Best Practices in Risk-Based Internal Auditing 1 of 6
by Sheryl Vacca
In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organization’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate risks for the organization. These discussions should also include leadership from the legal, compliance, and risk management functions, if they are not already a part of the senior leadership team.
This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements, and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behavior. Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an ongoing performance management process to address any noncompliance.
Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organization from achieving its objectives.[1] According to the COSO model, risk is viewed in four major areas:
There are several ways in which risk assessments in these areas can be conducted. These include the use of:
Once risks have been identified, a prioritization process is needed to identify the likelihood of the risk occurring, the ability of management to mitigate risk (i.e., are there controls in place for the risk, regardless of the likelihood of its occurring?), and the impact of the risk on the organization. Risk prioritization is an ongoing process and should include periodic reviews during the year to ensure that previous prioritization methods, when applied in real time, are still applicable to the risk.
It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities. Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.
The International Standards for the Professional Practice of Internal Auditing (IIA), Standard 2120, says: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management processes.”[2]
This is done through the development and execution of the risk-based auditing and monitoring plan.
Risk assessments and prioritization are important elements in the development of your risk-based auditing and monitoring plan. Considerations related to the plan should also include:
IIA Standard 2120.A1 identifies the focus of the risk assessment process: “The internal audit activity must evaluate risk exposures related to the organization’s governance, operations, and information systems regarding the:
The process of risk assessment continues through the execution of the plan where the engagement objectives would reflect the results of the risk assessment. Risk-based auditing and monitoring is ongoing and dynamic with the needs of the organization.
Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as you execute the plan. The framework for your activities should include the following actions:
Figure 1. Benefits of an effectively executed risk-based auditing and monitoring plan
In summary, effectiveness in the development and execution of the risk-based audit and monitoring plan will be determined by the integrity and characteristics of the overall audit and monitoring process. Effective audit and monitoring activities will assist in the identification of weaknesses in controls, management’s action to correct those weaknesses, and follow-up to ensure that timely mechanisms have been put in place to strengthen controls for mitigating the business risks. Additionally, risks will be detected, deterred and/or prevented with effective auditing and monitoring activities.
Scenario: An organization with multiple businesses in several geographic locations is conducting an enterprise-wide risk assessment. It is noted during the risk assessment that, due to recent financial losses, the organization is going through a consolidation of business units and reduction in force. This has been identified as a high-risk priority area for the auditing and monitoring plan for the next fiscal year.
In planning the audit on the risk area of business consolidation, the following considerations should be included:
The overall purpose of this type of risk-based auditing is to work with management in “real time,” to add value to the organization in regard to its strategic and best business interest, and to provide input on processes before they become “fixed.” After management believes it has the “fixes” in place, the second part of the audit will help to provide assurance that the risks identified are no longer risks and that no new gaps or lack of controls have developed around the process of business consolidation and reduction in workforce.
The development of an effective risk-based auditing and monitoring program includes several key elements:
[1] The Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management Framework: Draft (2003). Published in 2004 as Enterprise Risk Management—Integrated Framework and available from www.coso.org
[2] Institute of Internal Auditors. Professional Practice Standards 2120: Risk Management, and Section A1. January 2009.