IERP® Monthly Newsletter Issue 30 December 2021 | Page 24


ERM can even ask IA if there are outstanding issues, he added, and share results of risk assessments, but he cautioned that for an environment like this to develop, the Chief Audit Executive (CAE) and IA need to have a certain level of maturity and a proper understanding of their role in risk management. What should be avoided, he stressed, are “turfing” and “empire-building” tendencies. Commenting on the appropriateness of IA providing consulting advice, Ramesh remarked that when being hands-on with risk management, it was difficult to tell people what to do without getting involved with how they do it. Conflicts of interest were inherent. Where IA was involved in the risk management function or where risk management was parked under IA, a clear strategy and timeline were necessary for migrating responsibility for risk management to members of the management team.

Having given advice pertaining to ERM, IA cannot then give objective assurance on any part of the ERM process it has advised on. Such assurance should be provided by other suitably qualified parties. If IA were to give independent assurance in such circumstances, this could be challenged because it would then be playing both an advisory and audit role, which could lead to conflicts of interest. Auditors have to avoid actual or potential conflicts of interest because these impair their independence. A better understanding of ERM has also developed in the past 20 years; there is more awareness now of the need for ERM to stand on its own.

Despite this increase in awareness and understanding, Ramesh acknowledged that gaps in risk leadership, competency, capability and implementation of ERM still exist. Audit does not need to be defensive about its role, he stressed, as both ERM and IA are trying to achieve the same objective. It is a matter of taking responsibility for the advice that is given; due diligence must be undertaken before giving advice as the advising party is accountable for the advice given. Auditors can make recommendations which are not mandatory; the party that is being advised can then decide whether or not to accept the advice and act on it accordingly.