If there’s one thing we can all agree on, it’s that uncertainty is the only constant in today’s business landscape. From economic volatility to technological disruption and geopolitical tensions, internal audit and risk professionals are under more pressure than ever to ensure they work together to help their organisations remain resilient. And we’ve all seen the consequences of weak governance and poor risk oversight – BHS, Carillion, Bulb, ISG, Patisserie Valerie – ring a bell? The question is, how do we bolster corporate governance and support organisations to step up and prevent history from repeating itself?
That’s where the Chartered Institute of Internal Auditors’ (Chartered IIA) new Internal Audit Code of Practice comes in. Now effective, the updated Code is designed to strengthen internal audit functions and support organisations in tackling these emerging risks head-on, raising the bar for the profession across financial services, private, and third sectors. But it’s not just for internal auditors. If you’re a risk professional, an audit and/or risk committee member, or a board member, this Code is just as valuable in helping you strengthen and improve risk oversight, as well as ensure a joined-up and coordinated approach to assurance.
We know risks are evolving fast and organisations can no longer afford to take a narrow and siloed approach to assurance and risk management. Businesses are facing increasingly complex and interconnected threats, and the Code of Practice has stepped up to keep pace.
The Code has been updated to reflect many of the new and emerging risks that are changing and impacting organisations like never before. For the first time, the Code recommends that internal audit includes within its scope and priorities: environmental sustainability, climate change, financial and economic crime, cyber threats, artificial intelligence, and macroeconomic & geopolitical uncertainties. These are no longer just concerns for large multinational companies – the fact is, they’re impacting all organisations and if they aren’t on your radar yet, they should be.
Why coordination, alignment and partnership are key
Internal audit and risk management have always operated most effectively when they have an open, constructive and cooperative approach. Yet, it could be argued that at times they have operated in silos and not worked as closely as they perhaps should have.
This is why the new Code makes clearer than ever the need for strong coordination between the two to create a unified and joined-up approach to risk oversight across the second and third lines. Ultimately, this should help to improve the effectiveness of assurance and help support organisations to fully connect the dots on the plethora of risks they now face.
Effective risk oversight needs a complete 360-degree view. One that’s structured, transparent, and free from blind spots. The Code helps set the foundation for building that alignment, ensuring assurance efforts are coordinated, duplication is avoided, and critical risks don’t fall through the cracks.
For risk professionals, having a close working relationship with internal audit isn’t a ‘nice-to-have’, it’s essential. Internal audit can be a valuable and trusted sounding board for risk management, challenging assumptions, stress testing scenario plans and making sure risks are not only being identified but actively managed and mitigated. Indeed, the new Code recommends that internal audit should audit and assess the adequacy and effectiveness of risk management. By doing so, it helps strengthen the risk management function, increasing its impact and raising its game.
Staying ahead of emerging risks needs a dynamic approach, one that looks at what’s happening on the ground and examines whether decisions are being made in alignment with the risk appetite and business strategy. Are risk mitigation strategies working? Does the risk framework support a strong risk culture in the organisation? These are the questions that internal audit and risk management can tackle together.
When risk management and internal audit work together, organisations can have confidence in taking on and responding proactively to their ever-changing risk landscape. Instead of reacting to threats after they’ve materialised, spotting and addressing risks earlier and faster can create a risk culture that works. In many cases, as well as knowing when to apply the brakes when new threats emerge on the horizon, it’s also about supporting organisations to harness opportunities and take risks in the right way that benefits the business and supports growth.
While alignment and coordination matter more than ever in today’s risk climate, the need for internal audit to maintain its independence remains vital too. The Code sets out clear guidance on how internal audit and risk management should interact to support the independence and objectivity needed for internal audit to provide effective assurance.
In financial services, the separation of the internal audit and risk management functions is a regulatory requirement. This of course differs from the non-financial services sectors, where a joint Head of Internal Audit and Risk is common. However, to protect internal audit’s independence, the Code recommends safeguards to prevent conflicts of interest and to ensure the function has the space to focus on assurance and challenge risk management where needed. Strong board and audit committee oversight reinforces this balance, keeping internal audit independent while enabling it to add value to risk management.
Making the Code work for you
The Chartered IIA’s Internal Audit Code of Practice, along with the Raising Your Game guidance, gives organisations a practical roadmap for strengthening and increasing the effectiveness of both internal audit and risk management. Organisations that embrace these principles will be in a much stronger position to anticipate and take better risks, make better decisions, and build resilience. In today’s risk landscape, this is no longer just an advantage—it’s a necessity.
Mo Warsame, Senior Policy and Public Affairs Executive, Chartered Institute of Internal Auditors