
Aligning Forces: How Internal Audit and Risk Management Collaborate in Canadian Financial Institutions




Part of our "Resilience and Readiness" Blog Series


In Canada’s dynamic financial services sector, resilience has become a strategic imperative for financial institutions. It is not just a trending term; it is a regulatory expectation. For federally regulated financial institutions (FRFIs), including banks and insurance companies, building resilience demands stronger coordination between two key assurance functions: internal audit and risk management.

While these functions serve distinct roles within the governance framework, their collaboration—especially underpinned by a risk-based audit approach—is critical to meet the expectations of stakeholders and regulators like the Office of the Superintendent of Financial Institutions (OSFI).


Understanding the Distinct but Complementary Roles

At their core:

  • Risk Management owns the design and oversight of risk identification, mitigation, and monitoring processes.

  • Internal Audit provides independent assurance that processes deployed across an organization are working as intended, and align with regulatory requirements and strategic priorities.

These distinct roles are intentionally structured to maintain audit independence. However, modern governance calls for alignment, not duplication, to ensure that the organization’s risk management framework is effective, responsive, and well-integrated.


A Risk-Based Approach: Guided by IIA Standards

The Institute of Internal Auditors (IIA) defines the standard for audit planning in its International Standards for the Professional Practice of Internal Auditing. Under Standard 2010 – Planning, internal audit must “establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.”

This is more than a procedural step—it’s a strategic imperative.


A risk-based internal audit plan:

  • Uses the organization’s risk appetite and enterprise risk assessments as a foundation.

  • Targets assurance work to areas of greatest impact, such as credit risk, third-party management, model governance, or cyber resilience.

  • Informs priorities based on regulatory trends and feedback, such as emerging themes from OSFI guidelines (e.g., Guidelines E-21 on Operational Risk and Operational Resilience, E-23 on Model Risk Management, B-10 on Third-Party Risk, and B-20 on Residential Mortgage Underwriting Practices).


Integration in Practice: Where Audit and Risk Connect

For FRFIs, especially those navigating complex risk environments, internal audit and risk management intersect at several key points:


1. Audit Planning

Internal audit reviews the relevant risk frameworks applicable to the audit entity, uses risk assessments and risk monitoring, and aligns priorities with evolving regulatory and business risks.


2. Control Validation

In an organization with a mature risk management program, the business units (first line of defence) design and implement controls. The business units may also test the effectiveness of these controls as part of their business mapping processes and risk and control self-assessments. The compliance and risk functions (second line of defence) may facilitate this process, and may also perform control testing to validate the self-assessments. Internal audit (third line of defence) independently assesses internal control design and effectiveness, ensuring accountability and oversight.

This may appear to be a duplication of effort; however, the level of assurance obtained from control testing increases from line to line, with the weakest level coming from the first line (business) and the strongest from the third line (internal audit). A well-designed internal audit program will time its control testing so that duplication of effort and undue pressure on business resources are kept to a minimum.


3. Monitoring and Escalation

Audit findings are integrated into the broader governance framework, validating or challenging risk indicators reported by risk management. Internal audit plays a key role in validating the accuracy, completeness, and consistency of those risk indicators. This includes assessing the reliability of data sources, the appropriateness of thresholds or risk appetite metrics, and whether escalation protocols are triggered as intended. Where discrepancies, blind spots, or overreliance on lagging indicators are identified, internal audit may challenge the effectiveness of these metrics and recommend enhancements to better reflect the organization’s true risk exposure.


4. Advisory and Maturity Assessments

Internal audit also plays a role in assessing the maturity of risk governance practices, including risk culture, escalation mechanisms, and board-level reporting, without overstepping into management’s domain.


Maintaining Audit Independence: The Three Lines of Defence Model

Under the updated Three Lines Model (IIA, 2020), internal audit remains the third line of defence, independent from the business and risk functions. Effective governance requires strong alignment between the business, the risk function, and internal audit; cooperation is not conflict.

Well-designed governance models encourage:

  • Regular risk and audit committee collaboration

  • Audit participation in risk forums (in an observer or feedback capacity)

  • Transparent handoffs of findings or escalations


The result? Informed, timely, and effective assurance—without compromising independence.


Final Thoughts: Why This Matters Now

In an era of accelerated risk, tightened budgets, compliance pressure, and regulatory scrutiny, aligning internal audit and risk management is more than good practice—it’s essential.

For Canadian financial institutions, especially in banking and insurance, this alignment enhances:

  • Strategic responsiveness

  • Regulatory readiness

  • Operational resilience

  • Stakeholder trust


By rooting audit efforts in real risk intelligence, organizations can move beyond hindsight assurance and toward proactive governance.


Interested in more on this topic? Explore our ongoing Blog Series on Resilience and Readiness for deep dives into operational risk and resilience readiness.


© 2025 by Vigilant Risk and Governance Solutions