
The internal audit function is receiving new levels of attention and interest, especially as organizations seek to strengthen their ability to protect value and build higher levels of confidence. Effective Chief Audit Executives (CAEs) are becoming even more risk-oriented than in the past, taking a more proactive approach to their organization’s Enterprise Risk Management (ERM) programs. This shift reflects a growing recognition that internal assurance is not only about compliance but also about enabling smarter risk decisions, which builds trust across the business.
I have identified three justifications that highlight internal audit’s evolving role in ERM, drawing on insights from CAEs who are leading the way.
Why should CAEs actively participate in ERM—and what’s the framework for doing so?
CAEs who actively participate in ERM gain greater visibility into enterprise risks, improved awareness and stronger business relationships. Research on CAEs who “actively participate” in their organizations’ ERM programs found that this involvement delivers tangible benefits: a higher risk orientation, a deeper connection with business leaders, and a better sense of what matters most.
For example, the CAE of a publicly traded energy company shared that integrating with ERM increased their confidence in articulating the rationale behind internal audit plan choices. This clarity made it easier to prioritize audit activities and defend decisions—even when saying “no” to requests that did not align with organizational priorities.
Active participation in ERM allows audit leaders to:
- Understand the organization’s top risks and align assurance activities accordingly.
- Build stronger relationships with business leaders, fostering collaboration and trust.
- Gain the confidence needed to make strategic decisions about audit coverage and resource allocation.
The framework for CAE involvement starts with recognizing that ERM is not a one-size-fits-all process. Instead, it requires internal audit leaders to be intentional about their role—whether providing input, leading specific risk assessments or facilitating risk discussions. By mapping their participation to the organization’s ERM steps, CAEs can ensure their contributions are meaningful and aligned with enterprise objectives.
How can CAEs become more actively involved in ERM without sacrificing objectivity?
While 97 percent of chief audit executives participate in at least one non-audit activity, such as ERM or business continuity, maintaining objectivity is a valid concern. Collaboration can enhance value, but it must not compromise the independence that is the foundation of effective internal audit.
To strike this balance, CAEs should use the RACI matrix—a tool for clarifying roles and responsibilities within projects and processes (Figure 1). The RACI framework defines four types of involvement:
- Responsible (R): Those who perform the work to complete a specific task, often in collaboration with consulted parties.
- Accountable (A): The ultimate authority who approves work and is responsible for outcomes.
- Consulted (C): Individuals who provide expertise or insight, influencing decisions but not executing tasks.
- Informed (I): Stakeholders who are kept updated on progress and decisions but do not have direct input.
Figure 1: Use RACI roles to Explore and Choose ERM Participation Level

By mapping their ERM involvement to the RACI matrix, CAEs can determine where they add the most value without overstepping boundaries. For instance, a CAE may be “consulted” during risk identification but “informed” during risk response planning, preserving their independence while contributing expertise.
Understanding and communicating these roles is essential. CAEs should proactively discuss their intended level of ERM participation with the audit committee, ensuring clarity and alignment. This approach not only protects audit’s objectivity but also demonstrates a thoughtful commitment to enterprise risk management.
How can CAEs assess and defend their objectivity as they get more involved in ERM?
As CAEs deepen their involvement in ERM, they must be able to assess and defend their objectivity to stakeholders. This begins with transparent communication: CAEs should inform the audit committee of their intention to participate in non-audit activities and explain how their objectivity will be maintained.
A review of the internal audit charter is a critical step. CAEs should ensure that their expanded role is consistent with the charter’s provisions and make updates as needed to reflect new responsibilities. This alignment provides a formal foundation for their participation and reassures stakeholders of the integrity of internal audit activities.
There are 14 factors that underpin the highest levels of internal audit objectivity, including organizational and operational independence. CAEs should evaluate their position against these factors, making adjustments where necessary to preserve independence. Once this assessment is complete, communicating with key stakeholders—such as the audit committee, executive leadership and business unit heads—is vital. These conversations should reinforce the message that audit’s involvement in ERM enhances, rather than diminishes, the reliability of assurance activities.
Ultimately, the goal is to ensure that stakeholders have full confidence in audit’s conclusions and recommendations. By taking a proactive, transparent approach to ERM participation and objectivity, CAEs position themselves as trusted advisors who strengthen the organization’s ability to manage risk and protect value.
The evolving role of audit in enterprise risk management reflects a broader shift toward value creation, strategic alignment and proactive risk leadership. CAEs who embrace active participation in ERM—while safeguarding their objectivity—are better equipped to provide assurance, build business confidence and support long-term success. As organizations continue to navigate complex risk landscapes, the partnership between audit and ERM will be essential to protecting value and driving enterprise resilience.
Tim Berichon is Vice President Analyst in Gartner’s Audit and Risk practice.

