- Title: Risk Management and Internal Audit: How to Coordinate Without Blurring the Three Lines
- Slug: `cia-risk-management-internal-audit-coordination`
- Certification: CIA
- Level: CIA Part 3
- Topics: Governance, Risk Management, Assurance Mapping, Coordination and Reliance
- Tags: risk-management, internal-audit, assurance-map, three-lines, reliance, audit-reports, risk-register
- Related Q&A slugs: `how-can-risk-management-and-internal-audit-collaborate`, `can-internal-audit-share-reports-with-risk-management`, `should-internal-audit-assign-dollar-values-to-risks`, `when-can-internal-audit-rely-on-risk-management-work`
- Related question bank public slug placeholders: `risk-audit-coordination-best-first-step`, `audit-report-sharing-protocol`, `risk-quantification-role-boundary`, `assurance-map-gap-duplication`, `reliance-on-risk-management-work`, `risk-register-audit-theme-update`, `three-lines-collaboration-boundary`
Thesis
Risk management and internal audit should coordinate, but they should not collapse into the same function. Risk management helps the organization identify, assess, monitor, and report risk. Internal audit provides independent assurance and advice on governance, risk management, and controls.
For CIA candidates, the best answer is usually structured coordination: share risk information, align terminology, map assurance coverage, avoid duplicated work, and preserve internal audit's independence, evidence standards, and reporting authority.
Why Collaboration Gets Awkward
Risk management and internal audit often look at the same risks from different positions. That creates friction:
- Risk management wants audit results to update the risk register.
- Internal audit worries that sharing reports too broadly will weaken confidentiality or stakeholder trust.
- Risk management may expect internal audit to quantify every issue in monetary terms.
- Internal audit may want to use risk management's assessments but must decide whether reliance is appropriate.
- Both functions may talk to the same process owners and create duplicate requests.
The solution is not silence. The solution is a coordination protocol.
Worked Example: Aster Harbor Energy
Aster Harbor Energy has a corporate risk management team and an internal audit team. Both teams cover cyber resilience, vendor concentration, regulatory compliance, and major capital projects. Process owners complain that they answer the same risk questions twice.
The CAE and Chief Risk Officer design a coordination model:
- quarterly risk-information exchange,
- common risk taxonomy,
- shared assurance map,
- clear report-sharing rules,
- defined reliance criteria,
- separate ownership of conclusions,
- escalation protocol for risk-appetite issues.
The teams now share risk signals without merging roles. Risk management can update the risk register based on audit themes. Internal audit can consider ERM assessments during planning. Neither function owns the other's conclusion.
What Internal Audit Can Share
Internal audit can often share useful information with risk management, but the sharing should be intentional. Examples include:
- audit universe and planned coverage at an appropriate level,
- recurring themes across engagements,
- issue categories and aging trends,
- control themes that affect risk assessment,
- risk taxonomy alignment,
- assurance map status,
- remediation themes,
- high-level lessons learned.
Full audit reports may require more care. The CAE should consider report audience, confidentiality, board or audit committee expectations, legal sensitivity, stakeholder commitments, and whether risk management needs the full report or only risk-relevant themes.
What Internal Audit Should Not Own
Internal audit should avoid taking ownership of management's ERM responsibilities. It should not:
- set enterprise risk appetite,
- own the risk register,
- decide management's risk response,
- assign monetary values to every enterprise risk as a management estimate,
- operate risk monitoring controls,
- approve risk acceptance on management's behalf,
- soften audit conclusions to match risk management messaging.
Internal audit can challenge risk scoring, test ERM processes, and advise on better criteria. But management and risk management should own the ongoing risk process.
Monetary Risk Quantification
Risk management may ask internal audit to determine the dollar value of risks raised in an audit. Sometimes internal audit can estimate a financial exposure when evidence supports it. For example, an audit may calculate duplicate payments found in a tested population or estimate recoverable vendor credits.
But not every audit issue should be forced into a dollar estimate. Cyber resilience, compliance exposure, safety risk, reputational risk, and strategic execution risk may need qualitative or scenario-based assessment. Internal audit describes the risk exposure and the evidence behind it; risk management can then translate that exposure into broader enterprise risk implications using the ERM methodology.
The boundary is simple: internal audit supports its finding with evidence. Management owns risk valuation and response decisions unless the audit objective specifically includes a supported financial exposure calculation.
Reliance and Assurance Mapping
Coordination is stronger when the organization builds an assurance map. The map shows who provides what coverage over key risks:
- first-line management controls,
- second-line risk or compliance monitoring,
- internal audit assurance,
- external audit,
- regulators or external reviewers,
- specialist assessments.
Internal audit may rely on work from risk management or another assurance provider only when it has a documented basis. That means considering scope, competence, objectivity, methods, evidence quality, and whether the work answers the audit objective.
Reliance does not transfer accountability. If internal audit relies on another function's work, it still owns the internal audit conclusion.
Exam Framing
When the CIA exam gives a risk management and internal audit coordination scenario, choose the answer that:
- preserves internal audit independence,
- avoids duplication in assurance coverage,
- uses ERM information as planning input,
- documents any reliance on another assurance provider,
- keeps management responsible for risk ownership and response,
- creates clear report-sharing and confidentiality protocols,
- communicates assurance gaps and duplicated coverage to senior management and the board.
The weakest answer usually makes one function dominate the other: risk management controls the audit report, internal audit owns the risk register, or both teams refuse to coordinate and leave assurance gaps invisible.