How Do I ... Help Manage Organizational Risk?
The auditor’s role in risk management should involve three key activities: assessing the organization’s risk management process, using the risk assessment to develop an audit plan, and expressing an overall opinion on the quality of the controls designed to mitigate risk. Each activity is integral to an effective risk-based audit process and essential to overall audit success.
ASSESS THE RISK MANAGEMENT PROCESS
Internal auditors should begin their assessment work by determining whether a risk management process is in place. If one does not already exist, internal auditing should promote a formal process appropriate for the organization’s culture, size, complexity, management style, and business objectives. If a risk management process does exist, internal auditors should assess its adequacy and effectiveness by:
Once the adequacy of the risk management process is confirmed, the chief audit executive should use the risk assessment as the primary source for identifying areas meriting inclusion in the annual audit plan. Internal auditors should also use the risk assessment as the starting point for identifying the business units responsible for managing the risks and for assessing whether any significant risks have been omitted.
Internal auditing should promote a process of risk oversight whereby the internal and external auditors coordinate to provide feedback to the audit committee on the quality of systems for risk management, as well as financial and operating control. Internal auditing must then communicate with the audit committee and assist it in ensuring that it is receiving a coherent opinion with no overlaps or omissions in assurance. Additionally, internal auditing should address the following constantly evolving points with the audit committee in the context of the internal audit work plan:
A VALUABLE ROLE
Ultimately, the scope of audit work and the form of opinion acceptable to management and the audit committee are their choice. Internal auditing can be said to be doing its job if it provides information consistent with the previously agreed-upon conditions, whatever those may be.
Adapted from "Risk Responsibilities" by Peter Stokhof (Internal Auditor, "Back to Basics," August 2008).