Risk Management Auditing
Enterprises tend to use risk-based internal auditing to maximize the effectiveness of an audit by concentrating on the areas that may hurt the enterprise the most.
The activities involved in managing risks are identified as playing a central and essential role in maintaining a sound system of internal control. Because internal audit departments vary from organization to organization, many companies require internal audit consulting to ensure their departments are developed strategically.
This is where NorthArm can help with regard to risk management auditing to ensure that risks are properly identified and managed.
A risk management audit reviews how a risk management framework or system is developed, managed and reviewed. The following elements would be looked at in a risk audit.
Risk Management Framework, Procedure or System
- Does the enterprise have a formal risk management framework that encompasses involvement of senior management?
- Does the framework detail the frequency of risk assessments and reviews?
- Is the risk register reviewed by a senior manager at predetermined intervals?
- Are any defects in the design or operation of the framework followed up?
Risk Assessments and Risk Controls
- When was the last time a risk was assessed?
- Who were the participants?
- What were the criteria, i.e. assumptions, boundaries, references?
- Is there a person designated to be responsible for the risk?
- What is the basis for estimating the impact of the consequences on the enterprise?
- How is the risk controlled?
- Have controls or barriers been identified to prevent or mitigate a risk?
- What type of control has been identified?
- Have critical controls been identified for major risks?
- How are controls designed, operated and verified?
- Is there an established basis for determining the objective and criteria of a control?
- How is the control operated and is there a verification process?
- Is there a person designated to operate a control and another person to verify its operation?
- Is there a person designated to be in overall charge of a control?