Professional Documents
Culture Documents
Management.
Explain Enterprise Risk Management
• Risk is the possibility of an event occurring that will have an impact on
the achievement of objectives.
• Enterprise risk is the possibility of an event occurring that may reduce
the likelihood that the organization will achieve its objectives.
• Effective control provides reasonable assurance that the organization
will achieve its objectives reliably (by reducing uncontrolled risk to an
acceptable level), and therefore includes the identification and
mitigation of risk.
Explain Enterprise Risk Management
• Risk models enable management to classify risks, establish acceptable
tolerance limits for these risks, and test controls to ensure that
uncontrolled risks remain within the established tolerances.
• Enterprise risk management is a process to identify, assess, manage,
and control potential events or situations, to provide reasonable
assurance regarding the achievement of the organization’s objectives
Explain How Risk Models Can Help Identify Specific
Risks and Set Appropriate Tolerance Limits.
• A number of risk models (frameworks) have been developed to help
identify the risks related to an organization’s activities and plans. The
risks faced by businesses vary from organization to organization and
should be identified by the organization’s management.
• Risk tolerances (limits) define the amount of residual, uncontrolled risk
that the board and management are prepared to consider as
acceptable. For example, a company could determine the amount of
foreign currency risk that it is prepared to accept and implement
processes to hedge exposures in excess of that amount. The amount of
exposure that the company is prepared to accept would be its “risk
tolerance” or “limit.”
Explain the Role of the Internal Auditor in
the Risk Management Process.
• Internal auditing includes assisting the organization by identifying and
evaluating significant exposures to risk and contributing to the
improvement of risk management and control systems. The internal
auditor should monitor and evaluate the effectiveness of the
organization’s risk management system.
• The purpose of internal auditing (in the context of risk management)
is to assess the appropriateness and adequacy of management’s
actions to avoid, share, transfer, and control risks to keep them within
the defined control limits or tolerances.
Explain the Role of the Internal Auditor in
the Risk Management Process.
• The internal audit activity itself is not immune from risks, including
those of audit failure, false assurance, and reputation risks. It needs to
take the necessary steps to ensure that it is managing its own risks.
Explain how the role of the internal auditor changes
when there is no established risk management process.
• If an organization has not established a risk management process, the
internal auditor should bring this to the attention of management
together with suggestions for establishing such a process.
• If requested, internal auditors can play a proactive role in assisting
with the initial establishment of a risk management process for the
organization.
• Internal auditors can facilitate or enable risk management processes,
but they should not “own” or be responsible for the management of
the risks identified.
Explain how auditors use risk assessment to assist in audit
planning, and compare this approach with traditional
approaches to internal auditing.
• Traditional approaches and risk-based auditing approach compared:
Risk-based auditing starts by reviewing the organizational objectives, then considers
the business risks that impact the achievement of those objectives, and examines the
methodologies in place to mitigate those risks. Risks can be avoided, shared, or
transferred rather than controlled. Riskbased auditing also explicitly accepts that
there will always be some risk that must be accepted, but the acceptable amount
must be kept within the limits established by the board and management.