One of the common questions I get asked is about the relationship between enterprise risk management (ERM) and internal audit. If the boundaries are not clearly defined, their responsibilities often overlap; still, both groups play an essential role and their work must be coordinated.

ERM is typically responsible for developing the language and framework (policy, procedures, process, tools) for how risk is managed in the organization, and for working with the responsible managers to train and support them in managing their risks.

Internal audit is typically responsible for auditing and providing assurance to the board and senior management that risks are being reduced to an acceptable level (i.e. that the risk management process is working as designed and is aligned with the board's expectations).

In this video, I explain the typical responsibilities of each and describe what to do when an organization has an internal audit group but no ERM group.

Ultimately, both roles play an essential part and need to focus on working together so that the organization is able to manage its key risks in a holistic way.

To learn more about risk management basics, check out this training on Risk Management for Internal Auditors:

and the Certified Risk-Based Internal Auditing course:
