Professional Documents
Culture Documents
Coordinating Risk MGMT & Assurance 2012
Coordinating Risk MGMT & Assurance 2012
COORDINATING
RISK MANAGEMENT
AND ASSURANCE
March 2012
IPPF – Practice Guide
Coordinating Risk Management and Assurance
Table of Contents
Executive Summary......................................................................................... 1
Introduction.................................................................................................... 1
Risk Management and Assurance (Assurance Services)................................. 1
Assurance Framework..................................................................................... 2
The Respective Roles of Risk Management, Internal Audit, Compliance,
and other Assurance Providers........................................................................ 4
Coordination Role of the CAE.......................................................................... 4
Using the Risk Management Process in Internal Audit Planning...................... 6
Preparation of Assurance Maps...................................................................... 8
Feedback on Significant Risk Areas in Internal Audit Reports......................... 8
Assessment by Internal Audit of the Adequacy of Risk Management............... 8
The Promotion of Risk Management by Internal Audit..................................... 9
Where Internal Audit Facilitates Risk Managment......................................... 10
Impact on Internal Audit Where a Formal Risk Management
Function Does Not Exist................................................................................ 10
www.globaliia.org/standards-guidance / B
IPPF – Practice Guide
Coordinating Risk Management and Assurance
www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide
Coordinating Risk Management and Assurance
www.globaliia.org/standards-guidance / 2
IPPF – Practice Guide
Coordinating Risk Management and Assurance
• There is appropriate and as-reported progress in the provision of a formal statement of compliance or comfort
risk management plan. to an external body.
In support of the assurance process, the risk management The assurance objectives will dictate the assurance strate-
process should: gy and level of rigor employed, but the basic requirements
include assurance that:
• Establish an organization-specific, documented risk
management policy and framework. • All material risks have been identified.
• Assign responsibility for effective identification and • Risks have been accurately analyzed and evaluated.
management of significant risks.
• Key controls are both adequate and effective.
• Provide a structured analysis of the risks of the orga-
nization recording: • Management is appropriately addressing intolerable
risks.
– Risks, their associated exposures, and current risk
ratings. There are three fundamental classes of assurance provid-
– The organizational objective(s) to which the risk ers, differentiated by the stakeholders they serve, their
applies. level of independence from the activities over which they
provide assurance, and the robustness of that assurance.
– The organizational position responsible for identi- They are:
fying and managing each risk.
– Key control systems established to identify and • Those who report to management or are part of
manage each risk. management (management assurance), including
individuals who perform control self-assessments,
The assurance strategy is closely aligned with the corpo- quality auditors, environmental auditors, and other
rate or other strategic plans of the organization. The legal, management (designated assurance personnel).
legislative, cultural, and economic environment in which
• Those who report to the board, including internal
the organization is operating, as well as the nature of the
audit.
organization’s activities and its long-term plans drives as-
surance needs. • Those who report to external stakeholders (financial
statement assurance), a role traditionally fulfilled by
It is an important first step to identify who will be the the independent/statutory auditor.
users of organizational assurance. Clearly, the board and
The level of assurance desired will vary depending on the
management are the primary users. Other users may in-
risk and other factors such as regulations. Who should
clude the owners, regulators, government, or customers
provide that assurance will vary based on the ability of the
for whom the organization is a critical supply component.
assurance provider to deliver the necessary level of inde-
In today’s highly interconnected economy, external enti-
pendence and objectivity, as well as the historical organi-
ties may require assurance of the organization as part of
zational design of the entity and skill sets available within
their own risk management process.
the assurance group.
The required assurance may range from providing comfort
to the board when they need to approve the formal finan-
cial statements or the contents of the annual report to the
www.globaliia.org/standards-guidance / 3
IPPF – Practice Guide
Coordinating Risk Management and Assurance
The Respective Roles of Risk their design and operating effectiveness), management of
those risks classified as high risk (including the effective-
Management, Internal Audit, ness of the controls and other responses to them), veri-
www.globaliia.org/standards-guidance / 4
IPPF – Practice Guide
Coordinating Risk Management and Assurance
ensure that the CAE is aware of the organization’s risks nance or risk management function. Regardless of the ori-
and controls in relation to goals and objectives. gin of the report, it is important that the CAE can rely on
the techniques and methods performed by the assurance
Most internal audit functions perform annual and engage- providers.
ment-based risk assessment activities to help prioritize
risks according to their potential impacts on the organiza- A thorough, documented and continuous risk manage-
tion’s achievement of goals and objectives. At the macro- ment process is part of good governance and an important
level, these activities assist the internal audit activity to management tool to provide assurance that appropriate
develop a proposed audit plan to submit to the board. At controls are in place to achieve the objectives of an orga-
the micro-level, these activities help prioritize the scope nization.
of audit work and assurance being provided by internal
audit engagements. The establishment of an effective enterprise-wide risk
management system is a key responsibility of manage-
It is important that the work performed by assurance ment. Boards and management are responsible for adopt-
providers is understood and assessed by the CAE on an ing a holistic approach to the identification of organi-
ongoing basis. This helps ensure that appropriate due pro- zational risks, creating controls to mitigate those risks,
fessional care is exercised in the performance of internal monitoring and reviewing the identified risks and controls,
audit work, including risk assessment activities performed and ensuring that risk management is integrated into the
to derive proposed audit plans submitted to the board. organization — both at the strategic and operational lev-
This also helps the board understand the coverage pro- els. Some organizations have delegated independent risk
vided by the organization’s assurance providers to better management functions, but others do not have an inde-
assess appropriate assignment of resources and potential pendent risk management function and require internal
exposures due to non-coverage. audit to provide consulting services in this area. Internal
audit can assist in identifying, evaluating, and facilitating
Coordination between assurance providers includes regu- risk management methodologies. Internal audit also is re-
lar sharing of reports and outcomes of assurance activities. sponsible for evaluating the effectiveness and contribut-
This formal coordination should occur on a regular basis ing to the improvement of the risk management process.
and include time for discussion and review of techniques
and methods used to reach conclusions. This includes Identifying risks in a systematic way supports sound deci-
management’s responses and an understanding of activi- sion making. It is about performing a thorough analysis of
ties performed to mitigate any risks or control deficiencies the organization on various levels, describing events that
identified. might occur, deciding on the importance of those risks,
and developing adequate measures to deal with them.
The CAE may develop an annual report to be shared with
the organization’s board and executive management team.
This report should outline the organization’s assurance
provider framework, the coverage of the assurance being
provided, areas of high risk, and residual/un-mitigated risk
areas within the organization. Another alternative would
be for the CAE to coordinate the development and dis-
tribution of this report through the organization’s gover-
www.globaliia.org/standards-guidance / 5
IPPF – Practice Guide
Coordinating Risk Management and Assurance
Using the Risk Management to base internal audit plans and individual audit engage-
ments on the main identified internal risks and controls.
Process in Internal Audit
Planning Internal audit should prepare short- and long-term au-
dit plans to ensure that their activities are covering the
The documentation of risk management in an organiza- main risk areas and internal controls of the organization.
tion can be at various levels below the strategic risk man- As business circumstances can change substantially, con-
agement process. Many organizations have developed risk tinuous monitoring and periodic revision of annual plans
registers that document risks below the strategic level, — with at least yearly reviews of longer term plans — are
providing documentation of significant risks in an area needed to ensure that audit plans are flexible, based on
and related inherent and residual risk ratings, key con- up-to-date information and cover changing priorities and
trols, and mitigating factors. An alignment exercise can risk areas.
then be undertaken to identify links between the items
included in the audit universe documented by the internal Standard 2010: Planning states that “the [CAE] must es-
audit activity and risk categories and aspects described in tablish risk-based plans to determine the priorities of the
the risk registers. internal audit activity, consistent with the organization’s
goals.” Also, Standard 2010.A1 states “the internal audit
Some organizations may identify several high (or higher) activity’s plan of engagements must be based on a docu-
inherent risk (potential exposure) areas. While these risks mented risk assessment, undertaken at least annually. The
may warrant internal audit attention, it is not always pos- input of senior management and the board must be con-
sible to review all of them. Where the risk register shows sidered in this process.”
a high, or higher, ranking for inherent risk (or major po-
tential exposure) in a particular area, and the current risk Standard 2120: Risk Management states, “the internal au-
remains similarly high with no action by management or dit activity must evaluate the effectiveness and contribute
internal audit planned, the CAE should report those areas to the improvement of risk management processes.”
to the board with details of the risk analysis and reasons
for the lack of, or ineffectiveness of, internal controls. The following are steps to consider in the preparation of
internal audit plans to determine risks and exposures that
In addition to evaluating the effectiveness of the organi- may affect the achievement of the organization’s goals and
zation’s risk management process and contributing to its objectives:
improvement, internal audit also uses the results of the
• Research and review corporate documents such as
risk management process to develop annual audit plans
enterprise business plans, strategic plans, enterprise
and individual audit engagements.
risk assessments, yearly reports, minutes of board
meetings, minutes of management meetings, outside
Internal audit is often asked to deliver better results with
reports, external audit reports and other appropriate
strained resources. This can be achieved by strategically
sources.
placing internal audit work where it can be most effective
in delivering the best results and having the highest effect • Review previous internal audit plans, progress re-
on the outcome of the strategic and operational goals of ports, and works in progress.
the business entity. One of the tools of achieving this is • Consult senior management of the organization and
www.globaliia.org/standards-guidance / 6
IPPF – Practice Guide
Coordinating Risk Management and Assurance
solicit information regarding concerns or risks areas. ditors must address risk consistent with the engagement’s
• Conduct a risk assessment of the issues and deter- objectives and be alert to the existence of other signifi-
mine priorities for the annual audit plan. cant risks.”
www.globaliia.org/standards-guidance / 7
IPPF – Practice Guide
Coordinating Risk Management and Assurance
regarding which issues are material and will be audited CAE can take this one step further and help in the cre-
in light of the audit’s objective, and take into consider- ation of an assurance map for the organization. This will
ation other factors such as auditability, resources, and not only assist the board in providing governance over-
time lines. The results of the risk assessment should be sight, but also will assist the CAE in ensuring the audit
presented and discussed with management of the entity activity is optimizing its resources for maximum assurance
under review to ensure their concurrence and validation. value, and creating a more connected assurance commu-
nity through effective coordination.
Preparation of Assurance Maps
Boards will use various sources to gain reliable assurance,
Feedback on Significant Risk
including management, internal audit, and third parties. Areas in Internal Audit Reports
Many organizations operate with separate internal audit,
During all assurance work, particularly where the scope
risk, and compliance functions, and it is not uncommon
relates to significant potential exposures identified in an
for organizations to have a number of separate groups
organization’s risk management process, audit approach,
performing different risk management functions indepen-
audit procedures, and communications should be de-
dently of one another. As discussed in Practice Advisory
signed to evaluate management’s assertions on the effec-
2050-2, an assurance map is a valuable tool for coordi-
tiveness of controls in bringing risk within an organiza-
nating these risk management and assurance activities to
tion’s risk tolerance threshold.
increase the efficiency and effectiveness of assurance in-
vestments made by an organization. Assurance maps can
Reports to management and the board can describe the
help:
potential exposure and management’s assessment of cur-
rent risks (with the implied value of the controls in place)
• Identify duplication and overlap in assurance cover-
together with the audit evaluation of the risk ratings. Any
age, allowing the board and senior management to
differences should be fed into management’s risk manage-
decide if the overlap is necessary, intentional, or
ment process for consideration.
should be eliminated.
• Define scope boundaries and roles and responsibili- The cumulative effect over time of such assurance ac-
ties for various assurance providers to ensure the tivities over specific risk areas using a risk-based audit
right resources are focused on the right risks. This plan will provide assurance not only over those areas, but
can enhance the effectiveness of assurance providers also on the effectiveness of the overall risk management
by ensuring they are focused on the areas that need process.
their attention, and by clearly articulating the expec-
tations of the board and senior management.
• Assist in identifying any gaps in assurance coverage
Assessment by Internal Audit
that need to be addressed. of the Adequacy of Risk
It is the responsibility of the CAE to understand the as- Management
surance requirements of the board and the organization,
clarify the role the internal audit activity fills, and the level Internal audit should provide assurance as required by
of assurance it provides. However, given their unique van- Standards 2100: Nature of Work, 2120: Risk Management
tage point to assurance activities in the organization, the and 2400: Communicating Results to senior management,
www.globaliia.org/standards-guidance / 8
IPPF – Practice Guide
Coordinating Risk Management and Assurance
and ultimately the board, that the organization is managing the effectiveness of the status of the risk manage-
its risks effectively. Insofar as internal audit will need to in- ment system to senior management and the board.
clude the adequacy of risk management within this scope
there are two dimensions to consider: The CAE has three important functions in the review of
risk management, and as in any other audit assignment:
1. Whether the risk management function includes
all appropriate risk areas within its remit. • Test the controls.
• Report any missing or ineffective controls.
2. Whether the risk management function is operat-
ing effectively. • Recommend improvements.
www.globaliia.org/standards-guidance / 9
IPPF – Practice Guide
Coordinating Risk Management and Assurance
Internal audit’s review of risk identification, risk evalua- in Enterprise-wide Risk Management (January 2009),
tion, control identification and evaluation, and appropri- describes roles that are appropriate for internal audit in
ate risk treatments challenges and enhances risk registers regard to risk management.
and the risk management framework.
Impact on Internal Audit Where
Where Internal Audit Facilitates a Formal Risk Management
Risk Management Function Does Not Exist
Some organizations do not have a formal risk management
When an organization does not have a risk management
function, and in this case the internal audit activity may
function, it typically requires increased effort from the
provide risk management consulting services to the or-
CAE to communicate risk management and assurance
ganization. Internal audit may provide risk management
activities to the board. Increased importance is placed on
consulting provided certain conditions apply:
the quality of the internal audit risk assessment as the sole
• It should be clear that management remains respon- view of risk the board may be exposed to.
sible for risk management even in those organizations
The CAE should promote the risk management function
where internal audit has been asked to facilitate the
as an important activity that assists the organization in
risk management program. Internal audit should
achieving its objectives, and provides recommendations
not manage any risks on behalf of management, nor
for establishing such a process. If requested, the CAE can
make final decisions regarding the enterprise’s risk
play a proactive consultative role in assisting with the ini-
appetite or level of resource allocation to control or
tial establishment of a risk management process for the
mitigate risk. Whenever internal audit acts to help
organization. However, while the internal audit function
the management team to set up or to improve risk
can facilitate or enable the creation of risk management
management processes, the audit committee should
processes, they should not be responsible for the process-
approve its plan of work.
es or management of the identified risks. Initially, the in-
• The nature of internal audit’s responsibilities should ternal audit function can facilitate management’s risk as-
be documented in the internal audit charter and ap- sessment processes; however, it is advisable to have such
proved by the board. Any work beyond the assurance facilitation activities separated from assurance activities
activities should be recognized as a consulting en- in the CAE’s organization.
gagement and the implementation standards related
to such engagements should be followed. If internal audit’s role exceeds normal assurance and
• Internal audit should provide advice, challenge, and consulting activities such that independence could be
act as a support to management’s decision making, impaired, the CAE should conform to the disclosure re-
as opposed to making risk management decisions. quirements of the Standards.
Internal audit cannot give objective assurance on any
part of the risk management framework for which it
is responsible. Other suitably qualified parties should
provide such assurance.
The IIA’s Position Paper, The Role of Internal Auditing
www.globaliia.org/standards-guidance / 10
IPPF – Practice Guide
Coordinating Risk Management and Assurance
Authors:
Andrew MacLeod, CIA, CMIIA
Patricia Macdonald
Andy Robertson
Reviewers:
Doug Anderson, CIA, CRMA
www.globaliia.org/standards-guidance / 11
About the Institute Disclaimer
Established in 1941, The Institute of Internal The IIA publishes this document for informa-
Auditors (IIA) is an international professional tional and educational purposes. This guidance
association with global headquarters in Altamonte material is not intended to provide definitive an-
Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as
profession’s global voice, recognized authority, such is only intended to be used as a guide. The
acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen-
pal educator. dent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for
About Practice Guides anyone placing sole reliance on this guidance.
Practice Guides provide detailed guidance for
conducting internal audit activities. They include Copyright
detailed processes and procedures, such as tools Copyright ® 2012 The Institute of Internal
and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please
proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org.
Practice Guides are part of The IIA’s IPPF. As
part of the Strongly Recommended category
of guidance, compliance is not mandatory, but
it is strongly recommended, and the guidance
is endorsed by The IIA through formal review
and approval processes. For other authoritative
guidance materials provided by The IIA, please
visit our website at https://globaliia.org/standards-
guidance.
120362