Internal Audit Roles II
This study unit is the second of two that address the nature of the work of internal auditors. Their work
is defined in the pronouncements of The IIA. These pronouncements elaborate on the description of
the services performed by the internal audit activity provided in the Definition of Internal Auditing. That
Definition stresses the improvement of governance, risk management, and control processes. However, the
internal auditors’ work regarding control is such a vital part of their responsibilities that it is treated
separately in Study Units 5 and 6.
Core Concepts
■ The risk management process identifies, assesses, manages, and controls potential risk
exposures.
■ Senior management and the board determine the role of the IAA in risk management.
■ Information reliability and integrity is a management responsibility.
■ The IAA periodically assesses information reliability and integrity practices and makes
recommendations.
■ The IAA evaluates compliance with laws and regulations concerning privacy.
Copyright © 2009 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
2 SU 4: Internal Audit Roles II
Interpretation:
Determining whether risk management processes are effective is a judgment resulting from
the internal auditor’s assessment that:
a. Organizational objectives support and align with the organization’s mission.
b. Significant risks are identified and assessed.
c. Appropriate risk responses are selected that align risks with the organization’s risk
appetite.
d. Relevant risk information is captured and communicated in a timely manner across
the organization, enabling staff, management, and the board to carry out their
responsibilities.
Risk management processes are monitored through ongoing management activities,
separate evaluations, or both.
6. The techniques used by various organizations for their risk management practices can
vary significantly. Depending on the size and complexity of the organization’s
business activities, RMPs can be:
● Formal or informal.
● Quantitative or subjective.
● Embedded in the business units or centralized at a corporate level.
7. The organization designs processes based on its culture, management style, and
business objectives. For example, the use of derivatives or other sophisticated capital
markets products by the organization could require the use of quantitative risk
management tools. Smaller, less complex organizations could use an informal risk
committee to discuss the organization’s risk profile and to initiate periodic actions. The
internal auditor determines that the methodology chosen is sufficiently
comprehensive and appropriate for the nature of the organization’s activities.
8. Internal auditors need to obtain sufficient, appropriate evidence to determine that the
key objectives of the RMPs are being met to form an opinion on the adequacy of
RMPs. In gathering such evidence, the internal auditor might consider the following
types of engagement procedures:
● Research and review current developments, trends, industry information, and
other appropriate sources of information to determine risks and exposures
that may affect the organization and related control procedures used to
address, monitor, and reassess those risks.
● Review corporate policies and minutes of board meetings to determine the
organization’s business strategies, risk management philosophy and
methodology, appetite for risk, and acceptance of risks.
● Review previous risk evaluation reports by management, internal auditors,
external auditors, and any other sources that may have issued such reports.
● Conduct interviews with line and senior management to determine business
unit objectives, related risks, and management’s risk mitigation and control
monitoring activities.
● Assimilate information to independently evaluate the effectiveness of risk
mitigation, monitoring, and communication of risks and associated control
activities.
● Assess the appropriateness of reporting lines for risk monitoring activities.
● Review the adequacy and timeliness of reporting on risk management results.
● Review the completeness of management’s risk analysis, actions taken to
remedy issues raised by RMPs, and suggest improvements.
● Determine the effectiveness of management’s self-assessment processes
through observations, direct tests of control and monitoring procedures, testing
the accuracy of information used in monitoring activities, and other appropriate
techniques.
● Review risk-related issues that may indicate weakness in risk management
practices and, as appropriate, discuss with senior management and the board.
If the auditor believes that management has accepted a level of risk that is
inconsistent with the organization’s risk management strategy and policies, or
that is deemed unacceptable to the organization, the auditor should refer to
Standard 2600 and any related guidance for additional direction.
PA Summary
● Risk management is the responsibility of senior management and the board.
Management ensures that sound RMPs are in place and functioning. Boards
determine that RMPs are in place, adequate, and effective. The IAA may be directed
to examine, evaluate, report, or recommend improvements. It also plays a consulting
role in identifying, evaluating, and implementing risk management methods and
controls.
● If the organization has no formal RMPs, the CAE has formal discussions with
management and the board about their obligations for understanding, managing, and
monitoring risks.
● The CAE must understand management’s and the board’s expectations of the IAA in
risk management. The understanding is codified in the charters of the IAA and the
board.
● Senior management and the board determine the IAA’s role in risk management based
on factors such as (1) organizational culture, (2) abilities of the IAA staff, and (3) local
conditions and customs. That role may range from no role, to auditing the process as
part of the audit plan, to active, continuous support and involvement in the process, to
managing and coordinating the process. But the assumption of management responsibilities,
and the resulting threat to IAA independence, must be fully discussed and board-approved.
● RMPs may be formal or informal, quantitative or subjective, or embedded in business
units or centralized. Processes are designed to fit the organization’s culture,
management style, and objectives. The IAA determines that the methods chosen
are comprehensive and appropriate for the organization.
● Sufficient, appropriate evidence needs to be obtained regarding attainment of the key
objectives to form an opinion on the adequacy of the RMPs. The internal auditor might
consider the following:
1) Current developments, trends, and industry information to determine risks
and exposures and related controls.
2) Corporate policies and minutes of board meetings to determine strategies,
philosophy, methods, appetite for risk, and acceptance of risks.
3) Previous risk evaluation reports by management, auditors, and others.
4) Interviews with line and senior management to determine objectives, related
risks, and risk mitigation and control monitoring activities.
5) Information to independently evaluate the effectiveness of risk mitigation,
monitoring, and communication of risks and controls.
6) Assessment of the appropriateness of reporting lines.
7) Review of the adequacy and timeliness of reporting on results.
8) Review of the completeness of management’s risk analysis and actions taken
to remedy problems.
9) Suggesting improvements.
10) Determining the effectiveness of management’s self-assessment processes,
e.g., through observation, direct tests of control and monitoring procedures, and
testing information used in monitoring.
11) Reviewing risk-related indications of weakness in RMPs and, as appropriate,
discussing them with management and the board. (Also see Standard 2600.)
2010.A1 – The internal audit activity must evaluate risk exposures relating to the
organization’s governance, operations, and information systems regarding the:
● Reliability and integrity of financial and operational information;
● Effectiveness and efficiency of operations;
● Safeguarding of assets; and
● Compliance with laws, regulations, and contracts.
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud
and how the organization manages fraud risk.
2120.C1 – During consulting engagements, internal auditors must address risk consistent
with the engagement’s objectives and be alert to the existence of other significant risks.
2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting
engagements into their evaluation of the organization’s risk management processes.
2120.C3 – When assisting management in establishing or improving risk management
processes, internal auditors must refrain from assuming any management responsibility by
actually managing risks.
Assurance
d. Assurance is needed about the effectiveness of RMPs and the management of key
risks to an acceptable level. Such assurance comes primarily from management.
1) Objective assurance also is provided by the IAA, external auditors, and
independent specialists. The IAA usually provides assurance about
a) The design and effectiveness of RMPs
b) Management of key risks, including the effectiveness of response
activities
c) Risk assessment
d) Reporting risk and control status
2) The IAA provides value to the organization primarily through giving objective
assurance that (a) key risks are properly managed and (b) the risk
management and control framework is effective.
e. The IAA also may provide consulting services, depending on the availability of other
resources and the organization’s risk maturity (the extent to which a robust risk
management approach has been applied).
1) As risk maturity increases, or if the organization has a risk management
specialist or function, the IAA’s consulting role tends to diminish.
2) The IAA may provide ERM consulting services if it does not actually manage
risks.
IAA Roles
f. With regard to ERM, the IAA has certain core roles and may play certain other
legitimate roles.
1) Core assurance roles
a) Giving assurance on risk management processes
b) Giving assurance that risks are correctly evaluated
c) Evaluating risk management processes
d) Evaluating the reporting of key risks
e) Reviewing the management of key risks
2) Legitimate consulting roles
a) Facilitating identification and evaluation of risks
b) Coaching management in responding to risks
c) Coordinating ERM activities
d) Consolidating the reporting on risks
e) Maintaining and developing the ERM framework
f) Championing establishment of ERM
g) Developing a risk management strategy for board approval
3) Roles not to undertake
a) Setting the risk appetite.
b) Imposing risk management processes.
c) Managing assurance on risks.
d) Making decisions on risk responses.
e) Implementing risk responses on management’s behalf.
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to the risks within the organization’s governance, operations, and
information systems regarding the:
● Reliability and integrity of financial and operational information;
● Effectiveness and efficiency of operations;
● Safeguarding of assets; and
● Compliance with laws, regulations, and contracts.
PA Summary
● Information reliability and integrity is a management responsibility for all critical
information regardless of its form.
● The CAE determines whether the IAA has competent audit resources for evaluating
internal and external risks to information reliability and integrity.
● The CAE determines whether senior management, the board, and the IAA will be
promptly notified about breaches and conditions that might represent a threat.
● Internal auditors assess the effectiveness of preventive, detective, and mitigative
measures against past and future attacks. They also determine whether the board
has been appropriately informed.
● Internal auditors periodically assess reliability and integrity practices and recommend
new or improved controls. Such assessments can be made as separate
engagements or as multiple engagements integrated with other elements of the
audit plan.
1. Another aspect of internal auditing’s role regarding information reliability and integrity is to
evaluate compliance with laws and regulations concerning privacy. Thus, internal auditors
assess the adequacy of the identification of risks and the controls that mitigate those risks.
PA Summary
● Protection of personal information prevents such adverse consequences as legal
liability and loss of reputation.
● Privacy definitions vary: (1) personal privacy (physical and psychological); (2) privacy
of space (freedom from surveillance); (3) privacy of communication (freedom from
monitoring); and (4) privacy of information (collection, use, and disclosure of personal
information by others).
1) Personal information is any information that can be associated with a specific
individual or that might be combined with other information to do so.
● The board is ultimately accountable for managing privacy risk, e.g., by establishing
and monitoring a privacy framework. The IAA assesses the adequacy of
(1) management’s risk identification and (2) the controls that mitigate those risks.
● The IAA evaluates the privacy framework, identifies significant risks, and makes
recommendations. The IAA also considers (1) laws, regulations, and practices in
relevant jurisdictions; (2) the advice of legal counsel; and (3) the security efforts of IT
specialists.
● Depending on the level or maturity of the organization’s privacy practices, the role of
the internal auditor may be to (1) facilitate the development and implementation of the
privacy program, (2) evaluate management’s privacy risk assessment, or (3) perform
an assurance service regarding the effectiveness of the privacy framework. However,
assumption of responsibility may impair independence.
● The internal auditor identifies (1) personal information gathered, (2) collection
methods, and (3) whether use of the information is in accordance with its intended
use and applicable law.
● Given the difficulty of the technical and legal issues, the IAA needs the knowledge and
capacity to assess the risks and controls of the privacy framework.
4.3 SUMMARY
1. Risk management is a key responsibility of senior management. Boards ensure that
processes are in place, adequate, and effective. The IAA may be directed to examine,
evaluate, report, and recommend improvements. It also plays a consulting role.
2. The IAA must evaluate the effectiveness and contribute to the improvement of risk
management processes.
3. To form an opinion on the adequacy of the RMPs, the IAA must determine that the key
objectives of the RMPs are being met.
4. Enterprise-wide risk management (ERM) is a structured, consistent, and continuous process
across the whole organization for identifying, assessing, deciding on responses to, and
reporting on opportunities and threats that affect the achievement of its objectives.
5. Business continuity management (BCM) is a risk management approach, based on business
value, to matching (a) business continuity capabilities with (b) likely risks. The objective of
BCM is to restore critical processes and to minimize the financial and other effects of a disaster
or business disruption.
6. Information reliability and integrity is a management responsibility for all critical information.
The CAE determines whether the IAA has competent audit resources for evaluating internal
and external risks to information reliability and integrity.
7. The board is ultimately accountable for managing privacy risks, e.g., by establishing and
monitoring a privacy framework. The IAA evaluates the framework, identifies risks, and
makes recommendations.