Internal Auditing's Role in ERM

Internal audit departments have played a variety of roles in their organizations' enterprise risk management (ERM) activities since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management -- Integrated Framework in September 2004. According to the IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks. The perceived current and ideal ERM roles for the internal audit function may vary across organizations. With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ready to work together to achieve the many benefits of ERM.