Recently, there has been an increased focus on the importance of managing risk as part of an overall strong corporate governance and enterprise risk management (ERM) program. With this new emphasis comes a responsibility for Internal Audit to assess the effectiveness of the risk management strategy within the organization. Though there are multiple risk management frameworks, this guide uses ISO 31000 as the basis for the risk assessment. This article discusses management’s role and the types of approaches for Internal Audit to measure the effectiveness of risk management within their organization.
The organization should not conduct the ERM process in isolation. Instead, it should involve all key stakeholders and use the following control-based assurance framework:
- Risks are effectively identified and appropriately analyzed.
- Adequate and appropriate risk treatment and controls are implemented.
- Management effectively monitors and reviews processes to detect changes in risks and controls.
The organization’s ERM approach should change over time as internal and external factors change. For example, changes may occur due to the arrival of new personnel, changes in entity structure, new processes, or changes in business objectives. In the same way, the assessment of the ERM process must occur on an ongoing basis.
Responsibilities
Management is responsible for determining the organization’s risk attitude and the Board is responsible for determining if the risk attitude supports the best interests of stakeholders. Internal Audit should assess whether the company’s framework takes into consideration and defines risk management responsibilities and strategy, and whether the elements of the framework allow for building a risk-smart environment while still allowing for responsible risk-taking.
Monitoring and Assurance
Organizations must monitor risk management systems to ensure they are performing as intended. Most organizations accomplish monitoring through ongoing activities, separate evaluations, or a combination of these two methods. Ongoing monitoring is often most effective since it is completed on a real-time basis, can react dynamically to changing conditions, and is ingrained in the organization.
Line management, internal audit, risk management specialists, and the compliance function often share the monitoring responsibility. As a result, it is important for the organization to coordinate assurance activities to ensure it uses resources efficiently and effectively.
Internal Audit’s Role
IIA Standard 2100 states, “the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”
Internal audit provides the following types of risk management assurance:
- Assurance on the risk management process itself
- Assurance on significant risks and management assertions
- Follow-up of risk treatment plan status
These assurance services provide reasonable assurance to senior management and the board regarding the effectiveness of design, documentation and operation of the organization’s risk management program. The end goal is to have the risk management process achieve the organization’s objectives.
Internal audit can utilize one or more of the following approaches when assessing an organization’s risk management process:
- Process elements approach – verifies that specific elements of the risk management process are in place.
- Key principles approach – verifies that the risk management process satisfies a minimum set of principles.
- Maturity model approach – assesses where the risk management process falls on the maturity curve.
Internal audit must obtain sufficient evidence to provide assurance on risk management processes. The following is a listing of some of the many audit procedures that internal audit can utilize:
- Review corporate policies and board minutes to determine the organization’s business strategies, risk management philosophy, and risk appetite.
- Conduct interviews with line and senior management to determine business unit objectives, related risk, and management’s risk mitigation and control monitoring activities.
- Review the completeness of management’s risk analysis and remediation activities.
In general, this assurance review includes a combination of different audit techniques, such as observation, interviews, document reviews, analytical techniques, and surveys. These procedures must gather sufficient audit evidence to support any assurance provided by Internal Audit. It is important that internal audit tailor the assurance process to add the most value to their organization.
Generally, internal audit works closely with the risk management function. If the organization does not have a risk management function, risk management activities and consulting may fall under the purview of Internal Audit. In this case, Internal Audit should only perform this type of consulting service if the following conditions exist:
- It remains clear that management is responsible for risk management and internal audit does not make risk management decisions.
- Internal audit does not provide objective assurance for any parts of the risk management framework for which it is responsible.
- Internal audit services are documented in the internal audit charter and consistent with other responsibilities.
As more stakeholders look for effective ERM processes within an organization, both management and Internal Audit must step up to the plate. Providing reasonable assurance can provide needed comfort to your key stakeholders in these turbulent times. For those organizations without an Internal Audit function, consider if there is value to outsourcing to provide independent assurance.
McKonly & Asbury is available for consultation on this or other Internal Audit matters. Please do not hesitate to contact Elaine Nissley, MBA, CISA, PMP, CRISC, Principal, in charge of the Risk Management Services group, at ENissley@macpas.com.
________________________________
[1] The Practice Guide – Assessing the Adequacy of Risk Management is located at http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/assessing-the-adequacy-of-risk-management/
In my opinion, risk management is a process of thinking systematically about all possible risks, problems or disasters before they happen and setting up procedures that will avoid the risk, minimize its impact, or cope with its impact. It is setting up a process where you can identify the risk and set up a strategy to control or deal with it.
Posted by: CCTV Surveillance Cameras | 11/16/2011 at 12:53 AM