IIA Releases Guidance for Auditors’ Risk Management Practices
A newly published guide by the Institute of Internal Auditors (IIA) aims to provide auditors with “three self-contained approaches” to determining the effectiveness of an organization’s risk management practices, IIA Vice President of Standards and Guidance Beryl Davis said.
IIA said it came up with the guide, Assessing the Adequacy of Risk Management Using ISO 31000, in light of its recent research with chief audit executives (CAEs) worldwide, which revealed an increase in their implementation of risk management at the enterprise scale following the global financial meltdown in late 2007. Auditors can use it to reexamine the adequacy of existing practices in comparison to the Geneva-based International Organization for Standardization’s (ISO’s), IIA said.
Each of the approaches – namely, process elements, maturity model, and key principles – of the IIA guide can help CAEs meet the specific needs of their organization, Davis said.
According to IIA, citing the guide, the process elements approach enables auditors to determine whether the seven elements of risk management identified in ISO 31000 are properly located where they are intended to be. The elements include communication, context setting, risk identification, risk analysis, risk evaluation, risk treatment, and monitoring and review.
IIA also cited the guide as stating that the key principles approach helps risk management meet a “minimum set of principles or characteristics” for internal auditors to be fully effective.
Furthermore, the maturity model approach rests on the concept of improving an organization’s risk management practices, IIA said. By putting this approach into practice, CAEs can get a better view of “where their organization’s risk management process lies on this continuum,” which will subsequently tell the board whether “it meets the current needs of the organization” and meets its maturity expectation.
Aside from these approaches, Davis said that some other frameworks can also help internal auditors assess the effectiveness of their organization’s risk management practices, such as the Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is adopted in the USA.