The IIA has published a Statement of Position clarifying the role of internal audit in Enterprise Risk Management. It is carefully written, professionally presented, and almost entirely beside the point.
The paper’s central concern is independence: can internal auditors remain objective if they also help design or operate risk management processes? That is a legitimate governance question. But it is the wrong question — and the fact that it dominates the paper reveals a deeper problem with how the entire ERM edifice is conceived.
The Premise Nobody Challenges
The paper opens with this: “Organizations require effective governance, risk management, compliance, and control structures and processes to achieve their objectives and sustain long-term value.”
That sentence sounds self-evidently true. It isn’t. It smuggles in the assumption that ERM — as currently practiced — actually helps organizations achieve their objectives. Decades of corporate failures, from financial institutions with mature ERM programs to large infrastructure projects with sophisticated risk registers, suggest this assumption deserves serious scrutiny rather than a ceremonial nod in paragraph one.
Ask RAW@AI about this post or just talk about risk management
The IIA does not ask whether ERM works. It asks who should do it and who should audit it. That is a bit like debating the optimal seating arrangement on a bus heading in the wrong direction.
ERM Is Treated as a Given. It Shouldn’t Be.
The paper describes ERM as integrating “threat and opportunity considerations into strategy, decision-making, and performance.” Fine words. But the dominant form of ERM in practice — risk registers, heat maps, likelihood-impact matrices, risk appetite statements — does none of those things reliably.
Risk matrices embed well-documented mathematical errors. They compress continuous, uncertain outcomes into arbitrary ordinal categories, making it impossible to add, compare, or prioritize risks in any mathematically coherent way. They systematically misrepresent tail risks — the scenarios that actually destroy organizations — because those scenarios sit in corners of a grid designed for average thinking. The IIA paper does not mention this. Not once.
Instead, it takes ERM’s methodology as settled and focuses entirely on governance arrangements around it. This is intellectually comfortable but practically dangerous. You cannot audit your way to a good risk framework if the framework itself is broken.
The Independence Problem Is Real — But It’s a Symptom
The paper’s substantive content concerns what happens when internal auditors take on operational ERM responsibilities. It recommends safeguards: board approval, charter documentation, a 12-month cooling-off period before auditing activities you previously managed.
These are sensible procedural fixes. But they treat independence as the core problem when independence is actually a symptom of a deeper structural confusion — namely, that organizations have built two parallel bureaucracies (risk management and internal audit) that both claim to “manage risk” without either one being clearly accountable for decision quality.
The 12-month rule is particularly telling. It acknowledges that auditing your own work is compromised — but it does not ask the more uncomfortable question: what exactly is being audited? If the underlying ERM process produces risk registers that nobody uses to make decisions, then auditing that process with perfect independence still produces nothing of value. You get a clean opinion on a useless artifact.
“Assurance Over Risk-Related Information” Is Not Risk Management
The paper emphasizes the growing importance of “independent insight and assurance over risk-related information.” This framing reveals the compliance-first DNA of the entire document.
Assurance over risk-related information means checking that the risk register exists, that it was updated on schedule, that the heat map was reviewed by the right committee, and that someone signed off on the risk appetite statement. It says nothing about whether the organization made better decisions because of any of this activity.
Real risk management happens before decisions are made — not after, in the form of audit trails. The question a board should ask is not “did we follow the ERM process correctly?” but “did our risk analysis improve the quality of the choices we made?” Those are fundamentally different questions, and the IIA paper is only equipped to answer the first one.
What the Paper Gets Right — And Why That Makes It More Dangerous
To be fair, the paper acknowledges nuance. It recognizes that expanded internal audit roles in ERM are sometimes practical or transitional. It notes that even formal separation of duties can create perceptions of impairment. These are honest observations.
But that nuance makes the paper more dangerous, not less. It is written well enough to satisfy a board that something rigorous has been considered. It will be cited in audit committee reports as evidence of governance maturity. It will generate compliance activity — charters updated, responsibilities documented, cooling-off periods tracked — and none of that activity will make a single important decision better.
That is the real risk the IIA should be writing about.
The Question the IIA Should Have Asked
Instead of “how do we preserve internal audit independence within ERM?”, the foundational question should be: “Does our current approach to ERM actually improve the decisions that determine organizational survival?”
If the answer is yes, then the governance arrangements around it matter enormously. If the answer is no — or “we don’t know” — then the IIA has published a detailed manual for optimizing a process that isn’t working.
The paper ends with a disclaimer that it is “not intended to provide definitive answers.” Fair enough. But it is also not intended to challenge fundamental premises. And that, more than any independence question, is the gap that will cost organizations the most.
