How will auditors audit ERM, since this is different than regulation and procedure compliance? What conversations are happening with IGs to ensure they understand how ERM works?

Question asked by

AFERM Experts Say...

Past experiences with ERM program audits by the Government Accountability Office (GAO) and Inspector General (IG) lead to similar areas of focus.  Their initial reviews concentrated on ensuring that basic program elements were present and documented.  These elements included the maturity model and program development map; ERM governance structure; ERM framework, including standardized processes and procedures; ERM function staffing, including Chief Risk Officer (CRO) duties and responsibilities, as well as placement within the agency’s organizational structure; and the agency’s Risk Appetite Statement.  After the audit teams understood the basic design and foundation elements supporting the ERM program, they investigated methods used to identify key risks, as well as conducted interviews with agency executives, ERM program staff, and ERM points of contact within each line of business.  While auditors from both teams were interested in the enterprise risk register and responses to key risks, the GAO team did not raise questions regarding whether the risk appetite and risk response actions were appropriate.  On the other hand, the IG audit team questioned various aspects of risk appetite and risk tolerance adopted by the agency.  Each audit team will likely have a different focus, but starting with foundational ERM program elements with a clear direction for program development and maturity will compel the audit team to consider how the agency is approaching its ERM program and may help steer auditors away from judgements about whether agency leadership has set suitable risk appetites and tolerances and if risk response actions are appropriate.