For a smaller, non-public company in the financial services industry, can the Chief Audit Officer also be the Chief Risk Officer? If so, how do they typically navigate around independence requirements? Is this a common practice?

VP of Finance, a year ago

Similar to Martin's experience, I implemented a regular cadence of status meetings with a different senior leader to discuss the audit.

VP of Finance in Travel and Hospitality, a year ago

Chief Auditors are taking on the responsibility of Chief Risk Officer in companies large and small. It makes sense to me because the skillsets are very similar. A big caveat is to address this in the audit committee charter (for publicly traded companies). You can wear the two hats (I do in my middle market organization), but you have to be careful with how you manage the independence and objectivity. In short, it's doable and more common than you'd think.

CFO, a year ago

I would not recommend combining those roles. First of all, they require different skill sets. Second, there would be the appearance of potential for conflict. Third, one's judgment could be questioned even if one is trying their very best to be objective.

Director of Finance, a year ago

You can find a helpful delineation of activities in the Internal Audit Institute article "the role of internal auditing in enterprise wide risk management."

Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech, a year ago

I have seen this structure in place at organizations of varying sizes, including publicly traded companies. I think the key is for your Board and senior leadership to be comfortable with the structure and the considerations from an independence perspective. I do think the benefits of having this structure can be meaningful.

To address independence, when we've conducted audits of the risk management function when it also reports up through the CAE, we've typically had the audit team seconded to another leader in the organization for that audit only. Typically, this has been the General Counsel. On a few occasions I've also seen organizations out/co-source the audit of risk management, to further ensure independence exists.

no title, a year ago

Thank you, Martin. This was very helpful.
