Governance And Risk Management.
Explain Enterprise Risk Management
• Risk is the possibility of an event occurring that will have an impact on
the achievement of objectives.
• Enterprise risk is the possibility of an event occurring that may reduce
the likelihood that the organization will achieve its objectives.
• Effective control provides reasonable assurance that the organization
will achieve its objectives reliably (by reducing uncontrolled risk to an
acceptable level), and therefore includes the identification and
mitigation of risk.
• Risk models enable management to classify risks, establish acceptable
tolerance limits for these risks, and test controls to ensure that
uncontrolled risks remain within the established tolerances.
• Enterprise risk management is a process to identify, assess, manage,
and control potential events or situations, to provide reasonable
assurance regarding the achievement of the organization’s objectives.
Explain How Risk Models Can Help Identify Specific
Risks and Set Appropriate Tolerance Limits.
• A number of risk models (frameworks) have been developed to help
identify the risks related to an organization’s activities and plans. The
risks faced by businesses vary from organization to organization and
should be identified by the organization’s management.
• Risk tolerances (limits) define the amount of residual, uncontrolled risk
that the board and management are prepared to consider as
acceptable. For example, a company could determine the amount of
foreign currency risk that it is prepared to accept and implement
processes to hedge exposures in excess of that amount. The amount of
exposure that the company is prepared to accept would be its “risk
tolerance” or “limit.”
Explain the Role of the Internal Auditor in
the Risk Management Process.
• Internal auditing includes assisting the organization by identifying and
evaluating significant exposures to risk and contributing to the
improvement of risk management and control systems. The internal
auditor should monitor and evaluate the effectiveness of the
organization’s risk management system.
• The purpose of internal auditing (in the context of risk management)
is to assess the appropriateness and adequacy of management’s
actions to avoid, share, transfer, and control risks to keep them within
the defined control limits or tolerances.
• The internal audit activity itself is not immune from risks, including
those of audit failure, false assurance, and reputation risks. It needs to
take the necessary steps to ensure that it is managing its own risks.
Explain how the role of the internal auditor changes
when there is no established risk management process.
• If an organization has not established a risk management process, the
internal auditor should bring this to the attention of management
together with suggestions for establishing such a process.
• If requested, internal auditors can play a proactive role in assisting
with the initial establishment of a risk management process for the
organization.
• Internal auditors can facilitate or enable risk management processes,
but they should not “own” or be responsible for the management of
the risks identified.
Explain how auditors use risk assessment to assist in audit
planning, and compare this approach with traditional
approaches to internal auditing.
• Traditional approaches and the risk-based auditing approach compared:
Risk-based auditing starts by reviewing the organizational objectives, then considers
the business risks that impact the achievement of those objectives, and examines the
methodologies in place to mitigate those risks. Risks can be avoided, shared, or
transferred rather than controlled. Risk-based auditing also explicitly accepts that
there will always be some risk that must be accepted, but the acceptable amount
must be kept within the limits established by the board and management.
Traditional auditing begins with a consideration of controls, focusing only on the
design and effectiveness of the controls in meeting traditional control objectives of
ensuring accurate financial information, compliance with laws and policies,
safeguarding of assets, and achievement of effectiveness, efficiency, and economy of
operations.
Outline the governance responsibilities of the board
of directors or equivalent body in the private sector.
Control and governance responsibilities for the board include the
following:
1. Approve and monitor mission, vision, and strategy.
2. Approve and monitor the organization’s ethical values.
3. Monitor management control.
4. Evaluate senior management.
5. Oversee external communications.
6. Assess the board’s own effectiveness.
Explain the role of the audit committee of
the board of directors.
The role of the board’s audit committee usually includes the following
responsibilities:
• oversight of published financial information including annual financial
reports, interim reports, public disclosure documents, and so on
• oversight of the internal audit function
• oversight of internal financial controls
• oversight of the corporate code of conduct
• liaison with the external auditors
Outline the IIA performance standards on governance,
and the role of internal audit in corporate governance.
Internal auditing is integral to the organization’s governance process.
According to the IIA standards, the role of internal auditing includes the
responsibility to evaluate and improve governance processes as part of
the assurance function. The internal audit activity must assess and make
appropriate recommendations for improving the governance process.
Effective governance relies on internal controls and communication to
the board on the effectiveness of those controls. Internal audit’s unique
position within the organization enables internal auditors to observe
and formally assess the governance structure, its design, and its
operational effectiveness while remaining independent.