Risk assurance technique

https://preteshbiswas.com/wp-content/uploads/2024/12/Risk-Assurance-Techniques-and-Audit-Committee-Oversight.wav

Risk assurance is the process of providing confidence to stakeholders that an organization’s risk management practices, internal controls, and governance frameworks are effective in identifying, assessing, managing, and mitigating risks. It involves evaluating whether these systems are aligned with strategic objectives, regulatory requirements, and industry standards, ensuring that the organization can achieve its goals while minimizing potential losses or disruptions.

Risk assurance is an essential part of managing risks in an organization. It ensures that major risks are well-handled and that critical controls are effective and properly implemented. Audit committees often discuss how seriously departments handle risks and controls. While the risk manager and internal auditor can give their opinions, the audit committee relies on objective evaluations of each department’s performance and risk culture as the main source of assurance.

Depending on the organization, the audit committee may use various sources for risk assurance, including internal and external audits. External auditors generally focus on validating financial and accounting processes, while internal audits assess broader risk management practices. Assurance also comes from reviewing and monitoring risk activities, which include:

  • Checking how the risk management process operates.
  • Assessing the quality of risk controls in place.
  • Measuring success in reducing risks and achieving business goals.
  • Analyzing why high-risk projects succeeded.
  • Providing assurance across all these areas.

When a company seeks funding, such as a bank loan, it may need to demonstrate how its board ensures significant risks are managed. Assurance sources might include:

  • Evaluating the organization’s risk culture.
  • Reviewing internal audit reports and departmental reports.
  • Assessing the success of individual departments.

Some organizations use control risk self-assessment (CRSA) to identify weaknesses, with findings reported to the executive committee for corrective action. These measures give the board greater confidence and improve the company’s ability to secure funding. Risk assurance varies depending on the focus—strategy, operations, compliance, or specific risks. For example:

  • Hazard risks like health and safety often require annual reports.
  • Fraud incidents, especially in cash-handling organizations, are typically reviewed yearly.
  • Large projects may require post-implementation reviews to check if they were completed on time, within budget, and met expectations. Follow-up reviews might assess performance after the first year.

For risks tied to opportunities, like new business proposals, organizations are starting to perform risk assessments. Professional consultancy firms, for instance, often have committees to evaluate potential business opportunities. These evaluations include attaching a risk assessment to each proposal. In short, risk assurance involves multiple methods to ensure risks are managed effectively and decisions are supported by reliable evaluations.

Sources of risk assurance

  • Culture measurement – by use of a recognized framework such as CoCo or COSO in order to gain a quantitative evaluation of the control environment.
  • Audit reports – produced by internal audit and external auditors on a range of issues including risk assessment, implementation, compliance and training.
  • Unit reports – on such issues as risk performance indicators, CRSA, response to audit recommendations and reports on incidents that have occurred.
  • Performance of the unit – on risk-related issues, losses, significant weaknesses in control measures and details of any material losses suffered by the unit.
  • Unit documentation – on topics such as the risk management policy, health and safety policy, business continuity plans and disaster recovery plans.

Key Components of Risk Assurance

  1. Evaluation of Controls: Ensures that internal controls are functioning as intended and effectively mitigating risks.
  2. Risk Management Processes: Reviews the organization’s risk identification, assessment, response, and monitoring activities.
  3. Compliance: Assures adherence to legal, regulatory, and policy requirements.
  4. Reporting and Communication: Provides transparent and reliable information on the organization’s risk profile and control effectiveness.

Risk Assurance Techniques

  • Internal Audits: Periodic reviews conducted by an internal audit team to assess the effectiveness of risk management, internal controls, and compliance. Focus on high-risk areas and provide recommendations for improvement.
  • External Audits: Independent evaluations by third-party auditors to verify the accuracy of financial statements, compliance, and the effectiveness of internal controls.
  • Risk Assessments: Systematic identification and analysis of potential risks to determine their impact and likelihood. Often includes scenario analysis, SWOT analysis, and risk heat mapping.
  • Control Testing: Tests specific controls to ensure they are operating as intended (e.g., cybersecurity controls, financial controls). Includes both manual and automated control testing.
  • Key Risk Indicators (KRIs): Metrics used to monitor changes in risk levels and provide early warning signals of potential issues. Examples include employee turnover rates, system downtime, or financial liquidity ratios.
  • Compliance Reviews: Assessments of adherence to legal, regulatory, and internal policy requirements. Focus on areas such as data protection, anti-corruption, and industry-specific regulations.
  • Enterprise Risk Management (ERM) Frameworks: Use of structured frameworks such as COSO ERM or ISO 31000 to ensure systematic risk management practices.
  • Continuous Monitoring: Use of technology and analytics to provide real-time insights into risk trends and control effectiveness.
  • Third-Party Assurance: Reviews of third-party service providers or supply chains to ensure their risk management and compliance align with organizational standards.
  • Control Self-Assessments (CSA): A collaborative process where business units assess their own risks and controls. Encourages ownership and accountability for risk management.

Purpose of Risk Assurance

  • Building Stakeholder Confidence: Demonstrates that risks are being managed effectively.
  • Enhancing Decision-Making: Provides reliable information for strategic and operational decisions.
  • Improving Resilience: Identifies gaps and areas for improvement to strengthen the organization’s risk posture.
  • Ensuring Compliance: Avoids legal and regulatory penalties by demonstrating adherence to requirements.

Roles and Responsibilities

A risk management policy should clearly outline the roles and responsibilities for managing risks and internal controls. The main goals of risk management are to meet mandatory requirements, provide assurance, support better decision-making, and improve the effectiveness of core processes. When assigning responsibilities, it’s important to consider key risks and separate roles for:

  • Setting strategy.
  • Designing controls.
  • Auditing compliance.

For example:

  • A head office might decide the level of security needed for the organization.
  • The production department could design the controls since security might be closely tied to their operations.
  • Internal audit would typically check if the security measures are followed correctly.

In other cases, a specialist or a head of security may handle the design of controls. Even small organizations should separate responsibilities, such as having one person design controls and another audit compliance. For instance, in a small charity, a non-executive board member might review financial controls to ensure they are effective and efficient. The risk manager’s role is to guide and facilitate these efforts, such as organizing workshops to identify risks like fraud and assigning responsibilities for managing them. However, the risk manager should not implement controls or audit compliance. Their focus should be on evaluating the effectiveness of controls and suggesting improvements.

Adding Value Through Internal Audits

Internal audits provide value by identifying areas for improvement and ensuring controls are effective. Factors that help auditors maximize value include:

  1. Understanding the organization – its culture, key people, and competitive landscape.
  2. Innovating – introducing new ideas, even if stakeholders don’t initially expect or ask for them.
  3. Adapting – exceeding stakeholder expectations by tailoring to the organization’s needs.
  4. Knowing best practices – staying updated on what the auditing profession considers valuable.

While the first three factors involve skills and personal qualities, keeping up with industry best practices is an ongoing challenge for auditors.

Audit committees

An increasing number of organizations are setting up audit committees to oversee key aspects of governance, risk, and compliance. These committees are typically composed of non-executive directors, with senior executive directors attending meetings as needed. A non-executive director, often referred to as the lead non-executive director, chairs the committee, though this role is usually separate from that of the non-executive chairman. The audit committee holds a unique position within the organization; it is not considered a sub-committee of the board but has the authority and independence to evaluate all organizational activities, including those of the board itself. While the audit committee is often seen as the guardian of compliance, its scope extends far beyond ensuring legal and regulatory adherence. The board of directors retains responsibility for the organization’s governance and risk management, including overseeing the first and second lines of defense. In contrast, the audit committee focuses on evaluating governance standards, ensuring adequate attention to risk management, and seeking assurance on compliance levels. This responsibility also includes reviewing the governance arrangements of the board itself, ensuring that all strategic, operational, and compliance-related matters are appropriately addressed.

In large organizations, specialized committees such as the nominations committee and the remuneration committee handle specific responsibilities like senior appointments and the design of pay structures. These committees, often made up of both executive and non-executive members, report to the board. However, the presence of these committees does not diminish the audit committee’s role. The audit committee assesses the effectiveness of the board as a whole, including its sub-committees, while maintaining its position as the ultimate monitor of governance, risk, and compliance across the organization. The audit committee’s responsibilities include ensuring that significant risks are correctly identified and that critical controls are implemented effectively. Although the committee does not manage risks or implement controls directly, it validates the adequacy of the risk management processes and seeks assurance on their effectiveness. It also oversees the organization’s internal control system, which encompasses financial and operational controls designed to ensure efficiency, effectiveness, and compliance with laws and regulations. By fulfilling these duties, the audit committee provides the organization with a robust mechanism for ensuring accountability and enhancing stakeholder confidence.

Responsibilities of the audit committee

  1. External audit
    • recommend the appointment and re-appointment of external auditors
    • review the performance and cost-effectiveness of the external auditors
    • review the qualification, expertise and independence of external auditors
    • review and discuss any reports from the external auditors
  2. Internal audit
    • review internal audit and its relationship with external auditors
    • review and assess the annual internal audit plan
    • review promptly all reports from the internal auditors
    • review management response to the findings of the internal auditors
    • review activities, resources and effectiveness of internal audit
  3. Financial reporting
    • review the annual and half-year financial results
    • evaluate annual report against requirements of the governance code
    • review disclosure by CEO and CFO during certification of annual report
  4. Regulatory reports
    • review arrangements for producing the audited accounts
    • monitor and review standards of risk management and internal control
    • develop a code of ethics for CEO and other senior management roles
    • annually review the adequacy of the risk management processes
    • receive reports on litigation, financial commitments and other liabilities
    • receive reports of any issues raised by whistleblowing activities

Risk management outputs

Risk management and internal audit should focus on the results of the risk management process and the desired impact on the organization. Risk management aims to increase the likelihood of achieving organizational goals, which aligns with the purpose of internal audit. Together, their efforts contribute to improved performance in four key areas: strategy, tactics, operations, and compliance (STOC). This is achieved by minimizing disruptions from risks and choosing effective processes suited to the organization. These processes require informed decisions and successful project planning and implementation, which both risk management and internal audit support.

Strategic decisions are among the most critical for any organization. Both risk management and internal audit play important roles in guiding these decisions. For instance, risk management ensures that risk assessment workshops address strategic concerns, while internal audit evaluates the quality of the processes used to make these decisions. By working together, they help create strategies that are both effective and efficient.

The key outcomes of risk management and internal audit include meeting legal obligations, providing assurance, supporting decision-making, and ensuring the organization’s processes are effective and efficient (MADE2). Collaboration between the two functions is crucial for achieving these goals. However, it’s important to maintain the independence of internal audit from executive management. This independence ensures internal audit can objectively evaluate processes without becoming overly involved in the day-to-day management of risks.

Control risk self-assessment

Internal audit teams often use a process called self-certification of controls in addition to performing physical audits. In this process, local senior management regularly (often yearly) submit a report confirming the level of risk assurance achieved in their department. This approach, known as control risk self-assessment (CRSA), is usually completed electronically or via the organization’s intranet. The CRSA questionnaire is typically designed based on established internal control frameworks, such as COSO, CoCo, or guidelines like the UK Financial Reporting Council’s 2014 risk guidance. These self-assessments not only confirm adequate internal controls and risk assurance but also highlight significant weaknesses in controls. This information helps internal auditors identify areas where additional controls might be necessary.

The CRSA return may also require details of any major control failures that have occurred. To ensure consistency, the organization provides a benchmark to identify what constitutes a material failure. This benchmark is usually stricter than the one used by external auditors. For instance, if the external materiality threshold is set at £1 million, the CRSA process might require departments to report any control failure resulting in a loss of over £100,000.

An organization’s approach to Control Risk Self-Assessment (CRSA) should focus on ensuring it is a systematic, collaborative, and transparent process that strengthens internal controls and enhances risk management practices. For example, the executive has recommended the use of an annual ‘control risk self-assessment’ (CRSA) exercise, to be conducted by internal audit, as part of the annual review of corporate governance. Each year a sample of the governance policies will be chosen by the governance panel for inclusion in the CRSA exercise. Policy custodians will be required to help formulate questionnaires and report back on the feedback received from services to internal audit. The findings from the CRSA exercise, together with the assessment of compliance against each of the supporting principles and work carried out by internal audit in accordance with the annual audit plan, will be drawn together into the annual governance statement, for review by the governance panel, the audit committee and the executive committee.

Here’s how the organization should approach CRSA:

  • Monitor and Improve: The organization should regularly review and refine the CRSA process based on feedback, changing risks, and evolving best practices. Continuous improvement ensures the process remains effective and relevant.
  • Define Clear Objectives: The organization should establish the purpose of CRSA, such as identifying control gaps, evaluating risk assurance levels, and ensuring alignment with internal control frameworks like COSO or CoCo. The process should aim to promote accountability and improve the effectiveness of controls.
  • Engage Senior Management: Local senior management should actively participate in the self-assessment process, as they are closest to the operational risks and controls. Their involvement ensures that the process is grounded in practical realities and aligns with organizational objectives.
  • Develop a Comprehensive Questionnaire: The CRSA process should use a well-structured questionnaire based on relevant internal control frameworks. This questionnaire should cover critical aspects, including the adequacy of existing controls, areas of significant weakness, and instances of material control failures.
  • Leverage Technology: The process should be facilitated using electronic tools, such as online surveys or intranet portals, to streamline data collection, improve accuracy, and enable easy tracking and analysis of results.
  • Set Materiality Benchmarks: The organization should establish clear thresholds for reporting significant weaknesses and material failures. These benchmarks should be stricter than those used by external auditors to ensure early detection of potential risks.
  • Encourage Transparency: Employees and managers should feel confident to report weaknesses or failures without fear of blame. A transparent, non-punitive environment fosters honest self-assessments and helps in identifying genuine risks.
  • Analyze and Act on Findings: The results of CRSA should be reviewed systematically by internal auditors to pinpoint areas requiring additional controls or improvements. Significant issues should be escalated to senior management for action.
  • Provide Training and Guidance: Employees involved in the CRSA process should receive clear guidance and training on how to evaluate risks and controls effectively. This ensures consistency and reliability in the assessments.
  • Integrate with the Risk Management Framework: CRSA should be part of the broader risk management and governance processes. It should provide valuable inputs for risk assessment, audit planning, and control improvements.

Benefits of risk assurance

Corporate governance is a key focus for organizations and their stakeholders, and risk assurance should not just be a routine or checklist task. Organizations need to show that corporate governance is a management priority. Many understand the importance of being open about risk reporting, which requires strong communication efforts at all times. Once effective communication is in place, the organization must ensure it has positive updates to share with stakeholders. Risk assurance activities help provide confidence to all stakeholders, such as employees, suppliers, customers, government agencies, and both internal and external auditors. Risk assurance plays a vital role in an organization’s corporate governance and supports its strategic, tactical, operational, and compliance (STOC) processes. The advantages of solid risk assurance include building trust with stakeholders, reassuring sponsors and lenders, showing regulators good practices, preventing unexpected financial or operational issues, protecting the organization’s reputation, fostering a strong risk-aware culture, and enabling safe delegation of authority.

Although the external auditor’s work is not primarily for the organization’s benefit, the audit and risk assurance committee should still engage with it. They should review the results of external audits, address any identified weaknesses, and understand the external auditor’s planned approach. The committee should also examine how well the external auditor works with internal audit to improve overall efficiency, reduce unnecessary duplication, and enhance assurance. Additionally, they should assess the potential impact of any broader work by the external auditor, such as value-for-money assessments or recommendations for good practices.

Internal audit activities

In Enterprise Risk Management (ERM), internal audit is an independent and objective function that evaluates how effectively the organization identifies, assesses, manages, and mitigates risks to achieve its objectives. It plays a key role in providing assurance that the ERM framework is working as intended and supports the organization in enhancing its risk management practices. Internal Audit Activities in ERM:

  • Assessing the ERM Framework: Internal audit reviews the design and implementation of the ERM framework to ensure it aligns with the organization’s objectives and industry standards. This includes evaluating the structure, policies, and processes for risk identification, assessment, and response.
  • Testing Risk Controls: Internal audit examines the effectiveness of controls put in place to manage specific risks. This involves testing key controls to verify whether they are functioning as intended and identifying gaps that need remediation.
  • Reviewing Risk Assessments: Auditors evaluate the quality of risk assessments conducted by the organization. They verify that risks are being identified comprehensively, assessed consistently, and prioritized appropriately.
  • Providing Assurance on Risk Reporting: Internal audit ensures that risk reporting is accurate, transparent, and timely. It checks whether risk information provided to management and stakeholders supports informed decision-making.
  • Evaluating Risk Culture: Internal audit assesses the organization’s risk culture to determine whether employees and management understand and align their behavior with risk management expectations.
  • Monitoring Emerging Risks: Internal audit examines how well the organization identifies and prepares for emerging risks. This includes reviewing mechanisms for scanning the external and internal environment for new threats or opportunities.
  • Supporting Decision-Making: While maintaining independence, internal audit provides insights and recommendations to improve the organization’s risk management practices, contributing to better decision-making and strategic alignment.
  • Auditing Risk Governance: Internal audit reviews the roles and responsibilities of the board, risk committees, and management to ensure accountability and oversight in the ERM process.
  • Collaborating with Other Assurance Providers: Internal audit coordinates with external auditors, compliance teams, and other assurance functions to optimize efforts, reduce duplication, and provide comprehensive assurance over the risk management process.
  • Continuous Improvement of ERM: Internal audit identifies opportunities to enhance the ERM process by recommending improvements in policies, frameworks, and practices based on its findings and industry best practices.

Risk management and internal audit need to work closely together, though their specific roles will depend on the organization’s type, size, and nature. This relationship is crucial because effective risk management relies on four key outcomes, known as MADE2: meeting mandatory requirements from laws, customers, and standards; providing assurance to management and stakeholders; enabling informed decision-making; and ensuring effective and efficient core processes across the organization. To achieve these outcomes, cooperation among all stakeholders, including risk management and internal audit, is essential. Risk assurance activities and the significant role of internal audit are explored further in related chapters.

Internal control, which involves procedures, checks, and methods to help organizations meet their goals, is closely linked to risk management. In larger organizations, internal audit often evaluates these controls, and in some cases, external firms may handle the internal audit function. Although internal audit and risk management have distinct roles, they share common interests. Risk management is typically an executive function, managed by senior executives, with the risk management committee often chaired by a board-level executive. Internal audit, on the other hand, focuses on risk assurance, a responsibility overseen by a non-executive audit committee in larger organizations. Since internal auditors validate the effectiveness of controls and procedures for managing risk, they should remain independent and not take on executive tasks like designing or implementing risk control measures.

A good system of internal control helps reduce risks but cannot completely prevent issues like poor decision-making, human mistakes, employees bypassing controls, management overriding rules, or unexpected events. Such a system offers reasonable confidence, though not a guarantee, that a company can achieve its business goals and operate smoothly and lawfully under foreseeable conditions. However, it cannot completely protect against failing to meet objectives, significant errors, losses, fraud, or violations of laws or regulations.

Role of internal audit

To successfully implement an Enterprise Risk Management (ERM) initiative, several activities are essential and fall under the responsibility of the internal audit department. These activities include reviewing how key risks are managed, evaluating how those risks are reported, and assessing risk management processes. Other tasks, such as setting the organization’s risk appetite, establishing risk management processes, and making decisions on how to respond to risks, belong to management and should not be undertaken by internal audit. Internal audit can be involved in certain activities, such as helping to identify risks, coordinating ERM efforts, developing the ERM framework, and supporting the establishment of ERM, as long as appropriate safeguards are in place. This division of responsibilities supports the “three lines of defense” model, where management handles the first line, risk management specialists handle the second, and internal audit manages the third.

An important task of the audit department is setting audit priorities, especially when it comes to testing controls in relation to risk management. While risk management professionals are good at assessing risks and recommending appropriate controls, the internal auditor’s role is to test and ensure those controls are properly implemented and effective. The goal is to confirm that the intended level of risk has been achieved. If controls are found to be ineffective, they must be improved. Although risk management and internal audit can discuss and facilitate control issues, it is up to the line management to make the final decisions about controls and their effectiveness.

  • Core internal audit roles in regard to ERM
    • Giving assurance on the risk management processes
    • Giving assurance that risks are correctly evaluated
    • Evaluating risk management processes
    • Evaluating the reporting of key risks
    • Reviewing the management of key risks
  • Legitimate internal audit roles with safeguards
    • Facilitating identification & evaluation of risks
    • Coaching management in responding to risks
    • Co-ordinating ERM activities
    • Consolidated reporting on risks
    • Maintaining & developing the ERM framework
    • Championing establishment of ERM
    • Developing RM strategy for board approval
  • Roles internal audit should not undertake
    • Setting the risk appetite
    • Imposing risk management processes
    • Management assurance on risks
    • Taking decisions on risk responses
    • Implementing risk responses on management’s behalf
    • Accountability for risk management

Undertaking an internal audit

Conducting an internal audit involves several steps. First, the audit must be planned. Then, the fieldwork is carried out, where controls are tested. Afterward, an audit report is created, and finally, follow-up actions are taken. During the audit, the auditor gathers relevant information to understand the areas being reviewed. This analysis helps the auditor set priorities and objectives for the audit. For example, if auditing the supply chain, the auditor would collect details about contracts with suppliers. Fieldwork is often considered the most important part of the audit. The auditor may need to visit various locations, including supplier sites, if the audit focuses on the supply chain. The goal of the fieldwork is to understand the risks and controls in place to manage them. The auditor will test these controls to check their efficiency and effectiveness, through discussions with managers and staff, as well as observing operations. After the fieldwork, the auditor writes the audit report. This report evaluates how well the controls are working and may include suggestions for improvements if needed. The auditor also forms an independent opinion on the level of control in place to provide assurance to the audit committee. If the report includes recommendations, they should be agreed upon by the relevant management to increase the likelihood of their implementation. However, if the internal auditor believes the controls are insufficient but management disagrees, the issue should be escalated.

  1. Planning
    • Initial contact: inform the client (the audit target) or the involved association about the audit and its objectives.
    • Initial meeting: a conference meeting at which the client describes the areas for review and states the available resources and processes.
    • Preliminary survey: the auditors gather all the data they need to form a good overview of the area being audited.
    • Review of the internal control structure: the auditor determines the priority areas for the audit to review.
    • Audit programme preparation: the audit programme outlines the fieldwork required for the audit topic or area.
  2. Fieldwork
    • Testing of the critical internal controls: randomly selected records are tested to check that they are accurate.
    • Regular updates: the auditor reports progress regularly, mostly orally, and the client may help resolve any issues raised.
    • Drafting the audit summary: when fieldwork is complete, the auditor summarizes the findings, conclusions and recommendations.
  3. Audit report
    • Draft report: the draft is reviewed by the audit team before it is presented to the client for further review.
    • Creating the final report: comments and suggestions on the first draft are taken into account in producing the final report, which is then distributed to the people involved, senior management and the audit committee, as agreed.
  4. Follow-up
    • Audit follow-up: response from the client will be reviewed, so that the findings may be tested and resolved.
    • Reporting the audit follow-up: the effects of resolved and unresolved findings will be included in the follow-up.

Three lines of defense

In many large organizations, the relationship between risk management and internal audit can be challenging. Internal audit focuses on ensuring that effective controls are in place and works with an agenda centered around this goal. Typically, the head of internal audit reports to the highest-ranking non-executive member of the board, sometimes even the chairman. On the other hand, the risk manager usually reports to an executive member of the board, such as the company secretary or finance director. This difference in reporting levels can be frustrating for the risk manager, but the roles of risk management and internal audit complement each other, providing an opportunity to improve the implementation of risk management procedures. Both risk management and internal audit should seek ways to work together without interfering with each other’s objectives. For example, both should attend risk assessment workshops. While the risk manager may lead the workshop, the responsibility for managing risk lies with the manager of each department. Internal auditors’ presence should not be seen as a threat by department managers. Internal auditors focus on ensuring that control measures are well-defined and can be audited. They test the effectiveness of these controls by requesting and analyzing information to establish facts. In essence, internal auditors believe that information plus testing equals facts.

A popular approach in recent times is the “three lines of defense” model, which aligns with the role of internal audit in enterprise risk management. This model is based on three key ideas:

  1. management has the main responsibility for managing risk,
  2. specialist risk management functions assist management in fulfilling this responsibility, and
  3. internal audit checks the effectiveness of the risk management process.

Management’s role is divided into three layers: top management (directors), middle management (managers), and staff. Specialist risk management functions may operate at the corporate level, supporting the development, implementation, monitoring, and improvement of the risk management framework. These functions, including business continuity and health and safety, perform a similar role to group-level risk management but focus on specific areas of risk.

The three lines of defense approach also fits well with the concept of governance, risk, and compliance (GRC). The GRC approach sees the board as responsible for governance across the entire organization. In this role, the board relies on all three lines of defense to ensure that risk is properly managed. Non-executive directors, in particular, look to internal audit to provide assurance on a wide range of compliance matters within the organization. All organizations must maintain accurate financial records, often produced by an external accounting firm that also serves as the external auditor. These external auditors are required to confirm, or sometimes certify, the accuracy of the financial records, and they may be seen as the fourth line of defense. For organizations in highly regulated industries, regulators ensure compliance with rules and regulations and may be considered the fifth line of defense. The terminology used in these areas can vary from one organization to another, but the concept of dividing responsibilities into three lines of defense is a strong and effective way to ensure proper governance and compliance, and in some cases, the effective management of specific risks like tax risks. Risk management and internal control can collaborate in setting priorities for the upcoming year. When an organization creates a risk-based audit program, it focuses on the most significant risks facing the organization. The board may want both risk management and internal audit to work together to help make better strategic decisions, deliver projects more successfully, and improve efficiency in key processes. There are both advantages and disadvantages to having a close working relationship between risk management and internal audit. On the positive side, the two disciplines complement each other, and working together can help focus efforts and improve coordination in managing risk. It also allows for sharing best practices and useful risk management tools and techniques. However, there are some downsides to this close relationship. It’s important for line management to understand that the responsibility for deciding how much control is needed for a particular risk, for implementing those controls, and for auditing compliance are separate tasks. Additionally, risk management and internal audit often have different reporting structures within the organization. Lastly, internal audit values its independence, and getting too involved in risk management decisions could jeopardize that independence. To implement a risk-based audit program, internal audit should participate in risk assessment workshops, and risk management and internal audit should create a joint annual work plan. The goal is to make sure that the control measures discussed in risk assessments are clearly documented in the risk register as auditable controls, and that managers are aware of and meet their control responsibilities.

The “three lines of defense” is a concept that is becoming more popular in risk management. It is now widely used in financial services and is starting to be adopted in other areas, often through public sector procurement rules. However, it hasn’t yet been fully applied to risk management. Managing risk involves having clear roles and responsibilities for tasks like data management, transaction processing, gathering information, verifying it, and escalating issues when necessary. Here is how the three lines of defense apply:

  • First Line: This involves having the right people who understand the core business processes. These people ensure that information is gathered and processed accurately.
  • Second Line: This is about monitoring the processes regularly. It includes creating frameworks and guidelines that the tax and finance teams work on together. These help in spotting problems early and identifying weaknesses in the process. Since people can make mistakes, these measures help catch them before they become bigger issues.
  • Third Line: This provides independent assurance that the processes are working well, through internal and external audits. Internal auditors should understand tax risks, and core processes should be open to audit, as it’s better to have internal auditors find mistakes than to deal with an authority finding them later.

Five lines of assurance

There has been a lot of discussion about how the three lines of defence model works. For example, in an organization using this model, head office functions may play a role in multiple lines of defence. These functions, such as treasury, might be part of the first and second lines, and sometimes even the third line. In a large company, the treasury function manages the organization’s treasury needs as part of the first line. It also helps decide the strategy and tactics for the organization. In some cases, the internal audit team does not review the treasury function, so external auditors take on this responsibility. One issue with the three lines of defence model is that it works well for operational risks and compliance risks, but it doesn’t address the “upside” of risk, such as identifying missed opportunities. As a result, the work of risk management and internal audit may not cover all aspects of enterprise risk management. Another point is the role of the board of directors. The board provides assurance but is not usually considered a line of defense. The board both receives and gives assurance, including from external sources like external auditors. While the three lines of defense model is well-established, some organizations extend it to five lines of defence by including external auditors as the fourth line and regulators as the fifth line. However, this is different from the “five lines of assurance” approach that is being developed to enhance the model. The five lines of assurance model includes the following sources of assurance:

  1. The Board of Directors – Responsible for ensuring effective risk management and that risks are kept within acceptable levels.
  2. Senior Executives and Managers – In charge of maintaining the risk management process and delivering accurate information on key risks.
  3. Business Unit Leaders – Responsible for reporting on specific risks and ensuring objectives are met.
  4. Specialist Units – Experts in specific risks like treasury, safety, environment, and legal, responsible for managing related risks.
  5. Internal Audit – Provides independent and timely reports to the board on the effectiveness of risk management.

Organizations can adapt this model to fit their needs, but the main improvement of the five lines of assurance is that it divides the first line of defence into three groups: the board, senior executives, and business unit leaders. Each group is responsible for providing assurance in their areas. One of the benefits of the five lines of assurance model is that it requires better communication between the board, executives, and business leaders. It also encourages closer coordination between specialist risk units and internal audit. The focus is on providing overall assurance and promoting a risk-aware culture, rather than just designing and implementing controls. Because the five lines of assurance model emphasizes assurance, it is more relevant for managing strategic and tactical risks, including opportunities, than the three lines of defence model. However, external auditors and regulators still maintain their specific roles in both models.

Management responsibilities

An alternative way to assign responsibilities is that internal audit focuses on activities that are considered core to its role. Risk management should help and support these activities, ensuring they follow proper guidelines, while line management at the appropriate level takes responsibility for tasks that internal audit should not handle. The relationship between risk management and internal audit will vary from one organization to another, and the roles and responsibilities will reflect the structure that best fits the organization. It is important to clearly define the roles of risk management, internal audit, and line management so that ownership of risk is clear. In short, risk management can help with risk assessments and designing controls, while internal audit ensures these controls are working well and are properly implemented. However, the main responsibility for managing risk lies with the organization’s executive management. It’s crucial that the work of risk management and internal audit does not interfere with or take away from the management’s ownership of risk. This approach also aligns with the general principle in risk management standards that risks should be managed within the areas where the risks arise.

Allocation of responsibilities

  1. Internal audit activities
    • giving assurance on risk management processes
    • giving assurance that risks are correctly evaluated
    • evaluating risk management processes
    • evaluating the reporting of key risks
    • reviewing the management of key risks
  2. Risk management support
    • facilitating identification and evaluation of risks
    • coaching management in responding to risks
    • co-ordinating ERM activities
    • consolidated reporting on risks
    • maintaining and developing the ERM framework
    • championing establishment of ERM
    • developing RM strategy for board approval
  3. Management responsibilities
    • setting the risk appetite
    • imposing risk management processes
    • management assurance on risks
    • taking decisions on risk responses
    • implementing risk responses on behalf of management
    • accountability for risk management

Risk Reporting

Risk Reporting refers to the process of communicating information about risks that an organization faces, their potential impact, and the actions being taken to manage them. It is a key component of risk management, ensuring that stakeholders, such as the board, senior management, and external parties, have a clear understanding of the organization’s risk profile and how effectively those risks are being managed.

Purpose of Risk Reporting

  • Awareness: Inform stakeholders about key risks and their impact on organizational objectives.
  • Decision Support: Provide accurate and timely information to facilitate risk-informed decision-making.
  • Accountability: Demonstrate that risks are being actively managed and monitored.
  • Compliance: Meet regulatory and governance requirements for transparency.
  • Improvement: Highlight areas for enhancing risk management practices.

Types of Risk Reporting

  1. Internal Risk Reporting
    • Board Reports: Summaries of key risks, trends, and the effectiveness of risk management strategies presented to the board or risk committees.
    • Management Reports: Detailed operational and strategic risk reports for executives and department heads to guide decision-making.
    • Operational Reports: Risk reports generated for specific business units or functions, focusing on risks impacting day-to-day operations.
  2. External Risk Reporting
    • Regulatory Reports: Reports prepared to comply with legal and regulatory requirements, such as those for financial or environmental risks.
    • Stakeholder Reports: Disclosures to shareholders, investors, or customers about significant risks affecting the organization.
    • Public Disclosures: Risk information shared in financial statements, annual reports, or sustainability reports.
  3. Risk-Specific Reports
    • Strategic Risk Reports: Focused on risks that could affect long-term goals and strategies, such as market competition or regulatory changes.
    • Operational Risk Reports: Cover risks associated with processes, systems, or human errors that impact day-to-day operations.
    • Financial Risk Reports: Highlight risks related to liquidity, credit, market fluctuations, or investments.
    • Compliance Risk Reports: Focused on risks of non-compliance with laws, regulations, or internal policies.
    • Emerging Risk Reports: Address new or evolving risks, such as technological disruptions, geopolitical instability, or climate change.
  4. Ad Hoc Reporting: Reports generated for specific events or incidents, such as data breaches, supply chain disruptions, or health and safety issues.
  5. Dashboard or KPI-Based Reporting: Visual summaries of key risk indicators (KRIs) or other metrics that provide a snapshot of risk status at a glance.
  6. Scenario-Based or Stress Testing Reports: Analysis of how potential adverse events could impact the organization, often used for financial or operational risks.

Risk management involves creating and maintaining a variety of documents to support its activities. These documents can include:

  1. Risk management administration documents
  2. Risk response and improvement plans
  3. Event reports and recommendations
  4. Risk performance and certification reports

A risk management manual is essential for outlining the organization’s risk culture and control environment. It usually includes:

  • Established procedures for risk management
  • Action plans, like those in the risk register
  • Incident reports and recommendations for improvement
  • Performance reports showing how risks are managed

These documents ensure that risk management stays dynamic and responsive within the organization.

Importance of Risk Performance and Certification Reports

Risk performance and certification reports are increasingly critical, especially since the introduction of the Sarbanes-Oxley Act of 2002. These reports must meet the highest applicable standards while complying with specific regulations, such as:

  • Sarbanes-Oxley requirements for companies listed on the New York Stock Exchange.
  • Other regulations for organizations listed on different stock exchanges or operating in specialized sectors like charities or insurance.

These reports can include:

  • Operational management summaries.
  • Formal certifications by external auditors verifying financial results and the effectiveness of control systems.

Guidance and Communication

The Financial Reporting Council’s 2014 guidance emphasizes the board’s responsibilities in risk reporting. It highlights the importance of clear communication both to and from the board, covering internal operations and external disclosures.

Detailed Reporting and Special Reports

Organizations may need to produce multiple reports for different regulatory authorities. Some also publish special reports, like corporate social responsibility (CSR) reports, to highlight achievements in specific areas. For example, companies listed on the London Stock Exchange often include diverse risk-related topics in their disclosures. These reports ensure transparency, accountability, and alignment with regulatory and stakeholder expectations.

Risk management (RM) responsibilities of the board

The FRC risk guidance identifies the risk management responsibilities of the board, and these can be summarized as follows:

  1. Risk management processes
    • Ensure that RM is incorporated within normal processes.
    • Identify the principal risks facing the company.
  2. Principal risks and risk appetite
    • Assessment of risks to the business model and strategy.
    • Risks the organization is willing to take, or ‘risk appetite’.
  3. Risk culture and risk assurance
    • Risk culture is embedded throughout the organization.
    • Adequate RM and assurance discussions take place at the board.
  4. Risk profile and risk mitigation
    • Risk profile of the company is kept under review.
    • Measures to manage or mitigate the principal risks are taken.
  5. Monitoring and review activities
    • Monitoring and review of risk management is undertaken.
    • Monitoring and review is ongoing and not just annual.
  6. Risk communication and reporting
    • Internal and external risk management communication takes place.
    • Necessary risk information is communicated to and from the board.

Sarbanes–Oxley Act

The Sarbanes–Oxley Act (SOX) was introduced in response to corporate scandals in the U.S. involving false financial reporting. These scandals led to misleading financial statements. The main goal of SOX is to ensure that companies listed on U.S. stock exchanges provide accurate information.

Key Requirements of SOX

  1. Accurate Reporting: SOX requires companies to have controls ensuring all reported information is accurate.
  2. Validation of Data: Under Section 302, all company data must be validated to prevent errors or fraud.
  3. Detailed Risk Assessment: Companies must analyze risks that could lead to financial misstatements and establish strict processes for preparing financial statements.
  4. External Audit Attestation: As per Section 404, external auditors must review and confirm the accuracy of financial statements and the effectiveness of financial reporting systems.

Framework for Compliance

  • Companies must use an approved risk management framework, such as the COSO Internal Control Framework, to meet SOX requirements.
  • COSO’s ERM framework also covers these controls, helping organizations ensure accurate financial reporting.
  • SOX applies to U.S.-based companies and their subsidiaries worldwide. It also applies to foreign companies listed on U.S. stock exchanges.

Disclosures Committee

Many companies establish a disclosures committee to review and validate all information disclosed. This committee ensures compliance with SOX and has become a standard part of corporate governance, even for non-U.S. companies affected by SOX rules.

Challenges and Criticism

  • Cost and Complexity: Compliance with SOX is expensive and time-consuming, especially the detailed audits required.
  • Effectiveness: Critics question whether SOX has improved the accuracy of financial reports and note that its focus is on reporting accuracy rather than broader risk management practices.

Despite its challenges, SOX has become a key framework for ensuring financial transparency and accountability in global organizations. CEOs across the U.S. see the Sarbanes–Oxley Act as a reactionary law that is overly burdensome. However, they still identify “improper accounting practices” as the top ethical issue in business today. A survey by Georgia State University, involving nearly 300 CEOs from private and public companies, revealed the following:

  • Most CEOs believe the Sarbanes–Oxley Act has helped restore public and investor trust in corporate America.
  • Despite this, they feel the law has not improved ethical standards within their organizations.
  • Many also think the act was an overreaction to the unethical actions of a few executives and consider it unnecessary and overly demanding.

Risk reports by U.S. companies

Companies listed on U.S. stock exchanges must provide detailed disclosures about potential risks. These reports focus on future risks rather than past incidents and are included in periodic filings like Form 10-K or Form 20-F. It’s common for these risk factor sections to span 3 to 10 pages. These sections often begin with a statement like, “Important factors that may cause future financial difficulties include, but are not limited to,” followed by a detailed list of risks, such as:

  • Regulatory changes
  • Market competition
  • Economic conditions
  • Customer loss
  • Fluctuating fuel costs or currency rates
  • Disruptions due to employee strikes, illness, or technology failures
  • Compliance with laws and tax changes
  • Impacts of weather, environmental regulations, and Sarbanes–Oxley costs

Each risk is typically explained further, with up to half a page of detail for each item. The Securities and Exchange Commission (SEC), which oversees U.S. stock exchanges, is also considering requiring companies to provide more detailed reports on their risk committee structures. This aligns with the SEC’s mission to protect investors, maintain fair and efficient markets, and support capital formation.

Risk report in a Form 20-F

In relation to industry, economic and environment risks, the following have been identified for further detailed comment:

  • risk of expiration of patents or marketing exclusivity
  • risk of patent litigation and early loss of patents, marketing exclusivity or trademark
  • risk of expiration or earlier loss of patents covering competing products
  • failure to obtain patent protection
  • impact of fluctuations in exchange rates
  • debt-funding arrangements
  • the risks of owning and operating a biologics and vaccines business
  • competition, price controls and price reductions
  • taxation
  • risk of substantial product liability claims
  • performance of new products
  • environmental/occupational health and safety liabilities
  • developing our business in emerging markets
  • product counterfeiting

Charities’ risk reporting

Risk reporting is mandatory for charities in most countries. Charities are generally expected to have robust risk management processes similar to those required for government departments or publicly listed companies. Below is a simplified version of the UK Charity Commission’s guidance on risk reporting:

Basic Reporting Expectations

Charities can use a simple narrative-style report that includes:

  • Acknowledgment of trustees’ responsibility for risk management.
  • Overview of how risks are identified.
  • Confirmation that major risks have been reviewed or assessed.
  • Assurance that control systems are in place.

Best Practices for Larger or Complex Charities

Larger charities may choose to provide more detailed reports. These should describe:

  • How major risks relate to the charity’s goals and operations.
  • Procedures that address not just financial risks but also operational and compliance risks.
  • Assessment of risks based on their likelihood and potential impact.
  • Ongoing monitoring and embedding of risk management into daily operations.
  • Regular review by trustees of key risk management outcomes.

Common Practices and Challenges

Most charities already consider risks in their daily activities. However, many view risk management and governance requirements as significant challenges, leading to a focus on compliance over fundraising efforts.

Example of a Risk Report for a Small Charity

A small charity’s risk report might include:

  • Processes to identify and prioritize significant risks.
  • Policies and procedures integrated into daily operations.
  • Analysis of strategy to highlight key risks to achieving objectives.
  • Procedures ensuring legal compliance, with regular updates to trustees.
  • Training for trustees on risk management and governance issues.
  • Annual reports to trustees on risk management activities and control effectiveness.
  • Additional reports highlighting major weaknesses or control failures.

This approach ensures that even smaller charities can effectively address and communicate their risk management practices.

Public-sector risk reporting

Risk management is mandatory for government departments and public sector organizations in most countries. Many government bodies provide detailed information about their risk management processes on their websites, which can be a valuable resource. However, these reports often do not include details about risk reporting to external stakeholders, as the information is already publicly accessible. The UK government has outlined key principles for risk reporting, including:

  • Openness and transparency
  • Involvement
  • Proportionality
  • Evidence-based decision-making
  • Responsibility

Government organizations often provide detailed explanations of their internal risk-reporting processes. For example, a typical report from a UK local government authority might include:

  • Monitoring of all strategic risks through quarterly risk review meetings.
  • Forwarding of reports from these reviews to the executive committee twice a year.
  • Including the strategic risk register in the annual strategic plan submitted to the full council.
  • Service-specific risks being managed within service group plans and monitored through directorate performance reviews.
  • Regular updates on these service risks provided to relevant council members twice a year.

This structured approach ensures transparency and accountability in managing and reporting risks within public sector organizations.

Government risk-reporting principles

  • Openness and transparency: The government will be open and transparent about its understanding of the nature of risks to the public and about the process it is following in handling them.
  • Involvement: The government will seek the wide involvement of those concerned in the decision process.
  • Proportionality: The government will act proportionately and consistently in dealing with risks to the public.
  • Evidence: The government will seek to base decisions on all relevant evidence.
  • Responsibility: Government will seek to allocate responsibility for managing risks to those best placed to control them.

Government report on national security

Governments have become more open about security threats in recent years, which is a significant improvement in risk communication. Many governments conduct national security threat assessments and share the findings publicly. For instance, the UK government published the National Security Strategy of the United Kingdom in 2011, followed by the National Risk Register from the Cabinet Office. These reports detail threats to national security, including:

  • Natural events: Extreme weather, coastal and river flooding, and outbreaks of human or animal diseases.
  • Major accidents: Industrial and transport-related incidents.
  • Malicious attacks: Targeting crowded areas, infrastructure, transportation systems, and electronic networks, including potential nuclear or unconventional attacks.

The reports also explain the measures in place to reduce these risks and analyze broader factors driving changes in risk levels, such as:

  • Political dynamics.
  • Climate change.
  • Competition for energy resources.
  • Poverty, inequality, and governance issues.
  • Globalization in economics, technology, and demographics.

This risk assessment highlights how deeply risk management is integrated into national government operations, showing its recognition at the highest levels. Using a risk attitude framework, the UK government seems confident in managing certain risks, like transport accidents, cyberattacks, and animal diseases. However, it is more cautious about risks such as industrial accidents, attacks on infrastructure, and severe weather. The government is especially concerned about coastal flooding and attacks on crowded places, while identifying pandemics as a critical threat to national security. Protecting national security has become far more complex than a century ago, when governments primarily focused on land and sea defence. Modern national security efforts now require addressing various interconnected and evolving threats.

Some governments are starting to understand how complex national security is and have come up with terms like “the comprehensive approach,” hoping it will solve the issue. However, in reality, this idea is mostly theoretical and rarely applied effectively where it matters most. At the same time, government structures and mindsets remain outdated. Ministers are evaluated on how well they protect their department’s boundaries, budget, and staff, while senior officials take a similar approach. Cooperation with other departments is often seen as a threat rather than an opportunity. Though everyone recognises it’s necessary, traditional, rigid hierarchies and siloed thinking make collaboration difficult. To address these challenges, governments need a complete overhaul to adopt more modern and flexible structures.