Guidance Released on Risk Management and Audits

The Institute of Internal Auditors has published new professional guidance on how to assess the adequacy of risk management and measure the effectiveness and efficiency of a company’s internal audit function.

Boards of directors and senior management of organizations worldwide are increasingly implementing enterprise-wide risk management practices in the aftermath of the financial crisis of 2007 and the economic recession of the ensuing two years, the IIA noted Wednesday. The newly published guidance from the IIA can help organizations assess the adequacy of those practices as measured against the Geneva-based International Organization for Standardization’s widely respected ISO 31000 framework.

“Our research with chief audit executives around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization’s risk management activities are effective,” said IIA vice president of standards and guidance Beryl Davis in a statement. “The IIA guide ‘Assessing the Adequacy of Risk Management Using ISO 31000’ offers internal auditors three self-contained approaches to forming such a conclusion, each of which CAEs could tailor to meet the specific needs of their organization.”

Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide said. These elements are: communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review.

The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity:

•    Creates and protects organization value.
•    Is an integral part of organizational processes.
•    Is a key element of decision-making.
•    Explicitly addresses uncertainty.
•    Is systematic, structured, and timely.
•    Is based on the best available information.
•    Is tailored to the organization, its size, culture, objectives, and risk profile.

ISO 31000’s maturity model approach stems from a foundational assumption that the quality of an organization’s risk management activity will improve over time. Adopting ISO 31000’s maturity model approach, the guide says, can help CAEs assess where their organization’s risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected.

A second practice guide newly published by the IIA, “Measuring Internal Audit Effectiveness and Efficiency,” is grounded in the professional requirement that the effectiveness, efficiency and level of customer service of the internal audit activity must be assessed and monitored vigorously. The 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document contains extensive appendices, containing material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys.

“Assessing the Adequacy of Risk Management Using ISO 31000” and “Measuring Internal Audit Effectiveness and Efficiency” are available to IIA members as a free PDF download at: http://www.theiia.org/guidance/standards-and-guidance/. The International Organization for Standardization’s ISO 31000 framework is available at www.iso.org. COSO’s Enterprise Risk Management — Integrated Framework is available at www.coso.org.
