What is enterprise risk management and what role in it does internal auditing play?
Enterprise risk management is about risk-based thinking and all of the new international standards start with risk-based thinking. The new standards look at how you’ve identified risks, prioritizing those risks and then looking at what controls you’re going to apply to those risks.
I would expect to see, in most modern organizations looking at the 2015 editions of ISO management system standards, that those organizations have Risk Registers. For example, a Corporate Risk Register starts to unpack all the high-level risks that are part of the risk horizon for the organization. This includes quality, safety, environment, data security, food, etc. This will allow you to start to unpack the controls.
This enterprise risk management system will start to identify the issues and show you how to minimize, prevent, or avoid them. Your internal auditing function is about asking the question: have we got those things in place?