy them, see this page.