Departmental Functions in Audit Processes

One question I often get from clients and peers is: “What’s the real difference between Internal Audit, ERM, and Internal Controls? If we have one why do the other two even matter?” We often explain these as functions or frameworks — but the most intuitive way I’ve found is to look at them through the lens of time: 🔹Internal Controls = The Present This is where the business operates right now. The policies, procedures, and activities designed to ensure operations are effective, financial reporting is reliable, and compliance is maintained. Purpose: To prevent mistakes, detect anomalies, and ensure everything is working as intended — in real time. Example: A finance system requiring dual approvals for large payments. Controls are your first line of defense, working in the moment. 🔹 ERM (Enterprise Risk Management) = The Future ERM is the organization’s forward-looking radar. It’s not about what is happening — but what could happen. Purpose: To anticipate emerging risks that could derail strategic objectives, long before they surface. Example: Identifying cyber threats or ESG-related shifts that could affect long-term value. ERM helps you prepare for uncertainty, before it becomes reality. 🔹 Internal Audit = The Past Internal audit is your rearview mirror. It examines what has already occurred — to understand whether controls worked, and if not, why. Purpose: To analyze breakdowns, control failures, or missed risks — and recommend improvements. Example: Reviewing a procurement fraud case to understand how policies were bypassed. Audit helps you learn from the past, so the same mistakes aren’t repeated. Why this time-based view matters: Together, these three functions form a time loop of risk thinking: Internal Controls = Manage the present ERM = Anticipate the future Internal Audit = Understand the past They’re not silos — they’re parts of a continuum. And when they work in sync, organizations move from reactive to resilient — and ultimately, to strategic. #RiskManagement #InternalAudit #ERM #InternalControls #Governance #Assurance #Leadership #StrategicThinking

In many companies, Internal Audit, Compliance, and Risk Management are often viewed as one big bucket. The reality is very different. Each function carries a distinct mandate that shapes how the organization stays disciplined, resilient, and accountable. I put together this visual to make the distinction clearer and easier to communicate across teams. Internal Audit provides independent assurance and challenges how things truly work in day-to-day operations. It pushes for meaningful improvements, not cosmetic fixes. Compliance ensures the company operates within the rules, protects the organization from regulatory exposure, and keeps our processes aligned with external and internal standards. Risk Management builds the structure that helps the business stay ahead of potential threats, supports informed decision making, and reinforces long-term resilience. Three functions with different strengths, yet all contributing to the same goal: safeguarding the business so it can grow with clarity and confidence. Sharing this for anyone who is building or strengthening their governance ecosystem.

Internal Audit vs Compliance vs Risk Management Internal Audit, Compliance and Risk Management are distinct functions that work together to strengthen organisational governance and resilience. Although often viewed as similar, each plays a unique role. Internal Audit provides independent assurance on how well controls and processes are functioning. It focuses on identifying weaknesses, inefficiencies and potential fraud and recommends improvements that enhance effectiveness. Its performance is often measured through audit ratings, timely reporting and the implementation rate of audit recommendations. Compliance ensures the organisation adheres to laws, regulations, industry standards and internal policies. It monitors regulatory changes, supports policy development and verifies that business activities meet required obligations. Compliance effectiveness is usually reflected in breach rates, completion of mandatory training and accuracy of regulatory filings. Risk Management takes a forward looking approach. It identifies and assesses risks across departments, develops risk registers and appetite frameworks and partners with leadership on mitigation strategies. Key indicators include mitigation effectiveness, risk heatmap movements and reduction in incident frequency. Individually they serve different purposes, but collectively they create a robust governance ecosystem. Internal Audit assures, Compliance enforces and Risk Management anticipates. When aligned, they reduce surprises, improve decision making and build a resilient organisation.