White Paper - Internal Audit and Risk Management: Separate or Together

Author

Andrew Cox

MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

Michael Parkinson

BSc (Hons), GradDipComputing, CIA, CISA, CRMA, CRISC, PFIIA

Date

2023

Topics Explored

Governance, Internal Audit Management, Risk Management

Format

White Paper

Extract/Description

There are advantages and disadvantages both to keeping risk management and internal audit separate and to co-locating them.

The decision is ultimately for an individual organisation to make.

Key Points

1. Both risk management and internal audit contribute to the management of risk within an organisation, although neither of these functions directly manages organisational risk.
2. In some organisations risk management advisory and internal audit are combined – the same individual is both chief risk officer and chief audit executive.
3. The ideal situation is that the chief risk officer and chief audit executive are different individuals.
4. It is much better to combine the positions than to have the chief risk officer report to the chief audit executive or the reverse. 
5. A combined position is also better than having each report separately to a third person.

Relevant Industries

All

Level of Assumed Knowledge

Intermediate

Aligned to Global Internal Audit Standards

No