Boards of directors and senior management of organizations worldwide are increasingly implementing enterprise-wide risk management practices in the aftermath of the financial crisis of 2007 and the economic recession of the ensuing two years. Newly published guidance from The Institute of Internal Auditors (IIA) can help organizations assess the adequacy of those practices as measured against the Geneva-based International Organization for Standardization’s (ISO’s) widely respected ISO 31000 framework.
“Our research with chief audit executives (CAEs) around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization’s risk management activities are effective,” says IIA Vice President of Standards and Guidance Beryl Davis, CIA. “The IIA guide Assessing the Adequacy of Risk Management Using ISO 31000 offers internal auditors three self-contained approaches to forming such a conclusion, each of which CAEs could tailor to meet the specific needs of their organization,” she says.
Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide says. These elements are: communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review.
The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity:
* Creates and protects organization value.
* Is an integral part of organizational processes.
* Is a key element of decision-making.
* Explicitly addresses uncertainty.
* Is systematic, structured, and timely.
* Is based on the best available information.
* Is tailored to the organization, its size, culture objectives, and risk profile.
ISO 31000’s maturity model approach stems from a foundational assumption that the quality of an organization’s risk management activity will improve over time. Adopting ISO 31000’s maturity model approach, the guide says, can help CAEs assess where their organization’s risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected.
“The IIA recognizes there are numerous reliable frameworks internal auditors can use to assess their ERM effectiveness,” Davis says. “Some of these frameworks – notably Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – are used primarily in the Unites States, while others such as the ISO’s are used around the world,” she says. “The IIA’s new practice guidance based on ISO 31000 further expands The Institute’s offerings on how to leverage the advantages of the various frameworks available to organizations,” she adds.
A second practice guide newly published by The IIA, Measuring Internal Audit Effectiveness and Efficiency, is grounded in the professional requirement that the effectiveness, efficiency, and level of customer service of the internal audit activity must be assessed and monitored vigorously. “Internal auditing can add immense value and support continuous improvement by identifying business risks and inefficiencies,” Davis says. “However, the internal audit department’s effectiveness and efficiency, itself, must be monitored in order to build and maintain the internal auditor’s credibility. This can be accomplished by establishing a performance measurement process, identifying key performance measures, and monitoring and reporting on the level of customer service provided to internal audit stakeholders,” she says.
The 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document’s extensive appendices, containing material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys, should be of substantial value to CAEs. All IIA practice guides are strongly recommended elements of The IIA’s International Professional Practices Framework.
MORE ARTICLES ON INTERNAL AUDIT