The Connection Between ERM and Internal Audit

Internal audit and enterprise risk management (ERM) are two of the most important functions in organizational governance. While they have different roles, they share a common goal: helping the organization manage risk effectively.

The risk register is a critical connection point between these functions. It provides internal audit with a foundation for planning and execution, while audit findings feed back into the risk register to improve risk assessment accuracy.

Different Roles, Shared Goals

Aspect               ERM Team                        Internal Audit
Primary role         Identify and manage risks       Provide independent assurance
Perspective          First/second line of defense    Third line of defense
Risk register use    Maintain and update             Use for planning and validation
Control focus        Design and implement            Test and evaluate
Reports to           Management/Risk Committee       Audit Committee/Board

Risk-Based Audit Planning

Risk-based auditing is the standard approach for modern internal audit functions. Instead of auditing everything equally, audit resources are focused on the areas that matter most—those with the highest risk.

The risk register provides the foundation for this prioritization. By understanding which risks are most significant, internal audit can build an audit plan that addresses the risks with the greatest potential impact on the organization's objectives.

How the Risk Register Informs Audit Planning

  1. Identify high-risk areas — Review risks with high likelihood and impact scores
  2. Evaluate control adequacy — Look for risks with a large gap between inherent and residual risk (the rating depends heavily on controls that should be tested) or with controls rated as inadequate
  3. Consider risk changes — Prioritize areas where risks have increased or new risks emerged
  4. Balance coverage — Ensure all critical risk categories receive appropriate attention over time

Example: Annual Audit Plan Development

An internal audit team reviews the enterprise risk register and identifies:

  • 5 risks rated as "Critical" — Plan for audits in Q1-Q2
  • 12 risks rated as "High" — Plan for audits throughout the year
  • 3 risks where controls haven't been tested in 2+ years — Add to audit plan
  • 2 new risks identified by ERM team — Schedule preliminary reviews
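The four planning steps and the example above can be applied mechanically to a register export. The following is an added example and is not code from the original page or from any ERM product; the scoring scale (5x5 likelihood x impact), the rating bands, the 90-day "new risk" window, the 730-day "untested" threshold and the gap threshold of 8 points are all assumptions, and the register contents are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Risk:
    risk_id: str
    title: str
    inherent_likelihood: int   # 1 (rare) .. 5 (almost certain), before controls
    inherent_impact: int       # 1 (negligible) .. 5 (severe)
    residual_likelihood: int   # same scales, after controls
    residual_impact: int
    added: date                # date the risk entered the register
    last_control_test: Optional[date] = None   # None = controls never tested

    @property
    def inherent(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rating(score: int) -> str:
    """Map a 5x5 likelihood*impact score to a rating band (assumed thresholds)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def build_audit_plan(register, today, new_within_days=90,
                     test_stale_days=730, control_gap=8):
    """Apply the four planning steps to every risk and return the audit plan
    sorted by residual score (highest first). Risks with no reason are omitted."""
    plan = []
    for r in register:
        reasons = []
        band = rating(r.residual)
        is_new = (today - r.added).days <= new_within_days

        # Step 1: high-risk areas (residual likelihood x impact)
        if band in ("Critical", "High"):
            reasons.append(f"{band.lower()} residual risk ({r.residual})")

        # Step 2: control adequacy - a large inherent->residual gap means the
        # rating depends on controls that audit should test
        if r.inherent - r.residual >= control_gap:
            reasons.append(f"rating depends on controls (inherent {r.inherent} -> residual {r.residual})")

        # Step 3: risk changes - new risks get a preliminary review; for the rest,
        # controls never tested or not tested in 2+ years are a coverage gap
        if is_new:
            reasons.append("new risk: preliminary review")
        elif r.last_control_test is None or (today - r.last_control_test).days > test_stale_days:
            reasons.append("controls not tested in 2+ years")

        if not reasons:
            continue   # Step 4: everything else rotates in on the multi-year cycle

        if is_new:
            window = "Q1 (preliminary review)"
        elif band == "Critical":
            window = "Q1-Q2"
        elif band == "High":
            window = "Q1-Q4"
        else:
            window = "Q3-Q4"
        plan.append({"risk_id": r.risk_id, "title": r.title, "rating": band,
                     "inherent": r.inherent, "residual": r.residual,
                     "window": window, "reasons": reasons})
    plan.sort(key=lambda e: (e["residual"], e["inherent"]), reverse=True)
    return plan


# Constructed sample register (illustrative only, not real data)
TODAY = date(2024, 1, 15)
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware disrupts operations", 5, 5, 3, 5, date(2021, 3, 1), date(2023, 6, 1)),
    Risk("R-02", "Regulatory report filed late", 4, 5, 4, 5, date(2020, 1, 10), None),
    Risk("R-03", "Vendor data breach exposes customer PII", 4, 4, 2, 4, date(2020, 1, 10), date(2021, 9, 1)),
    Risk("R-04", "Misuse of generative AI by staff", 3, 4, 3, 3, date(2023, 12, 1), None),
    Risk("R-05", "Office lease renewal", 2, 2, 1, 2, date(2019, 5, 5), date(2023, 10, 1)),
]

if __name__ == "__main__":
    for entry in build_audit_plan(SAMPLE_REGISTER, TODAY):
        print(f"{entry['risk_id']} [{entry['rating']:8}] {entry['window']:24} {entry['title']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Run as-is, the sample register produces a plan of four entries: the critical, never-tested R-02 lands in Q1-Q2, the high-rated R-01 is scheduled across the year because its rating rests on controls that knocked 10 points off the inherent score, the newly added R-04 gets a preliminary review, and R-03 is picked up despite a medium residual rating because its controls were last tested more than two years ago. The low-rated R-05 is left to the rotation cycle. Keeping the reasons on each entry matters more than the ordering: they are what audit will cite when the plan is presented to the Audit Committee.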

Using Risk Registers in Audit Fieldwork

During audit execution, the risk register serves as a reference document that guides testing and provides context for findings.

Pre-Audit Preparation

  • Review risk descriptions and root causes for the audit area
  • Understand the controls mapped to each risk
  • Note management's risk ratings and the rationale behind them
  • Identify risk owners to interview during fieldwork

During Fieldwork

  • Control testing — Test whether controls in the risk register are operating effectively
  • Risk validation — Assess whether management's risk ratings are appropriate
  • Gap identification — Look for risks or controls not captured in the register
  • Evidence collection — Document control performance for audit workpapers

Comparing Perspectives

One of audit's most valuable contributions is comparing management's view of risk (in the register) with audit's independent assessment. Key questions include:

  • Are there risks management hasn't identified?
  • Are any risks underestimated or overestimated?
  • Are controls as effective as management believes?
  • Has anything changed since the last risk assessment?

Making Your Risk Register Audit-Ready

An "audit-ready" risk register contains the information auditors need and follows a methodology they can validate. Here's what to include:

Essential Elements for Auditors

Clear Risk Documentation

  • Specific, well-written risk descriptions
  • Identified root causes and risk drivers
  • Potential impacts clearly articulated
  • Risk categories aligned with organizational structure

Complete Risk Scoring

  • Inherent risk scores (before controls)
  • Residual risk scores (after controls)
  • Documented scoring methodology
  • Rationale for ratings (especially for high-impact risks)

Mapped Controls

  • Controls linked to specific risks
  • Control type identified (preventive, detective, corrective)
  • Control owner assigned
  • Control effectiveness rating with evidence

Ownership and Updates

  • Risk owners clearly assigned
  • Last review date visible
  • Update history or audit trail
  • Status of action items or treatment plans

Auditor Tip

Auditors are often skeptical of risk registers that haven't been updated recently or lack evidence of active management. Regular updates demonstrate that risk management is actually happening, not just documented.

Best Practices for ERM-Audit Collaboration

When ERM and internal audit work together effectively, both functions—and the organization—benefit significantly.

Collaboration Strategies

  • Regular touchpoints — Schedule quarterly meetings to share updates and insights
  • Shared access — Give audit read access to the risk register (with appropriate permissions)
  • Two-way communication — ERM shares emerging risks; audit shares control observations
  • Aligned terminology — Use consistent definitions for risk categories and ratings
  • Coordinated assessments — Avoid duplicating risk assessment efforts

Independence Considerations

While collaboration is valuable, internal audit must maintain independence. Best practices include:

  • Audit can provide input on risk methodology but shouldn't own the risk register
  • Audit should independently validate management's risk assessments
  • Audit shouldn't assume management's risk ratings are correct
  • Audit reports to a different authority (Audit Committee) than ERM (management)

Common Gaps Auditors Find

Based on audit findings across many organizations, here are common risk register issues that auditors identify:

Risk Identification Gaps

  • Missing emerging risks — Register doesn't reflect new threats (cyber, regulatory, etc.)
  • Incomplete coverage — Some business areas or processes not represented
  • Stale risks — Risks that no longer apply remain in the register
  • Third-party risks overlooked — Vendor and supply chain risks not adequately captured

Risk Assessment Issues

  • Inconsistent scoring — Similar risks rated differently across departments
  • Optimism bias — Residual risks rated lower than warranted
  • No inherent risk — Only residual risk captured, making control effectiveness unclear
  • Missing rationale — No documentation explaining why ratings were assigned

Control Mapping Problems

  • Missing controls — Risks without any linked controls
  • Overreliance on single controls — No backup if primary control fails
  • Controls not tested — Effectiveness assumed rather than verified
  • Obsolete controls — Controls that no longer exist or function
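The "Essential Elements for Auditors" checklist above and the gaps listed in this section are the same thing seen from two sides, and most of them can be checked automatically before audit ever asks. The following is an added example, not code from the original page or from any ERM product; the field names, the control status values, the one-year review and two-year test thresholds, and the impact cut-off of 4 for requiring a rationale are assumptions, and the register and control library are constructed.

```python
from datetime import date

REVIEW_STALE_DAYS = 365   # assumed: last review older than a year is stale
TEST_STALE_DAYS = 730     # assumed: control evidence older than two years is stale
HIGH_IMPACT = 4           # assumed: impact >= 4 on a 1-5 scale needs a written rationale


def days_since(when, today):
    return None if when is None else (today - when).days


def lint_register(register, controls, today):
    """Run audit-readiness checks over a register (list of risk dicts) and a
    control library (dict keyed by control id). Returns a list of findings."""
    findings = []
    for risk in register:
        rid = risk["id"]

        def flag(check, detail):
            findings.append({"risk_id": rid, "check": check, "detail": detail})

        # Ownership and updates
        if not risk.get("owner"):
            flag("no_owner", "risk has no assigned owner")
        reviewed = days_since(risk.get("last_review"), today)
        if reviewed is None or reviewed > REVIEW_STALE_DAYS:
            flag("stale_review", f"last review {risk.get('last_review')}")

        # Complete risk scoring
        inherent, residual = risk.get("inherent"), risk.get("residual")
        if inherent is None:
            flag("no_inherent_score", "only residual risk captured; control effect unclear")
        if residual is None:
            flag("no_residual_score", "no residual score recorded")
        if inherent is not None and residual is not None and residual > inherent:
            flag("residual_exceeds_inherent", f"residual {residual} > inherent {inherent}")
        if (risk.get("impact") or 0) >= HIGH_IMPACT and not risk.get("rationale"):
            flag("missing_rationale", "high-impact risk has no documented rationale")

        # Mapped controls
        linked_ids = risk.get("controls", [])
        for cid in linked_ids:
            if cid not in controls:
                flag("unknown_control", f"{cid} is not in the control library")
        linked = [(cid, controls[cid]) for cid in linked_ids if cid in controls]
        active = [(cid, c) for cid, c in linked if c.get("status") == "active"]
        for cid, c in linked:
            if c.get("status") != "active":
                flag("obsolete_control", f"{cid} ({c.get('name')}) is {c.get('status')}")
        if not active:
            flag("no_active_controls", "no active control is linked to this risk")
        elif len(active) == 1:
            flag("single_control", f"relies solely on {active[0][0]}")
        for cid, c in active:
            tested = days_since(c.get("last_tested"), today)
            if tested is None or tested > TEST_STALE_DAYS:
                flag("control_not_tested", f"{cid} last tested {c.get('last_tested')}")
    return findings


def checks_by_risk(findings):
    """Collapse findings to {risk_id: sorted list of check names}."""
    out = {}
    for f in findings:
        out.setdefault(f["risk_id"], set()).add(f["check"])
    return {rid: sorted(checks) for rid, checks in out.items()}


# Constructed sample data (illustrative only, not real data)
TODAY = date(2024, 1, 15)
CONTROLS = {
    "C-01": {"name": "Offline backups", "type": "corrective", "status": "active", "last_tested": date(2023, 9, 15)},
    "C-02": {"name": "EDR on endpoints", "type": "detective", "status": "active", "last_tested": date(2021, 5, 1)},
    "C-03": {"name": "Legacy DLP gateway", "type": "preventive", "status": "retired", "last_tested": None},
    "C-04": {"name": "Vendor security questionnaire", "type": "preventive", "status": "active", "last_tested": None},
}
REGISTER = [
    {"id": "R-01", "title": "Ransomware disrupts operations", "owner": "CISO", "inherent": 25, "residual": 15,
     "impact": 5, "rationale": "Backups tested quarterly", "last_review": date(2023, 11, 30), "controls": ["C-01", "C-02"]},
    {"id": "R-02", "title": "Data exfiltration via email", "owner": "CISO", "inherent": 16, "residual": 4,
     "impact": 4, "rationale": None, "last_review": date(2022, 6, 1), "controls": ["C-03"]},
    {"id": "R-03", "title": "Vendor data breach exposes PII", "owner": None, "inherent": None, "residual": 8,
     "impact": 4, "rationale": "Key vendors hold PII", "last_review": date(2023, 12, 1), "controls": ["C-04", "C-99"]},
]

if __name__ == "__main__":
    for f in lint_register(REGISTER, CONTROLS, TODAY):
        print(f"{f['risk_id']}  {f['check']:24} {f['detail']}")
```

On the sample data R-01 passes everything except that one of its two controls has not been tested in over two years; R-02 is the classic optimistic entry, with a residual score that has been dropped to 4 on the strength of a control that is no longer in service, no rationale for a high-impact rating and a review date over a year old; R-03 has no owner, no inherent score, a dangling control reference and a single never-tested control doing all the work. Running a check like this before each quarterly ERM-audit touchpoint turns most of these into housekeeping rather than audit findings.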

Incorporating Audit Findings

Audit findings should feed back into the risk register to improve future risk assessments. This creates a virtuous cycle of continuous improvement.

Types of Updates from Audit

  • Control effectiveness adjustments — Update ratings based on testing results
  • New risks identified — Add risks discovered during audit fieldwork
  • Risk rating changes — Adjust scores based on audit observations
  • Remediation tracking — Link audit recommendations to risk treatment plans

The Feedback Loop

Example Process

  1. Audit tests controls for "Cybersecurity Risk" rated as Medium residual
  2. Audit finds control gaps—actual effectiveness is lower than assumed
  3. Audit reports finding to management and Audit Committee
  4. ERM team updates risk register: residual risk increased to High
  5. Risk owner implements remediation; ERM tracks progress
  6. Follow-up audit confirms remediation; residual risk re-rated

How ERM Software Supports Audit Collaboration

Modern ERM software like Dimeri facilitates collaboration between risk management and internal audit teams:

  • Role-based access — Give auditors read access without editing rights
  • Audit trail — Track all changes to risks and controls for audit review
  • Control testing integration — Link audit testing results to control effectiveness
  • Finding tracking — Connect audit recommendations to risk treatment actions
  • Reporting — Generate audit-ready risk reports with filtering and sorting
  • Real-time visibility — Both teams see the same current information

Enable Better Audit Collaboration

Dimeri's role-based access and audit trail features help ERM and audit teams work together while maintaining appropriate separation.


Key Takeaways

  • Risk registers provide the foundation for risk-based audit planning
  • Internal audit uses the register to prioritize high-risk areas and identify controls to test
  • Audit-ready registers include clear documentation, complete scoring, mapped controls, and evidence of updates
  • ERM and audit should collaborate regularly while audit maintains independence
  • Audit findings should feed back into the risk register for continuous improvement
  • Common gaps include missing risks, inconsistent scoring, and untested controls
  • ERM software enables better collaboration with role-based access and audit trails

Frequently Asked Questions

How do internal auditors use risk registers?

Internal auditors use risk registers to: 1) Plan risk-based audits by prioritizing high-risk areas, 2) Identify controls to test during fieldwork, 3) Compare management's risk assessments with audit findings, and 4) Track remediation of audit findings over time.

What is risk-based audit planning?

Risk-based audit planning allocates audit resources based on risk levels. High-risk areas receive more audit coverage, while lower-risk areas are audited less frequently. The risk register provides the foundation for this prioritization.

Should internal audit maintain its own risk register?

Internal audit may maintain a separate audit risk assessment, but it should be informed by and aligned with the organization's enterprise risk register. The two should complement each other, not operate in silos. Many organizations use a shared risk register with different views.

How often should audit review the risk register?

Internal audit should review the risk register at least annually during audit planning, and whenever significant organizational changes occur. Many audit teams review risk updates quarterly to adjust their audit plan as needed.

What makes a risk register 'audit-ready'?

An audit-ready risk register includes: clear risk descriptions, documented inherent and residual scores, mapped controls with effectiveness ratings, assigned risk owners, evidence of regular updates, and a clear methodology for risk assessment.

Can auditors rely on management's risk assessments?

Auditors can use management's risk assessments as a starting point but should apply professional skepticism. They should validate key risks through independent assessment, test whether controls are operating effectively, and identify risks that management may have underestimated or missed.