DISCLAIMER
Copyright 2009 by The Institute of Internal Auditors and its Audit Executive Center located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701-4201. All rights reserved. Published in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission from the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warrant as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be retained.
ACKNOWLEDGMENT
The IIA would like to specifically acknowledge Richard J. Anderson, CFSA, CPA, for his extraordinary assistance in organizing and facilitating the CAE roundtable along with his work in authoring the final report. Anderson is Clinical Professor for The Center for Strategy, Execution, and Valuation and Strategic Management Lab at DePaul University. J. Christopher Svare, managing director of Partners in Communication LLC in Northbrook, Ill., was also integral to the writing process and played a key role in developing the report.
TABLE OF CONTENTS
Introduction ... 1
1. Assess the Organization's Current Processes and Capabilities ... 3
2. Coordinate With Other Risk and Control Functions ... 4
   Develop a Unified Approach ... 4
   Adopt an Enterprise View of Company Risks ... 5
   Foster or Participate in an Enterprise Risk Council ... 5
3. Participate in Summits With Key Stakeholders ... 6
4. Help the Organization Develop Near-term Strategies ... 6
5. Strengthen Top-level Communications ... 7
6. Define Internal Auditing's Role ... 8
7. Audit Risk Management Incrementally ... 10
8. Assess Audit Skills and Capabilities ... 11
9. Execute the Audit Strategy With Appropriate Reporting ... 13
10. Keep up With Evolving Practices ... 15
www.theiia.org
management that might work well in your organization? To explore these and other related issues, The IIA recently hosted a roundtable discussion in San Diego focusing on current risk management challenges. Attendees included CAEs from Fortune 250 organizations as well as representatives from professional service firms, The Committee of Sponsoring Organizations of the Treadway Commission, and the National Association of Corporate Directors. Several key themes emerged from the discussion, forming the basis for a series of leading internal audit practices. These 10 risk management imperatives can help CAEs better serve their organization and ensure they're keeping pace with evolving approaches to organizational risk.
In The IIA's August 2009 survey of risk management practices, 68.8 percent of respondents indicated that internal audit activities conducted organizationwide risk assessments at their organization.
Is the organization appropriately assessing its exposure to any high-impact, low-probability risks such as pandemic or systemic risks that could pose a major organizational threat? Has the organization established communication protocols and procedures to share risk information on an enterprisewide basis? Does the organization identify upside risk potential and share these insights with management and the board?
KEY SUGGESTION:
Evaluate management's risk management processes and maturity levels as part of your annual audit plan. Recent survey data confirm that risk management practices are continuing to evolve in most organizations. Accordingly, internal auditing needs to re-assess management's risk management processes and maturity periodically and revise the annual audit plan appropriately. As risk management processes mature and become more formal, internal auditing should increase its assurance coverage of them. Changes to the audit plan will also require internal auditing to consider the skills and tools it needs to keep pace with these maturing processes.
To meet heightened stakeholder expectations, CAEs need to conduct a critical assessment of their staff capabilities and resources. Important questions to consider include:
- Do you have the skills, expertise, and business knowledge needed to achieve your short- and longer-term objectives?
- If your organization has advanced risk management capabilities, can you provide assurance over risk management activities?
- Do you need third-party assistance to secure access to the actuaries, subject-matter experts, and specialists required to interact effectively with senior management and the audit committee?
- Do you have an adequate budget?
With the insights gained from such introspection, CAEs will be better able to address any gaps they discover between stakeholder demands on internal auditing and their ability to deliver on these demands.
[Survey figure (percentages not recoverable from the page): share of survey respondents who provide assurance on the risk management process through written reports; who provide written assurances that risks are correctly identified; who provide consulting reports to improve or implement the risk management process; and who provide assurance through written reports on the management of key risks.]
During the roundtable event, CAEs discussed the various ways they report on their auditing of risk management. Most indicated that they are auditing and reporting on one aspect of risk management at a time as opposed to performing a single, organizationwide audit and producing a report covering all of the enterprise's risk management processes. For example, at one roundtable CAE's organization, the internal audit function is currently reporting on the organization's risk responses and next year plans to review risk identification. At another CAE's company, internal auditing is prompting audits of individual risk functions, such as environmental health and safety, and issuing reports on that basis. CAEs also discussed the need to specify carefully the scope of their audits and resulting reports so as not to mislead readers into reaching conclusions that are more broadly based than is warranted by the scope of the work performed. Periodic reporting on risk to executive management and the audit committee was also a topic of discussion at the roundtable. Two common areas of focus for such reports, which are generally produced on a quarterly basis, are emerging risks and changes in the organization's risk profile.
CAEs are also advised to work with their chief stakeholders and other players in risk management to revisit organizational risk management practices and related internal audit strategies on a regular basis (quarterly, if possible). In doing so, CAEs should keep in mind the need to:
- Conduct ongoing risk assessments.
- Recognize change as it's occurring.
- Monitor emerging risks across the enterprise.
- Maintain an incremental, step-by-step approach to ERM implementation.
- Keep executive management and directors aware of continuing developments in risk management.
THE INSTITUTE OF INTERNAL AUDITORS
1. What are the company's top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
2. What size quarterly operating or cash loss has management and the board agreed is tolerable?
3. Describe the staff responsible for risk management programs and their place in the organization chart.
4. How do you measure the success of risk management activities?
5. How would a loss from a key risk affect top-management incentive compensation and planning/budgeting?
6. What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past?
7. Give an example of how your company responded to a recent surprise in your industry. How did the surprise affect your company differently than others?
09/09458/RS/JP