IA: friend or foe?

Internal Audit: Friend or Foe of Enterprise Risk Management?

Microsoft Bing Chat has the answer.

During a recent lecture at Nanyang University in Singapore, students enquired with us about the relationship between internal audit (“IA”) and enterprise risk management (“ERM”).

Internal governance functions should collaborate to the maximum extent that good governance allows. Effective and efficient collaboration will improve output, reduce redundancies, make best use of resources, enhance embedding of ERM and tangibly contribute to resilience building.

Risk Managers should engage with internal audit as much as possible. I use the term “engage” in the sense of “participate.”

For instance, setting a common risk language and identifying risks are prime examples where the input of IA is extremely valuable.

To be clear, IA must preserve its independence under the three lines (of defence) model. Hence, IA should take a backseat during the development and implementation of risk mitigation measures to ensure its unclouded view.

Along that train of thought, I also advocate keeping ERM separate from internal and external audit at board level.

In addition, internal audit will provide a second opinion on processes, status of implementation and many other relevant matters. Hence, from a very pragmatic perspective, I look at the contributions from IA as additional, quality-input at no cost (“aka free consulting”).

On the topic of “free consulting,” I asked Microsoft Bing Chat, which I believe is a close relative of ChatGPT, to answer this question.

The bot’s initial, generic reply described the relationship as “complex and interdependent.” This statement is akin to an anamnesis done by a savvy relationship therapist, who tries to secure more sessions with the couple who sits on the opposite side of the table.

However, after a few rounds of me “digging deeper,” the bot’s reply suddenly trended towards a tangible and positive stance. Briefly, the bot opined (is that a suitable word to describe a bot’s answer?) that collaboration is beneficial for all stakeholders as long as independence is maintained. The bot provides sources of information (see the references below).

From this short, non-scientific test using the bot as a ‘second’ opinion, I am very positively surprised by the depth and quality of information provided, the ease of handling and the effective approach of providing the information. Lightyears ahead of a classic Google-search that most prominently displays advertisements and SEO-engineered content.

Having said that, I continue writing the Podcasts and blog-entries myself. The ChatBot will support me as an “editor” and a source of information (with the well-documented caveats).


Note 1: I enquired which version of the language model the bot is using for its work. The machine refused to answer and ended the conversation abruptly.

Note 2: despite locating my IP address correctly, the bot cited resources out of the Australian context. Hence, I wonder whether the bot “knows” something about my future that I do not know, just yet?

Note 3: Microsoft 365 found no similarities between this text and other published materials.

Note 4: you might notice my struggles with word choice when describing the interactions with the browser-bot.

Sources cited by Microsoft Bing Chat

(1) Relationship between internal audit and risk management. http://broadleaf.com.au/resource-material/relationship-between-internal-audit-and-risk-management/.

(2) Position paper: Risk management and internal audit. https://www.iia.org.uk/resources/risk-management/position-paper-risk-management-and-internal-audit/.

(3) Internal Audit vs. Risk Management – LinkedIn. https://www.linkedin.com/pulse/internal-audit-vs-risk-management-bradley-gilbert.

(4) COMPLIANCE AND ITS RELATIONSHIP TO INTERNAL AUDIT. https://www.accountancysa.org.za/compliance-and-its-relationship-to-internal-audit/.