HB Delivering assurance based on AS/NZS 4360:2004 Risk Management

Transcription

1 HB Delivering assurance based on AS/NZS 4360:2004 Risk Management HB

2 HB Handbook Delivering assurance based on AS/NZS 4360:2004 Risk Management Originated as HB Revised and redesignated as GB Revised and redesignated as HB COPYRIGHT Standards Australia All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Published by Standards Australia, GPO Box 476, Sydney, NSW 2001, Australia ISBN

3 HB Preface This Handbook was prepared by a joint Working Group formed by the Institute of Internal Auditors Australia and the Joint Standards Australia/Standards New Zealand Technical Committee OB-007, Risk Management, and forms part of the series of publications based on AS/NZS 4360, Risk management. It was prepared to help assurance providers to plan and implement their activities using the information arising from the AS/NZS 4360:2004 Risk Management process; advise assurance providers how to assure an organisation s risk management framework and process; suggest a systematic approach to the design and assurance of controls; provide a common language and common processes for risk management specialists and auditors thereby enhancing communication between them and promoting Risk Management within their organisations. Authors were Pamela Finger, representing the Australian Government Department of Finance and Administration; Andrew MacLeod of Brisbane City Council, representing the Institute of Internal Auditors Australia; Michael Parkinson of KPMG, representing the Institute of Internal Auditors Australia; Grant Purdy of Broadleaf Capital International Pty Ltd, representing the Minerals Council of Australia. This handbook builds on and is a companion to Standards Australia Handbook HB : Governance, risk management and control assurance. That handbook draws linkages between objectives and risk management to suggest how a truly integrated risk management system that provides the foundation for sound governance can be created. HB 254 provides a conceptual view of all forms of control assurance while this handbook gives practical advice on how to plan and implement independent assurance.

4 3 HB Contents Page 1 Scope and objectives 1.1 Enterprise risk management (ERM) Terminology and definitions Summary of the risk management process 2.1 General Communicate and consult Establish the context Identify risks Analyse risks Evaluate risks Treat risks Monitor and review Risk management and assurance 3.1 Linking risk management to assurance Strategic and organisation-wide approaches to risk management Assurance and the risk management process Internal audit involvement in risk management Developing an assurance strategy 4.1 Step 1: Identifying the assurance needs of the organisation Step 2: Identifying who the assurance providers are and their scope of operation Step 3: Identify and document assurance mechanisms Step 4: Design the assurance review program Step 5: Develop an annual review program Step 6: Measuring the strategy Planning an engagement 5.1 Engagement scope Engagement objectives Engagement procedures Rational use of resources Skills and body of knowledge Feedback and follow up from assurance processes 6.1 Reporting lines... 44

5 HB Reporting the individual assurance engagement Ensuring action Designing and improving controls 7.1 Identifying and measuring control gaps Designing controls Adding controls to an existing process Assurance of the risk management process 8.1 Process element approach Key principles approach Maturity model approach APPENDIX A Example priority model... 65

6 5 HB Scope and objectives This Handbook is a practitioners guide for internal auditors and any other assurance provider such as: External auditors. Information system control professionals internal or external auditors, security professionals etc. Safety, health and environmental auditors. Quality auditors. This Handbook amplifies HB 436:2004* and the IIA s Professional Practices Framework' with respect to using and assuring the AS/NZS 4360:2004 risk management process. In particular it describes how to use the risk management process to: develop an assurance strategy; plan an assurance engagement; report the assurance program; and design controls. The Handbook also provides a guide to assessing the adequacy of risk management process. Following the processes in this Handbook will help organisations achieve the condition where 'the company's risk management and internal compliance and control system is operating efficiently and effectively in all material respects'. It will also help internal auditors in particular comply with Standard 2010 (Planning), 2100 (Nature of work) and 2110 (Risk management) of the IIA 'Professional Practices Framework'. It is not the intention of this Handbook to provide guidance on the risk management process itself or to instruct internal auditors on their professional responsibilities. * Risk Management Guidelines: companion to AS/NZS 4360:2004 Standards Australia ISBN Institute of Internal Auditors, Inc 247 Maitland Avenue, Altamonte Springs, Florida U.S.A. Australian Stock Exchange Corporate Governance Council- Principles of Good Corporate Governance and Best Practice Recommendations, Principle 7: Recognise and manage risk Standards Australia

7 HB Enterprise risk management (ERM) Enterprise-wide Risk Management or just Enterprise Risk Management is a term in common use. COSO * has defined it as: a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Many organisations are moving to adopt consistent and holistic approaches to risk management and this Handbook takes the approach that Risk Management is a management process that is, ideally, fully integrated into the management of the organisation. It applies at all levels of the organisation: enterprise level, function level or business unit level. Therefore this document does not generally distinguish ERM from any other form of risk management. 1.2 Terminology and definitions Assurance In the context of internal auditing, an Assurance Service is an objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Consistent with this we have, for the purposes of this document, defined: Assurance: a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk Inherent risk/exposure Financial reporting has long had a concept of Inherent Risk that has been defined as: the susceptibility of the subject matter information to a material misstatement, assuming that there are no related controls There seem to be several other general definitions for Inherent Risk commonly used. For example: The risk found in the environment and in human activities that is part of existence. ** * The Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management Integrated Framework, COSO 2004 IIA Professional Practices Framework, Glossary AUS Framework for Assurance Engagements, Australian Accounting Standards Board, June 2004 ** Mc2 Management Consulting (David McNamee) Standards Australia

8 The remainder of this document is available for purchase online at SAI Global also carries a wide range of publications from a wide variety of Standards Publishers: Click on the logos to search the database online.