– Practice Guide   COORDINATINGRISK MANAGEMENT  AND ASSURANCE             March 2012
IPPF – Practice Guide      Coordinating Risk Management and AssuranceTable of ContentsExecutive Summary......................
IPPF – Practice Guide                                                                Coordinating Risk Management and Assu...
IPPF – Practice Guide                                                                 Coordinating Risk Management and Ass...
IPPF – Practice Guide                                                                Coordinating Risk Management and Assu...
IPPF – Practice Guide                                                              Coordinating Risk Management and Assura...
IPPF – Practice Guide                                                                Coordinating Risk Management and Assu...
IPPF – Practice Guide                                                               Coordinating Risk Management and Assur...
IPPF – Practice Guide                                                            Coordinating Risk Management and Assuranc...
IPPF – Practice Guide                                                                    Coordinating Risk Management and ...
IPPF – Practice Guide                                                                    Coordinating Risk Management and ...
IPPF – Practice Guide                                                               Coordinating Risk Management and Assur...
IPPF – Practice Guide                                        Coordinating Risk Management and AssuranceAuthors:Andrew MacL...
About the Institute                                          DisclaimerEstablished in 1941, The Institute of Internal     ...
Upcoming SlideShare
Loading in...5
×

Coordinating risk mgt and assurance march 2012

668
-1

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
668
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
36
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Coordinating risk mgt and assurance march 2012

  1. 1. – Practice Guide COORDINATINGRISK MANAGEMENT AND ASSURANCE March 2012
  2. 2. IPPF – Practice Guide Coordinating Risk Management and AssuranceTable of ContentsExecutive Summary......................................................................................... 1Introduction.................................................................................................... 1Risk Management and Assurance (Assurance Services)................................. 1Assurance Framework..................................................................................... 2The Respective Roles of Risk Management, Internal Audit, Compliance,and other Assurance Providers........................................................................ 4Coordination Role of the CAE.......................................................................... 4Using the Risk Management Process in Internal Audit Planning...................... 6Preparation of Assurance Maps...................................................................... 8Feedback on Significant Risk Areas in Internal Audit Reports......................... 8Assessment by Internal Audit of the Adequacy of Risk Management............... 8The Promotion of Risk Management by Internal Audit..................................... 9Where Internal Audit Facilitates Risk Managment......................................... 10Impact on Internal Audit Where a Formal Risk ManagementFunction Does Not Exist................................................................................ 10 www.globaliia.org/standards-guidance / B
  3. 3. IPPF – Practice Guide Coordinating Risk Management and AssuranceExecutive Summary IntroductionRisk management is fundamental to organizational con- Standard 2050: Coordination states, “The chief audit ex-trol and a critical part of providing sound corporate gov- ecutive [CAE] should share information and coordinateernance. It touches all of the organization’s activities. The activities with other internal and external providers of as-establishment of an effective enterprise-wide risk man- surance and consulting services to ensure proper coverageagement system is a key responsibility of management and and minimize duplication of efforts.” This responsibilitythe board, which are responsible for adopting a holistic requires the CAE’s inclusion and participation in the orga-approach to the identification of organizational risks, cre- nization’s assurance provider framework. This frameworkating controls to mitigate those risks, and monitoring and can consist of internal audit, external audit, governance,reviewing the identified risks and controls. They should risk management, or other business control functions/ensure that risk management is integrated into the organi- disclosures performed by the organization’s managementzation, both at the strategic and operational levels. team. Inclusion and participation in this framework helps ensure that the CAE is aware of the organization’s risksWith responsibility for assurance activities traditionally and controls in relation to organizational goals and objec-being shared among management, internal audit, risk tives.management, and compliance, it is important that as-surance activities be coordinated to ensure resources are Boards will use various sources to gain reliable assurance,used in an efficient and effective way. Many organizations including management, internal audit, and third parties.operate with traditional (and separate) internal audit, risk, As discussed in Practice Advisory 2050-2: Assuranceand compliance activities. It is common for organizations Maps, an assurance map is a valuable tool for coordinat-to have a number of separate groups performing different ing risk management and assurance activities to increaserisk management, compliance, and assurance functions the efficiency and effectiveness of risk management as-independently of one another. Without effective coordi- surance investments made by an organization.nation and reporting, work can be duplicated or key risksmay be missed or misjudged. Risk ManagementMany internal audit functions work in close cooperation and Assurancewith risk management. Some organizations do not have aformal risk management function and in this case the in- (Assurance Services)ternal audit activity often provides risk management con- The International Standards for the Professional Practicesulting services to the organization. Internal audit should of Internal Auditing (Standards) Glossary defines risknot give independent assurance on any part of the risk management as “a process to identify, assess, manage, andmanagement framework for which it is responsible. Other control potential events or situations to provide reason-suitably qualified parties should provide such assurance. able assurance regarding the achievement of the organiza- tion’s objectives.” This is consistent with the International Standards Organization’s definition of risk management, which is “coordinated activities to direct and control an organization with regard to risk.” www.globaliia.org/standards-guidance / 1
  4. 4. IPPF – Practice Guide Coordinating Risk Management and AssuranceEnterprise risk management (ERM) — also known asenterprise-wide risk management — is a commonly used Assurance Frameworkterm. The Committee of Sponsoring Organizations of the The need for assurance arises from an organization’s gov-Treadway Commission defines it as “a process, effected ernance processes. Its origin is in the stewardship rela-by an entity’s board of directors, management, and other tionship between the board of an organization and itspersonnel, applied in strategy setting and across the enter- shareholders. This stewardship relationship demandsprise, designed to identify potential events that may affect that boards establish processes to both delegate and limitthe entity, and manage risk to be within its risk appetite, to power to pursue the organization’s strategy and directionprovide reasonable assurance regarding the achievement in a way that enhances the prospects for the organization’sof entity objectives.” long-term success. Assurance processes are needed to al- low the board to monitor the exercise of that power.Assurance services should be objective and professional,and can be obtained from a range of assurance providers. Risk management is a management process that promotesSuch providers can be internal — such as internal audit, the efficient and effective achievement of organizationalworkplace health and safety, compliance, and security — objectives. Assurance and risk management are comple-as well as external, such as statutory audit. mentary processes. In support of the risk management process, the major role of internal audit and other inde-The Glossary of the Standards defines assurance services pendent assurance providers is to provide assurance that:as “an objective examination of evidence for the purposeof providing an independent assessment on governance, • The risk management process has been appliedrisk management, and control processes of the organiza- appropriately and that elements of the process aretion.” suitable and sufficient. • The risk management process is keeping with theThere are generally three parties involved in assurance strategic needs and intent of the organization.services: • Processes and systems are in place to ensure that • The person or group directly involved with the entity, all material risks have been identified and are being operation, function, process, system, or other subject treated. matter, and oversight functions such as risk manage- • All prioritized intolerable risks have cost-effective ment, compliance, and finance. treatment plans in place. • The person or group making the assessment (the as- • Controls are being correctly designed in keeping with surance provider). the outputs of the risk management process. • The user of the assessment, such as executive man- • Key controls are adequate and effective. agement and the board. • Risks are not over-controlled or inefficiently con- trolled. • Line management review and other non-audit as- surance activities are effective at maintaining and improving controls. • Risk treatment plans are being executed. www.globaliia.org/standards-guidance / 2
  5. 5. IPPF – Practice Guide Coordinating Risk Management and Assurance • There is appropriate and as-reported progress in the provision of a formal statement of compliance or comfort risk management plan. to an external body.In support of the assurance process, the risk management The assurance objectives will dictate the assurance strate-process should: gy and level of rigor employed, but the basic requirements include assurance that: • Establish an organization-specific, documented risk management policy and framework. • All material risks have been identified. • Assign responsibility for effective identification and • Risks have been accurately analyzed and evaluated. management of significant risks. • Key controls are both adequate and effective. • Provide a structured analysis of the risks of the orga- nization recording: • Management is appropriately addressing intolerable risks. – Risks, their associated exposures, and current risk ratings. There are three fundamental classes of assurance provid- – The organizational objective(s) to which the risk ers, differentiated by the stakeholders they serve, their applies. level of independence from the activities over which they provide assurance, and the robustness of that assurance. – The organizational position responsible for identi- They are: fying and managing each risk. – Key control systems established to identify and • Those who report to management or are part of manage each risk. management (management assurance), including individuals who perform control self-assessments,The assurance strategy is closely aligned with the corpo- quality auditors, environmental auditors, and otherrate or other strategic plans of the organization. The legal, management (designated assurance personnel).legislative, cultural, and economic environment in which • Those who report to the board, including internalthe organization is operating, as well as the nature of the audit.organization’s activities and its long-term plans drives as-surance needs. • Those who report to external stakeholders (financial statement assurance), a role traditionally fulfilled byIt is an important first step to identify who will be the the independent/statutory auditor.users of organizational assurance. Clearly, the board and The level of assurance desired will vary depending on themanagement are the primary users. Other users may in- risk and other factors such as regulations. Who shouldclude the owners, regulators, government, or customers provide that assurance will vary based on the ability of thefor whom the organization is a critical supply component. assurance provider to deliver the necessary level of inde-In today’s highly interconnected economy, external enti- pendence and objectivity, as well as the historical organi-ties may require assurance of the organization as part of zational design of the entity and skill sets available withintheir own risk management process. the assurance group.The required assurance may range from providing comfortto the board when they need to approve the formal finan-cial statements or the contents of the annual report to the www.globaliia.org/standards-guidance / 3
  6. 6. IPPF – Practice Guide Coordinating Risk Management and AssuranceThe Respective Roles of Risk their design and operating effectiveness), management of those risks classified as high risk (including the effective-Management, Internal Audit, ness of the controls and other responses to them), veri-Compliance,and Other fication of the reliability and appropriateness of the risk assessment, and reporting of the risk and control status.Assurance Providers With responsibility for assurance activities traditionallyAssurance providers for an organization may include: being shared among management, internal audit, risk management, and compliance, it is important that assur- • Line management and employees (management ance activities are coordinated to ensure resources are provides assurance as a first line of defense over the used in the most efficient and effective way. Many organi- risks and controls for which they are responsible). zations operate with traditional (and separate) internal au- • Senior management. dit, risk, and compliance activities. Compliance is defined in the the Glossary of the Standards as “adhering to the re- • Internal and external auditors. quirements of laws, industry, and organizational standards • Compliance. and codes, principles of good governance and accepted • Quality assurance. community and ethical standards.” A compliance program is a series of activities that when combined are intended • Risk management. to achieve compliance. Without effective coordination • Environmental auditors. and reporting, work can be duplicated or key risks may be • Workplace health and safety auditors. missed or misjudged. • Government performance auditors. Risk management is fundamental to organizational con- • Financial reporting review teams. trol and a critical part of providing sound corporate gov- • Subcommittees of the board (such as audit, actu- ernance. It touches all of the organization’s activities. For arial, credit, governance). this reason many organizations have moved to adopt a more formalized ERM process. • External assurance providers, including surveys, specialist reviews (health and safety), etc.Refer to The IIA’s Practice Guide, Reliance on Internal Coordination Role of the CAEAudit by Other Assurance Providers (December 2011), IIA Standard 2050: Coordination states that the CAEfor more information on the range of internal and external should share information and coordinate activities withassurance providers. Also, refer to The IIA’s Position Pa- other internal and external providers of assurance andper, The Role of Internal Auditing in Enterprise-wide Risk consulting services to ensure appropriate coverage andManagement, (January 2009) regarding what roles are ap- minimize duplication of efforts. This responsibility re-propriate for internal audit in regard to risk management. quires the CAE’s inclusion and participation in the orga- nization’s assurance provider framework. This frameworkThe internal audit activity will normally provide assurance can consist of internal audit, external audit, governance,coverage over parts of the organization approved in the risk management, and other business control functions/internal audit charter or terms of engagement letter. This disclosures performed by the organization’s managementcoverage should include risk management processes (both team. Inclusion and participation in this framework helps www.globaliia.org/standards-guidance / 4
  7. 7. IPPF – Practice Guide Coordinating Risk Management and Assuranceensure that the CAE is aware of the organization’s risks nance or risk management function. Regardless of the ori-and controls in relation to goals and objectives. gin of the report, it is important that the CAE can rely on the techniques and methods performed by the assuranceMost internal audit functions perform annual and engage- providers.ment-based risk assessment activities to help prioritizerisks according to their potential impacts on the organiza- A thorough, documented and continuous risk manage-tion’s achievement of goals and objectives. At the macro- ment process is part of good governance and an importantlevel, these activities assist the internal audit activity to management tool to provide assurance that appropriatedevelop a proposed audit plan to submit to the board. At controls are in place to achieve the objectives of an orga-the micro-level, these activities help prioritize the scope nization.of audit work and assurance being provided by internalaudit engagements. The establishment of an effective enterprise-wide risk management system is a key responsibility of manage-It is important that the work performed by assurance ment. Boards and management are responsible for adopt-providers is understood and assessed by the CAE on an ing a holistic approach to the identification of organi-ongoing basis. This helps ensure that appropriate due pro- zational risks, creating controls to mitigate those risks,fessional care is exercised in the performance of internal monitoring and reviewing the identified risks and controls,audit work, including risk assessment activities performed and ensuring that risk management is integrated into theto derive proposed audit plans submitted to the board. organization — both at the strategic and operational lev-This also helps the board understand the coverage pro- els. Some organizations have delegated independent riskvided by the organization’s assurance providers to better management functions, but others do not have an inde-assess appropriate assignment of resources and potential pendent risk management function and require internalexposures due to non-coverage. audit to provide consulting services in this area. Internal audit can assist in identifying, evaluating, and facilitatingCoordination between assurance providers includes regu- risk management methodologies. Internal audit also is re-lar sharing of reports and outcomes of assurance activities. sponsible for evaluating the effectiveness and contribut-This formal coordination should occur on a regular basis ing to the improvement of the risk management process.and include time for discussion and review of techniquesand methods used to reach conclusions. This includes Identifying risks in a systematic way supports sound deci-management’s responses and an understanding of activi- sion making. It is about performing a thorough analysis ofties performed to mitigate any risks or control deficiencies the organization on various levels, describing events thatidentified. might occur, deciding on the importance of those risks, and developing adequate measures to deal with them.The CAE may develop an annual report to be shared withthe organization’s board and executive management team.This report should outline the organization’s assuranceprovider framework, the coverage of the assurance beingprovided, areas of high risk, and residual/un-mitigated riskareas within the organization. Another alternative wouldbe for the CAE to coordinate the development and dis-tribution of this report through the organization’s gover- www.globaliia.org/standards-guidance / 5
  8. 8. IPPF – Practice Guide Coordinating Risk Management and AssuranceUsing the Risk Management to base internal audit plans and individual audit engage- ments on the main identified internal risks and controls.Process in Internal AuditPlanning Internal audit should prepare short- and long-term au- dit plans to ensure that their activities are covering theThe documentation of risk management in an organiza- main risk areas and internal controls of the organization.tion can be at various levels below the strategic risk man- As business circumstances can change substantially, con-agement process. Many organizations have developed risk tinuous monitoring and periodic revision of annual plansregisters that document risks below the strategic level, — with at least yearly reviews of longer term plans — areproviding documentation of significant risks in an area needed to ensure that audit plans are flexible, based onand related inherent and residual risk ratings, key con- up-to-date information and cover changing priorities andtrols, and mitigating factors. An alignment exercise can risk areas.then be undertaken to identify links between the itemsincluded in the audit universe documented by the internal Standard 2010: Planning states that “the [CAE] must es-audit activity and risk categories and aspects described in tablish risk-based plans to determine the priorities of thethe risk registers. internal audit activity, consistent with the organization’s goals.” Also, Standard 2010.A1 states “the internal auditSome organizations may identify several high (or higher) activity’s plan of engagements must be based on a docu-inherent risk (potential exposure) areas. While these risks mented risk assessment, undertaken at least annually. Themay warrant internal audit attention, it is not always pos- input of senior management and the board must be con-sible to review all of them. Where the risk register shows sidered in this process.”a high, or higher, ranking for inherent risk (or major po-tential exposure) in a particular area, and the current risk Standard 2120: Risk Management states, “the internal au-remains similarly high with no action by management or dit activity must evaluate the effectiveness and contributeinternal audit planned, the CAE should report those areas to the improvement of risk management processes.”to the board with details of the risk analysis and reasonsfor the lack of, or ineffectiveness of, internal controls. The following are steps to consider in the preparation of internal audit plans to determine risks and exposures thatIn addition to evaluating the effectiveness of the organi- may affect the achievement of the organization’s goals andzation’s risk management process and contributing to its objectives:improvement, internal audit also uses the results of the • Research and review corporate documents such asrisk management process to develop annual audit plans enterprise business plans, strategic plans, enterpriseand individual audit engagements. risk assessments, yearly reports, minutes of board meetings, minutes of management meetings, outsideInternal audit is often asked to deliver better results with reports, external audit reports and other appropriatestrained resources. This can be achieved by strategically sources.placing internal audit work where it can be most effectivein delivering the best results and having the highest effect • Review previous internal audit plans, progress re-on the outcome of the strategic and operational goals of ports, and works in progress.the business entity. One of the tools of achieving this is • Consult senior management of the organization and www.globaliia.org/standards-guidance / 6
  9. 9. IPPF – Practice Guide Coordinating Risk Management and Assurance solicit information regarding concerns or risks areas. ditors must address risk consistent with the engagement’s • Conduct a risk assessment of the issues and deter- objectives and be alert to the existence of other signifi- mine priorities for the annual audit plan. cant risks.” • Prepare a draft audit plan. Thorough planning of an internal audit is crucial to its • Communicate the proposed audit plan to stakehold- success. It provides an opportunity to become familiar ers. with the entity being audited; to gather relevant issues, • Seek feedback and validation of the major risk areas concerns, and risks; to complete a risk assessment, and to review. determine the objectives and scope of the audit. • Finalize the audit plans. In developing an audit engagement plan, the internal au- • Present to management and the board for approval. dit team should conduct a formal, comprehensive and • Regularly monitor, review, and re-evaluate the plans documented risk assessment to identify audit issues and in light of changing circumstances. risk events. This involves significant research, consulting with management of the entity or area under review, andWhile the broader rationale and objective of an internal becoming familiar with the entity or area.audit are developed in the annual planning phase, de-tailed research and work are needed at the onset of the Risk assessment methods can vary; however, all risk as-audit to define the detailed objective and scope and de- sessments should cover the following points:velop criteria and methodology. • Description of the risk event (negative occurrence,Standard 2201: Planning Considerations states that “In undesirable event).planning engagements, internal auditors must consider: • Likelihood of the event happening (strong, moder- ate, weak). • The significant risks to the activity, its objectives, resources, and operations and the means by which • The impact of negative occurrence on the achieve- the potential impact of risk is kept to an acceptable ment of goals and objectives (high, moderate, low). level. • Current controls (systems, policies, procedures, • The adequacy and effectiveness of the activity’s risk etc.) in place and their effectiveness (effective/not management and control systems compared to a effective). relevant control framework or model. • Ranking of the risk events. • The opportunities for making significant improve- Every potential audit highlights a wide range of issues for ments to the activity’s risk management and control examination. However, it is not necessary, reasonable, or processes.” cost effective to look at them all. The audit team has toAlso, Standard 2210: Engagement Objectives states, “In- be cognizant of, and concentrate its efforts on, the mostternal auditors must conduct a preliminary assessment of important and high-risk issues.risks relevant to the activity under review. Engagementobjectives must reflect the results of this assessment.” By ranking the possible risk events, this process willWith regard to consulting engagements, Standard 2120. identify the issues with the most significance andC1 states, “During consulting engagements, internal au- highest ranking. At this point, a decision can be made www.globaliia.org/standards-guidance / 7
  10. 10. IPPF – Practice Guide Coordinating Risk Management and Assuranceregarding which issues are material and will be audited CAE can take this one step further and help in the cre-in light of the audit’s objective, and take into consider- ation of an assurance map for the organization. This willation other factors such as auditability, resources, and not only assist the board in providing governance over-time lines. The results of the risk assessment should be sight, but also will assist the CAE in ensuring the auditpresented and discussed with management of the entity activity is optimizing its resources for maximum assuranceunder review to ensure their concurrence and validation. value, and creating a more connected assurance commu- nity through effective coordination.Preparation of Assurance MapsBoards will use various sources to gain reliable assurance, Feedback on Significant Riskincluding management, internal audit, and third parties. Areas in Internal Audit Reports Many organizations operate with separate internal audit, During all assurance work, particularly where the scoperisk, and compliance functions, and it is not uncommon relates to significant potential exposures identified in anfor organizations to have a number of separate groups organization’s risk management process, audit approach,performing different risk management functions indepen- audit procedures, and communications should be de-dently of one another. As discussed in Practice Advisory signed to evaluate management’s assertions on the effec-2050-2, an assurance map is a valuable tool for coordi- tiveness of controls in bringing risk within an organiza-nating these risk management and assurance activities to tion’s risk tolerance threshold.increase the efficiency and effectiveness of assurance in-vestments made by an organization. Assurance maps can Reports to management and the board can describe thehelp: potential exposure and management’s assessment of cur- rent risks (with the implied value of the controls in place) • Identify duplication and overlap in assurance cover- together with the audit evaluation of the risk ratings. Any age, allowing the board and senior management to differences should be fed into management’s risk manage- decide if the overlap is necessary, intentional, or ment process for consideration. should be eliminated. • Define scope boundaries and roles and responsibili- The cumulative effect over time of such assurance ac- ties for various assurance providers to ensure the tivities over specific risk areas using a risk-based audit right resources are focused on the right risks. This plan will provide assurance not only over those areas, but can enhance the effectiveness of assurance providers also on the effectiveness of the overall risk management by ensuring they are focused on the areas that need process. their attention, and by clearly articulating the expec- tations of the board and senior management. • Assist in identifying any gaps in assurance coverage Assessment by Internal Audit that need to be addressed. of the Adequacy of RiskIt is the responsibility of the CAE to understand the as- Managementsurance requirements of the board and the organization,clarify the role the internal audit activity fills, and the level Internal audit should provide assurance as required byof assurance it provides. However, given their unique van- Standards 2100: Nature of Work, 2120: Risk Managementtage point to assurance activities in the organization, the and 2400: Communicating Results to senior management, www.globaliia.org/standards-guidance / 8
  11. 11. IPPF – Practice Guide Coordinating Risk Management and Assuranceand ultimately the board, that the organization is managing the effectiveness of the status of the risk manage-its risks effectively. Insofar as internal audit will need to in- ment system to senior management and the board.clude the adequacy of risk management within this scopethere are two dimensions to consider: The CAE has three important functions in the review of risk management, and as in any other audit assignment: 1. Whether the risk management function includes all appropriate risk areas within its remit. • Test the controls. • Report any missing or ineffective controls. 2. Whether the risk management function is operat- ing effectively. • Recommend improvements.The main elements of the assessment that internal auditwill need to encompass are covered to a large extent by The Promotion of RiskPractice Advisory 2120-1: Assessing the Adequacy of Risk Management by Internal AuditManagement Processes. The main features are: Standard 2100 states, “The internal audit activity must • Boards of management, as part of their oversight evaluate and contribute to the improvement of gover- role, may direct internal audit to assist by reviewing nance, risk management, and control processes using a and reporting on the adequacy of risk management. systematic and disciplined approach.” The internal audit activity often has a role providing independent and objec- • Management and the board are responsible for risk tive assurance to the organization’s board regarding the management; however, internal auditors acting in effectiveness of an organization’s ERM activities. This a consulting role can assist management in this helps ensure key business risks are being managed appro- responsibility. priately and the organization’s system of internal controls • Where the organization does not have a formal risk is operating effectively and efficiently. management process, the CAE should formally dis- cuss the situation with management and the board. Risk management is a management process that pro- motes the cost-effective achievement of organizationalThe CAE should establish that: objectives. Assurance provides reliable information about the achievements of risk management activity. Assurance • There is a culture of effective risk management. and risk management are complementary processes. • There is a clear understanding at all levels of the potential exposures or inherent risks facing the orga- Often the internal audit activity of an organization will nization (e.g., a risk register). work in close cooperation with the risk management • There is a clear understanding of the current level of function. By independently reviewing the risk manage- risk within the organization. ment process of an organization, internal audit can pro- mote risk management throughout the organization and • The amount of risk taken at every level of the organi- the audit process can be aligned with risk management zation is clearly defined and understood. frameworks. Consistent risk language used throughout • Adequate and effective controls exist to mitigate the organization can be adopted by internal audit. risks. • There is an appropriate method of communicating www.globaliia.org/standards-guidance / 9
  12. 12. IPPF – Practice Guide Coordinating Risk Management and AssuranceInternal audit’s review of risk identification, risk evalua- in Enterprise-wide Risk Management (January 2009),tion, control identification and evaluation, and appropri- describes roles that are appropriate for internal audit inate risk treatments challenges and enhances risk registers regard to risk management.and the risk management framework. Impact on Internal Audit WhereWhere Internal Audit Facilitates a Formal Risk ManagementRisk Management Function Does Not ExistSome organizations do not have a formal risk management When an organization does not have a risk managementfunction, and in this case the internal audit activity may function, it typically requires increased effort from theprovide risk management consulting services to the or- CAE to communicate risk management and assuranceganization. Internal audit may provide risk management activities to the board. Increased importance is placed onconsulting provided certain conditions apply: the quality of the internal audit risk assessment as the sole • It should be clear that management remains respon- view of risk the board may be exposed to. sible for risk management even in those organizations The CAE should promote the risk management function where internal audit has been asked to facilitate the as an important activity that assists the organization in risk management program. Internal audit should achieving its objectives, and provides recommendations not manage any risks on behalf of management, nor for establishing such a process. If requested, the CAE can make final decisions regarding the enterprise’s risk play a proactive consultative role in assisting with the ini- appetite or level of resource allocation to control or tial establishment of a risk management process for the mitigate risk. Whenever internal audit acts to help organization. However, while the internal audit function the management team to set up or to improve risk can facilitate or enable the creation of risk management management processes, the audit committee should processes, they should not be responsible for the process- approve its plan of work. es or management of the identified risks. Initially, the in- • The nature of internal audit’s responsibilities should ternal audit function can facilitate management’s risk as- be documented in the internal audit charter and ap- sessment processes; however, it is advisable to have such proved by the board. Any work beyond the assurance facilitation activities separated from assurance activities activities should be recognized as a consulting en- in the CAE’s organization. gagement and the implementation standards related to such engagements should be followed. If internal audit’s role exceeds normal assurance and • Internal audit should provide advice, challenge, and consulting activities such that independence could be act as a support to management’s decision making, impaired, the CAE should conform to the disclosure re- as opposed to making risk management decisions. quirements of the Standards. Internal audit cannot give objective assurance on any part of the risk management framework for which it is responsible. Other suitably qualified parties should provide such assurance.The IIA’s Position Paper, The Role of Internal Auditing www.globaliia.org/standards-guidance / 10
  13. 13. IPPF – Practice Guide Coordinating Risk Management and AssuranceAuthors:Andrew MacLeod, CIA, CMIIABrian Foster, CIAPatricia MacdonaldAndy RobertsonTeis Stokka, CIABenito Ybarra, CIAReviewers:Doug Anderson, CIA, CRMAAndy Dahle, CIASteve Jameson, CISA, CCSA, CFSA, CRMADavid Zechnich, CIA, CPA www.globaliia.org/standards-guidance / 11
  14. 14. About the Institute DisclaimerEstablished in 1941, The Institute of Internal The IIA publishes this document for informa-Auditors (IIA) is an international professional tional and educational purposes. This guidanceassociation with global headquarters in Altamonte material is not intended to provide definitive an-Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and asprofession’s global voice, recognized authority, such is only intended to be used as a guide. Theacknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen-pal educator. dent expert advice relating directly to any specific situation. The IIA accepts no responsibility forAbout Practice Guides anyone placing sole reliance on this guidance.Practice Guides provide detailed guidance forconducting internal audit activities. They include Copyrightdetailed processes and procedures, such as tools Copyright ® 2012 The Institute of Internaland techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, pleaseproaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org.Practice Guides are part of The IIA’s IPPF. Aspart of the Strongly Recommended categoryof guidance, compliance is not mandatory, butit is strongly recommended, and the guidanceis endorsed by The IIA through formal reviewand approval processes. For other authoritativeguidance materials provided by The IIA, pleasevisit our website at https://globaliia.org/standards-guidance. global headquarters T: +1-407-937-1111 247 Maitland Ave. F: +1-407-937-1101 Altamonte Springs, FL 32701 USA W: www.globaliia.org 120362

×