Enterprise Risk Management: Internal Auditor’s Role Perspective

The role of the internal auditor in enterprise risk management (ERM) implementation was highlighted by the Institute of Internal Auditors (IIA) in 1999, when the scope of internal audit was redefined to include assurance and consulting activities in risk management, control and governance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its integrated ERM framework in 2004 (updated in 2017). Following the release of the COSO framework in 2004, the IIA issued a position statement on the role of internal auditors in risk management. Both internal and external audit are said to play a key role in the effectiveness of risk management within their organizations. However, even though ERM was introduced in 2004, its implementation is still not widespread. Since many organizations are still developing their own risk management procedures, there are many arguments and debates over the involvement and role of internal audit in risk management. The purpose of this paper is to highlight the issues and challenges faced by internal auditors in carrying out their role of auditing an organization's risk management.


Introduction
The increase in financial irregularities and mismanagement leading to fraud has resulted in wider adoption of risk management systems in business. In order to produce an effective risk management system, organizations began to move away from their traditional approach of managing risk separately in each department. A system known as Enterprise Risk Management (ERM), which integrates all risk management processes in an organization, has become an alternative for organizations to address this issue. ERM implementation also involves the board of directors in risk management, as the board is the most influential party in an organization.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Enterprise Risk Management Integrated Framework in 2004, which provided common terminology and a framework for ERM. The framework includes eight essential components of risk management that provide a common language and clear direction and guidance for ERM. The components of the framework are (1) internal environment; (2) objective setting; (3) event identification; (4) risk assessment; (5) risk response; (6) control activities; (7) information and communication; and (8) monitoring. Each of these components is applied to each of the four categories of entity objectives, namely (1) strategic; (2) operations; (3) reporting; and (4) compliance. In addition, the ERM framework considers activities at all levels of the organisation, covering enterprise-level, division or subsidiary and business unit processes. Hence, each level of the organisation applies the eight interrelated components of ERM to the four categories of objectives (COSO, 2004). From then on, the implementation of ERM in organisations began to grow globally, the role of internal auditors became more widespread, and they came to play an important role in providing both assurance and consulting services with respect to risk management for an organization (Jallow, Sarens, Abdolmohammadi, and Lenz, 2012). ERM is regarded as an organization-wide process used to mitigate potential risks that can harm the organization, while at the same time offering the organization ways to mitigate risk (Beasley, Clune, and Hermanson, 2006). It is claimed that an effective ERM approach aligns strategy, technology, people, processes and knowledge. Contrary to the traditional approach of risk management, which assesses and mitigates risks in "silos", ERM practice takes an integrated approach that addresses the organization's various risks together (Yazid, Razali, and Hussin, 2012).
This paper is divided into five sections and is structured as follows. First, it discusses ERM in corporate governance, and then the involvement of internal audit in ERM, highlighting the roles of internal auditors in ERM. Next, it discusses the issues and challenges internal auditors face in auditing an organization's risk management practices. The paper then offers some recommendations that internal auditors could adopt, and finally concludes.

ERM in Corporate Governance
The Organisation for Economic Co-operation and Development (OECD) defines corporate governance as "a set of relationships between a company's management, its board, its shareholders and other stakeholders". The OECD also states that good corporate governance provides the board and management with proper incentives to pursue objectives that are in the interest of the company and its shareholders, and facilitates effective monitoring of the company's affairs. Without doubt, the board of directors is responsible for the company's strategic measures and for effective monitoring of management, and at the same time it is accountable to the company and its shareholders.
The implementation of ERM in organisations enhances the commitment of the board of directors to achieving the corporate objectives that ultimately create value for shareholders and stakeholders. The Institute of Internal Auditors (IIA) states that the goal of ERM is to create, protect and enhance shareholder value by managing the uncertainties surrounding the achievement of the organization's objectives (Najah and Omar, 2018; Sobel and Reding, 2004). This matches COSO's definition of ERM, which ties the board of directors into the risk management process. The involvement of the board of directors in the risk management process is itself an element of corporate governance. Corporate governance is a process that a board carries out to provide direction, authority and oversight of management on behalf of the company's stakeholders. It emphasizes stewardship and firm performance goals (Keasey and Wright, 1993; Short, Keasey, Wright, and Hull, 1999). The control goal of corporate governance is to ensure that management's stewardship responsibility to shareholders is fulfilled, while the performance goal concentrates on enhancing the efficiency of the firm in order to increase shareholders' wealth (Hart, 1995; Keasey and Wright, 1993). Sobel and Reding (2004) posit that the ERM and governance framework involves four components, i.e., corporate stakeholders, the board of directors, risk management and assurance. The board of directors, senior management, internal auditors and external auditors are the pillars of effective corporate governance; they provide oversight of the implementation of ERM activities in an organization. The responsibilities of the board and management for ERM are clearly stated in the international frameworks (such as the COSO ERM Framework) and in corporate governance codes.
Generally, the board should oversee ERM by:
• knowing the extent of ERM within the organization;
• reviewing the organization's risk portfolio and considering it against the risk appetite;
• understanding the changes and significant risks the organization is facing; and
• considering whether the risk responses are appropriate.
Risk owners, in turn, are the people in the organisation who are accountable and responsible for managing specific risks (IIA, 2002); an example is the chief legal officer, who is responsible for the company's legal risks. Senior management is directly responsible for ERM as a whole, including its design, implementation and monitoring. Most importantly, both internal and external auditors play an important role in providing independent, objective assurance to senior management and the board of directors about the implementation, control and governance processes that relate to risk management (IIA, 2016).

Involvement of Internal Auditor in ERM
The Institute of Internal Auditors (IIA) originally defined internal auditing as "an independent appraisal function, established within an organization to examine and evaluate its activities as a service to the organization". In 1999, the IIA revised the definition so that the scope of internal auditing includes both assurance and consulting activities across the three related areas of risk management, control and governance (IIA, 2009). Notably, according to COSO (1994), internal auditing and risk management are elements of the five interrelated components of an organisation's internal control system, i.e., control environment, risk assessment, control activities, information and communication, and monitoring (COSO, 1994).
Risk management activities fall under the second component, risk assessment, which is described as three processes: appraising the significance of the risk; assessing the impact and likelihood of the risk; and managing the risk (COSO, 1994; Moeller, 2011). Internal auditing falls under the fifth component, monitoring, which focuses on reviewing and assessing compliance with the established internal control components. In 2004 the IIA endorsed an active role for internal auditors in ERM, including making recommendations to improve the organisation's risk process, stating that "Internal auditors should assist both management and the audit committee in their risk management responsibilities and oversight roles by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management's risk process".
In addition, the International Standards for the Professional Practice of Internal Auditing (ISPPIA) identify the internal auditor's responsibilities in risk management as shown in Table 1.

Table 1: Internal audit responsibilities in risk management under the ISPPIA
2120: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A1: The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the achievement of the organization's strategic objectives; the reliability and integrity of financial and operational information; the effectiveness and efficiency of operations and programs; the safeguarding of assets; and compliance with laws, regulations, policies, procedures, and contracts.
2120.A2: The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C1: During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
2120.C2: Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.
2120.C3: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
2130.A1: The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems.
Source: IPPF International Standards for the Professional Practice of Internal Auditing (IIA, 2016, pp. 6-14)

In 2017, COSO revised its ERM framework into a new framework, Enterprise Risk Management: Integrating with Strategy and Performance, which emphasises aligning risk with the organization's strategy and performance. In other words, all risk management activities must be framed around strategy and performance (Protiviti, 2019). The revised ERM framework also requires the internal auditor to align internal audit assurance and consulting activity with the company's strategy.
The revision of the ERM framework is in line with the requirement of the ISPPIA, which clearly specifies under Standard 1220.A3 that internal auditors "must be alert to significant risks affecting the objectives, operations and resources" (IIA, 2016, p. 7), whether existing or emerging risks (Ibrahim, 2016; KPMG, 2008; Soh and Martinov-Bennie, 2011). The PricewaterhouseCoopers survey "Rethinking Internal Audit" (2019) found that, in order to remain relevant, internal audit needs to align its effort towards issues that offer strategic insight into the organization.
It is also mentioned that, in order to create or add value, internal auditors are expected to identify and audit any possible risk that matters to the board and management (Leech, 2017; Marks, 2017). This is where internal auditors are expected to expand their duties from "ticking the box" audits to the more value-added audit known as risk-based audit. Jallow et al. (2012) confirmed this expectation in their study of internal audit functions and organizational governance through the use of risk-based audit plans. Risk-based internal audit (RBIA) helps to inculcate risk management practices across the entire organization, as it incorporates principles of risk management throughout the audit process, both in annual planning and in the planning of each audit engagement (Castanheira, Rodrigues, and Craig, 2010).
In addition, Mohamed (2012) claimed that consultation has become the main extension of the internal audit process in the areas of risk management and control assurance. Bou-Raad (2000), as cited in Drogalas and Siopi (2017), highlighted that internal audit functions providing a value-added approach contribute to organizations' achievements by improving the quality of information for decision making. Mihret and Woldeyohannis (2008) claimed that organisations with internal audit services could reduce their level of risk, which came to shape the attributes of a value-adding internal audit department. Carcello, Eulerich, Masli, and Wood (2020) also found that managers of audited units perceive a greater decline in risk, as well as a greater increase in performance, compared to managers of non-audited units.
Provision by the internal auditor of objective assurance that the internal control framework is operating effectively has become one of the most important value-adding internal auditing services for organizations. This is supported by a survey of 3,774 chief audit executives (CAEs) in the Global Internal Audit Common Body of Knowledge (CBOK) report "Delivering on the Promise: Measuring Internal Audit Value and Performance 2015", which highlighted that among the top value-adding internal audit activities is "assuring the organization's risk management processes" (Seago, 2015).
On the other hand, while the engagement of internal auditors in ERM has been shown to add value to organizations, there is also a risk of compromising the internal auditors' objectivity and independence. Recognizing this possibility, the IIA issued a paper describing the roles of internal audit in ERM (IIA, 2017). The roles are described in three categories: (1) the core roles of internal audit in regard to ERM; (2) the roles that internal audit can legitimately undertake provided safeguards are in place; and (3) roles that internal audit should not undertake (IIA, 2017). Figure 1 (source: IIA, 2017) depicts these three categories of internal audit roles in ERM. In a study conducted by the IIA Research Foundation, high involvement of internal audit is defined as the internal auditor being extensively involved in all three categories of roles, while low involvement is regarded as minimal involvement in only those activities classified as core roles of the internal auditor. As shown in Table 2, four core ERM assurance activities are identified for the first category of internal auditor roles in enterprise risk management, i.e., providing assurance that risks are correctly stated and evaluated, providing assurance that mitigating actions are operating, evaluating the risk management process, and evaluating the reporting and management of key risks. These four core roles form part of the wider objective of giving assurance on risk management. Specifically, the core role of internal audit is to provide objective assurance to the board on the effectiveness of risk management (IIA, 2017). An internal audit activity that complies with the ISPPIA should perform at least some of these activities.
Under the second category, the legitimate roles, the IIA states seven legitimate ERM-related activities for which the internal auditor may be responsible as long as safeguards are in place. These activities (which include facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, consolidating reporting on risks, maintaining and developing the ERM framework, and championing the establishment of ERM) are described as consulting activities that can enhance the value provided by the internal auditor in risk management.
Finally, the third category sets out six roles that an internal auditor should not undertake, as these are management responsibilities: setting the risk appetite, imposing risk management processes, managing risks, taking decisions on risk responses, implementing risk responses and mitigating actions on management's behalf, and being accountable for risk management. It is claimed that these roles could impair the objectivity of the internal audit activity (Gramling and Myers, 2006).

Issues and Challenges in Involvement of Internal Auditor in ERM
It is apparent from the previous section that the internal auditor has important roles in the implementation of ERM in organisations. In this section, the article reviews pertinent literature on some of the hindrances that could limit the expected roles of the internal auditor.

The Limitation of the Role of the Internal Auditor
A Global Audit Information Network (GAIN) Flash Survey was conducted in 2009 to identify the extent of internal auditing's role in risk management practices. The survey found that 77% of respondents informally provide consulting and advice on risk management practices to management. This finding supports the notion that internal auditors tend to have a strong understanding of risk management. However, only 40% of respondents were involved in providing independent assurance on risk management, while 25% of them never expect to do so. This result may be caused by a lack of skills and experience among the respondents for the risk assessment task (Sobel, 2011). In addition, the IIA (2009) also stated that the internal auditor should not get involved in setting the organisation's risk appetite, including risk tolerance, risk capacity and the desired level of risk. These limitations exist to avoid a degree of involvement in risk management practices that might impair the internal auditor's objectivity.
However, a study of financial directors, audit committee chairs, internal auditors and risk directors at five United Kingdom listed companies, as well as four audit partners from the "Big Four" audit firms, found internal auditors heavily involved in ERM, to the point of being responsible for ERM practices (Fraser and Henry, 2007). Findings of this sort show that in some cases internal auditors are involved in ERM activities that the IIA regards as inappropriate, signalling a high risk of loss of the internal auditor's objectivity. Sobel (2011) states that there are good reasons why the last category of roles should not be undertaken by the internal auditor, but there may be appropriate times to do so. For instance, when there is no other person to fill an urgent risk management vacancy, it may be better for the internal auditor to fill the role than for someone with no experience at all to do so. Management might rationalize this by obtaining independent assurance from outside sources, which may provide the comfort they need. More recently, Kiral and Karabacak (2020) found that the internal auditor's role can be determined by the risk maturity level of the organization. In "risk mature" organizations, more value can be created by focusing on the assurance role, whereas at an early stage of risk management, focusing on the consulting role adds more value. When risk maturity is uncertain, the internal auditor should focus on providing assurance to the organization.

The Independence and Objectivity of Assurance on the Effectiveness of the ERM Process
There is a particular concern that high involvement of the internal auditor in the ERM process may pose a threat to internal audit objectivity. The issue of internal audit objectivity in providing assurance on the effectiveness of the ERM process is addressed in the ISPPIA to safeguard the internal auditor from objectivity threats. Specifically, Standard 1130.A3 states: "The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement".
Objectivity threats in the form of self-review, social pressure and familiarity can arise when the internal auditor engages in consulting activities in ERM (Brody and Lowe, 2000; Ahlawat and Lowe, 2004). As previously mentioned, the IIA has already highlighted the six roles considered to be management responsibilities that the internal auditor should not undertake, such as taking decisions in setting the organisation's risk appetite. For example, getting involved in implementing a business risk management system, a sort of toolkit that people could actually use, and installing reporting and understanding throughout the group may raise independence issues (Fraser and Henry, 2007). Additionally, high involvement in ERM practices and membership of the decision-making committee might create a highly familiar relationship between the auditors and ERM staff. Fern (1985, p. 32), quoted in an earlier study on internal auditor familiarity with auditees, points out that "an unconscious erosion of objectivity could occur as the auditor's questioning attitude is placated through over familiarity with activity and/or with the person involved." Familiarity or a close relationship could likewise impair objectivity in giving independent assurance on risk management effectiveness. A study of approximately 500 CAEs from various business sectors around the world revealed that internal auditors do experience social pressure when making risk assessments (Miller and Rittenberg, 2015). The pressure included being directed not to audit a higher-risk area (49 percent) and being directed to purposely audit a low-risk area (31 percent) (Miller and Rittenberg, 2015). Notably, 78.9 percent of the respondents reported being directed by executive management, 5.0 percent by both executive management and the audit committee, 5.0 percent by counsel, 1.2 percent by the audit committee and 9.9 percent by others.
Interestingly, Miller and Rittenberg (2015) also found that such pressure occurred even in the presence of strong support from executive management and the audit committee, which indicates that the threats come not only from the governing body but also from functional areas of divisional management.
There is also an issue with the internal auditor's relationship with the audit committee, as it affects the internal auditor's objectivity by influencing their willingness to report to the committee. Hoos, Messier Jr, Smith, and Tandy (2014) found that internal auditors tend to make judgments biased towards whomever they directly report to (either management or the audit committee). The audit committee's role is to support the internal audit function and ensure the objectivity of the internal auditors; in the presence of an audit committee, internal auditors are claimed to be better able to resist management pressure (Gul and Subramaniam, 1994). The research conducted by Subramaniam, Carey, de Zwaan, and Stewart (2011) found that a high level of internal audit involvement in ERM is negatively associated with internal auditors' willingness to report a breakdown in risk procedures to the audit committee, whereas the strength of the relationship between internal audit and the audit committee had no significant effect on that willingness.

Management Perception on Internal Audit Role in ERM
The Global Audit Information Network (GAIN) Flash Survey conducted by the Institute of Internal Auditors Research Foundation in 2009 provides some insight into the challenges internal auditors face in their journey to understand risk. Most respondents indicated that the top challenge faced by internal audit practices is the management perception that risk management is beyond the scope of internal audit. This leads to a lack of management support for internal audit involvement in risk management. Other challenges for internal auditors in auditing risk management practices are a lack of coordination and clarity of roles with other risk control units. This can be explained further by referring to a study by Ali and Ahmad (2017), which explored the collaborative effort between the internal audit function (IAF) and the risk management function (RMF). In their study they cite the IIA and the Risk Management Society (RIMS): "The two functions make a powerful team when they collaborate and leverage one another's resources, skill sets and experience to build risk capabilities within their organizations. The adage, 'the sum is greater than the parts' certainly applies. Moreover, it is clear that leading organizations have discovered efficiencies, better decision-making and improved results by forming strong alliances between the RMF and IAF" (IIA and RIMS, 2012, p. 3). There is therefore a call for collaboration between these two functions to make both professions more effective and efficient in carrying out their duties in risk management practices. Such collaboration is expected to create stronger risk management practices and to serve the corporate governance mission of meeting stakeholders' interests. Mutual understanding between the two functions is vital, as it can lead to a coordinated structure for the IAF and RMF.
In general, people seem to think that one or the other is unnecessary: it is assumed that if risk management control units exist, then the internal audit function no longer needs to be involved in controlling risk in the organization (Ali and Ahmad, 2017). The IIA responded to this confusion in 2013 with a position paper entitled "The Three Lines of Defense". The paper provides clear guidance and specifically identifies the roles and functions of the three key players in supporting effective risk management practices in an organisation. It posits that the risk management process is stronger with the support of three separate, identified lines of defence: the first line, operational management, which owns and manages risks; the second line, the RMF, which oversees risks; and the third line, the IAF, which provides independent and objective assurance (IIA, 2013). The IIA (2013) states that "The function of the owner of the risk management process is where the operational management has ownership, responsibility and accountability for assessing, managing and controlling risks. As the second line of defence, the risk management function (RMF) is responsible for the specialist risk and control functions that monitor and facilitate effective risk management by the first line and make sure that communication and risk information moves up and down the organization. Lastly, as the third line of defence, the internal audit function (IAF) is responsible for providing independent and objective assurance to the board committee on the effectiveness of the risk management process and activities of the first two lines, and supports the audit committee and board in challenging executive management regarding risks".
Therefore, to add value and remain relevant, internal audit has to play a significant role in seeking consistency among the three lines of defence in ERM activity and in breaking down silos to establish consistent risk communication within the organization (Protiviti, 2018).

Conclusions
This paper highlights two main findings and their associated recommendations. First, it highlights the growing importance of the roles played by the internal auditor in assuring the effectiveness of enterprise risk management in accomplishing the organization's strategic goals. It remains unclear to what extent internal audit should or should not be involved in ERM activities. Therefore, as one of the key corporate governance actors relied upon by the board of directors and the audit committee, internal auditors should understand risk management concepts and their value propositions better than other employees. It is thus recommended that the chief audit executive (CAE) play a more proactive role in highlighting the value of effective risk management and the roles that the internal auditor can offer to enhance that value. This message should be clearly conveyed to the audit committee and the board of directors to help them understand the concept, so that the internal audit function can carry out the right role in the future (IIARF, 2011). To stay relevant, the internal auditor must be able to identify existing and emerging risks that matter to the board. To create value, the internal auditor needs to be more critical and to fully understand the organization's short-term and long-term strategies, related procedures and any related risk strategy implemented in the organisation. An internal auditor must continually refresh their knowledge and be equipped with the relevant expertise and skills so that they can readily assess any organizational risk. Internal auditors may also obtain on-the-job training from real experts such as the external auditor and other related professions (Sobel, 2011). Teoh, Lee, and Muthuveloo (2017) also noted that quality assurance and improvement programmes are necessary to ensure consistent quality in the audit function and to assure that the internal audit function complies with the ISPPIA, the definition of internal auditing and the code of ethics.
Secondly, the paper also highlights the conditions that could lead to impairment of the internal auditor's independence and objectivity as the independent assurer of enterprise risk management. Involvement in illegitimate ERM activities could lead to objectivity threats and non-compliance with IIA requirements. Unclear roles for internal audit in ERM lead to low management support and thus create misalignment and poor coordination between the three lines of defence. It is highly recommended that each line of defence understands and is clear about its own responsibilities in ensuring ERM's effectiveness. High coordination between the lines of defence will result in a better understanding of each other's roles, enabling the internal auditor to focus on its ultimate roles in ERM, which are assurance and consulting.
To conclude, it is clear that the internal auditor continues to play an important role in an organisation's risk management practices. Although internal audit is still predominantly seen as a provider of assurance on risk management, there are increasing expectations for it to play an advisory role given its skills and experience in this area (Ernst & Young, 2012). The IIA has also supported the rising expectations on the internal auditor by clearly setting out the function of the internal auditor in its various studies and position papers. In addition, past empirical studies have revealed that the internal audit function successfully adds value and that internal auditors are statistically significantly related with risk management practices (Drogalas and Siopi, 2017). Therefore, one can conclude that internal audit is critical to the risk management process and at the same time requires further improvement in terms of risk education, exposure and training. Most importantly, as mentioned by Weekes-Marshall (2020), strong support from the audit committee and senior management is the key to effective involvement of internal auditors in the risk management process.