Enterprise Risk Management
ERM vs. Internal Audit: What's the Difference, and How Should They Work Together?
They both talk about risk, they both run assessments, and in most mid-market companies they are two hats on the same head. Here is where the line actually sits, and how to make the two functions stronger together.
By Eric Kennedy · Tue Jul 07 2026 · 7 min read
TL;DR: Internal audit and enterprise risk management are different disciplines with different jobs. ERM is a management process: identifying the risks that could derail strategy, assigning owners, and deciding what to do about them. Internal audit is an assurance function: independently verifying that those risks are actually being managed and reporting what it finds to the audit committee. ERM makes decisions about risk; audit checks the work. In the mid-market, both jobs often land on the same person, which is workable if the boundary is understood. This piece explains the difference, what the IIA says audit should and should not do in ERM, and how to run both on a lean team without compromising either.
Ask a mid-market CFO who owns risk management and you will often get the same answer: "internal audit handles that." Ask the head of internal audit and you will get a more complicated look, because most audit leaders know that answer is wrong, and also know they are the closest thing to a risk function the company has.
I spent fifteen years inside internal audit and advisory teams before running an enterprise risk program, so I have argued this boundary from both sides of it. The confusion is understandable. Both functions talk about risk constantly. Both run assessments. Both produce reports that end up in front of the audit committee. But they are doing fundamentally different jobs, and companies that blur them usually end up weakening both.
The one-sentence difference
Enterprise risk management is a management activity. Internal audit is an assurance activity.
ERM identifies the risks that could knock the company's strategy off course, assigns each one an owner, decides how to respond, and reports the picture to leadership and the board on a cadence. It is decision-making work, owned by management, because only management can accept a risk, fund a mitigation, or change a plan.
Internal audit stands apart from that machinery on purpose. Its job is to independently verify that the machinery works: that the risks management claims to be managing are actually being managed, that controls do what they say, and that the board is getting an honest picture. Audit does not decide which risks to take. It tells the audit committee whether the risk-taking is under control.
A simple way to hold it: ERM drives the car. Audit inspects it. You would not want your inspector driving, and you would not want to drive a car no one ever inspects.
Where the confusion comes from
The overlap is real, which is why the confusion is so durable.
Both functions start from a risk assessment. ERM assesses risk to decide what management should do. Audit assesses risk to decide what to audit. Same word, different purpose, and in companies without a formal ERM program, the audit risk assessment is often the only enterprise-wide look at risk anyone performs. It starts getting treated as the company's risk program by default.
Both functions also end up at the audit committee. When the committee sees one risk deck a quarter and it comes from the head of audit, the board starts to assume audit owns risk. Nobody corrects the assumption because there is no one else to hand it to.
The Institute of Internal Auditors' Three Lines Model exists to untangle exactly this. In its terms, management owns and manages risk in the first line, risk and compliance functions like ERM support and challenge that management in the second, and internal audit sits in the third line providing independent assurance over both. The model was updated in 2020 to stress that the lines are meant to work as a system, not as walls, but the independence of the third line is the one element it treats as non-negotiable.
The mid-market wrinkle is that the model assumes three sets of people, and most mid-market companies have one. That does not make the model useless. It makes the boundary a matter of discipline instead of org design, which is exactly why it is worth understanding what the boundary protects.
What audit can and cannot do in ERM
This is not a matter of opinion. The IIA published a position paper on internal audit's role in enterprise-wide risk management that sorts the work into three buckets, and the buckets hold up well two decades on.
Core audit roles. Giving objective assurance on the risk management process itself, on whether key risks are correctly evaluated, and on how they are reported. This is audit's home turf, and a company with an ERM program should want audit examining it.
Legitimate roles with safeguards. Audit can facilitate risk workshops, coach the organization on responding to risks, and help management stand up the early machinery of ERM, provided safeguards are in place. The engagements are treated as consulting, the work is documented as such, and everyone understands management still owns the outcome.
Roles audit should never take. Setting the risk appetite, making risk response decisions, owning risks, and being accountable for risk management. The paper's underlying principle is blunt: management remains responsible for managing risk. The moment audit owns a risk, it can no longer objectively assure anyone about how that risk is managed. It would be auditing itself.
For a mid-market CAE, that middle bucket is the important one. The IIA is not saying keep your hands off ERM. It is saying you can help build it, and often you are the only person who can, as long as you build it for management to own rather than quietly becoming its owner.
The mid-market reality: one hat, both jobs
In a 300-person company there is no chief risk officer, no second-line risk team, and often a one-person audit function. The AICPA and NC State's 2025 State of Risk Oversight report puts numbers on how unfinished this picture is: just 35 percent of organizations report having comprehensive ERM processes in place, and only 11 percent of senior finance leaders view their risk management process as a strategic tool that delivers competitive advantage.
So the practical question is not "should audit stay out of ERM." It is "how does a lean team do both jobs without wrecking either." Three disciplines make it work.
Name the hat. When the CAE facilitates the annual risk assessment, that is consulting work in service of management's program, and it should be labeled that way in the audit committee materials. When the same CAE later audits how a major risk is being managed, that is assurance. The work products look different, the reporting language is different, and the committee is told which is which. This sounds like formality. It is actually what preserves the committee's ability to trust the assurance.
Put owners in management, always. Audit can build the risk register. Audit must not appear in the owner column. Every risk gets a named operating owner (the CFO, the head of sales, the COO) even if audit is the one holding the pen that writes the names down. If a risk genuinely has no owner, that fact goes on the page, because an unowned risk is a finding in itself.
Give ERM its own path to the board. Even if audit facilitates the work, the risk report should reach the board as management's report, presented by the CFO or CEO, not as an audit deliverable. That single change does more to separate the functions in the board's mind than any org chart.
Since January 2025, this is not just good hygiene. It is the profession's rule. The IIA's new Global Internal Audit Standards, which replaced the 2017 standards, address this exact situation in Standard 7.1: when a chief audit executive holds ongoing roles beyond internal auditing, the responsibilities and safeguards must be discussed with the board and documented in the internal audit charter, and if those areas fall within audit's scope, the organization must arrange alternative assurance, such as an objective external provider reporting to the board. For a mid-market CAE wearing the ERM hat, that is the checklist: a board conversation, charter language, named safeguards, and a plan for who provides assurance over the risk program you facilitate.
How they make each other better
Run correctly, the two functions compound. The ERM program's risk register becomes the best input the audit plan ever had: instead of auditing on rotation or habit, audit points its limited hours at the risks management has already ranked as the ones that matter. And audit's findings flow back the other way, as evidence for the next risk assessment. A finding that inventory controls are failing is not just an audit issue to track; it is data that operational risk in the supply chain is running hotter than the register assumed.
That loop, risks informing the audit plan and findings informing the risk picture, is the whole payoff. One calendar helps: the risk assessment refresh, the audit plan approval, and the board risk report get sequenced so each feeds the next instead of running as three disconnected annual rituals.
Companies that get this right stop asking whether they need a risk register or a risk program and start running both functions off the same picture of the business. Companies that get it wrong usually discover it in the same way: a risk everyone assumed audit was watching, and audit assumed management owned, surfaces in front of the board owned by no one.
Where to Start
If you are a CAE or CFO trying to figure out whether your current setup would hold up to this standard, the scorecard gives you a fast read on your risk reporting in about six minutes. If you already know the boundary is blurred and want a structured look at where ownership, cadence, and reporting need work, that is what the ERM diagnostic is built for: a short, fixed-fee review designed for mid-market teams, often run in partnership with the internal audit function.
Take the scorecard{.cta-primary} Explore the ERM Diagnostic{.cta-secondary}
Frequently Asked Questions
What is the difference between internal audit and enterprise risk management?
Enterprise risk management is a management process for identifying the risks that could affect the company's objectives, assigning owners, and deciding how to respond. Internal audit is an independent assurance function that verifies whether those risks are actually being managed and reports its findings to the audit committee. ERM makes and owns risk decisions; audit independently checks that the decisions and controls work.
Can internal audit own the ERM program?
No. The Institute of Internal Auditors is explicit that internal audit should not set risk appetite, make risk response decisions, or be accountable for risk management, because audit cannot objectively assure a process it owns. Audit can legitimately help build and facilitate an ERM program with safeguards in place, but management must own the program and every risk in it.
Does a mid-market company need both internal audit and ERM?
Yes, but not necessarily as separate teams. A mid-market company needs the two capabilities: a management-owned process for identifying and responding to key risks, and independent assurance that the process works. In practice a lean team, sometimes a single audit leader, can support both, as long as the facilitation work and the assurance work are clearly labeled and risk ownership stays with management.
Should ERM report to the CFO or to the head of internal audit?
ERM should report into management, most commonly the CFO in mid-market companies, with regular visibility to the board. Housing ERM permanently under the head of internal audit compromises audit's independence, because audit would be assuring a program it runs. If the audit leader is temporarily incubating ERM, the plan should include moving ownership to management as the program matures. Under the IIA's 2024 Global Internal Audit Standards, any ongoing role a chief audit executive holds beyond internal auditing must be disclosed to the board, safeguarded, and documented in the internal audit charter.
What is the Three Lines Model?
The Three Lines Model is the Institute of Internal Auditors' framework for organizing risk and assurance roles. Management owns and manages risk in the first line, functions like ERM and compliance support and challenge that management in the second line, and internal audit provides independent assurance over both in the third line. The 2020 update emphasizes that the three lines should collaborate as a system while keeping internal audit's independence intact.