What enterprise risk management roles should the internal auditor undertake and not undertake?

By The Institute of Internal Auditors UK and Ireland & The Institute of Internal Auditors, USA.

In conjunction with the newly released Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework, The Institute of Internal Auditors (IIA), in coordination with its IIA-UK and Ireland affiliate, has issued a position paper on The Role of Internal Audit in Enterprise-wide Risk Management. The paper's purpose is to assist chief audit executives (CAEs) in responding to enterprise risk management (ERM) issues in their organizations. The paper suggests ways for internal auditors to maintain the objectivity and independence required by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) when providing assurance and consulting services.

Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities, to help ensure that key business risks are being managed appropriately and that the system of internal control is operating effectively.

Recommended Roles

The main factors CAEs should take into account when determining internal auditing's role are whether the activity raises any threats to the internal auditors' independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes. The IIA's position paper indicates which roles internal auditing should and should not play throughout the ERM process.

Core internal auditing roles in regard to ERM.

* Giving assurance on risk management processes.

* Giving assurance that risks are correctly evaluated.

* Evaluating risk management processes.

* Evaluating the reporting of key risks.

* Reviewing the management of risks.

Legitimate internal auditing roles with safeguards.

* Facilitating identification and evaluation of risks.

* Coaching management in responding to risks.

* Coordinating ERM activities.

* Consolidating the reporting on risks.

* Maintaining and developing the ERM framework.

* Championing establishment of ERM.

* Developing risk management strategy for board approval.

Roles internal auditing should not undertake.

* Setting the risk appetite.

* Imposing risk management processes.

* Management assurance on risks.

* Taking decisions on risk responses.

* Implementing risk responses on management's behalf.

* Accountability for risk management.

The Institute emphasizes that organizations should fully understand that management remains responsible for risk management. Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions. The nature of internal auditing's responsibilities should be documented in the audit charter and approved by the audit committee. The full position statement, The Role of Internal Audit in Enterprise-wide Risk Management, is reproduced below.

Established in 1941, The IIA serves approximately 95,000 members in internal auditing, governance, internal control, IT audit, education and security worldwide. The Institute is the recognized authority, principal educator, and acknowledged leader in certification, research, and technological guidance for the profession worldwide.

Position Statement

The Institute of Internal Auditors

The Role of Internal Audit in Enterprise-wide Risk Management

Introduction

Over the last few years, the importance of managing risk to strong corporate governance has been increasingly acknowledged. Organisations are under pressure to identify all the business risks they face, social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organisations recognise their advantages over less coordinated approaches to risk management.

Internal audit, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways. In 2002 The Institute of Internal Auditors - UK and Ireland issued a position statement on The Role of Internal Audit in Risk Management to provide guidance to members on the roles that were permissible and the safeguards needed to protect internal audit's independence and objectivity. This new position statement supersedes the earlier one and takes account of recent developments from around the world in the field of risk management and internal audit.

What is Enterprise-wide Risk Management?

People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organisation as a whole. The principles presented in this position statement can be used to guide the involvement of internal audit in all forms of risk management, but we are particularly interested in enterprise-wide risk management because this is likely to improve an organisation's governance processes.

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM

The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge. Everyone in the organisation plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.

Benefits of ERM

ERM can make a major contribution towards helping an organisation manage the risks to achieving its objectives. The benefits include:

* Greater likelihood of achieving those objectives;

* Consolidated reporting of disparate risks at board level;

* Improved understanding of the key risks and their wider implications;

* Identification and sharing of cross business risks;

* Greater management focus on the issues that really matter;

* Fewer surprises or crises;

* More focus internally on doing the right things in the right way;

* Increased likelihood of change initiatives being achieved;

* Capability to take on greater risk for greater reward; and

* More informed risk-taking and decision-making.

The activities included in ERM

* Articulating and communicating the objectives of the organisation;

* Determining the risk appetite of the organisation;

* Establishing an appropriate internal environment, including a risk management framework;

* Identifying potential threats to the achievement of the objectives;

* Assessing the risk, i.e. the impact and the likelihood of the threat occurring;

* Selecting and implementing responses to the risk;

* Undertaking control and other response activities;

* Communicating information on the risk in a consistent manner at all levels in the organisation;

* Centrally monitoring and coordinating the risk management processes and the outcome; and

* Providing assurance on the effectiveness with which risks are managed.

Position statement:

The Role of Internal Audit in Enterprise-wide Risk Management

Providing assurance on ERM

One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level.

It is likely that the assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which internal audit is a key source. Other sources include external audit and independent specialist reviews. Internal audit will normally provide assurance on three areas:

* Risk management processes, both their design and how well they are working;

* Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them; and

* Reliable and appropriate assessment of risks and reporting of risk and control status.

The role of internal audit in ERM

Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.

Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal audit provides value to the organisation are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively.

The three lists below present a range of ERM activities and indicate which roles an effective professional internal audit function should and, equally importantly, should not undertake.

The key factors to take into account when determining internal audit's role are whether the activity raises any threats to the internal audit function's independence and objectivity and whether it is likely to improve the organisation's risk management, control and governance processes.

1- Core internal audit roles in regard to ERM:

* Reviewing the management of key risks.

* Evaluating the reporting of key risks.

* Evaluating risk management processes.

* Giving assurance that risks are correctly evaluated.

* Giving assurance on the risk management processes.

2- Legitimate internal audit roles with safeguards:

* Developing RM strategy for board approval.

* Championing establishment of ERM.

* Maintaining & developing the ERM framework.

* Consolidated reporting on risks.

* Co-ordinating ERM activities.

* Coaching management in responding to risks.

* Facilitating identification & evaluation of risks.

3- Roles internal audit should not undertake:

* Setting the risk appetite.

* Imposing risk management processes.

* Management assurance on risks.

* Taking decisions on risk responses.

* Implementing risk responses on management's behalf.

* Accountability for risk management.

The activities in list (1), core internal audit roles in regard to ERM, are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit function complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.

Internal audit may provide consulting services that improve an organisation's governance, risk management, and control processes. The extent of internal audit's consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity of the organisation, and it is likely to vary over time. Internal audit's expertise in considering risks, in understanding the connection between risks and governance and in facilitation means that it is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organisation's risk maturity increases and risk management becomes more embedded in the operations of the business, internal audit's role in championing ERM may reduce. Similarly, if an organisation employs the services of a risk management specialist or function, internal audit is more likely to give value by concentrating on its assurance role than by undertaking the consulting activities. However, if internal audit has not yet adopted the risk-based approach represented by the assurance activities in list (1), it is unlikely to be equipped to undertake the consulting activities in list (2).

List (2), legitimate internal audit roles with safeguards, shows the consulting roles that internal audit may undertake in relation to ERM. In general, the closer internal audit ventures towards the activities in list (3), the roles internal audit should not undertake, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained.

Some of the consulting roles that internal audit may undertake are:

* Making available to management tools and techniques used by internal audit to analyse risks and controls;

* Being a champion for introducing ERM into the organisation, leveraging its expertise in risk management and control and its overall knowledge of the organisation;

* Providing advice, facilitating workshops, coaching the organisation on risk and control and promoting the development of a common language, framework and understanding;

* Acting as a central point for coordinating, monitoring and reporting on risk; and

* Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal audit can provide consulting services so long as it has no role in actually managing risks - that is management's responsibility - and so long as senior management actively endorses and supports ERM. We recommend that, whenever internal audit acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of the management team.

Safeguards

Internal audit may extend its involvement in ERM, as described under list (2), provided certain conditions apply. The conditions are:

* It should be clear that management remains responsible for risk management.

* The nature of internal audit's responsibilities should be documented in the audit charter and approved by the audit committee.

* Internal audit should not manage any of the risks on behalf of management.

* Internal audit should give advice, and challenge and support management's decision making, as opposed to taking risk management decisions itself.

* Internal audit also cannot give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.

* Any work beyond the assurance activities should be recognised as a consulting engagement and the implementation standards related to such engagements should be followed.

Skills and body of knowledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements, have project management, analytical and facilitation skills, and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviours. However, risk managers serve only the management of the organisation and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers' specialist areas of knowledge (such as risk transfer and risk quantification and modelling techniques), which are outside the body of knowledge of most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit function and cannot be obtained from elsewhere.

CONCLUSION

Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal audit's core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal audit extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal audit will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal audit.