Effective Enterprise Risk Management through Internal Audit involvement

Deepak Harlalka, Dr. Suresh Chandra Padhy, Dr. A. Ameer Hussain

Abstract

Background: The role of internal audit in an organisation has evolved over the last few decades, and stakeholders' expectations of it have expanded. Historically, the role was limited to compliance and assurance on financial reporting, including adherence to policies. With the focus on the larger scope of Corporate Governance (CG), the function is now also expected to support governance. The internal audit function (IAF) is part of the chain that links owners and executive management (EM) and helps ensure that the principal-agent relationship functions as intended. The Board of Directors (BOD) and the Audit Committee (AC) expect the IAF to help them drive governance. One very critical aspect of CG is Enterprise Risk Management (ERM). As the focus shifted to driving CG, ERM became very important alongside the other elements of assurance.


Purpose/Objective: ERM includes not only short-term risks but also goes beyond them to risks associated with strategic intent, long-term business plans, the business model, the market, and other external environmental risks. Organisations today want to grow aggressively in a very competitive and dynamic external environment. In the expectation of growing faster and justifying success, the risks undertaken are also very high. With principal-agent theory at the core of organisational trust, the risk of bad decisions by executive management (EM) in growth plans is high. This research proposes to analyse the extent of the IAF's role in ERM, the challenges faced by the IAF, the extent of support it gets from executive management, and the support it gets from the BOD and AC in performing its role.


Methodology: This paper is based on past empirical studies and an analysis of primary data collected from around 50 senior executives on their views of the extent of the IAF's role in ERM. The participants were drawn from various roles, including BOD, CAE, IAF and AC. The questions revolved around views on the enhanced participation of the IAF needed in ERM and how RBIA can play an effective role in risk management.


Findings: Our study finds that the involvement of the IAF in ERM is very limited and that executive management does not believe the IAF can add value in ERM at the strategic planning stage. EM is hesitant to include the IAF, mainly to avoid questions, as the mitigation plans for their strategy risks are not sufficient. We find that executive management is not transparent in sharing plans with the IAF, as they regard it as representing the BOD directly and not as an integral part of their team. Where the role of the IAF is outsourced, this challenge becomes more evident on the pretext of confidentiality. The IAF gets involved only after the risk has arisen and is then expected to provide a solution or advice. Further, there is an acceptance that RBIA is the future for the IAF and that it can drive value addition in the role of the IAF. With a major part of controls automated and tech-enabled, the role of the IAF will be more around risk assessment and advising EM on risk mitigation, as well as assuring stakeholders of the existence of an effective ERM process.


Limitations: This research is limited to the Indian context and needs to be further tested in a global environment. Further, the paper is based on a survey of a population of 50 executives involved in the IAF directly or in a supervisory position, which can be extended to a larger, more varied group including business and operational executives.
