7/27/2019 MU1 Online Article 3.2-1 Assessing_Risk
1/17
IPPF Practice Guide
Assessing the Adequacy of Risk Management Using ISO 31000
December 2010
www.theiia.org/guidance
Table of Contents
Executive Summary ... 1
Introduction ... 1
Risk Management in Organizations ... 2
Internal Auditing and Risk Management ... 5
Internal Audit Review of Risk Management ... 6
Obtaining Audit Evidence ... 8
Assurance of Risk Management Process ... 9
Assessing Quality of Risk Management Documentation ... 13
Authors ... 14
Reviewers & Contributors ... 14
Executive Summary

Many organizations are moving to adopt consistent and holistic approaches to risk management and recognize that risk management is a management process that should be fully integrated with the management of the organization. It applies at all levels of the organization: enterprise level, function level, and business-unit level.

The risk management framework must be designed to suit the organization: its internal and external environment. For risk management to be effective, the framework in any organization, regardless of size or purpose, should contain certain essential elements. This guide details three approaches to assurance of the risk management process: a Process Elements approach; an approach based on Principles of Risk Management; and a Maturity Model approach. The assurance process that is used should be tailored to the organization's needs.

Internal auditors should have a means of measuring the effectiveness of risk management in an organization. This can be achieved by the examination of criteria that reflect aspects of the risk management process. The criteria used must be relevant, reliable, understandable, and complete. The aggregate of the observations should allow the auditor to form a conclusion on the organization's level of risk management maturity.

The quality of an organization's risk management process should improve with time. Implementing effective risk management (true ERM) often takes several years. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management.

This practice guide uses ISO 31000 as a basis for the risk management framework. Other frameworks may be used to perform the risk assessment. This guidance does not imply implicit or explicit endorsement of this or any other framework.
Introduction

Over the last few years, the importance of managing risk as part of strong corporate governance has been increasingly acknowledged. Organizations are under pressure to identify the significant business risks they face (social, ethical, and environmental as well as strategic, financial, and operational) and to explain how they manage them. The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management.

Risk management is defined in the Glossary of the International Standards for the Professional Practice of Internal Auditing (Standards) as "a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives."[1] A comprehensive risk management framework provides an end-to-end link between objectives, strategy, execution of strategy, risks, controls, and assurance across all levels in the organization.

Enterprise risk management (ERM), or more properly enterprise-wide risk management, is a term in common use. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines it as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

ISO 31000 (Section 4.1) states that the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.[2] A risk management framework refers to the components and organization of risk management within an entity.

[1] This is consistent with the International Organization for Standardization's (ISO's) definition of risk management, which is "coordinated activities to direct and control an organization with regard to risk." (ISO Guide 73:2009, Definition 2.1)
Standard 2120 states "the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes." It continues with the following interpretation.

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

The starting point for improving an organization's approach to risk management should be a gap analysis that takes stock and evaluates what processes and systems are present now. If any of the essential parts are missing, it is highly unlikely that risk management will become effective. Internal auditors have an important role to play in assessing and improving risk management in their organizations, and assessing the organization's risk management activities is a critical component in that effort.

This practice guide uses the structure and some of the terminology of ISO 31000. While ISO 31000 is not designed as a basis for certification, its concepts and structures form a basis for assessing any risk management process. The ISO 31000 framework is not the only risk management framework in common use, and this guidance does not imply any endorsement of this particular framework.
Risk Management in Organizations

Governance

The ISO 31000 Risk Management Standard provides guidance for the framework of risk management applicable for organizations of any size. ISO 31000 defines a risk management framework as a "set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization."[3] The risk management framework, regardless of the level of formality, is inherently embedded in an organization's overall strategic and operational policies and practices. Organizational arrangements include plans, relationships, accountabilities, resources, processes, and activities. The diagram on page 3 (Figure 1) shows a conceptual model that can be used for analysis of these arrangements.

The internal auditor should assess whether the framework takes into consideration and defines risk management responsibilities and the risk management strategy, and whether the elements of the framework allow for the building of a risk-smart workforce and environment while still allowing for responsible risk-taking and innovation.

[2] ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org
[3] Ibid.
Figure 1: Framework for Managing Risk (ISO 31000). The diagram shows a cycle of five components: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; and Continual improvement of the framework.

Responsibilities for Risk Management

The International Organization for Standardization (ISO) defines risk attitude as an "organization's approach to assess and eventually pursue, retain, take or turn away from risk."[4] Management is responsible for setting the organizational attitude regarding risk and the board is responsible for determining whether the risk attitude is aligned with the best interests of shareholders.

Boards provide governance oversight of ERM and should understand key elements of ERM, ask management about risks, and concur on certain management decisions. Stakeholders should be given sufficient information to understand the risk attitude of management and the board, in order to invest in accordance with their tolerances for potential variation in performance. Organizations communicate levels of risk through quarterly and annual reports, press releases, investor calls, etc.

The board has overall responsibility for ensuring that risks are managed and that there is an adequate risk management system in place. In practice, the board will delegate the operation of the risk management framework to the management team. There may be a separate function with specialized skills and knowledge that coordinates and project-manages these activities, but everyone in the organization plays a role in ensuring successful enterprise-wide risk management, and the primary responsibility for identifying and managing risks lies with management.

Monitoring and Assurance

The application of ERM changes over time. The risk attitude can change due to internal or external factors; once-effective risk responses may become irrelevant, and control activities may become less effective or no longer be performed. Changes can be brought about by the arrival of new personnel, changes in entity structure, or introduction of new processes. Furthermore, entity objectives, as well as the nature of potential events or conditions that may affect the achievement of those objectives, will change. Accordingly, management needs to determine whether the ERM components continue to be relevant and able to address new risks.

[4] ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO); see note 2 for the full permission notice.
A critical element of a sound risk management system is monitoring to ensure it is performing as intended. Monitoring can be done in two ways: through ongoing activities or separate evaluations. This combination of ongoing monitoring and separate evaluations will ensure that ERM maintains its effectiveness over time.

ERM processes incorporate periodic evaluation of risks and risk ratings. The greater the degree and effectiveness of ongoing monitoring, the less the need there may be for separate evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of ERM is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes, the competence and experience of the people implementing risk responses and related controls, the nature and significance to the business of the risks that are being managed, and the results of the ongoing monitoring.

Ongoing monitoring is built into the normal, recurring operating activities of an entity. It can be more effective than separate evaluations, because it is performed on a real-time basis, reacting dynamically to changing conditions, and is ingrained in the entity. Problems will often be identified most quickly by ongoing monitoring processes since separate evaluations take place after the fact. Some entities with sound ongoing monitoring activities will nonetheless conduct a separate evaluation of ERM, or portions thereof. The perceived level of objectivity is greater for separate evaluations than for self-monitoring.

An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize building in rather than adding on monitoring activities.

The need for assurance arises from the governance processes of an organization. Its origin is in the stewardship relationship between the board of an organization and its stakeholders. This stewardship relationship positions boards to establish processes to both delegate and limit power to pursue the organization's strategy and direction in a way that enhances the prospects for the organization's long-term success. Assurance processes allow the board to monitor the exercise of that power.

The internal audit activity will normally provide assurance over the entire risk management process, including risk management activities (both their design and operating effectiveness), management of those risks classified as key (including the effectiveness of the controls and other responses to them), verification of the rigor and reliability of risk assessments, and reporting of the risk and control status.

With responsibility for monitoring and assurance activities traditionally being shared among various parties, including line management, internal auditing, risk management specialists, and the compliance function, it is important that assurance activities be coordinated to ensure resources are used in the most efficient and effective way. It is common for organizations to have a number of separate groups performing different risk management, advisory, compliance, and assurance functions independently of one another. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged.

The chief audit executive (CAE) is directed by Standard 2050 to coordinate activity with other assurance providers. The use of an assurance map can help achieve this, offering an effective tool to manage and communicate this coordination. Practice Advisory 2050-2 provides more information regarding Assurance Maps.
Internal Auditing and Risk Management

Standard 2100 states that "the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach." The internal audit activity often has a role providing independent and objective assurance to the organization's board regarding the effectiveness of an organization's ERM activities. This helps ensure key business risks are being managed appropriately and the organization's system of internal controls is operating effectively and efficiently.

Risk management is a management process that promotes the cost-effective achievement of organizational objectives; assurance provides reliable information about the achievements of risk management activity. Assurance and risk management are complementary processes.

In support of the risk management process, internal auditing and other independent assurance providers would assess whether:

- The risk management process has been applied appropriately and all elements of the process are suitable and sufficient.
- The risk management process is in keeping with the strategic needs and intent of the organization.
- All significant risks have been identified and are being treated.
- Controls are being correctly designed in keeping with the objectives of the risk management process.
- Critical controls are adequate and effective.
- Review by line management and other nonaudit assurance activities are effective at maintaining and improving controls.
- Risk treatment plans are being executed.
- There is appropriate and as-reported progress in the risk management plan.

In support of the assurance process, the risk management process will:

- Establish an organization-specific, documented risk management framework.
- Provide a structured analysis of the risks of the organization recording:
  - The organizational objective(s) and their associated risks.
  - Potential exposures and assessments of current risk.
  - The organizational position responsible for managing each risk.
  - The key control systems established to manage each risk.

It is not uncommon for the internal audit activity of an organization to work in close cooperation with the risk management function. Some organizations do not have a formal risk management function and, in this case, internal auditing often provides more extensive risk management consulting services to the organization. Internal auditing may provide risk management consulting, provided certain conditions apply:

- It should be clear that management remains responsible for risk management. Whenever internal auditing consults with the management team to set up or improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of management.
- Internal auditing cannot give objective assurance on any part of the risk management framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
- The nature of such services provided to the organization should be documented in the internal audit charter and be consistent with other internal audit responsibilities.
- Any consulting advice or challenge to (or support of) management's decision-making does not involve internal auditing making risk management decisions themselves.

The IIA Position Paper "The Role of Internal Auditing in Enterprise-wide Risk Management" includes the following diagram that illustrates a range of ERM activities and indicates which roles an effective professional internal audit function should and should not undertake.

Figure 2: Internal Audit Role in ERM. The diagram is a fan of ERM activities in three bands:

Core internal audit roles in regard to ERM:
- Giving assurance on the risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks

Legitimate internal audit roles with safeguards:
- Facilitating identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining and developing the ERM framework
- Championing establishment of ERM
- Developing ERM strategy for board approval

Roles internal audit should not undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

Internal Audit Review of Risk Management

For higher risk areas where management has acknowledged the need to improve controls, there may be an opportunity for internal auditing to add value to the organization through consulting activities. The middle third of audit activities in Figure 2 above represent advisory and consulting activities, delivered at the entity or business unit/departmental level, in a manner that should maintain internal auditing's independence and objectivity.

Although such advisory and consulting activities can be a valuable part of an audit plan, the scope of this Practice Guide focuses on the assurance activities described on the left side of the fan. Such activities can be categorized in three primary types:

- Assurance on the risk management process itself.
- Assurance on significant risks and management assertions.
- Follow-up of risk treatment plan status.

Assurance on the Risk Management Process

Assurance on the risk management process itself can be performed to provide reasonable assurance to senior management and the board that an organization's risk management program is effectively designed, documented, and operating to achieve its objectives. Potential questions that such assurance should be designed to answer could include:

- Does the risk management program have adequate commitment from organization management, including adequate stature and resources in relation to risks, and is it an appropriate part of organizational processes and decision-making?
- Are the risk management framework design and risk evaluation criteria appropriate for the internal and external context (environment) of the organization?
- Is there adequate definition and communication of requirements, risk evaluation criteria, and accountability for the development, implementation, and maintenance of the risk management framework and specific risk area evaluations?
- Is the risk attitude established at the proper level in the governance structure of the organization?
- Are internal communication and reporting mechanisms adequate to ensure that key outcomes of the risk management activities are communicated appropriately within the organization (balancing transparency with sensitivity)?
- Do reports to stakeholders adequately reflect the organization's attitude to and treatment of risks?
- Are external communication and reporting mechanisms adequate to comply with relevant legal, regulatory, corporate governance, and disclosure requirements?
- Do adequate performance measures and reporting exist to monitor the design and effectiveness of the risk management framework?
- Are risk evaluation criteria, appetites, responses, and escalation/reporting requirements consistently applied in practice across the organization? Are people with the appropriate knowledge responsible for risk identification? Is the current state of risk identification adequate?
- Are the risk framework and related processes and controls modified as business conditions and organizational needs change?
- Are people with the appropriate knowledge responsible for risk analysis, evaluation, and treatment/response? Are these activities adequately reviewed and approved?
- Are risk treatment plans and status monitored and adequately communicated with appropriate levels of management and the board?

Assurance on Significant Risks and Management Assertions

During all other assurance work where the scope relates to higher potential exposures identified in an organization's risk management process, audit procedures and communications should be designed to evaluate management's assertions on the effectiveness of controls in bringing risk within an organization's risk tolerance threshold. Reports to management (and the board) can describe the potential exposure and management's assessment of current risks (with the implied value of the controls in place) together with the audit evaluation of the risk ratings. Any differences should be fed into management's risk management process for consideration.

The cumulative effect over time of such assurance activities over specific risk areas in a risk-based audit plan will provide assurance not only over those specific risk areas, but serve as assurance of the effectiveness of the overall risk management process.

Follow-up of Risk Treatment Plan Status

For risk treatment or control remediation plans relating to higher potential exposures, especially where plans are relatively longer in duration, it may be appropriate to monitor performance against the plan. At a minimum, such monitoring should be designed to provide management with an assessment of progress against milestones and validate risk treatment plan status reports to the board. In addition, such monitoring can assess the plan structure, resources, accountabilities, project management, etc. and provide recommendations and considerations to enhance the likelihood of plan success.
Obtaining Audit Evidence

In audits of the risk management process of an organization, Practice Advisory 2120-1, "Assessing the Adequacy of Risk Management Processes," paragraph 8, states:

Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes. In gathering such evidence, the internal auditor might consider the following audit procedures:

- Research and review current developments, trends, industry information related to the business conducted by the organization, and other appropriate sources of information to determine risks and exposures that may affect the organization and related control procedures used to address, monitor, and reassess those risks.
- Review corporate policies and board minutes to determine the organization's business strategies, risk management philosophy and methodology, appetite for risk, and acceptance of risks.
- Review previous risk evaluation reports issued by management, internal auditors, external auditors, and any other sources.
- Conduct interviews with line and senior management to determine business unit objectives, related risks, and management's risk mitigation and control monitoring activities.
- Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and communication of risks and associated control activities.
- Assess the appropriateness of reporting lines for risk monitoring activities.
- Review the adequacy and timeliness of reporting on risk management results.
- Review the completeness of management's risk analysis and actions taken to remedy issues raised by risk management processes.
- Determine the effectiveness of management's self-assessment processes through observations, direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.
- Review risk-related issues that may indicate weakness in risk management practices and, as appropriate, discuss with senior management and the board. If the auditor believes that management has accepted a level of risk that is inconsistent with the organization's risk management strategy and policies, or that is deemed unacceptable to the organization, refer to Standard 2600 and related guidance for additional direction.

Different techniques can be used to obtain audit evidence, including:

- Observations, for example by being present when risk management is carried out at the different levels of the organization, from the board all the way down to individual departments, programs, projects, and the employees.
- Interviews.
- Document reviews, for example agendas, supporting documents and minutes from board, executive, or other senior management committees, strategic plans, and supporting documents for resourcing decisions.
- Results from previous audits.
- Reliance on the work of others.
- Analytical techniques, for example root cause analysis of detected faults.
- Process mapping.
- Statistical analysis, for example analysis of the types of incident or near misses.
- Risk model review and assessment.
- Surveys.
- Analysis of control self-assessment.
Often, a combination of different audit techniques will be used to gather sufficient information and evidence to reach a conclusion. The auditor selects the most appropriate procedure for the audit objective of the assignment. The auditor also assesses whether sufficient resources and skills are available to perform all the work required to provide sufficient support for an opinion. The auditor considers whether it might be prudent to decline to express the opinion or to qualify the opinion by excluding certain areas or risks from the scope of the opinion if sufficient resources or skills are not available.

The requirement for evidence will vary depending on the kind of opinion the auditor wishes to render. Positive assurance provides the highest level of assurance and normally also requires the most evidence to support the opinion. Such an opinion implies not only, for example, whether controls/risk mitigation processes are adequate and effective, but also that sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified.

Negative assurance does not provide as much assurance and therefore normally does not require as much audit evidence. When rendering negative assurance, the auditor, for example, states that based on the work done, nothing came to the auditor's attention. By rendering such an opinion, the auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. Such an opinion is generally considered less valuable than positive assurance. More extensive guidance on opinions can be found in the Practice Guide "Formulating and Expressing Internal Audit Opinions."

Audit conclusions should be factual, objective, and backed by sufficient audit evidence. Sufficiency implies the audit evidence is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Audit evidence must be appropriately documented and organized.

The audit activity must not unknowingly provide any level of false assurance (reference PA 2120-2: "Managing the Risk of the Internal Audit Activity," paragraph 8). False assurance is a level of confidence or assurance based on perceptions or assumptions rather than fact. In many cases, the mere fact that the internal audit activity is involved in a matter may create some level of false assurance. The scope of internal audit activity involvement may be misunderstood and, consequently, false assurance may result.
Ara f RiMaagm Pr
A governing body should be able to determine the extent to which the risk management process in its organization meets the needs of the organization and has adopted generally accepted good practice. Risk management is a critical component of the system of internal control, so deficient risk management processes are an indicator that the organization's system of internal control may be deficient.

It is important that an organization obtains assurance on its risk management process. This assurance must accommodate the possibility that the internal auditor might not be functionally independent of the risk management function. In this case, assurance may be sought from an external party.
Three forms of assurance process that may be used in assessing a risk management process are outlined below:[5]
- Process elements approach
- Key principles approach
- Maturity model approach

[5] These approaches are quoted from HB158:2010 Delivering assurance based on ISO 31000:2009 Risk management - Principles and guidelines, a joint publication of Standards Australia, IIA-Australia, and the IIA Research Foundation. HB158 provides a more extensive discussion of these and other issues.
While each form is self-contained, they each offer a different perspective on the effectiveness of a risk management process in an organization. Often, the adoption of more than one approach can yield the most informative and useful results. The risk management process should be appropriately tailored to the organization, its size, culture, objectives, and risk profile. Therefore, the assurance process also needs to be tailored to the organization's needs.

The results of any desk-based review must be validated by examining whether the risk management framework is operating effectively in practice. This means that this type of assurance activity should not be conducted in isolation and should always accompany or involve normal control-based assurance that determines whether:
- Risks are being effectively identified and appropriately analyzed.
- There is adequate and appropriate risk treatment and control.
- There is effective monitoring and review by management to detect changes in risks and controls.
Process Element Approach
This approach checks whether each element of the risk management process is in place. It is essential to validate management's expressions of intent through sufficient audit evidence to substantiate that the element is being satisfied in practice. Management representation alone would rarely be sufficient. ISO 31000 identifies seven components of the risk management process:
- Element 1, Communication: Sound risk management requires structured and ongoing communication and consultation with those who are affected by the operations of the organization or activity.
- Element 2, Setting the Context: The external environment (political, social, etc.) and internal environment (objectives, strategies, structures, ethics, discipline, etc.) of the organization or activity must be understood before the full range of risks can be identified.
- Element 3, Risk Identification: Identifying the risks should be a formal, structured process that considers sources of risk, areas of impact, and potential events and their causes and consequences.
- Element 4, Risk Analysis: The organization should use a formal technique to consider the consequence and likelihood of each risk.
- Element 5, Risk Evaluation: The organization should have a mechanism to rank the relative importance of each risk so that a treatment priority can be established.
- Element 6, Risk Treatment: Sound risk management requires rational decisions about risk treatment. Classically, such treatment is to avoid the activity from which the risk arises, share the risk, manage the risk by the application of controls, or accept the risk and take no further action.
- Element 7, Monitor and Review: Monitoring includes checking the progress of treatment plans, monitoring controls and their effectiveness, ensuring that proscribed activities are avoided, and checking that the environment has not changed in a way that affects the risks.
Key Principles Approach
This approach is based on the concept that to be fully effective, any risk management process must satisfy a minimum set of principles or characteristics. ISO 31000 includes a section (Clause 4) on these principles. An audit based on these principles would assess to what extent they are true for the risk management process in an organization:
- Risk management creates and protects value.[6] This implies the application of the most rigorous risk management when the value at stake is highest. It also suggests that a range of techniques applicable at various levels of exposure should be available in the organization.
- Risk management is an integral part of organizational processes.[7] Risk management should not be seen as an add-on task.
- Risk management is part of decision-making.[8] The more important the decision, the more explicit this association should be.
- Risk management explicitly addresses uncertainty.[9] Risk assessments would be expected to document areas of uncertainty and consider how best to address the uncertainty identified.
- Risk management is systematic, structured, and timely.[10]
- Risk management is based on the best available information.[11] Obtaining information can be expensive and the process should provide guidance on what constitutes sufficient information.
- Risk management is tailored.[12] It is not an out-of-the-box process and must match the operations of the organization.
- Risk management takes human and cultural factors into account.[13] The processes must be appropriate to the competence and culture of those who must use them.
- Risk management is transparent and inclusive.[14] There should be appropriate and timely involvement of stakeholders.
- Risk management is dynamic, iterative, and responsive to change.[15] The process should be regularly reviewed and respond to changes in the organization and its environment so that it remains relevant.
- Risk management facilitates continual improvement and enhancement of the organization.[16] Risk management should mature along with other organizational processes.

[6] ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org.
[7] Ibid.
[8] Ibid.
[9] Ibid.
[10] Ibid.
[11] Ibid.
[12] Ibid.
[13] Ibid.
[14] Ibid.
[15] Ibid.
[16] Ibid.

Maturity Model Approach
The maturity model approach builds on the assertion that the quality of an organization's risk management process should improve with time. Immature systems of risk management yield very little return for the investment that has been made and often operate as a compliance overhead or an imposition, more concerned with the reporting of risks than with their effective treatment. Effective risk management processes are developed over time, with additional value being provided at each step in the maturation process. This approach provides an assessment of where the organization's risk management process lies on the maturity curve, so that the board and management can assess whether it meets the current needs of the organization and is maturing as expected.

A key aspect of the Maturity Model approach is the linking of risk management performance and progress in the execution of a risk management plan to a performance measurement and management system. The outputs from such a system can be presented to senior management and the board as evidence of improvement in risk management.
The components for such a system normally consist of:
- A protocol of performance standards, considering current approaches to risk management and anticipating future strategic needs. Performance standards are normally supported by a list of more detailed performance requirements that enable measurement of any improvement in performance.
- A guide to how the standards and sub-requirements can be satisfied in practice.
- A means of measuring actual performance against each standard and sub-requirement.
- A means of recording and reporting performance and improvements in performance.
- The periodic independent verification of management's assessment.
Clause 4 of ISO 31000 contains a list of practical and important principles that should be the starting point for any maturity evaluation. These principles address not only "does the process element or system exist" but also "is it effective and relevant for your organization" and "does it add value." In fact, the first principle is that risk management must add value.

Actual performance against each performance standard is assessed using some system of maturity measurement that gives credit for intent, but full scores can only be obtained by the complete implementation and practical application of the standard. A possible system for measuring maturity (based on the original idea of Capability Maturity Models developed by Carnegie Mellon University) is shown below.
MEASURE      MEANING
None         Very little or no compliance with the requirement in any way.
Very little  Only limited compliance with the requirement. Management supports the intent, but compliance in practice is poor.
Some         Limited compliance with element statement. Certainly agree with the intent, but limited compliance in practice.
Good         Management completely subscribes to the intent, but there is partially complete compliance in practice.
Complete     Absolute compliance with the element statement in intent and in practice at all times and in all places.

Figure 3: Maturity Model (source: HB158)
Assessing Quality of Risk Management Documentation
The extent of documentation of an entity's ERM will vary with the entity's size and complexity. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller, less complex organizations typically have considerably less documentation.

Many aspects of ERM may be informal and undocumented and yet can be regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of ERM are not documented does not necessarily mean that it is not effective or cannot be evaluated. An appropriate level of documentation, however, usually makes monitoring more efficient. It is helpful in other respects too. It facilitates employees' understanding of how the process works and their particular roles, and makes it easier to make modifications when necessary.

In deciding to document the evaluation process itself, the internal auditor will usually draw on existing documentation of the entity's ERM processes. Existing documentation will typically be supplemented with additional documents prepared by the auditor, including evidence of the tests and analyses performed in the assessment process. The nature and extent of documentation normally is more substantive when statements about ERM are made to other parties. When management intends to make a statement to external parties regarding ERM effectiveness, it should consider developing and retaining documentation to support the statement. The internal auditor should consider whether:
- A strategy for managing risk information from all sources is in place.
- Necessary infrastructure for communicating risk information is in place.
- There are common definitions.
- There are guidelines for the creation, deletion, and sharing of risk information.
- There are adequate resources assigned.
- Technology is cost efficient and used where appropriate.
- A proactive approach is taken for monitoring.
- Risk information is part of the planning process.
- Risk information is integrated with performance information.

These considerations and any decisions made to implement activities/processes should be documented. Such documentation may be useful if the statement is subsequently challenged.
Authors
Andrew MacLeod, CIA
Patricia A. MacDonald
Benito Ybarra, CIA
Trygve Sorlie, CIA, CCSA
Brian Foster, CIA
Teis Stokka, CIA
Reviewers and Contributors
Douglas J. Anderson, CIA
Steven E. Jameson, CIA, CCSA, CFSA
James A. Rose, III, CIA
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at [email protected].
GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org