As noted in the March 2012 IIA Practice Guide – Coordinating Risk Management and Assurance, management and the board are responsible for establishing an effective enterprise-wide risk management system. This includes assurance that risk management is integrated into the organization.
IIA’s Practice Advisory 2120-1 requires the internal audit activity to evaluate the effectiveness of the risk management process.
Internal audit’s evaluation should include consideration of the following:
- Assurance that all applicable departments were included in the accumulation of the risk assessment
- The comprehensiveness of the risk listing
- Assurance that the company’s risks are within the limits of its risk appetite
- The assessment of the timeliness of reporting on risk management results
- The appropriateness of reporting lines for risk monitoring activities
- Review of the completeness of management’s risk analysis and actions taken to remedy issues raised in the risk management process
In order to perform the assessment, internal audit must also be familiar with:
- current developments within the company’s industry, including regulatory requirements, economic risks, competition, etc.
- the company’s policies and the organization’s strategies
- the company’s risk appetite
Managing risk has become increasingly important in recent years. Ensure that your company not only has established a risk assessment process, but that internal audit assesses that process, just as it assesses any other organizational control.
© 2012 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.