As presented at the 3rd Annual IIA DC Top Risks Summit, held October 24, 2024, in downtown Washington, D.C. This annual event is a gathering of auditors, risk practitioners, and business leaders seeking to stay ahead of the curve in today’s dynamic landscape. Presenters:
- Melissa Musser, CPA, CIA, CISA, CITP, IIA DC Board Governor, Partner and Director of Risk & Advisory Services at GRF CPAs & Advisors
- Joseph Pugh, CCEP, CFE, RIMS-CRMP, CRMA, CDSPE, former IIA DC Board Governor, Senior Director of Enterprise Risk Management & Compliance at AARP
November 4, 2024
ERM Audits & Maturity Evaluations: A Holistic Approach for Internal Auditors
To stay ahead of constant regulatory changes and cybersecurity threats, you need a robust Enterprise Risk Management (ERM) program in place. To make sure your ERM system is properly managing risks that could impact your strategic objectives, we recommend conducting a periodic review.
Your internal audit team plays a pivotal role in evaluating the effectiveness of ERM practices by providing independent and objective assessments. Through comprehensive audits, internal auditors assess if risk management is aligned with the organization’s risk appetite and strategic priorities. This helps drive continuous improvement in risk management, enhancing governance and strengthening decision-making across the organization.
To maximize the value, internal auditors should incorporate ERM in their audit plans and consider both ERM audits and maturity evaluations. This enables organizations to not only align with risk management best practice but also progressively refine their ERM practices toward greater maturity.
What is the Difference Between an ERM Audit and a Maturity Evaluation?
An ERM maturity evaluation focuses on assessing the overall development and effectiveness of an organization’s risk management framework, highlighting the progression and integration of risk management practices across the business. It identifies the maturity level of processes like risk identification, mitigation, and monitoring, providing a roadmap for growth.
An internal audit of ERM, on the other hand, is more of a compliance and performance review. It examines whether the ERM processes are functioning as intended, adhering to established policies, and meeting regulatory or governance requirements. It tends to focus on the effectiveness and accuracy of the current risk management activities rather than the overall maturity or strategic development of the ERM system.
Auditing an ERM Program
Below is an example of an approach internal auditors can follow when auditing an ERM program.
Planning the Audit
-
- Define Objectives: Determine what you want to achieve with the audit (e.g., assess compliance, effectiveness, alignment with strategic goals).
- Establish Scope: Identify which aspects of the ERM program will be audited, including risk assessment processes, ERM Playbook/Polices, ERM Framework to benchmark (Such as ISO 31000 or COSO ERM ), reporting mechanisms, and integration across the organization.
- Develop an Audit Plan: Create a detailed plan outlining the audit process, including timelines, resources needed, and methodologies to be employed.
Engage Stakeholders
-
- Communicate with Management: Meet with senior management, the ERM team, the board and other relevant stakeholders to understand their risk management priorities and concerns.
- Gather Input: Collect insights on potential areas of focus for the audit based on stakeholder experiences and perceptions.
Document Review
-
- Collect Relevant Documents: Gather key documentation related to the ERM program, such as:
- ERM playbook and policies
- Risk registers and assessments
- Control documentation
- Internal and external audit reports
- Meeting minutes from risk committees
- Evaluate Documentation: Assess these documents and their alignment with best practices.
- Collect Relevant Documents: Gather key documentation related to the ERM program, such as:
Conduct Interviews
-
- Engage Key Personnel: Interview individuals involved in the ERM process, including risk owners, the ERM team, and management. Focus on understanding:
- Risk identification and assessment processes
- Handling plan implementation and effectiveness
- Reporting and monitoring practices
- Gather Insights: Collect information on the culture of risk management within the organization and how risks are perceived.
- Engage Key Personnel: Interview individuals involved in the ERM process, including risk owners, the ERM team, and management. Focus on understanding:
Assess Risk Identification and Assessment Processes
-
- Evaluate Methodologies: Review how the organization identifies, assesses, and prioritizes risks. This includes analyzing:
- The tools and techniques used for risk assessment
- The criteria for risk prioritization
- Review Risk Registers: Examine the risk register to ensure all significant risks are identified, assessed, and updated regularly.
- Evaluate Methodologies: Review how the organization identifies, assesses, and prioritizes risks. This includes analyzing:
Analyze Reporting and Monitoring Mechanisms
-
- Review Risk Reporting: Assess how risks are monitored and reported to management and the board. Evaluate:
- The frequency and format of reports
- The clarity and relevance of reported information
- Assess Communication Channels: Ensure there are effective communication channels for escalating emerging risks and issues.
- Review Risk Reporting: Assess how risks are monitored and reported to management and the board. Evaluate:
Identify Gaps and Areas for Improvement
-
- Summarize Findings: Compile your observations and findings from the audit process. Identify gaps in the ERM program, such as weaknesses in risk assessment, governance structure, control deficiencies, or lack of stakeholder engagement.
- Prioritize Recommendations: Based on the significance of the gaps identified, prioritize actionable recommendations for improvement.
By following these steps, you can conduct a comprehensive audit of an ERM program, providing valuable insights and recommendations to enhance the organization’s risk management capabilities.
Conducting a Maturity Evaluation
Conducting a maturity evaluation is a strategic approach for internal auditors to assess the effectiveness of the ERM program and guide improvements. It provides a framework for ongoing development and enhances the organization’s overall risk management capabilities.
Define the Maturity Model
-
-
- Choose or develop a maturity model that outlines different levels of maturity (e.g., initial, developing, established, advanced) for the ERM program).
-
Engage Stakeholders
-
-
- Involve key stakeholders from various departments, including risk management, compliance, and operations, to gather diverse perspectives on current practices.
-
Collect Data
-
-
- Use surveys, interviews, and document reviews to collect data on the organization’s current ERM practices and processes.
-
Assess Current Maturity Level
-
-
- Evaluate the data against the chosen maturity model to determine the current maturity level of the ERM program.
-
Identify Gaps and Opportunities
-
-
- Analyze the results to identify gaps and areas for improvement. Highlight opportunities for advancing the maturity of the ERM program.
-
Develop an Action Plan
-
-
- Create a roadmap with actionable steps to enhance the ERM program, including specific initiatives, timelines, and responsible parties.
-
Communicate Findings and Recommendations
-
-
- Present the findings of the maturity evaluation to senior management and the board, along with recommendations for improving the ERM program.
-
Monitor Progress
-
-
- Establish mechanisms for ongoing monitoring and reassessment of the ERM maturity level to ensure continuous improvement.
-
Which to do?
Deciding between an audit or a maturity evaluation largely depends on the specific goals, context, and resources of the organization. Here are some considerations to help determine whether to conduct one or both:
| Key Considerations | Audit | Maturity Evaluation |
|---|---|---|
| Objectives and Focus | Assess compliance, effectiveness, and efficiency of specific processes, controls, or programs. Results in actionable findings and recommendations. | Assess the overall maturity and capability of the ERM program. Identifies strengths, weaknesses, and opportunities for improvement. |
| Scope and Depth | Provides a deeper dive into specific areas, uncovering issues or non-compliance needing immediate attention. | Offers a high-level overview of the ERM program’s effectiveness but may not provide detailed findings. |
| Resource Availability | Consider the availability of time, personnel, and budget. Conducting both simultaneously may strain resources and reduce effectiveness. | |
| Timing and Frequency | If a thorough audit was recently conducted, a maturity evaluation might be appropriate as a follow-up to assess improvements. | If the maturity of the ERM program is unknown, a maturity evaluation can help set the stage for a subsequent audit. |
| Stakeholder Expectations | If senior management and the board are looking for specific insights into compliance and control effectiveness, an audit may be prioritized. | If they are interested in strategic development, a maturity evaluation may be more appropriate. |
Which one to choose?
If you choose to conduct only one:
-
- Select an audit if the priority is to identify specific compliance issues or control weaknesses that need immediate attention.
- Select a maturity evaluation if the focus is on strategic improvement, benchmarking against best practices, and overall program development.
If considering both:
-
- Conduct a maturity evaluation first to understand the ERM program’s current state, which can inform the focus of a subsequent audit. However, ensure that adequate resources are available to handle both evaluations effectively without compromising quality.
Recommendation
Ultimately, it may not be too much to conduct both. Consider the timing, resources, and organizational priorities first. If the organization is ready and able, integrating findings from a maturity evaluation into the audit process can lead to a more comprehensive understanding of the ERM program and enhance the overall value of the audit.
Recommended Resources
Institute of Internal Auditors (IIA)
-
- Website: IIA Resources
- Description: The IIA offers a variety of resources for internal auditors, including standards, guidance, and tools for assessing and improving ERM programs.
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
-
- Website: COSO ERM Framework
- Description: COSO provides frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. Their ERM framework is widely used to structure risk management processes.
ISO 31000: Risk Management
-
- Website: ISO 31000 Overview
- Description: The ISO 31000 standard provides principles and guidelines for risk management, applicable to any organization. It can serve as a reference for developing and auditing ERM processes.
GRF Can Help
GRF’s internal audit co-sourcing approach is rooted in strengthening the link between risk and strategy. We review existing ERM initiatives to identify opportunities for organizations to enhance and get more value out of their current ERM efforts.
Contact us to discuss your ERM concerns or reach out to Melissa Musser directly at the contact information below.
