What Is a Risk Management Audit?

The risk management audit originated from internal audit and developed along the two paths of internal audit and management practice.


The high-risk operating environment that modern enterprises face has changed the company's internal audit needs; this is the internal background from which risk management audits emerged. The trend of audit outsourcing, which erodes the professional space in which internal audit survives, is the external background. Enterprises have many risk points that need to be audited specifically, and this has led to risk management audits.
According to Paul Sobel, formerly of Arthur Andersen, in his 2003 book "Auditor's Risk Management Guide: Integrating Auditing and ERM", the modern auditing model has passed through four major stages: control-based audit, process-based audit (also known as business audit), risk-based audit (also known as risk-oriented audit), and risk-management-based audit, also known as risk management audit. The difference between the enterprise risk management audit model on the one hand and the risk-based audit model and the control-based audit model on the other lies in:
The risk management audit drivers are summarized as follows:
First, the risks faced by enterprises are increasing, and reducing the risks faced by enterprises is the key to achieving the goals of the organization;
Second, the desire for development of internal audit has led internal auditors to take risk management as an important area of internal audit;
Third, internal audit can play a unique role in risk management, including managing risks, controlling and guiding risk management strategies, and strengthening the degree of attention that management authorities attach to the opinions of internal audit departments;
Fourth, external audit has expanded into risk assessment, a new assurance service, which inevitably affects the internal audit community.
Enterprise risk management audit refers to a series of audit activities in which the enterprise's internal audit department uses a systematic and standardized method to identify, analyze, evaluate, manage and handle risks, based on testing of the risk management information systems, the various business cycles and the related departments. These activities evaluate the organization's risk management, control and supervision processes in order to improve process efficiency and help the organization achieve its goals. The model has its own characteristics:
1. Audit objective: determine the strategic objectives of the enterprise, the risk management strategy and the corresponding operating risks (inherent risks) and evaluate how the enterprise implements the effectiveness of risk management to achieve the corporate objectives.
2. Audit strategy: Understand the corporate strategy, the business and value goals, and the business behavior. Identify the main inherent risks to achieving these goals and the business practices involved. Understand the enterprise's risk management strategy and risk management measures. Evaluate whether the enterprise's risk management measures effectively reduce risk to an acceptable level, and pay attention to gaps in the effectiveness of risk management.
3. Testing method: The mix of substantive testing and compliance testing depends on the effectiveness of enterprise risk management.
4. Management recommendations: Identify risk management gaps at each critical point of risk.
Enterprise risk management audits absorb the advantages of the other audit models while also paying attention to the effectiveness of the overall risk management of the company's strategy and performance. They consider not only the residual audit risk acceptable to the auditors but also the sources of the inherent risks being audited. That is, risks are identified and evaluated from the perspective of the risk management activities carried out by the enterprise's management, so as to further ensure the allocation of audit resources and the effectiveness of the audit from the perspective of both the auditor and the management of the enterprise.
An enterprise risk management audit should include the following:
1. Determine the soundness and effectiveness of the enterprise risk management mechanism by reviewing the soundness of the risk management organization, the rationality of the risk management procedures, and the existence and effectiveness of the risk early warning system;
2. Determine the appropriateness and effectiveness of risk identification by reviewing the rationality of risk identification principles and the appropriateness of risk identification methods;
3. Implement necessary audit procedures, review and evaluate the risk assessment process, and focus on the two factors of the possibility of risk occurrence and the severity of the impact of risk on the achievement of organizational goals. At the same time, internal auditors should fully understand the risk assessment methods and review the appropriateness and effectiveness of the risk assessment methods used by management.
Internal Audit Specific Standards No. 16-Risk Management Audit
Chapter I General Provisions
Article 1 In order to standardize internal auditors' review and evaluation of the risk management status within the organization's internal control, these Standards are formulated in accordance with the Basic Standards for Internal Audit.
Article 2 The risk management referred to in these Standards is the process of identifying and evaluating various uncertain events that affect the achievement of the organization's objectives, and taking countermeasures to control their impact within an acceptable range. The purpose of risk management is to provide reasonable assurance for the achievement of organizational goals.
Article 3 These Standards apply to the internal audit institutions, internal auditors of various organizations and their internal audit activities.
Chapter II General Principles
Article 4 Risk management is a basic component of internal control of an organization. The review and evaluation of risk management by internal auditors is one of the basic contents of internal control auditing.
Article 5 The management of the organization is responsible for determining the acceptable risk range, establishing and improving the risk management mechanism and making it effective.
Article 6 Risk management includes the following main stages:
(1) Risk identification, that is, identifying the risks faced according to organizational objectives, strategic planning, etc.;
(2) Risk assessment, that is, assessing the likelihood and degree of impact of the identified risks;
(3) Risk response, that is, adopting countermeasures to control risks within the acceptable range of the organization.
Article 7 Internal audit institutions and personnel shall fully understand the organization's risk management process, review and evaluate its adequacy and effectiveness, and make suggestions for improvement.
Article 8 Risk management includes the overall organization and functional departments. Internal auditors can review and evaluate the overall risk management of the organization, as well as the risk management of functional departments.
Chapter III Review and Evaluation of Risk Management
Article 9 Internal auditors shall implement the necessary auditing procedures, review and evaluate the risk identification process, and focus on whether the internal and external risks facing the organization have been fully and appropriately confirmed.
Article 10 External risks refer to the uncertainty that affects the achievement of organizational goals in the external environment. It mainly comes from the following factors:
(1) changes in national laws, regulations and policies;
(2) changes in the economic environment;
(3) rapid development of science and technology;
(4) industry competition, resources and market changes;
(5) natural disasters and accidental losses;
(6) others.
Article 11 Internal risk refers to the uncertainty in the internal environment that affects the achievement of organizational goals. It mainly comes from the following factors:
(1) Defects in organizational governance structure;
(2) the characteristics of the organization's business activities;
(3) the nature of the organization's assets and the limitations of asset management;
(4) Failure or interruption of the organization's information system;
(5) the moral and professional quality of the organization's personnel not meeting requirements;
(6) others.
Article 12 Internal auditors shall implement the necessary audit procedures, review and evaluate the risk assessment process, and focus on the following two elements:
(1) the possibility of risk occurrence;
(2) The severity of the impact of risks on the achievement of organizational goals.
Article 13 Internal auditors shall fully understand the methods of risk assessment. Risk assessment can be carried out using qualitative or quantitative methods.
(1) A qualitative method refers to the use of qualitative terms to assess and describe the possibility of a risk and the extent of its impact.
(2) Quantitative methods refer to the use of numerical measures to evaluate and describe the possibility of risk occurrence and the degree of its impact.
Article 14 Internal auditors shall review the risk assessment methods adopted by management, and shall consider the following factors:
(1) the characteristics of the identified risks;
(2) the adequacy and reliability of relevant historical data;
(3) the technical capabilities of management for risk assessment;
(4) assessment and measurement of cost-effectiveness;
(5) others.
Article 15 When assessing the adequacy and effectiveness of risk assessment methods, internal auditors shall follow the following principles:
(1) The adoption of qualitative methods requires full consideration of the opinions of relevant departments or personnel in order to improve the objectivity of the evaluation results;
(2) When the risks are difficult to quantify and the data required for quantitative evaluation are difficult to obtain, qualitative methods should generally be adopted;
(3) Quantitative methods generally provide more objective evaluation results than qualitative methods.
Article 16 Internal auditors shall implement appropriate audit procedures and review risk response measures. The risk response measures based on the results of the risk assessment mainly include the following aspects:
(1) Avoidance, that is, taking steps to avoid the risky activity;
(2) Acceptance, that is, taking no measures against the risk because it is already within the acceptable range of the organization;
(3) Reduction, that is, taking appropriate steps to reduce the risk to a level acceptable to the organization;
(4) Sharing, that is, taking measures to transfer the risk to other organizations or insurance institutions.
Article 17 When evaluating the appropriateness and effectiveness of risk response measures, internal auditors shall consider the following factors:
(1) Whether the level of residual risk after taking risk response measures is within the acceptable range of the organization;
(2) whether the risk response measures adopted are suitable for the operating and management characteristics of the organization;
(3) Evaluation and measurement of cost-effectiveness.
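As an added illustration of Articles 12 through 17 (this is example code written for this page, not part of the standard or of the article above): a small risk register is scored on a 5-point likelihood and impact scale, the four response measures are applied to derive a residual level, and each entry is checked against an assumed risk appetite. The scale, the multiplicative residual model, the qualitative bands and the register entries are all constructed assumptions.

```python
"""Risk register scoring in the spirit of Articles 12 to 17.

Constructed example; scale, bands, residual model and entries are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """The four response measures of Article 16."""
    AVOID = "avoidance"
    ACCEPT = "acceptance"
    REDUCE = "reduction"
    SHARE = "sharing"


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed 5-point scale
    impact: int              # 1 (negligible) .. 5 (critical); assumed 5-point scale
    response: Response
    retained: float = 1.0    # fraction of inherent risk left after REDUCE/SHARE (assumed model)


def inherent_score(r: Risk) -> int:
    """Article 12: likelihood multiplied by severity of impact (quantitative method)."""
    for v in (r.likelihood, r.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
    return r.likelihood * r.impact


def qualitative_band(score: float) -> str:
    """Article 13(1): a qualitative description of a score. Thresholds are assumptions."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def residual_score(r: Risk) -> float:
    """Apply the Article 16 response to the inherent score.

    Avoidance removes the risk entirely, acceptance leaves it unchanged, and
    reduction or sharing keep only the 'retained' fraction (assumed linear model).
    """
    inherent = inherent_score(r)
    if r.response is Response.AVOID:
        return 0.0
    if r.response is Response.ACCEPT:
        return float(inherent)
    if not 0.0 <= r.retained <= 1.0:
        raise ValueError("retained must be a fraction between 0 and 1")
    return round(inherent * r.retained, 6)


def review(register: list, appetite: float) -> list:
    """Article 17(1): list entries whose residual risk exceeds the acceptable range.

    Because acceptance leaves the inherent score unchanged, an accepted risk that
    was never within appetite is reported here as an inappropriate response.
    """
    findings = []
    for r in register:
        residual = residual_score(r)
        if residual > appetite:
            findings.append((r.name, r.response.value, residual, qualitative_band(residual)))
    return findings


# Constructed sample register; names and figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing service", 4, 5, Response.REDUCE, retained=0.3),
    Risk("Key supplier outage", 3, 4, Response.SHARE, retained=0.5),
    Risk("Regulatory change", 2, 3, Response.ACCEPT),
    Risk("Legacy data-centre expansion", 3, 5, Response.AVOID),
    Risk("Privileged credential misuse", 3, 5, Response.ACCEPT),
]
RISK_APPETITE = 8.0  # assumed acceptable residual score set by management (Article 5)


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:36} inherent={inherent_score(r):2} "
              f"residual={residual_score(r):5.1f} ({qualitative_band(residual_score(r))})")
    for name, measure, residual, band in review(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"FINDING: {name}: {measure} leaves residual {residual} ({band}), above appetite")
```

The single comparison in review() is enough to cover Article 17(1) for all four measures: avoidance and reduction normally pass, sharing passes only if enough of the risk is actually transferred, and acceptance passes only when the inherent level was already within the organization's range, which is exactly the condition Article 16 places on that measure.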
Article 18 Internal auditors shall report the results of the review and evaluation of the risk management process to the appropriate management of the organization and make recommendations for improvement.
Article 19 The results of the review and evaluation of risk management shall be reflected in the internal control audit report, and a special audit report shall be issued when necessary.
Chapter IV Supplementary Provisions
Article 20 These standards are issued and interpreted by the China Internal Audit Association.
Article 21 These Standards shall be implemented as of May 1, 2005.
