The activities on the left of Figur

The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities. Internal auditing may provide consulting services that improve an organization’s
governance, risk management, and control processes. The extent of internal auditor’s consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity2 of the organization and it is likely to vary over time. Internal auditor’s expertise in considering risks, in understanding the connections between risks and governance and in facilitation mean that the internal audit activity is well qualified to act as champion and even project manager for ERM, especially in the
early stages of its introduction. As the organization’s risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing’s role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role, than by undertaking the more consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the center.