
Auditing Best Practice

Internal Auditors and Enterprise Risk Management

by Ian Fraser

Executive Summary

  • Organizations should implement effective risk management as a component of good corporate governance.

  • Internal audit has a natural affinity with risk, because risk is central to audit and because internal auditors have expertise in monitoring and systems review.

  • The key issue for determination is the parameters of the internal audit responsibility in the risk management area. Is internal audit best focused on a monitoring and review role, or might this extend to risk identification and the establishment of risk management systems?

  • There is no one “best-fit” solution, and much will depend on organizational size, safeguards to protect objectivity, and the range and scope of available internal auditor expertise.


Traditionally, internal auditors have been “policemen,” and their efforts have been concentrated on the more detailed, and arguably less appealing, aspects of financial auditing within organizations. Often, therefore, internal auditors have been regarded in the past as the poor relations of their external auditor cousins. This no longer applies, however, as the purpose of many internal audit functions has evolved over time.

From a concern with (arguably) low-level financial audit, internal auditors have progressed to systems audit and an involvement with economy, efficiency, and effectiveness (the 3Es), to their contemporary focus on enterprise risk management. I generalize here, of course; not every internal audit function in every organization has been involved with each of these areas. In the public sector, for example, there has tended to be more involvement with the 3Es. This chapter is concerned with the internal audit role in connection with how enterprises manage risk.

Involvement of Internal Audit with Risk

To an extent, the traditional role of internal auditors in connection with financial auditing gave them an initial knowledge base with which to get involved with risk management. Financial auditing is concerned with the risk of financial misstatement, while audit risk (a burden that falls primarily on the external auditors) is the risk of issuing a wrong opinion on the financial statements. The recent external audit phenomenon of business risk auditing has pinpointed that effective financial audit (whatever the ostensible audit methodology employed) has to engage with business risks. The rationale for the latter assertion is, of course, that entity business risks, of whatever nature, ultimately affect the risk of misstatement in the financial statements. There is, therefore, a clear link between business risk and audit risk.

Thus, in one sense, it is natural for auditors (whether internal or external) to be concerned with the management of risks within organizations. External auditors tend to be involved with organizations on an occasional, rather than an ongoing, basis, and so it is difficult for them to have anything other than a relatively superficial appreciation of the business risks. Indeed, this is a valid criticism that has been made of “business risk auditing” as an external audit methodology. Arguably, therefore, there is a ready-made role for internal auditors in connection with risk.

Undoubtedly, however, the UK Turnbull Report (henceforth “Turnbull”) on corporate governance was an important catalyst in the process of involving internal auditors with risk management. The Turnbull emphasis on the adoption by corporations of risk-based approaches to the establishment of internal control systems, and on the subsequent monitoring of these systems’ effectiveness, created a role for high-level monitoring agencies within organizations. Internal audit functions were the clear beneficiaries of this, and Turnbull provided an opportunity for internal auditors to align their work to real business issues and to make an impact at board level. There was a clear opportunity for internal auditors to enhance their (in many cases) erstwhile humble status and to expand their jurisdiction as a professional interest group.

The Internal Audit Risk Role—What Should It Be?

While it is now probably fairly uncontroversial to argue that internal auditors certainly have a role to play in relation to risk management, the parameters of the role are far less easily defined. Are internal auditors executive managers specializing in risk management, or, alternatively, are they concerned primarily with the monitoring of organizational risk management systems? There has certainly been a tendency, post-Turnbull, for internal audit functions to gravitate toward the former role. The intention of Turnbull, however, was primarily that the internal audit role should largely be focused on the evaluation of risk management and the monitoring of internal control effectiveness. While the post-Turnbull era has seen some companies assign ownership of risk management to internal audit, there is recognition of the pitfalls involved in this. With most internal auditors still receiving what is primarily a financial training, there may be a danger of non-financial risks receiving inadequate consideration.

There is also a real danger of internal audit departments losing their independent status within organizations if they evolve into risk management functions. There is evidence that when risk management initially became a priority for organizations, many internal audit heads were assigned responsibility for risk management audit. This, however, has not always been the case, as distinct functions for internal audit and risk management have been established in some organizations.

In brief, the internal audit role might be summarized as: “The provision of objective assurance to corporate boards and senior management on risk management effectiveness; specifically, to ensure that key risks are managed appropriately and that internal control systems are operating effectively.”

This is a general definition, though, and might be interpreted in various ways as far as the fine detail of responsibilities is concerned.


Further reading


  • Fraser, Ian A. M., and W. M. Henry. The Future of Corporate Governance: Insights from the UK. Edinburgh, UK: Institute of Chartered Accountants of Scotland, 2003.
  • IFAC. Enterprise Governance: Getting the Balance Right. New York: Professional Accountants in Business (PAIB) Committee, International Federation of Accountants, 2004.
  • Pickett, K. H. Spencer. Auditing the Risk Management Process. Hoboken, NJ: Wiley, 2005.
  • Pickett, K. H. Spencer. Audit Planning: A Risk-Based Approach. Hoboken, NJ: Wiley, 2006.


  • The Committee of Sponsoring Organizations of the Treadway Commission provides guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting:
  • Personal website by David M. Griffiths introducing risk-based internal auditing:
  • The Institute of Internal Auditors, for internal auditing standards and other professional pronouncements:
