IIA-Australia White Paper - Internal Audit and Risk Management: Separate or Together?


Author

Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

Michael Parkinson BSc (Hons), GradDipComputing, CIA, CISA, CRMA, CRISC, PFIIA

Date

2023

Topics Explored

Governance

Format

White Paper

Extract/Description

There are advantages and disadvantages both to keeping risk management and internal audit separate and to co-locating them. The decision is ultimately for an individual organisation to make.

Key Points

  1. Both risk management and internal audit contribute to the management of risk within an organisation, although neither of these functions directly manages organisational risk.
  2. In some organisations risk management advisory and internal audit are combined – the same individual is both chief risk officer and chief audit executive.
  3. The ideal situation is that the chief risk officer and chief audit executive are different individuals.
  4. It is much better to combine the positions than to have the chief risk officer report to the chief audit executive or the reverse. 
  5. A combined position is also better than having each report separately to a third person.

Relevant Industries

All

Level of Assumed Knowledge

Intermediate