
AUDITING THE RISK MANAGEMENT PROCESS


Academic year: 2023


Full text

Limitation of Liability/Disclaimer of Warranty: Although the publisher and author have used their best efforts to prepare this book, they make no representations or warranties as to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranty of merchantability or fitness for a specific purpose. The Institute of Internal Auditors (IIA) is the primary international professional association, organized worldwide, dedicated to promoting and developing the practice of internal auditing.

CONTENTS

Determining Risk Management Maturity 33
Introduction 33

Audit Approach Model: Phase One 144
Audit Approach Model: Phase Two 150
Audit Approach Model: Phase Three 153
Audit Approach Model: Phase Four 162
Audit Approach Model: Final 165
Summary 172

Bad Practice Model: Phase Three 189
Bad Practice Model: Phase Four 193
Poor Practice Model: Finale 196
Summary 200

PREFACE

The FrameWork (FW) books set out various models, supported by reference materials, that can be used to ensure that best practice indicators can be assessed for their impact on actual practice. HowTo (HT) books use similar patterns, but focus more on checklists and worked examples that can be used to implement aspects of the respective underlying frameworks.

LIST OF ABBREVIATIONS

WHY RISK MANAGEMENT?

The other aspect of the model relates to top management (ie, the people who sit in the firing line to get the job done). Corporate strategy will result in various objectives that will need to be delivered to ensure that the organization is successful (ie, the overall mission is achieved).

Figure 1.1 Risk Management Framework Model: Phase One

DETERMINING RISK MANAGEMENT MATURITY

The internal auditor should seek guidance from management and the board of directors on the role of the audit activity in the risk management process. As the organization's risk maturity increases and risk management becomes more embedded in the business, the role of internal audit in defending ERM may diminish. Management and board are responsible for the risk management and control processes of their organization.

Many organizations understand that auditors need to put some space between themselves and the coordination of the risk management process. Risk assessment processes in the internal audit planning process are not sufficient for an adequate organizational risk management process.[35] Ultimately, it is the role of executive management and the audit committee to determine the role of internal audit in risk management.

Management and the board are responsible for the risk management and control processes of their organisation. The board and management receive periodic reports on the results of the risk management processes. Australian/New Zealand Standard: A Guide to Using AS/NZS 4360 Risk Management in the Internal Audit Process – HB 158 2002, p.

Figure 2.1 Risk Management Maturity Model: Phase One

ENTERPRISE-WIDE RISK MANAGEMENT

This is what some call silo activities, where each part of the organization works independently of other parts, as seen in the following example. These formats have evolved from a fragmented view of risk management, with pockets of the organization working to different and incompatible standards.

ENTERPRISE RISK MANAGEMENT MODEL: PHASE TWO

We have so far developed a model that illustrates the old view of disparate risk management, which needs to be pulled together to make sense to the people at the top of the organization.

The most important instrument for bringing together thinking and decision-making about risk and control is risk policy. Another part of the ERM platform relates to how this process fits into the business, as shown in the following example. The next feature of the model relates to the need to integrate ERM with the rest of the business.

We have said that ERM is about getting the risk concept into and inside the business systems. Align risk activities through a well-considered risk policy driven by the need to bring risk management into all parts of the organization. Ensure that risk is captured throughout the enterprise and that it is aligned with the communication systems that move up, down and across all parts of the organization.

Figure 3.1 ERM Model: Phase One

RISK APPETITE

We use this chapter to draw a model that captures some of the most important considerations around risk appetite. A process to identify, assess, manage and control potential events or situations to provide reasonable assurance as to the achievement of the organization's objectives.[14] We have established a framework for assessing risk appetite and argued that the defined tolerance depends on the importance of the relevant objectives.

High tolerance: Business opportunities. The level of risk that can be tolerated may be quite high in areas where you would like to encourage creativity and some experimentation, even with a lot of uncertainty, as long as this does not transfer risk to any of the other three groups. Low tolerance: Executive control. The lowest level of risk tolerance refers to business areas where top management is involved in the control of control. Conversely, an organization will want a whole set of triggers where there is little appetite for problems to erupt in a more important part of the business.

This should be identified in order to reduce the potential impact of the main threats to the achievement of the main objectives of the area under study.[27] Use this model to define the factors that can be used to benchmark the level of risk considered acceptable to the business. For each of the factors from the model, define what can be seen as a low, medium or high level of risk tolerance in relation to what can be tolerated and what needs to be controlled much more tightly.

Figure 4.1 Risk Appetite Model: Phase One

CONTROL RISK SELF-ASSESSMENT

However, if the board is concerned about security issues, this topic can be used again to guide the CRSA program. The next part of the model relates to the role of the audit/risk committee. Staff awareness of the importance of the CRSA process is illustrated in the following example.

Some organizations rely on the expertise and presence of the facilitator to drive the way CRSA is run and used. We need to enrich our model of CRSA by adding more considerations (ie the control culture and the way CRSA can be applied across the organization). The attitude and actions of the board and management regarding the importance of control in the organization.

The image on the right of the model is about effective facilitation, which is important in the CRSA process. The final part of this phase of the model is the task of reporting upward on the control state. An important contextual issue for the internal auditor is the risk tolerance for the organization as a whole.

Figure 5.1 ERM/CRSA Comparison

DEVELOPING AN AUDIT APPROACH

Internal auditors must conduct a preliminary assessment of the risks associated with the activity under review. Continuous review of the risk management framework to report on the extent to which it is reliable. One of the tasks of a board is to establish and maintain the organization's risk management and control processes.

Ensure that the charter, role and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board. By incorporating components of the organization's strategic plan, the audit universe will consider and reflect the overall business objectives. The audit universe will normally be influenced by the results of the risk management process.

The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.[32] A crucial aspect of auditing the risk management process is the role of the risk register. Condition: the factual evidence found by the internal auditor during the investigation (what is found).

Figure 6.1 Audit Approach Model: Phase One

THE ILLUSION OF PERFECTION

Each review of ERM will address the various initiatives and will consider some of the well-written documentation and reporting software installed. Some signs of the illusion of perfection are included in this chapter as a warning of what the auditor should look for when assessing the risk that risk management is not really working. Anyone, as long as it's done." That's why the risk industry is stepping in, and in the worst case, the risk police are checking every part of the organization to make sure people are eating, drinking and talking risk.

In general, management is responsible for the sustainability of the entire organization and accountability for the organization's actions, behavior and performance to owners, other stakeholders, regulators and the general public. Identifying risk exposures and using effective strategies to control them' is part of the illusion of perfection, in that an organization should seek to achieve its stated objectives, but the risk management process is. When managers are asked to focus on the risk management process, they can lose sight of the real business at hand.

The new social dimension pays attention to the needs of stakeholders and the demands of the blinding spotlight often created by business media that want to see quick returns with no room for failure. By investing in Disney, shareholders trust the board of directors to help shape the overall course of the company's operations and hold management accountable for its performance. Regulators, lawyers, and the media want to see organizations that are well-run, ethical, fully compliant, and growing at a respectable rate for the benefit of the economy and, by extension, society, and they want every organization to publish strong messages on how this is achieved.

Figure 7.1 Poor Practice Model: Phase One

Figures

Figure P.1 The Auditing New Horizon Book Series
Figure 1.1 Risk Management Framework Model: Phase One
Figure 1.2 Risk Management Framework Model: Phase Two
Figure 1.3 Risk Management Framework Model: Phase Three