How do you audit risk management?


Writing a novel was fun, especially as I have been told it is quite entertaining.

But I am back to the more serious business of writing about internal auditing and risk management; this time it’s a book about how to audit risk management.

It’s a challenge. Even with my many years of risk management and internal audit experience, as I write I am challenging myself and my previous ideas.

One of those ideas was that internal audit should provide assurance on the effectiveness of the organization’s enterprise risk management processes and controls.

I still believe that…

But there’s a problem.

Risk is everywhere and changing all the time.

It has to be considered in:

  • Objective and strategy-setting
  • Performance reporting (any time you have forecasts)
  • The thousands of strategic and tactical decisions being made all the time
  • Top management and board governance and oversight
  • Regulatory reporting

It is huge and reminds me of the old joke:

eat an elephant

Just as you can’t audit all the internal controls over every single source of risk in a single audit (unless you have a time machine), you can’t audit all of risk management in a single audit.

You need to audit it one bite at a time!

For example, you might have audits of these parts of the elephant:

  • Enterprise objective/strategy setting
  • The cascading of performance…
