How Do I ... Help Manage Organizational Risk?

The auditor’s role in risk management should involve three key activities: assessing the organization’s risk management process, using the risk assessment to develop an audit plan, and expressing an overall opinion regarding the quality of controls designed to mitigate risk. Each activity is integral to effective risk-based audit processes and represents an essential component to achieving overall audit success.

Internal auditors should begin their assessment work by determining whether a risk management process is in place. If one does not already exist, internal auditing should promote a formal process appropriate for the organization’s culture, size, complexity, management style, and business objectives. If a risk management process does exist, internal auditors should assess its adequacy and effectiveness by:

  • Determining whether risks arising from business strategies and activities are identified and prioritized.
  • Ascertaining whether management and the audit committee have determined the level of acceptable risk.
  • Ensuring there is a process by which controls are designed to reduce or manage risks to the levels deemed acceptable by management and the audit committee.
  • Periodically monitoring and reassessing the organization’s risk and the effectiveness of controls to manage it.
  • Ensuring that managers responsible for risk management periodically provide the audit committee with reports on the results of the risk management process.

Once the adequacy of the risk management process is confirmed, the chief audit executive should use the risk assessment as the primary source for identifying areas meriting inclusion in the annual audit plan. Internal auditors should also use the risk assessment as the starting point for identifying the business units responsible for managing the risks and for assessing whether any significant risks have been omitted.


Internal auditing should promote a process of risk oversight whereby the internal and external auditors coordinate to provide feedback to the audit committee on the quality of systems for risk management, as well as financial and operating control. Internal auditing must then communicate with the audit committee and assist it in ensuring that it is receiving a coherent opinion with no overlaps or omissions in assurance. Additionally, internal auditing should address the following constantly evolving points with the audit committee in the context of the internal audit work plan:

  • A definition of internal control.
  • The scope of internal control components.
  • The scope of the opinion to be provided.
  • Positive or negative phrasing of the opinion.

At the end of the day, the scope of audit work and the form of opinion acceptable to management and the audit committee is their choice. Internal auditing can be said to be doing its job if it provides information consistent with the previously agreed-upon conditions, whatever those may be.

Adapted from "Risk Responsibilities" by Peter Stokhof (Internal Auditor, "Back to Basics," August 2008).

Internal Auditor's role
With global economies merging and new risks raising their heads, this is an excellent article on how the auditor can safeguard the safety, soundness and profitability of an enterprise.
Posted By: Aziz Ur Rahman
2010-04-18 6:15 AM
Risk Management
This article gives to the Internal auditor a very good hindsight on the approach that he or she should adopt while reporting on risk issues.
Posted By: Youveraj Nathoo
2010-03-31 3:55 AM

Good Work!
Posted By: Moges Abreham
2009-11-10 9:07 AM
Risk based Internal Auditing (RBIA)
It is appreciated to make yourself available for supporting others. This is really positive thinking, sharing the knowledge with others. May I ask your assistance in regard to RISK? Currently the issue of RBIA is on my table. I want a clear process to achieve it and a risk matrix sample and how to level it high, medium and low. Thanks
Posted By: Yared Esayiyas
2009-09-10 8:16 AM
Risk Responsibilities
I have clearly understood the topic on risk responsibilities.
Posted By: Alex Msiska
2009-08-21 9:42 AM
How do I manage organizational risk?
It is a beautiful article on the subject, making the process easiest not only to understand but to practise as well. I pray God may bless the author with power to contribute more on the subject. The real empowerment lies in making people grasp the meaning of philosophy and enabling them to put it to practice in real life for collective benefit.
Posted By: Pervaiz Akhter Siddiqi
2009-08-15 7:07 AM