
Certification in Risk Management Assurance (eBook)

Complete Reference Guide
eBook download: EPUB
2025
198 pages
Azhar Sario Hungary (publisher)
978-3-384-74454-8 (ISBN)

Reading and media samples

Certification in Risk Management Assurance - Azhar Ul Haque Sario
€ 5.16 incl. VAT
(CHF 4.95)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

Ready to conquer the CRMA® exam and become a certified expert in risk management assurance?

This complete reference guide is your personal roadmap to mastering the Certification in Risk Management Assurance® (CRMA®) exam syllabus. This book is built around the three official domains of the exam. It starts with Section 1, which covers Internal Audit Roles and Responsibilities. This part is 20% of your exam. We will walk through the core competencies you need. You'll learn how to determine the right assurance and consulting services for risk management. The book covers how to maintain organizational independence. It also explains how to coordinate assurance efforts. This includes relying on other assurance providers. You will learn how to help create an organization-wide risk assurance map. Next, the guide dives deep into Section 2, Risk Management Governance. This domain makes up 25% of the exam. This part explains governance, risk, and control frameworks. You will learn to assess the organization's risk culture. This includes concepts like 'tone at the top'. We also cover how to integrate risk management into the organization's strategy. The book teaches you how to evaluate the organization's response to emerging risks. You will also understand how to examine risk reporting to stakeholders. The largest part of the book is dedicated to Section 3, Risk Management Assurance. This final section is 55% of your total score. We cover various approaches for assessing risk. You will learn key data analytics techniques. The book provides a full breakdown of assurance processes. This starts with evaluating management's risk identification process. You will learn to use frameworks to assess organization-wide risks. A key part is learning to prioritize audits to create a risk-based internal audit plan. We also cover managing audit engagements. The guide details how to evaluate cybersecurity, data privacy, and IT controls. Finally, we cover the communication process. This includes managing audit reports. You will learn how to communicate the effectiveness of risk management processes to the board.

This book provides value that other study guides often miss. Many books just present the information, but this Complete Reference Guide is built differently. We recognize that the official syllabus is just an outline. It tells you what you need to know, but not how to apply it. Our guide bridges that gap. It's structured to mirror the exam's official weights, dedicating the most focus to the critical third section, Risk Management Assurance, which makes up 55% of your score. We don't just list concepts like 'risk and control frameworks' or 'data analytics techniques'; we connect them. We explain how a risk-based internal audit plan is influenced by the organization's risk culture and how to communicate all of it effectively. This guide translates the syllabus from a checklist into a comprehensive learning experience, giving you the competitive advantage of understanding the connections between the domains.

Please note: This author has no affiliation with the board or The Institute of Internal Auditors (IIA). This book is an independent study aid produced under nominative fair use to help candidates prepare for the exam.

Section 1: Internal Audit Roles and Responsibilities

Roles and Competencies

Balancing the Dual Mandate: Appropriate IA Services for Risk Management

In today’s business landscape, volatility is the new normal. Organizations face a torrent of complex, interconnected risks, from global supply chain disruptions and sophisticated cyber-attacks to sudden regulatory shifts and the existential questions of climate change. In this environment, effective risk management is not just a compliance exercise; it is a core strategic competency. It is the mechanism that allows an organization to navigate uncertainty, protect its value, and seize new opportunities.

Within this high-stakes arena, the Internal Audit (IA) function is uniquely positioned. It holds an enterprise-wide view, reports directly to the board's audit committee, and is (or should be) staffed with professionals skilled in process, risk, and control. This position, however, presents a fundamental challenge. The board and stakeholders demand objective assurance—an independent, "cold-eyes" review of whether the company’s risk management processes are working. At the same time, management and the executive team crave practical consulting—forward-looking advice and partnership to help them build and improve those very processes.

This is the dual mandate of modern Internal Audit. It is a delicate, essential balance between being the independent auditor and the trusted advisor. The key to success is not choosing one role over the other, but skillfully determining the appropriate services for each, without ever compromising the independence that serves as the function's bedrock. This paper will explore this dual role, defining the specific, appropriate, and value-added services Internal Audit can—and should—provide for risk management.

The Foundation: Understanding the Dual Mandate

Before we can define "appropriate services," we must first clarify our terms. The Institute of Internal Auditors (IIA) formally defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." The definition itself bakes in this dual mandate.

Risk management, particularly Enterprise Risk Management (ERM), is the formal process management uses to identify, assess, respond to, and monitor risks to achieve its objectives. It’s management's job to own this process, full stop.

The central tension lives in one non-negotiable principle: objectivity. Internal Audit's primary value to the board is its independence. If IA becomes responsible for managing risk, it can no longer provide objective assurance over it. This would be like a student grading their own exam.

So, we must view all services through these two distinct lenses:

Assurance Services: These involve an objective assessment of evidence to provide an independent opinion or conclusion. The core question for assurance is: "Is our risk management process designed correctly and working as intended?" This is often a look-back or a current-state review.

Consulting Services: These are advisory in nature and are generally performed at the specific request of management. The key is that management retains full ownership of the outcome. The core question for consulting is: "How can we improve our risk management process?" This is forward-looking and collaborative.

From a "lived experience" perspective, this is the daily tightrope a Chief Audit Executive (CAE) walks. The Audit Committee Chair calls and asks, "I want your independent assurance that management’s new cybersecurity risk program is effective." An hour later, the Chief Information Security Officer (CISO) calls and says, "I'm building that new cyber program and I’d value your team’s advice on best practices for control design." The CAE must serve both masters, and the answer to both is, "Yes." It's all in how it's done.

The Auditor's Lens: Appropriate Assurance Services on Risk Management

Assurance is Internal Audit's home turf. When it comes to risk management, IA should provide assurance over the process, not over the risks themselves. (IA does not, for example, opine on "whether our credit risk is at the right level." It opines on "whether the process for identifying, measuring, and reporting credit risk is effective.")

Here are the primary, appropriate assurance services IA should provide:

1. Auditing the Risk Management Framework (Design Adequacy)

This is a fundamental audit. IA assesses the design of the ERM framework itself, long before looking at any specific risks.

What it is: IA reviews the organization's chosen framework (e.g., COSO ERM, ISO 31000) and compares it to the company's size, complexity, and strategic goals.

Key Questions: Is the framework comprehensive? Does it clearly define roles and responsibilities? Does it cover all relevant risk categories (strategic, operational, financial, compliance)? Is the "risk appetite statement" approved by the board clear and communicated effectively?

Case Study Example: IA at a rapidly growing financial technology (fintech) company performed a "design adequacy" review of its ERM program. The program was copied from the CEO's prior firm, a traditional, slow-moving insurance company. The audit finding was clear: the framework's design was inadequate. It was too bureaucratic, focused on financial and compliance risks, and almost completely ignored the company's primary strategic risks: speed of innovation, talent retention, and platform scalability. This assurance report gave the board the leverage to demand a framework that fit the actual business.

2. Auditing the Risk Management Process (Operating Effectiveness)

This is the "boots-on-the-ground" audit. The company has a framework; is anyone actually following it?

What it is: IA tests the execution of the ERM process. This involves sampling, interviews, and examining documentation.

Key Questions: Are risk assessments actually performed consistently? Is the risk register a living document used for decision-making, or is it "shelf-ware" that's dusted off once a year for the board meeting? Are risk owners actively managing their identified risks?

Case Study Example: At a large consumer goods company, IA audited the supply chain risk management process. The ERM policy stated that all "critical sole-source" suppliers must have a documented and tested contingency plan. IA selected a sample of 20 such suppliers. They found that while the suppliers were correctly identified, 18 of them had no contingency plan on file. The risk was known, but the management process was broken. This assurance finding on process effectiveness led to an immediate overhaul of the procurement team's risk management duties.

3. Evaluating the Accuracy and Relevance of Risk Information

This is one of the most critical assurance roles. The board and executive team make multi-billion dollar decisions based on risk reports. IA must provide assurance that this information is trustworthy.

What it is: IA audits the data pipeline and aggregation logic that feeds into key risk dashboards and reports (e.g., Key Risk Indicator (KRI) reports).

Key Questions: Is the data timely, accurate, and complete? Is risk information aggregated correctly from business units to the enterprise level? Are the right risks being reported? Is there a "watermelon" effect (where everything looks "green" on the report, but underneath it's "red")?

Case Study Example: A global bank’s board received a monthly "Liquidity Risk Dashboard" showing healthy reserves. The IA team, as part of its annual plan, audited the data sources feeding that dashboard. They discovered that one of the core systems, based in an Asian subsidiary, was transmitting its data on a 48-hour delay. In a fast-moving liquidity crisis, this 48-hour-old data would be dangerously misleading. The assurance report didn't question the bank's liquidity; it questioned the integrity of the data used to measure it.

4. Assessing the Effectiveness of Risk Responses (Control Audits)

This is IA's traditional "bread and butter," but viewed through an ERM lens.

What it is: Management identifies a risk (e.g., "data breach") and implements a response, which is usually a set of internal controls (e.g., firewalls, encryption, access controls). IA's job is to test those controls to see if they are working and effectively mitigating the risk to an acceptable level.

Key Questions: Are the key controls designed properly? Are they operating effectively? Is the "residual risk" (the risk left over after controls) truly as low as management claims?

Example: Management identifies "inaccurate financial reporting" as a key risk. The control response is "monthly account reconciliations." IA performs an audit by re-performing a sample of those reconciliations. This provides direct assurance on whether the risk response is effective.

The Advisor's Hat: Appropriate Consulting Services for Risk Management

Here, IA changes hats. The goal is to advise, improve, and empower, not to opine. This is where IA can add immense value, but it is also where the "red lines" of independence are most easily crossed. All consulting work...

Publication date (per publisher): 1.11.2025
Language: English
Subject area: Economics, Business Administration / Management
Keywords: CRMA • CRMA Exam Prep • CRMA Study Guide • Internal Audit • risk assessment • risk governance • Risk Management Assurance
ISBN-10 3-384-74454-3 / 3384744543
ISBN-13 978-3-384-74454-8 / 9783384744548
Information pursuant to the General Product Safety Regulation (GPSR)
EPUB (no DRM)

Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because on purchase you acquire only the rights to personal use.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to displaying fiction and non-fiction. The body text adapts dynamically to the display and font size. EPUB is therefore also well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need the free Adobe Digital Editions software.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
