Enterprise Risk Management (ERM) - Underlying principles:
Every entity, whether for-profit or not, exists to realize value for its stakeholders.
Source: Institute of Internal Auditors
The ERM Framework
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
The eight components of the framework are interrelated …
Source: Institute of Internal Auditors
Internal auditors play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
They assist Management and the Board of Trustees in the process by:
Monitoring
Evaluating
Examining
Reporting
Recommending improvements
Source: Institute of Internal Auditors
What are the Roles for Internal Auditors?
[Graphic from Institute of Internal Auditors: three bands of activity, labelled Audit Core Activities, Shared Activities, and Management Core Activities]
Risk Assessment
Risk assessment is the identification and analysis of risks. It forms a basis for determining how risks should be managed.
What is the purpose of a Risk Assessment?
It allows SRH to understand the extent to which potential events might impact objectives.
Assess risks from two perspectives: Likelihood and Impact
Measure risks based on Management input
Prioritize audit resources to focus on those areas with the greatest risk exposure.
Impact vs. Probability
[Graphic from Institute of Internal Auditors: 2x2 matrix with IMPACT on the vertical axis (Low to High) and PROBABILITY on the horizontal axis (Low to High)]
High impact, high probability – High Risk – Mitigate & Control
High impact, low probability – Medium Risk – Share
Low impact, high probability – Medium Risk – Control
Low impact, low probability – Low Risk – Accept
Source: Institute of Internal Auditors
Organizational Risk Assessment Process
Identify risk factors and give them weights
Identify objectives/assets/auditable activities
Analyze risks and assign ratings to the risks
Review the results with Management and the Board of Trustees
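The four-step process above and the impact vs. probability matrix, worked through in code. This is an added example and is not part of the slides or of any Institute of Internal Auditors material; the risk factors, their weights, the 1..5 rating scale, the threshold of 3 for "High", and the sample auditable activities are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Step 1: risk factors and their weights (constructed example values; the weights sum to 1.0).
RISK_FACTORS = {
    "financial_exposure": 0.4,
    "control_weakness": 0.3,
    "time_since_last_audit": 0.3,
}

# Assumed rating scale for every factor score and for likelihood/impact (management input).
SCALE_MIN, SCALE_MAX = 1, 5
HIGH_THRESHOLD = 3  # assumption: a rating above 3 counts as "High" on the matrix axes


@dataclass(frozen=True)
class AuditableActivity:
    """Step 2: an objective, asset or auditable activity with management's ratings."""
    name: str
    likelihood: int          # probability axis of the matrix
    impact: int              # impact axis of the matrix
    factor_scores: dict      # risk factor -> score on the 1..5 scale


def _check_score(value, label):
    """Reject ratings outside the agreed scale so a typo cannot silently skew the plan."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")


def weighted_score(activity, weights=RISK_FACTORS):
    """Step 3 (rating): weighted sum of the factor scores; every weighted factor must be scored."""
    missing = set(weights) - set(activity.factor_scores)
    if missing:
        raise ValueError(f"{activity.name}: no score for risk factor(s) {sorted(missing)}")
    for factor in weights:
        _check_score(activity.factor_scores[factor], f"{activity.name}.{factor}")
    return round(sum(weights[f] * activity.factor_scores[f] for f in weights), 2)


def matrix_quadrant(likelihood, impact, threshold=HIGH_THRESHOLD):
    """Place a risk on the impact vs. probability matrix and return (rating, response)."""
    _check_score(likelihood, "likelihood")
    _check_score(impact, "impact")
    high_impact = impact > threshold
    high_likelihood = likelihood > threshold
    if high_impact and high_likelihood:
        return "High Risk", "Mitigate & Control"
    if high_impact:
        return "Medium Risk", "Share"
    if high_likelihood:
        return "Medium Risk", "Control"
    return "Low Risk", "Accept"


RISK_RANK = {"High Risk": 3, "Medium Risk": 2, "Low Risk": 1}


def prioritize(activities):
    """Step 4 input: rank activities for review, matrix rating first, weighted score second."""
    rows = []
    for activity in activities:
        rating, response = matrix_quadrant(activity.likelihood, activity.impact)
        rows.append({"name": activity.name, "rating": rating,
                     "response": response, "score": weighted_score(activity)})
    rows.sort(key=lambda r: r["name"])                       # stable tie-break on name
    rows.sort(key=lambda r: (RISK_RANK[r["rating"]], r["score"]), reverse=True)
    return rows


# Constructed sample activities (not real data from any organization).
SAMPLE_ACTIVITIES = [
    AuditableActivity("Payroll", likelihood=2, impact=5,
                      factor_scores={"financial_exposure": 5, "control_weakness": 3, "time_since_last_audit": 2}),
    AuditableActivity("Endowment investments", likelihood=4, impact=5,
                      factor_scores={"financial_exposure": 5, "control_weakness": 4, "time_since_last_audit": 4}),
    AuditableActivity("Parking permits", likelihood=4, impact=1,
                      factor_scores={"financial_exposure": 1, "control_weakness": 4, "time_since_last_audit": 5}),
    AuditableActivity("Library fines", likelihood=1, impact=1,
                      factor_scores={"financial_exposure": 1, "control_weakness": 2, "time_since_last_audit": 1}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ACTIVITIES):
        print(f"{row['name']:<22} {row['rating']:<12} {row['response']:<19} score={row['score']}")
```

The ranked table is what gets reviewed with Management and the Board of Trustees; the matrix decides the broad rating and response, and the weighted score orders activities within the same rating so the Annual Audit Plan can allocate hours where the exposure is greatest.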
“Most of the things worth doing have been declared impossible before they were done.”
-Louis Brandeis
Internal auditors can add value by:
Reviewing processes
Advising on internal controls and risk mitigation
Coordinating and analyzing annual risk assessments
Implementing a risk-based approach to the Annual Audit Plan taking into consideration the Annual Risk Assessment
Internal Audit Standards
2010.A1 – The Internal Audit Plan should be based on an Annual Risk Assessment
2120.A1 – Internal Audit should evaluate the adequacy and effectiveness of controls
2210.A1 – Audits should be:
Planned to identify and assess risks
Based on the results of the Annual Risk Assessment