How can risk management and internal audit collaborate without losing independence?
author: AcadiFi Team
Answer:
They can collaborate by sharing risk information, aligning risk terminology, coordinating timing, and building an assurance map. Internal audit can use ERM information as one input to risk-based planning, while risk management can use audit themes to update the risk register and risk reporting.
The independence boundary is that internal audit should not own management's risk register, set risk appetite, approve risk responses, or let risk management control audit conclusions. Internal audit can advise and coordinate, but it remains responsible for its own evidence, scope, findings, and reporting.
The best CIA answer is not separation for its own sake. It is structured coordination with clear role boundaries.
Master CIA Part 3 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.