IIA issues new risk management standards

ALTAMONTE SPRINGS, FLORIDA - Two new best practice advisory papers on risk management have been released by the international industry standards body the Institute of Internal Auditors (IIA).

The IIA says the guidelines aim to help internal audit assess the effectiveness of risk management and provide a firm's management and audit committee with assurance that appropriate systems, controls and operational risk management is in place.

"Although these practice advisories refer to different standards, they are closely related, as assessing risk and providing assurance are primary functions of professional internal auditors," says Heriot Prentice, standards and guidance director at the IIA.

The first paper, entitled Using the risk management process in internal audit planning (practice advisory 1010-2), aims to align the goals of internal audit with the organisation as a whole, as well as provide for a more proportional, risk-based approach to internal audit priorities.

The IIA says the audit plan should focus on reporting unacceptable risks with minimal controls or management actions required to mitigate them, outlining the control systems on which the firm is most reliant, distinguishing areas with a large differential between inherent residual risks, and highlighting areas of high inherent risk.

The second paper, entitled Assurance maps (practice advisory 2050-2), addresses board-level responsibility for managing potential killer risks to the business, providing an 'assurance map' showing reporting lines to management, board and external stakeholders - investors, shareholders and regulators.

The guidance highlights the purpose of the map is to prevent redundancy, and avoid some risk areas falling through gaps in reporting and responsibilities. The IIA highlights the enterprise-wide scope of audit providing this assurance across senior management, compliance, external audit, risk management, healthy and safety departments, and other stakeholders.

Mapping should include significant risk categories, as well as categories for risk ownership, inherent risk rating, residual risk rating, external audit coverage, internal audit coverage and other assurance provider coverage.