SlideShare uma empresa Scribd logo

Coordinating risk mgt and assurance march 2012

Good Light Massage Center
Good Light Massage Center
1 de 14
Baixar para ler offline
– Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012
IPPF – Practice Guide Coordinating Risk Management and Assurance Table of Contents Executive Summary......................................................................................... 1 Introduction.................................................................................................... 1 Risk Management and Assurance (Assurance Services)................................. 1 Assurance Framework..................................................................................... 2 The Respective Roles of Risk Management, Internal Audit, Compliance, and other Assurance Providers........................................................................ 4 Coordination Role of the CAE.......................................................................... 4 Using the Risk Management Process in Internal Audit Planning...................... 6 Preparation of Assurance Maps...................................................................... 8 Feedback on Significant Risk Areas in Internal Audit Reports......................... 8 Assessment by Internal Audit of the Adequacy of Risk Management............... 8 The Promotion of Risk Management by Internal Audit..................................... 9 Where Internal Audit Facilitates Risk Managment......................................... 10 Impact on Internal Audit Where a Formal Risk Management Function Does Not Exist................................................................................ 10 www.globaliia.org/standards-guidance / B
IPPF – Practice Guide Coordinating Risk Management and Assurance Executive Summary Introduction Risk management is fundamental to organizational con- Standard 2050: Coordination states, “The chief audit ex- trol and a critical part of providing sound corporate gov- ecutive [CAE] should share information and coordinate ernance. It touches all of the organization’s activities. The activities with other internal and external providers of as- establishment of an effective enterprise-wide risk man- surance and consulting services to ensure proper coverage agement system is a key responsibility of management and and minimize duplication of efforts.” This responsibility the board, which are responsible for adopting a holistic requires the CAE’s inclusion and participation in the orga- approach to the identification of organizational risks, cre- nization’s assurance provider framework. This framework ating controls to mitigate those risks, and monitoring and can consist of internal audit, external audit, governance, reviewing the identified risks and controls. They should risk management, or other business control functions/ ensure that risk management is integrated into the organi- disclosures performed by the organization’s management zation, both at the strategic and operational levels. team. Inclusion and participation in this framework helps ensure that the CAE is aware of the organization’s risks With responsibility for assurance activities traditionally and controls in relation to organizational goals and objec- being shared among management, internal audit, risk tives. management, and compliance, it is important that as- surance activities be coordinated to ensure resources are Boards will use various sources to gain reliable assurance, used in an efficient and effective way. Many organizations including management, internal audit, and third parties. operate with traditional (and separate) internal audit, risk, As discussed in Practice Advisory 2050-2: Assurance and compliance activities. It is common for organizations Maps, an assurance map is a valuable tool for coordinat- to have a number of separate groups performing different ing risk management and assurance activities to increase risk management, compliance, and assurance functions the efficiency and effectiveness of risk management as- independently of one another. Without effective coordi- surance investments made by an organization. nation and reporting, work can be duplicated or key risks may be missed or misjudged. Risk Management Many internal audit functions work in close cooperation and Assurance with risk management. Some organizations do not have a formal risk management function and in this case the in- (Assurance Services) ternal audit activity often provides risk management con- The International Standards for the Professional Practice sulting services to the organization. Internal audit should of Internal Auditing (Standards) Glossary defines risk not give independent assurance on any part of the risk management as “a process to identify, assess, manage, and management framework for which it is responsible. Other control potential events or situations to provide reason- suitably qualified parties should provide such assurance. able assurance regarding the achievement of the organiza- tion’s objectives.” This is consistent with the International Standards Organization’s definition of risk management, which is “coordinated activities to direct and control an organization with regard to risk.” www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide Coordinating Risk Management and Assurance Enterprise risk management (ERM) — also known as enterprise-wide risk management — is a commonly used Assurance Framework term. The Committee of Sponsoring Organizations of the The need for assurance arises from an organization’s gov- Treadway Commission defines it as “a process, effected ernance processes. Its origin is in the stewardship rela- by an entity’s board of directors, management, and other tionship between the board of an organization and its personnel, applied in strategy setting and across the enter- shareholders. This stewardship relationship demands prise, designed to identify potential events that may affect that boards establish processes to both delegate and limit the entity, and manage risk to be within its risk appetite, to power to pursue the organization’s strategy and direction provide reasonable assurance regarding the achievement in a way that enhances the prospects for the organization’s of entity objectives.” long-term success. Assurance processes are needed to al- low the board to monitor the exercise of that power. Assurance services should be objective and professional, and can be obtained from a range of assurance providers. Risk management is a management process that promotes Such providers can be internal — such as internal audit, the efficient and effective achievement of organizational workplace health and safety, compliance, and security — objectives. Assurance and risk management are comple- as well as external, such as statutory audit. mentary processes. In support of the risk management process, the major role of internal audit and other inde- The Glossary of the Standards defines assurance services pendent assurance providers is to provide assurance that: as “an objective examination of evidence for the purpose of providing an independent assessment on governance, • The risk management process has been applied risk management, and control processes of the organiza- appropriately and that elements of the process are tion.” suitable and sufficient. • The risk management process is keeping with the There are generally three parties involved in assurance strategic needs and intent of the organization. services: • Processes and systems are in place to ensure that • The person or group directly involved with the entity, all material risks have been identified and are being operation, function, process, system, or other subject treated. matter, and oversight functions such as risk manage- • All prioritized intolerable risks have cost-effective ment, compliance, and finance. treatment plans in place. • The person or group making the assessment (the as- • Controls are being correctly designed in keeping with surance provider). the outputs of the risk management process. • The user of the assessment, such as executive man- • Key controls are adequate and effective. agement and the board. • Risks are not over-controlled or inefficiently con- trolled. • Line management review and other non-audit as- surance activities are effective at maintaining and improving controls. • Risk treatment plans are being executed. www.globaliia.org/standards-guidance / 2
IPPF – Practice Guide Coordinating Risk Management and Assurance • There is appropriate and as-reported progress in the provision of a formal statement of compliance or comfort risk management plan. to an external body. In support of the assurance process, the risk management The assurance objectives will dictate the assurance strate- process should: gy and level of rigor employed, but the basic requirements include assurance that: • Establish an organization-specific, documented risk management policy and framework. • All material risks have been identified. • Assign responsibility for effective identification and • Risks have been accurately analyzed and evaluated. management of significant risks. • Key controls are both adequate and effective. • Provide a structured analysis of the risks of the orga- nization recording: • Management is appropriately addressing intolerable risks. – Risks, their associated exposures, and current risk ratings. There are three fundamental classes of assurance provid- – The organizational objective(s) to which the risk ers, differentiated by the stakeholders they serve, their applies. level of independence from the activities over which they provide assurance, and the robustness of that assurance. – The organizational position responsible for identi- They are: fying and managing each risk. – Key control systems established to identify and • Those who report to management or are part of manage each risk. management (management assurance), including individuals who perform control self-assessments, The assurance strategy is closely aligned with the corpo- quality auditors, environmental auditors, and other rate or other strategic plans of the organization. The legal, management (designated assurance personnel). legislative, cultural, and economic environment in which • Those who report to the board, including internal the organization is operating, as well as the nature of the audit. organization’s activities and its long-term plans drives as- surance needs. • Those who report to external stakeholders (financial statement assurance), a role traditionally fulfilled by It is an important first step to identify who will be the the independent/statutory auditor. users of organizational assurance. Clearly, the board and The level of assurance desired will vary depending on the management are the primary users. Other users may in- risk and other factors such as regulations. Who should clude the owners, regulators, government, or customers provide that assurance will vary based on the ability of the for whom the organization is a critical supply component. assurance provider to deliver the necessary level of inde- In today’s highly interconnected economy, external enti- pendence and objectivity, as well as the historical organi- ties may require assurance of the organization as part of zational design of the entity and skill sets available within their own risk management process. the assurance group. The required assurance may range from providing comfort to the board when they need to approve the formal finan- cial statements or the contents of the annual report to the www.globaliia.org/standards-guidance / 3
IPPF – Practice Guide Coordinating Risk Management and Assurance The Respective Roles of Risk their design and operating effectiveness), management of those risks classified as high risk (including the effective- Management, Internal Audit, ness of the controls and other responses to them), veri- Compliance,and Other fication of the reliability and appropriateness of the risk assessment, and reporting of the risk and control status. Assurance Providers With responsibility for assurance activities traditionally Assurance providers for an organization may include: being shared among management, internal audit, risk management, and compliance, it is important that assur- • Line management and employees (management ance activities are coordinated to ensure resources are provides assurance as a first line of defense over the used in the most efficient and effective way. Many organi- risks and controls for which they are responsible). zations operate with traditional (and separate) internal au- • Senior management. dit, risk, and compliance activities. Compliance is defined in the the Glossary of the Standards as “adhering to the re- • Internal and external auditors. quirements of laws, industry, and organizational standards • Compliance. and codes, principles of good governance and accepted • Quality assurance. community and ethical standards.” A compliance program is a series of activities that when combined are intended • Risk management. to achieve compliance. Without effective coordination • Environmental auditors. and reporting, work can be duplicated or key risks may be • Workplace health and safety auditors. missed or misjudged. • Government performance auditors. Risk management is fundamental to organizational con- • Financial reporting review teams. trol and a critical part of providing sound corporate gov- • Subcommittees of the board (such as audit, actu- ernance. It touches all of the organization’s activities. For arial, credit, governance). this reason many organizations have moved to adopt a more formalized ERM process. • External assurance providers, including surveys, specialist reviews (health and safety), etc. Refer to The IIA’s Practice Guide, Reliance on Internal Coordination Role of the CAE Audit by Other Assurance Providers (December 2011), IIA Standard 2050: Coordination states that the CAE for more information on the range of internal and external should share information and coordinate activities with assurance providers. Also, refer to The IIA’s Position Pa- other internal and external providers of assurance and per, The Role of Internal Auditing in Enterprise-wide Risk consulting services to ensure appropriate coverage and Management, (January 2009) regarding what roles are ap- minimize duplication of efforts. This responsibility re- propriate for internal audit in regard to risk management. quires the CAE’s inclusion and participation in the orga- nization’s assurance provider framework. This framework The internal audit activity will normally provide assurance can consist of internal audit, external audit, governance, coverage over parts of the organization approved in the risk management, and other business control functions/ internal audit charter or terms of engagement letter. This disclosures performed by the organization’s management coverage should include risk management processes (both team. Inclusion and participation in this framework helps www.globaliia.org/standards-guidance / 4
IPPF – Practice Guide Coordinating Risk Management and Assurance ensure that the CAE is aware of the organization’s risks nance or risk management function. Regardless of the ori- and controls in relation to goals and objectives. gin of the report, it is important that the CAE can rely on the techniques and methods performed by the assurance Most internal audit functions perform annual and engage- providers. ment-based risk assessment activities to help prioritize risks according to their potential impacts on the organiza- A thorough, documented and continuous risk manage- tion’s achievement of goals and objectives. At the macro- ment process is part of good governance and an important level, these activities assist the internal audit activity to management tool to provide assurance that appropriate develop a proposed audit plan to submit to the board. At controls are in place to achieve the objectives of an orga- the micro-level, these activities help prioritize the scope nization. of audit work and assurance being provided by internal audit engagements. The establishment of an effective enterprise-wide risk management system is a key responsibility of manage- It is important that the work performed by assurance ment. Boards and management are responsible for adopt- providers is understood and assessed by the CAE on an ing a holistic approach to the identification of organi- ongoing basis. This helps ensure that appropriate due pro- zational risks, creating controls to mitigate those risks, fessional care is exercised in the performance of internal monitoring and reviewing the identified risks and controls, audit work, including risk assessment activities performed and ensuring that risk management is integrated into the to derive proposed audit plans submitted to the board. organization — both at the strategic and operational lev- This also helps the board understand the coverage pro- els. Some organizations have delegated independent risk vided by the organization’s assurance providers to better management functions, but others do not have an inde- assess appropriate assignment of resources and potential pendent risk management function and require internal exposures due to non-coverage. audit to provide consulting services in this area. Internal audit can assist in identifying, evaluating, and facilitating Coordination between assurance providers includes regu- risk management methodologies. Internal audit also is re- lar sharing of reports and outcomes of assurance activities. sponsible for evaluating the effectiveness and contribut- This formal coordination should occur on a regular basis ing to the improvement of the risk management process. and include time for discussion and review of techniques and methods used to reach conclusions. This includes Identifying risks in a systematic way supports sound deci- management’s responses and an understanding of activi- sion making. It is about performing a thorough analysis of ties performed to mitigate any risks or control deficiencies the organization on various levels, describing events that identified. might occur, deciding on the importance of those risks, and developing adequate measures to deal with them. The CAE may develop an annual report to be shared with the organization’s board and executive management team. This report should outline the organization’s assurance provider framework, the coverage of the assurance being provided, areas of high risk, and residual/un-mitigated risk areas within the organization. Another alternative would be for the CAE to coordinate the development and dis- tribution of this report through the organization’s gover- www.globaliia.org/standards-guidance / 5
IPPF – Practice Guide Coordinating Risk Management and Assurance Using the Risk Management to base internal audit plans and individual audit engage- ments on the main identified internal risks and controls. Process in Internal Audit Planning Internal audit should prepare short- and long-term au- dit plans to ensure that their activities are covering the The documentation of risk management in an organiza- main risk areas and internal controls of the organization. tion can be at various levels below the strategic risk man- As business circumstances can change substantially, con- agement process. Many organizations have developed risk tinuous monitoring and periodic revision of annual plans registers that document risks below the strategic level, — with at least yearly reviews of longer term plans — are providing documentation of significant risks in an area needed to ensure that audit plans are flexible, based on and related inherent and residual risk ratings, key con- up-to-date information and cover changing priorities and trols, and mitigating factors. An alignment exercise can risk areas. then be undertaken to identify links between the items included in the audit universe documented by the internal Standard 2010: Planning states that “the [CAE] must es- audit activity and risk categories and aspects described in tablish risk-based plans to determine the priorities of the the risk registers. internal audit activity, consistent with the organization’s goals.” Also, Standard 2010.A1 states “the internal audit Some organizations may identify several high (or higher) activity’s plan of engagements must be based on a docu- inherent risk (potential exposure) areas. While these risks mented risk assessment, undertaken at least annually. The may warrant internal audit attention, it is not always pos- input of senior management and the board must be con- sible to review all of them. Where the risk register shows sidered in this process.” a high, or higher, ranking for inherent risk (or major po- tential exposure) in a particular area, and the current risk Standard 2120: Risk Management states, “the internal au- remains similarly high with no action by management or dit activity must evaluate the effectiveness and contribute internal audit planned, the CAE should report those areas to the improvement of risk management processes.” to the board with details of the risk analysis and reasons for the lack of, or ineffectiveness of, internal controls. The following are steps to consider in the preparation of internal audit plans to determine risks and exposures that In addition to evaluating the effectiveness of the organi- may affect the achievement of the organization’s goals and zation’s risk management process and contributing to its objectives: improvement, internal audit also uses the results of the • Research and review corporate documents such as risk management process to develop annual audit plans enterprise business plans, strategic plans, enterprise and individual audit engagements. risk assessments, yearly reports, minutes of board meetings, minutes of management meetings, outside Internal audit is often asked to deliver better results with reports, external audit reports and other appropriate strained resources. This can be achieved by strategically sources. placing internal audit work where it can be most effective in delivering the best results and having the highest effect • Review previous internal audit plans, progress re- on the outcome of the strategic and operational goals of ports, and works in progress. the business entity. One of the tools of achieving this is • Consult senior management of the organization and www.globaliia.org/standards-guidance / 6
IPPF – Practice Guide Coordinating Risk Management and Assurance solicit information regarding concerns or risks areas. ditors must address risk consistent with the engagement’s • Conduct a risk assessment of the issues and deter- objectives and be alert to the existence of other signifi- mine priorities for the annual audit plan. cant risks.” • Prepare a draft audit plan. Thorough planning of an internal audit is crucial to its • Communicate the proposed audit plan to stakehold- success. It provides an opportunity to become familiar ers. with the entity being audited; to gather relevant issues, • Seek feedback and validation of the major risk areas concerns, and risks; to complete a risk assessment, and to review. determine the objectives and scope of the audit. • Finalize the audit plans. In developing an audit engagement plan, the internal au- • Present to management and the board for approval. dit team should conduct a formal, comprehensive and • Regularly monitor, review, and re-evaluate the plans documented risk assessment to identify audit issues and in light of changing circumstances. risk events. This involves significant research, consulting with management of the entity or area under review, and While the broader rationale and objective of an internal becoming familiar with the entity or area. audit are developed in the annual planning phase, de- tailed research and work are needed at the onset of the Risk assessment methods can vary; however, all risk as- audit to define the detailed objective and scope and de- sessments should cover the following points: velop criteria and methodology. • Description of the risk event (negative occurrence, Standard 2201: Planning Considerations states that “In undesirable event). planning engagements, internal auditors must consider: • Likelihood of the event happening (strong, moder- ate, weak). • The significant risks to the activity, its objectives, resources, and operations and the means by which • The impact of negative occurrence on the achieve- the potential impact of risk is kept to an acceptable ment of goals and objectives (high, moderate, low). level. • Current controls (systems, policies, procedures, • The adequacy and effectiveness of the activity’s risk etc.) in place and their effectiveness (effective/not management and control systems compared to a effective). relevant control framework or model. • Ranking of the risk events. • The opportunities for making significant improve- Every potential audit highlights a wide range of issues for ments to the activity’s risk management and control examination. However, it is not necessary, reasonable, or processes.” cost effective to look at them all. The audit team has to Also, Standard 2210: Engagement Objectives states, “In- be cognizant of, and concentrate its efforts on, the most ternal auditors must conduct a preliminary assessment of important and high-risk issues. risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.” By ranking the possible risk events, this process will With regard to consulting engagements, Standard 2120. identify the issues with the most significance and C1 states, “During consulting engagements, internal au- highest ranking. At this point, a decision can be made www.globaliia.org/standards-guidance / 7
IPPF – Practice Guide Coordinating Risk Management and Assurance regarding which issues are material and will be audited CAE can take this one step further and help in the cre- in light of the audit’s objective, and take into consider- ation of an assurance map for the organization. This will ation other factors such as auditability, resources, and not only assist the board in providing governance over- time lines. The results of the risk assessment should be sight, but also will assist the CAE in ensuring the audit presented and discussed with management of the entity activity is optimizing its resources for maximum assurance under review to ensure their concurrence and validation. value, and creating a more connected assurance commu- nity through effective coordination. Preparation of Assurance Maps Boards will use various sources to gain reliable assurance, Feedback on Significant Risk including management, internal audit, and third parties. Areas in Internal Audit Reports Many organizations operate with separate internal audit, During all assurance work, particularly where the scope risk, and compliance functions, and it is not uncommon relates to significant potential exposures identified in an for organizations to have a number of separate groups organization’s risk management process, audit approach, performing different risk management functions indepen- audit procedures, and communications should be de- dently of one another. As discussed in Practice Advisory signed to evaluate management’s assertions on the effec- 2050-2, an assurance map is a valuable tool for coordi- tiveness of controls in bringing risk within an organiza- nating these risk management and assurance activities to tion’s risk tolerance threshold. increase the efficiency and effectiveness of assurance in- vestments made by an organization. Assurance maps can Reports to management and the board can describe the help: potential exposure and management’s assessment of cur- rent risks (with the implied value of the controls in place) • Identify duplication and overlap in assurance cover- together with the audit evaluation of the risk ratings. Any age, allowing the board and senior management to differences should be fed into management’s risk manage- decide if the overlap is necessary, intentional, or ment process for consideration. should be eliminated. • Define scope boundaries and roles and responsibili- The cumulative effect over time of such assurance ac- ties for various assurance providers to ensure the tivities over specific risk areas using a risk-based audit right resources are focused on the right risks. This plan will provide assurance not only over those areas, but can enhance the effectiveness of assurance providers also on the effectiveness of the overall risk management by ensuring they are focused on the areas that need process. their attention, and by clearly articulating the expec- tations of the board and senior management. • Assist in identifying any gaps in assurance coverage Assessment by Internal Audit that need to be addressed. of the Adequacy of Risk It is the responsibility of the CAE to understand the as- Management surance requirements of the board and the organization, clarify the role the internal audit activity fills, and the level Internal audit should provide assurance as required by of assurance it provides. However, given their unique van- Standards 2100: Nature of Work, 2120: Risk Management tage point to assurance activities in the organization, the and 2400: Communicating Results to senior management, www.globaliia.org/standards-guidance / 8
IPPF – Practice Guide Coordinating Risk Management and Assurance and ultimately the board, that the organization is managing the effectiveness of the status of the risk manage- its risks effectively. Insofar as internal audit will need to in- ment system to senior management and the board. clude the adequacy of risk management within this scope there are two dimensions to consider: The CAE has three important functions in the review of risk management, and as in any other audit assignment: 1. Whether the risk management function includes all appropriate risk areas within its remit. • Test the controls. • Report any missing or ineffective controls. 2. Whether the risk management function is operat- ing effectively. • Recommend improvements. The main elements of the assessment that internal audit will need to encompass are covered to a large extent by The Promotion of Risk Practice Advisory 2120-1: Assessing the Adequacy of Risk Management by Internal Audit Management Processes. The main features are: Standard 2100 states, “The internal audit activity must • Boards of management, as part of their oversight evaluate and contribute to the improvement of gover- role, may direct internal audit to assist by reviewing nance, risk management, and control processes using a and reporting on the adequacy of risk management. systematic and disciplined approach.” The internal audit activity often has a role providing independent and objec- • Management and the board are responsible for risk tive assurance to the organization’s board regarding the management; however, internal auditors acting in effectiveness of an organization’s ERM activities. This a consulting role can assist management in this helps ensure key business risks are being managed appro- responsibility. priately and the organization’s system of internal controls • Where the organization does not have a formal risk is operating effectively and efficiently. management process, the CAE should formally dis- cuss the situation with management and the board. Risk management is a management process that pro- motes the cost-effective achievement of organizational The CAE should establish that: objectives. Assurance provides reliable information about the achievements of risk management activity. Assurance • There is a culture of effective risk management. and risk management are complementary processes. • There is a clear understanding at all levels of the potential exposures or inherent risks facing the orga- Often the internal audit activity of an organization will nization (e.g., a risk register). work in close cooperation with the risk management • There is a clear understanding of the current level of function. By independently reviewing the risk manage- risk within the organization. ment process of an organization, internal audit can pro- mote risk management throughout the organization and • The amount of risk taken at every level of the organi- the audit process can be aligned with risk management zation is clearly defined and understood. frameworks. Consistent risk language used throughout • Adequate and effective controls exist to mitigate the organization can be adopted by internal audit. risks. • There is an appropriate method of communicating www.globaliia.org/standards-guidance / 9
IPPF – Practice Guide Coordinating Risk Management and Assurance Internal audit’s review of risk identification, risk evalua- in Enterprise-wide Risk Management (January 2009), tion, control identification and evaluation, and appropri- describes roles that are appropriate for internal audit in ate risk treatments challenges and enhances risk registers regard to risk management. and the risk management framework. Impact on Internal Audit Where Where Internal Audit Facilitates a Formal Risk Management Risk Management Function Does Not Exist Some organizations do not have a formal risk management When an organization does not have a risk management function, and in this case the internal audit activity may function, it typically requires increased effort from the provide risk management consulting services to the or- CAE to communicate risk management and assurance ganization. Internal audit may provide risk management activities to the board. Increased importance is placed on consulting provided certain conditions apply: the quality of the internal audit risk assessment as the sole • It should be clear that management remains respon- view of risk the board may be exposed to. sible for risk management even in those organizations The CAE should promote the risk management function where internal audit has been asked to facilitate the as an important activity that assists the organization in risk management program. Internal audit should achieving its objectives, and provides recommendations not manage any risks on behalf of management, nor for establishing such a process. If requested, the CAE can make final decisions regarding the enterprise’s risk play a proactive consultative role in assisting with the ini- appetite or level of resource allocation to control or tial establishment of a risk management process for the mitigate risk. Whenever internal audit acts to help organization. However, while the internal audit function the management team to set up or to improve risk can facilitate or enable the creation of risk management management processes, the audit committee should processes, they should not be responsible for the process- approve its plan of work. es or management of the identified risks. Initially, the in- • The nature of internal audit’s responsibilities should ternal audit function can facilitate management’s risk as- be documented in the internal audit charter and ap- sessment processes; however, it is advisable to have such proved by the board. Any work beyond the assurance facilitation activities separated from assurance activities activities should be recognized as a consulting en- in the CAE’s organization. gagement and the implementation standards related to such engagements should be followed. If internal audit’s role exceeds normal assurance and • Internal audit should provide advice, challenge, and consulting activities such that independence could be act as a support to management’s decision making, impaired, the CAE should conform to the disclosure re- as opposed to making risk management decisions. quirements of the Standards. Internal audit cannot give objective assurance on any part of the risk management framework for which it is responsible. Other suitably qualified parties should provide such assurance. The IIA’s Position Paper, The Role of Internal Auditing www.globaliia.org/standards-guidance / 10
IPPF – Practice Guide Coordinating Risk Management and Assurance Authors: Andrew MacLeod, CIA, CMIIA Brian Foster, CIA Patricia Macdonald Andy Robertson Teis Stokka, CIA Benito Ybarra, CIA Reviewers: Doug Anderson, CIA, CRMA Andy Dahle, CIA Steve Jameson, CISA, CCSA, CFSA, CRMA David Zechnich, CIA, CPA www.globaliia.org/standards-guidance / 11
About the Institute Disclaimer Established in 1941, The Institute of Internal The IIA publishes this document for informa- Auditors (IIA) is an international professional tional and educational purposes. This guidance association with global headquarters in Altamonte material is not intended to provide definitive an- Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as profession’s global voice, recognized authority, such is only intended to be used as a guide. The acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen- pal educator. dent expert advice relating directly to any specific situation. The IIA accepts no responsibility for About Practice Guides anyone placing sole reliance on this guidance. Practice Guides provide detailed guidance for conducting internal audit activities. They include Copyright detailed processes and procedures, such as tools Copyright ® 2012 The Institute of Internal and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards- guidance. global headquarters T: +1-407-937-1111 247 Maitland Ave. F: +1-407-937-1101 Altamonte Springs, FL 32701 USA W: www.globaliia.org 120362

Recomendados

Robert jones & agnes hunt hospital presentation
Robert jones & agnes hunt hospital presentationRobert jones & agnes hunt hospital presentation
Robert jones & agnes hunt hospital presentationLawson Odere
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital PresentationLawson Odere
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820สปสช นครสวรรค์
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrkRavinder Kumar Bhan
 
Facilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaFacilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaHanaysha
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital PresentationLawson Odere
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyИван Вали-Пур
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 

Recomendados

Robert jones & agnes hunt hospital presentation
Robert jones & agnes hunt hospital presentationRobert jones & agnes hunt hospital presentation
Robert jones & agnes hunt hospital presentationLawson Odere
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital PresentationLawson Odere
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820สปสช นครสวรรค์
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrkRavinder Kumar Bhan
 
Facilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaFacilitated Risk Analysis Process - Tareq Hanaysha
Facilitated Risk Analysis Process - Tareq HanayshaHanaysha
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital PresentationLawson Odere
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyИван Вали-Пур
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)Keith Darcy
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk ManagementMark Conway
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
COSO ERM Topology
COSO ERM TopologyCOSO ERM Topology
COSO ERM TopologyJason Rusch - CISSP CGEIT CISM CISA GNSA
 
COSO ERM 2017
COSO ERM 2017COSO ERM 2017
COSO ERM 2017Jorge A. Gomez P.
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
 
Risk Mgt
Risk Mgt Risk Mgt
Risk Mgt Morris Muhwezi
 
Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermDr .Maizar Radjin, SE., M.Ak., QIA., QRMA, CRGP
 
DiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conferenceDiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conferenceLou DiSerafino
 
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000PECB
 
Presentation qrm shc
Presentation qrm shcPresentation qrm shc
Presentation qrm shcPeter Schellinck
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationInternational Federation of Accountants
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820minhaj52
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820Vijay Kejriwal
 
Risk management standard
Risk management standardRisk management standard
Risk management standardLuis Vitiritti
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820Tim Smith
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.pptSashaKing4
 

Mais conteúdo relacionado

Mais procurados

Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)Keith Darcy
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk ManagementMark Conway
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
DiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conferenceDiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conferenceLou DiSerafino
 
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000PECB
 

Mais procurados (17)

Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk Management
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
COSO ERM Topology
COSO ERM TopologyCOSO ERM Topology
COSO ERM Topology
 
COSO ERM 2017
COSO ERM 2017COSO ERM 2017
COSO ERM 2017
 
Risk management
Risk managementRisk management
Risk management
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Risk Mgt
Risk Mgt Risk Mgt
Risk Mgt
 
Coso erm
Coso ermCoso erm
Coso erm
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & erm
 
DiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conferenceDiSerafino - ORSA_insurance_conference
DiSerafino - ORSA_insurance_conference
 
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
PECB Webinar: An Integrated QMS EMS OHSAS System Using ISO 31000
 
Presentation qrm shc
Presentation qrm shcPresentation qrm shc
Presentation qrm shc
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your Organization
 

Semelhante a Coordinating risk mgt and assurance march 2012

Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820minhaj52
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820Vijay Kejriwal
 
Risk management standard
Risk management standardRisk management standard
Risk management standardLuis Vitiritti
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820Tim Smith
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraJenard Wachira
 
An Investigation Of Risk Management Strategies In Projects
An Investigation Of Risk Management Strategies In ProjectsAn Investigation Of Risk Management Strategies In Projects
An Investigation Of Risk Management Strategies In ProjectsNancy Ideker
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital PresentationLawson Odere
 
COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Frameworkssuser6ea258
 
Internal Controls Topic 2.ppt
Internal Controls Topic 2.pptInternal Controls Topic 2.ppt
Internal Controls Topic 2.pptyahyamuthamia
 
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...Dayana Mastura FCCA CA
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
insurance-busines.pdf
insurance-busines.pdfinsurance-busines.pdf
insurance-busines.pdfyebegashet
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxcravennichole326
 

Semelhante a Coordinating risk mgt and assurance march 2012 (20)

Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820
 
Risk management standard
Risk management standardRisk management standard
Risk management standard
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo Wachira
 
An Investigation Of Risk Management Strategies In Projects
An Investigation Of Risk Management Strategies In ProjectsAn Investigation Of Risk Management Strategies In Projects
An Investigation Of Risk Management Strategies In Projects
 
ERM ppt.pptx
ERM ppt.pptxERM ppt.pptx
ERM ppt.pptx
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditors
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management Standard
 
Southmead Hospital Presentation
Southmead Hospital PresentationSouthmead Hospital Presentation
Southmead Hospital Presentation
 
COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Framework
 
Internal Controls Topic 2.ppt
Internal Controls Topic 2.pptInternal Controls Topic 2.ppt
Internal Controls Topic 2.ppt
 
Governance, Risk, and Control Knowledge Elements
Governance, Risk, and Control Knowledge ElementsGovernance, Risk, and Control Knowledge Elements
Governance, Risk, and Control Knowledge Elements
 
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...
Malaysian Code of Corporate Governance 2017 (MCCG2017): Principle B - Effecti...
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
 
insurance-busines.pdf
insurance-busines.pdfinsurance-busines.pdf
insurance-busines.pdf
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
 

Mais de Good Light Massage Center

Personal finance basics and time value of money
Personal finance basics and time value of moneyPersonal finance basics and time value of money
Personal finance basics and time value of moneyGood Light Massage Center
 

Mais de Good Light Massage Center (6)

G&C Financials Folio
G&C Financials FolioG&C Financials Folio
G&C Financials Folio
 
Couples and Money
Couples and MoneyCouples and Money
Couples and Money
 
Why is Ethics and Compliance important
Why is Ethics and Compliance importantWhy is Ethics and Compliance important
Why is Ethics and Compliance important
 
Personal finance basics and time value of money
Personal finance basics and time value of moneyPersonal finance basics and time value of money
Personal finance basics and time value of money
 
Guide to writing a business plan
Guide to writing a business planGuide to writing a business plan
Guide to writing a business plan
 
Red flags fraud
Red flags fraudRed flags fraud
Red flags fraud
 

Coordinating risk mgt and assurance march 2012

  • 1. – Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012
  • 2. IPPF – Practice Guide Coordinating Risk Management and Assurance Table of Contents Executive Summary......................................................................................... 1 Introduction.................................................................................................... 1 Risk Management and Assurance (Assurance Services)................................. 1 Assurance Framework..................................................................................... 2 The Respective Roles of Risk Management, Internal Audit, Compliance, and other Assurance Providers........................................................................ 4 Coordination Role of the CAE.......................................................................... 4 Using the Risk Management Process in Internal Audit Planning...................... 6 Preparation of Assurance Maps...................................................................... 8 Feedback on Significant Risk Areas in Internal Audit Reports......................... 8 Assessment by Internal Audit of the Adequacy of Risk Management............... 8 The Promotion of Risk Management by Internal Audit..................................... 9 Where Internal Audit Facilitates Risk Managment......................................... 10 Impact on Internal Audit Where a Formal Risk Management Function Does Not Exist................................................................................ 10 www.globaliia.org/standards-guidance / B
  • 3. IPPF – Practice Guide Coordinating Risk Management and Assurance Executive Summary Introduction Risk management is fundamental to organizational con- Standard 2050: Coordination states, “The chief audit ex- trol and a critical part of providing sound corporate gov- ecutive [CAE] should share information and coordinate ernance. It touches all of the organization’s activities. The activities with other internal and external providers of as- establishment of an effective enterprise-wide risk man- surance and consulting services to ensure proper coverage agement system is a key responsibility of management and and minimize duplication of efforts.” This responsibility the board, which are responsible for adopting a holistic requires the CAE’s inclusion and participation in the orga- approach to the identification of organizational risks, cre- nization’s assurance provider framework. This framework ating controls to mitigate those risks, and monitoring and can consist of internal audit, external audit, governance, reviewing the identified risks and controls. They should risk management, or other business control functions/ ensure that risk management is integrated into the organi- disclosures performed by the organization’s management zation, both at the strategic and operational levels. team. Inclusion and participation in this framework helps ensure that the CAE is aware of the organization’s risks With responsibility for assurance activities traditionally and controls in relation to organizational goals and objec- being shared among management, internal audit, risk tives. management, and compliance, it is important that as- surance activities be coordinated to ensure resources are Boards will use various sources to gain reliable assurance, used in an efficient and effective way. Many organizations including management, internal audit, and third parties. operate with traditional (and separate) internal audit, risk, As discussed in Practice Advisory 2050-2: Assurance and compliance activities. It is common for organizations Maps, an assurance map is a valuable tool for coordinat- to have a number of separate groups performing different ing risk management and assurance activities to increase risk management, compliance, and assurance functions the efficiency and effectiveness of risk management as- independently of one another. Without effective coordi- surance investments made by an organization. nation and reporting, work can be duplicated or key risks may be missed or misjudged. Risk Management Many internal audit functions work in close cooperation and Assurance with risk management. Some organizations do not have a formal risk management function and in this case the in- (Assurance Services) ternal audit activity often provides risk management con- The International Standards for the Professional Practice sulting services to the organization. Internal audit should of Internal Auditing (Standards) Glossary defines risk not give independent assurance on any part of the risk management as “a process to identify, assess, manage, and management framework for which it is responsible. Other control potential events or situations to provide reason- suitably qualified parties should provide such assurance. able assurance regarding the achievement of the organiza- tion’s objectives.” This is consistent with the International Standards Organization’s definition of risk management, which is “coordinated activities to direct and control an organization with regard to risk.” www.globaliia.org/standards-guidance / 1
  • 4. IPPF – Practice Guide Coordinating Risk Management and Assurance Enterprise risk management (ERM) — also known as enterprise-wide risk management — is a commonly used Assurance Framework term. The Committee of Sponsoring Organizations of the The need for assurance arises from an organization’s gov- Treadway Commission defines it as “a process, effected ernance processes. Its origin is in the stewardship rela- by an entity’s board of directors, management, and other tionship between the board of an organization and its personnel, applied in strategy setting and across the enter- shareholders. This stewardship relationship demands prise, designed to identify potential events that may affect that boards establish processes to both delegate and limit the entity, and manage risk to be within its risk appetite, to power to pursue the organization’s strategy and direction provide reasonable assurance regarding the achievement in a way that enhances the prospects for the organization’s of entity objectives.” long-term success. Assurance processes are needed to al- low the board to monitor the exercise of that power. Assurance services should be objective and professional, and can be obtained from a range of assurance providers. Risk management is a management process that promotes Such providers can be internal — such as internal audit, the efficient and effective achievement of organizational workplace health and safety, compliance, and security — objectives. Assurance and risk management are comple- as well as external, such as statutory audit. mentary processes. In support of the risk management process, the major role of internal audit and other inde- The Glossary of the Standards defines assurance services pendent assurance providers is to provide assurance that: as “an objective examination of evidence for the purpose of providing an independent assessment on governance, • The risk management process has been applied risk management, and control processes of the organiza- appropriately and that elements of the process are tion.” suitable and sufficient. • The risk management process is keeping with the There are generally three parties involved in assurance strategic needs and intent of the organization. services: • Processes and systems are in place to ensure that • The person or group directly involved with the entity, all material risks have been identified and are being operation, function, process, system, or other subject treated. matter, and oversight functions such as risk manage- • All prioritized intolerable risks have cost-effective ment, compliance, and finance. treatment plans in place. • The person or group making the assessment (the as- • Controls are being correctly designed in keeping with surance provider). the outputs of the risk management process. • The user of the assessment, such as executive man- • Key controls are adequate and effective. agement and the board. • Risks are not over-controlled or inefficiently con- trolled. • Line management review and other non-audit as- surance activities are effective at maintaining and improving controls. • Risk treatment plans are being executed. www.globaliia.org/standards-guidance / 2
  • 5. IPPF – Practice Guide Coordinating Risk Management and Assurance • There is appropriate and as-reported progress in the provision of a formal statement of compliance or comfort risk management plan. to an external body. In support of the assurance process, the risk management The assurance objectives will dictate the assurance strate- process should: gy and level of rigor employed, but the basic requirements include assurance that: • Establish an organization-specific, documented risk management policy and framework. • All material risks have been identified. • Assign responsibility for effective identification and • Risks have been accurately analyzed and evaluated. management of significant risks. • Key controls are both adequate and effective. • Provide a structured analysis of the risks of the orga- nization recording: • Management is appropriately addressing intolerable risks. – Risks, their associated exposures, and current risk ratings. There are three fundamental classes of assurance provid- – The organizational objective(s) to which the risk ers, differentiated by the stakeholders they serve, their applies. level of independence from the activities over which they provide assurance, and the robustness of that assurance. – The organizational position responsible for identi- They are: fying and managing each risk. – Key control systems established to identify and • Those who report to management or are part of manage each risk. management (management assurance), including individuals who perform control self-assessments, The assurance strategy is closely aligned with the corpo- quality auditors, environmental auditors, and other rate or other strategic plans of the organization. The legal, management (designated assurance personnel). legislative, cultural, and economic environment in which • Those who report to the board, including internal the organization is operating, as well as the nature of the audit. organization’s activities and its long-term plans drives as- surance needs. • Those who report to external stakeholders (financial statement assurance), a role traditionally fulfilled by It is an important first step to identify who will be the the independent/statutory auditor. users of organizational assurance. Clearly, the board and The level of assurance desired will vary depending on the management are the primary users. Other users may in- risk and other factors such as regulations. Who should clude the owners, regulators, government, or customers provide that assurance will vary based on the ability of the for whom the organization is a critical supply component. assurance provider to deliver the necessary level of inde- In today’s highly interconnected economy, external enti- pendence and objectivity, as well as the historical organi- ties may require assurance of the organization as part of zational design of the entity and skill sets available within their own risk management process. the assurance group. The required assurance may range from providing comfort to the board when they need to approve the formal finan- cial statements or the contents of the annual report to the www.globaliia.org/standards-guidance / 3
  • 6. IPPF – Practice Guide Coordinating Risk Management and Assurance The Respective Roles of Risk their design and operating effectiveness), management of those risks classified as high risk (including the effective- Management, Internal Audit, ness of the controls and other responses to them), veri- Compliance,and Other fication of the reliability and appropriateness of the risk assessment, and reporting of the risk and control status. Assurance Providers With responsibility for assurance activities traditionally Assurance providers for an organization may include: being shared among management, internal audit, risk management, and compliance, it is important that assur- • Line management and employees (management ance activities are coordinated to ensure resources are provides assurance as a first line of defense over the used in the most efficient and effective way. Many organi- risks and controls for which they are responsible). zations operate with traditional (and separate) internal au- • Senior management. dit, risk, and compliance activities. Compliance is defined in the the Glossary of the Standards as “adhering to the re- • Internal and external auditors. quirements of laws, industry, and organizational standards • Compliance. and codes, principles of good governance and accepted • Quality assurance. community and ethical standards.” A compliance program is a series of activities that when combined are intended • Risk management. to achieve compliance. Without effective coordination • Environmental auditors. and reporting, work can be duplicated or key risks may be • Workplace health and safety auditors. missed or misjudged. • Government performance auditors. Risk management is fundamental to organizational con- • Financial reporting review teams. trol and a critical part of providing sound corporate gov- • Subcommittees of the board (such as audit, actu- ernance. It touches all of the organization’s activities. For arial, credit, governance). this reason many organizations have moved to adopt a more formalized ERM process. • External assurance providers, including surveys, specialist reviews (health and safety), etc. Refer to The IIA’s Practice Guide, Reliance on Internal Coordination Role of the CAE Audit by Other Assurance Providers (December 2011), IIA Standard 2050: Coordination states that the CAE for more information on the range of internal and external should share information and coordinate activities with assurance providers. Also, refer to The IIA’s Position Pa- other internal and external providers of assurance and per, The Role of Internal Auditing in Enterprise-wide Risk consulting services to ensure appropriate coverage and Management, (January 2009) regarding what roles are ap- minimize duplication of efforts. This responsibility re- propriate for internal audit in regard to risk management. quires the CAE’s inclusion and participation in the orga- nization’s assurance provider framework. This framework The internal audit activity will normally provide assurance can consist of internal audit, external audit, governance, coverage over parts of the organization approved in the risk management, and other business control functions/ internal audit charter or terms of engagement letter. This disclosures performed by the organization’s management coverage should include risk management processes (both team. Inclusion and participation in this framework helps www.globaliia.org/standards-guidance / 4
  • 7. IPPF – Practice Guide Coordinating Risk Management and Assurance ensure that the CAE is aware of the organization’s risks nance or risk management function. Regardless of the ori- and controls in relation to goals and objectives. gin of the report, it is important that the CAE can rely on the techniques and methods performed by the assurance Most internal audit functions perform annual and engage- providers. ment-based risk assessment activities to help prioritize risks according to their potential impacts on the organiza- A thorough, documented and continuous risk manage- tion’s achievement of goals and objectives. At the macro- ment process is part of good governance and an important level, these activities assist the internal audit activity to management tool to provide assurance that appropriate develop a proposed audit plan to submit to the board. At controls are in place to achieve the objectives of an orga- the micro-level, these activities help prioritize the scope nization. of audit work and assurance being provided by internal audit engagements. The establishment of an effective enterprise-wide risk management system is a key responsibility of manage- It is important that the work performed by assurance ment. Boards and management are responsible for adopt- providers is understood and assessed by the CAE on an ing a holistic approach to the identification of organi- ongoing basis. This helps ensure that appropriate due pro- zational risks, creating controls to mitigate those risks, fessional care is exercised in the performance of internal monitoring and reviewing the identified risks and controls, audit work, including risk assessment activities performed and ensuring that risk management is integrated into the to derive proposed audit plans submitted to the board. organization — both at the strategic and operational lev- This also helps the board understand the coverage pro- els. Some organizations have delegated independent risk vided by the organization’s assurance providers to better management functions, but others do not have an inde- assess appropriate assignment of resources and potential pendent risk management function and require internal exposures due to non-coverage. audit to provide consulting services in this area. Internal audit can assist in identifying, evaluating, and facilitating Coordination between assurance providers includes regu- risk management methodologies. Internal audit also is re- lar sharing of reports and outcomes of assurance activities. sponsible for evaluating the effectiveness and contribut- This formal coordination should occur on a regular basis ing to the improvement of the risk management process. and include time for discussion and review of techniques and methods used to reach conclusions. This includes Identifying risks in a systematic way supports sound deci- management’s responses and an understanding of activi- sion making. It is about performing a thorough analysis of ties performed to mitigate any risks or control deficiencies the organization on various levels, describing events that identified. might occur, deciding on the importance of those risks, and developing adequate measures to deal with them. The CAE may develop an annual report to be shared with the organization’s board and executive management team. This report should outline the organization’s assurance provider framework, the coverage of the assurance being provided, areas of high risk, and residual/un-mitigated risk areas within the organization. Another alternative would be for the CAE to coordinate the development and dis- tribution of this report through the organization’s gover- www.globaliia.org/standards-guidance / 5
  • 8. IPPF – Practice Guide Coordinating Risk Management and Assurance Using the Risk Management to base internal audit plans and individual audit engage- ments on the main identified internal risks and controls. Process in Internal Audit Planning Internal audit should prepare short- and long-term au- dit plans to ensure that their activities are covering the The documentation of risk management in an organiza- main risk areas and internal controls of the organization. tion can be at various levels below the strategic risk man- As business circumstances can change substantially, con- agement process. Many organizations have developed risk tinuous monitoring and periodic revision of annual plans registers that document risks below the strategic level, — with at least yearly reviews of longer term plans — are providing documentation of significant risks in an area needed to ensure that audit plans are flexible, based on and related inherent and residual risk ratings, key con- up-to-date information and cover changing priorities and trols, and mitigating factors. An alignment exercise can risk areas. then be undertaken to identify links between the items included in the audit universe documented by the internal Standard 2010: Planning states that “the [CAE] must es- audit activity and risk categories and aspects described in tablish risk-based plans to determine the priorities of the the risk registers. internal audit activity, consistent with the organization’s goals.” Also, Standard 2010.A1 states “the internal audit Some organizations may identify several high (or higher) activity’s plan of engagements must be based on a docu- inherent risk (potential exposure) areas. While these risks mented risk assessment, undertaken at least annually. The may warrant internal audit attention, it is not always pos- input of senior management and the board must be con- sible to review all of them. Where the risk register shows sidered in this process.” a high, or higher, ranking for inherent risk (or major po- tential exposure) in a particular area, and the current risk Standard 2120: Risk Management states, “the internal au- remains similarly high with no action by management or dit activity must evaluate the effectiveness and contribute internal audit planned, the CAE should report those areas to the improvement of risk management processes.” to the board with details of the risk analysis and reasons for the lack of, or ineffectiveness of, internal controls. The following are steps to consider in the preparation of internal audit plans to determine risks and exposures that In addition to evaluating the effectiveness of the organi- may affect the achievement of the organization’s goals and zation’s risk management process and contributing to its objectives: improvement, internal audit also uses the results of the • Research and review corporate documents such as risk management process to develop annual audit plans enterprise business plans, strategic plans, enterprise and individual audit engagements. risk assessments, yearly reports, minutes of board meetings, minutes of management meetings, outside Internal audit is often asked to deliver better results with reports, external audit reports and other appropriate strained resources. This can be achieved by strategically sources. placing internal audit work where it can be most effective in delivering the best results and having the highest effect • Review previous internal audit plans, progress re- on the outcome of the strategic and operational goals of ports, and works in progress. the business entity. One of the tools of achieving this is • Consult senior management of the organization and www.globaliia.org/standards-guidance / 6
  • 9. IPPF – Practice Guide Coordinating Risk Management and Assurance solicit information regarding concerns or risks areas. ditors must address risk consistent with the engagement’s • Conduct a risk assessment of the issues and deter- objectives and be alert to the existence of other signifi- mine priorities for the annual audit plan. cant risks.” • Prepare a draft audit plan. Thorough planning of an internal audit is crucial to its • Communicate the proposed audit plan to stakehold- success. It provides an opportunity to become familiar ers. with the entity being audited; to gather relevant issues, • Seek feedback and validation of the major risk areas concerns, and risks; to complete a risk assessment, and to review. determine the objectives and scope of the audit. • Finalize the audit plans. In developing an audit engagement plan, the internal au- • Present to management and the board for approval. dit team should conduct a formal, comprehensive and • Regularly monitor, review, and re-evaluate the plans documented risk assessment to identify audit issues and in light of changing circumstances. risk events. This involves significant research, consulting with management of the entity or area under review, and While the broader rationale and objective of an internal becoming familiar with the entity or area. audit are developed in the annual planning phase, de- tailed research and work are needed at the onset of the Risk assessment methods can vary; however, all risk as- audit to define the detailed objective and scope and de- sessments should cover the following points: velop criteria and methodology. • Description of the risk event (negative occurrence, Standard 2201: Planning Considerations states that “In undesirable event). planning engagements, internal auditors must consider: • Likelihood of the event happening (strong, moder- ate, weak). • The significant risks to the activity, its objectives, resources, and operations and the means by which • The impact of negative occurrence on the achieve- the potential impact of risk is kept to an acceptable ment of goals and objectives (high, moderate, low). level. • Current controls (systems, policies, procedures, • The adequacy and effectiveness of the activity’s risk etc.) in place and their effectiveness (effective/not management and control systems compared to a effective). relevant control framework or model. • Ranking of the risk events. • The opportunities for making significant improve- Every potential audit highlights a wide range of issues for ments to the activity’s risk management and control examination. However, it is not necessary, reasonable, or processes.” cost effective to look at them all. The audit team has to Also, Standard 2210: Engagement Objectives states, “In- be cognizant of, and concentrate its efforts on, the most ternal auditors must conduct a preliminary assessment of important and high-risk issues. risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.” By ranking the possible risk events, this process will With regard to consulting engagements, Standard 2120. identify the issues with the most significance and C1 states, “During consulting engagements, internal au- highest ranking. At this point, a decision can be made www.globaliia.org/standards-guidance / 7
  • 10. IPPF – Practice Guide Coordinating Risk Management and Assurance regarding which issues are material and will be audited CAE can take this one step further and help in the cre- in light of the audit’s objective, and take into consider- ation of an assurance map for the organization. This will ation other factors such as auditability, resources, and not only assist the board in providing governance over- time lines. The results of the risk assessment should be sight, but also will assist the CAE in ensuring the audit presented and discussed with management of the entity activity is optimizing its resources for maximum assurance under review to ensure their concurrence and validation. value, and creating a more connected assurance commu- nity through effective coordination. Preparation of Assurance Maps Boards will use various sources to gain reliable assurance, Feedback on Significant Risk including management, internal audit, and third parties. Areas in Internal Audit Reports Many organizations operate with separate internal audit, During all assurance work, particularly where the scope risk, and compliance functions, and it is not uncommon relates to significant potential exposures identified in an for organizations to have a number of separate groups organization’s risk management process, audit approach, performing different risk management functions indepen- audit procedures, and communications should be de- dently of one another. As discussed in Practice Advisory signed to evaluate management’s assertions on the effec- 2050-2, an assurance map is a valuable tool for coordi- tiveness of controls in bringing risk within an organiza- nating these risk management and assurance activities to tion’s risk tolerance threshold. increase the efficiency and effectiveness of assurance in- vestments made by an organization. Assurance maps can Reports to management and the board can describe the help: potential exposure and management’s assessment of cur- rent risks (with the implied value of the controls in place) • Identify duplication and overlap in assurance cover- together with the audit evaluation of the risk ratings. Any age, allowing the board and senior management to differences should be fed into management’s risk manage- decide if the overlap is necessary, intentional, or ment process for consideration. should be eliminated. • Define scope boundaries and roles and responsibili- The cumulative effect over time of such assurance ac- ties for various assurance providers to ensure the tivities over specific risk areas using a risk-based audit right resources are focused on the right risks. This plan will provide assurance not only over those areas, but can enhance the effectiveness of assurance providers also on the effectiveness of the overall risk management by ensuring they are focused on the areas that need process. their attention, and by clearly articulating the expec- tations of the board and senior management. • Assist in identifying any gaps in assurance coverage Assessment by Internal Audit that need to be addressed. of the Adequacy of Risk It is the responsibility of the CAE to understand the as- Management surance requirements of the board and the organization, clarify the role the internal audit activity fills, and the level Internal audit should provide assurance as required by of assurance it provides. However, given their unique van- Standards 2100: Nature of Work, 2120: Risk Management tage point to assurance activities in the organization, the and 2400: Communicating Results to senior management, www.globaliia.org/standards-guidance / 8
  • 11. IPPF – Practice Guide Coordinating Risk Management and Assurance and ultimately the board, that the organization is managing the effectiveness of the status of the risk manage- its risks effectively. Insofar as internal audit will need to in- ment system to senior management and the board. clude the adequacy of risk management within this scope there are two dimensions to consider: The CAE has three important functions in the review of risk management, and as in any other audit assignment: 1. Whether the risk management function includes all appropriate risk areas within its remit. • Test the controls. • Report any missing or ineffective controls. 2. Whether the risk management function is operat- ing effectively. • Recommend improvements. The main elements of the assessment that internal audit will need to encompass are covered to a large extent by The Promotion of Risk Practice Advisory 2120-1: Assessing the Adequacy of Risk Management by Internal Audit Management Processes. The main features are: Standard 2100 states, “The internal audit activity must • Boards of management, as part of their oversight evaluate and contribute to the improvement of gover- role, may direct internal audit to assist by reviewing nance, risk management, and control processes using a and reporting on the adequacy of risk management. systematic and disciplined approach.” The internal audit activity often has a role providing independent and objec- • Management and the board are responsible for risk tive assurance to the organization’s board regarding the management; however, internal auditors acting in effectiveness of an organization’s ERM activities. This a consulting role can assist management in this helps ensure key business risks are being managed appro- responsibility. priately and the organization’s system of internal controls • Where the organization does not have a formal risk is operating effectively and efficiently. management process, the CAE should formally dis- cuss the situation with management and the board. Risk management is a management process that pro- motes the cost-effective achievement of organizational The CAE should establish that: objectives. Assurance provides reliable information about the achievements of risk management activity. Assurance • There is a culture of effective risk management. and risk management are complementary processes. • There is a clear understanding at all levels of the potential exposures or inherent risks facing the orga- Often the internal audit activity of an organization will nization (e.g., a risk register). work in close cooperation with the risk management • There is a clear understanding of the current level of function. By independently reviewing the risk manage- risk within the organization. ment process of an organization, internal audit can pro- mote risk management throughout the organization and • The amount of risk taken at every level of the organi- the audit process can be aligned with risk management zation is clearly defined and understood. frameworks. Consistent risk language used throughout • Adequate and effective controls exist to mitigate the organization can be adopted by internal audit. risks. • There is an appropriate method of communicating www.globaliia.org/standards-guidance / 9
  • 12. IPPF – Practice Guide Coordinating Risk Management and Assurance Internal audit’s review of risk identification, risk evalua- in Enterprise-wide Risk Management (January 2009), tion, control identification and evaluation, and appropri- describes roles that are appropriate for internal audit in ate risk treatments challenges and enhances risk registers regard to risk management. and the risk management framework. Impact on Internal Audit Where Where Internal Audit Facilitates a Formal Risk Management Risk Management Function Does Not Exist Some organizations do not have a formal risk management When an organization does not have a risk management function, and in this case the internal audit activity may function, it typically requires increased effort from the provide risk management consulting services to the or- CAE to communicate risk management and assurance ganization. Internal audit may provide risk management activities to the board. Increased importance is placed on consulting provided certain conditions apply: the quality of the internal audit risk assessment as the sole • It should be clear that management remains respon- view of risk the board may be exposed to. sible for risk management even in those organizations The CAE should promote the risk management function where internal audit has been asked to facilitate the as an important activity that assists the organization in risk management program. Internal audit should achieving its objectives, and provides recommendations not manage any risks on behalf of management, nor for establishing such a process. If requested, the CAE can make final decisions regarding the enterprise’s risk play a proactive consultative role in assisting with the ini- appetite or level of resource allocation to control or tial establishment of a risk management process for the mitigate risk. Whenever internal audit acts to help organization. However, while the internal audit function the management team to set up or to improve risk can facilitate or enable the creation of risk management management processes, the audit committee should processes, they should not be responsible for the process- approve its plan of work. es or management of the identified risks. Initially, the in- • The nature of internal audit’s responsibilities should ternal audit function can facilitate management’s risk as- be documented in the internal audit charter and ap- sessment processes; however, it is advisable to have such proved by the board. Any work beyond the assurance facilitation activities separated from assurance activities activities should be recognized as a consulting en- in the CAE’s organization. gagement and the implementation standards related to such engagements should be followed. If internal audit’s role exceeds normal assurance and • Internal audit should provide advice, challenge, and consulting activities such that independence could be act as a support to management’s decision making, impaired, the CAE should conform to the disclosure re- as opposed to making risk management decisions. quirements of the Standards. Internal audit cannot give objective assurance on any part of the risk management framework for which it is responsible. Other suitably qualified parties should provide such assurance. The IIA’s Position Paper, The Role of Internal Auditing www.globaliia.org/standards-guidance / 10
  • 13. IPPF – Practice Guide Coordinating Risk Management and Assurance Authors: Andrew MacLeod, CIA, CMIIA Brian Foster, CIA Patricia Macdonald Andy Robertson Teis Stokka, CIA Benito Ybarra, CIA Reviewers: Doug Anderson, CIA, CRMA Andy Dahle, CIA Steve Jameson, CISA, CCSA, CFSA, CRMA David Zechnich, CIA, CPA www.globaliia.org/standards-guidance / 11
  • 14. About the Institute Disclaimer Established in 1941, The Institute of Internal The IIA publishes this document for informa- Auditors (IIA) is an international professional tional and educational purposes. This guidance association with global headquarters in Altamonte material is not intended to provide definitive an- Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as profession’s global voice, recognized authority, such is only intended to be used as a guide. The acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen- pal educator. dent expert advice relating directly to any specific situation. The IIA accepts no responsibility for About Practice Guides anyone placing sole reliance on this guidance. Practice Guides provide detailed guidance for conducting internal audit activities. They include Copyright detailed processes and procedures, such as tools Copyright ® 2012 The Institute of Internal and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards- guidance. global headquarters T: +1-407-937-1111 247 Maitland Ave. F: +1-407-937-1101 Altamonte Springs, FL 32701 USA W: www.globaliia.org 120362