Fundamentals of Risk Management
Internal audit activities
Download 3.45 Mb. Pdf ko'rish
|
Fundamentals of Risk Management
- Bu sahifa navigatsiya:
- Management responsibilities
|
Internal audit activities
419 There are advantages and disadvantages in having a close working relationship between risk management and internal audit. In many ways, there is a complementary fit between the two disciplines and there are benefits in having a common focus and co-ordinated planning related to the management of risk. Also, there is an opportu- nity for sharing best practice regarding risk management tools and techniques. However, there are also disadvantages in a common approach. It is desirable that line management realize that responsibility for deciding the level of control of a particular risk, the responsibility for implementing enhanced controls and the responsibility for auditing compliance are separate issues. Also, there will often be different reporting relationships in an organization between risk management and internal audit. Finally, internal audit are proud of their independent status, and closer involvement in the risk management decision making could compromise that independence. Management responsibilities An alternative way of allocating the responsibilities set out in Figure 35.1 is that internal audit is responsible for the activities that are identified as core internal audit roles. Risk management should facilitate and support the activities in the centre of the fan identified as legitimate roles for internal audit (with safeguards), and line management at the appropriate level should have responsibility for the roles identi- fied as activities that internal audit should not undertake. This alternative means of allocating the responsibilities illustrated in Figure 35.1 is shown in Table 35.2. The working relationship between risk management and internal audit will vary between organizations. The roles and responsibilities that are defined will be a reflec- tion of the structure that seems most suitable for an organization. The allocation of roles and responsibilities should take account of the guidance produced by the Institute of Internal Auditors referenced under Figure 35.1. A clear definition of the responsibilities of risk management, internal audit and line management is essential so that ownership of risk becomes clear. In summary, risk management can assist with the risk assessment activities and the design of the controls. Internal audit can provide support by auditing the controls to ensure that they are effective and efficient and that they have been fully implemented. However, the primary responsibility for the management of risk remains with the executive management of the organization. It is important that the activities of risk management and internal audit do not in any way diminish or undermine the owner- ship of risk by the management of the organization. This approach is also consistent with the statement in most of the risk management standards that risks should not be managed outside the contexts that give rise to the risk. |
