21.Risk management and internal audit
Risk is the probability that an event or action may adversely affect the organization or activity under audit.
Risk management is the process of evaluating and controlling risk to ensure that the organization is managed as effectively as possible.
Risk management functions can exist within the organization to identify, monitor and measure risk and publish risk management policies.
Internal audit can ensure that it best adds value by using a risk based internal audit approach that maximizes the benefits to the organization and uses language that line management can understand.
This means explaining why controls are important on the basis of how they can minimize the impact of risk materializing.
Risk based internal auditing
Risk based internal auditing involves:
Working with line management to understand the risks within the activity or organization.
Identifying in a systematic way the types of risks and the significant and likelihood of risks materializing.
Assessing controls to manage risk, including those expected against those in place.
Testing controls to ensure that they operate and that they provide effective management of risk.
Making recommendations to line management for improving the operation, indicating the type and level of risk exposure.
Outsourcing of