#5 - Chapter 4

4th Edition

Internal Auditing: Assurance & Advisory Services

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
CHAPTER 4

Risk Management

LEARNING OBJECTIVES
◼ Define risk and enterprise risk management.
◼ Discuss the different dimensions of the
Committee of Sponsoring Organizations of the
Treadway Commission’s exposure draft titled
Enterprise Risk Management – Aligning Risk
with Strategy and Performance.
◼ Discuss the different dimensions of ISO
31000:2009(E): Risk management – Principles
and guidelines.
◼ Articulate the relationship between governance
and enterprise risk management.
◼ Describe the different roles the internal audit
function can play in enterprise risk management.
◼ Evaluate the impact of enterprise risk
management on internal audit activities.

STANDARDS RELEVANT TO RISK MANAGEMENT

RISK DEFINITION

COSO Definition – “The possibility that events will occur and affect the achievement of a strategy and objectives.”
◼ Begins with strategy formulation and setting business objectives
◼ Involves uncertainty
◼ Does not represent a single point estimate; it is a range of possible outcomes
◼ May relate to preventing bad things from happening or failing to ensure good things happen
◼ Risks are inherent in all aspects of life

ENTERPRISE RISK MANAGEMENT

COSO Definition – “The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”
◼ Recognizes both culture and capabilities
◼ Must be applied in practice
◼ Integrated with strategy-setting and its execution
◼ Manages risk to strategy and business objectives
◼ Linked to creating, preserving, and realizing value

OTHER KEY COSO DEFINITIONS

◼ Mission – “The entity’s core purpose, which establishes what it wants to accomplish and why it exists.”
◼ Vision – “The entity’s aspirations for its future state or what the organization aims to achieve over time.”
◼ Core Values – “The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.”
◼ Strategy – “The organization’s plan to achieve its mission and vision and apply its core values.”
◼ Business Objectives – “Those measurable steps the organization takes to achieve its strategy.”
COSO ERM COMPONENTS

◼ Risk Governance and Culture – Risk governance and culture together form a basis for all other components of ERM.
◼ Risk, Strategy, and Objective Setting – ERM is integrated into the entity’s strategic plan through the process of setting strategy and business objectives.
◼ Risk in Execution – An organization identifies and assesses risks that may affect an entity’s ability to achieve its strategy and business objectives.
◼ Risk Information, Communication, and Reporting – Communication is the continual, iterative process of obtaining information and sharing it throughout the entity.
◼ Monitoring Enterprise Risk Management Performance – By monitoring ERM performance, an organization can consider how well its components are operating over time.

RISK GOVERNANCE AND CULTURE PRINCIPLES

1. Exercises board risk oversight
2. Establishes governance and operating model
3. Defines desired organizational behaviors
4. Demonstrates commitment to integrity and ethics
5. Enforces accountability
6. Attracts, develops, and retains capable individuals

RISK, STRATEGY, AND OBJECTIVE-SETTING PRINCIPLES

7. Considers risk and business context
8. Defines risk appetite
9. Evaluates alternative strategies
10. Considers risk while establishing business objectives
11. Defines acceptable variation in performance


RISK IN EXECUTION PRINCIPLES

12. Identifies risk in execution
13. Assesses the severity of risk
14. Prioritizes risks
15. Identifies and selects risk responses
16. Develops portfolio view
17. Assesses risk in execution

RISK INFORMATION, COMMUNICATION, AND REPORTING PRINCIPLES

18. Uses relevant information
19. Leverages information systems
20. Communicates risk information
21. Reports on risk, culture, and performance

MONITORING ERM PERFORMANCE PRINCIPLES

22. Monitors substantial change
23. Monitors ERM


ISO 31000 PRINCIPLES

1. Creates and protects value
2. Is an integral part of all organizational processes
3. Is part of decision-making
4. Explicitly addresses uncertainty
5. Is systematic, structured, and timely
6. Is based on the best available information
7. Is tailored
8. Takes human and cultural factors into account
9. Is transparent and inclusive
10. Is dynamic, iterative, and responsive to change
11. Facilitates continual improvement of the organization

ISO 31000 FRAMEWORK

◼ Mandate and commitment
◼ Design of framework for managing risk
◼ Implementing the risk management framework and process
◼ Monitoring the framework
◼ Continually improving the framework


ISO 31000 PROCESS

◼ Establish the context
◼ Assess the risks
◼ Treat the risks
◼ Monitor and review the risks
◼ Establish a communication and consultation process


TOP-DOWN VIEW OF RISK

Enterprise risk management reduces inherent risk (gross risk) to a more acceptable residual risk (net risk) level.

◼ Inherent Risk – The combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk that exists, assuming there are no internal controls in place.
◼ Residual Risk – The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk).

ERM’S IMPACT ON ASSURANCE

◼ Risks at the process level must relate to strategy and business objectives
◼ Changes in processes or the environment may affect the level of risk
◼ Financial impact and other factors may also impact the level of risk


SUMMARY

◼ Enterprise risk management must be integrated with strategy and performance
◼ Both COSO and ISO have frameworks and processes to help promote that integration
◼ Internal auditors can serve in many roles related to ERM, some of which are assurance in nature and some advisory
• Certain roles may require safeguards be put in place
◼ An organization’s strategy and business objectives create inherent risks, which impact the internal audit function’s charter and annual audit plan
