Governance, Risk & Control
Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
IIA Guidance on Governance
2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization
- Ensuring effective organizational performance management and accountability
- Communicating risk and control information to appropriate areas of the organization
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management
2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
IIA Guidance on Risk
2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission
- Significant risks are identified and assessed
- Appropriate risk responses are selected that align risks with the organization's risk appetite
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.
Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations and programs
- Safeguarding of assets
- Compliance with laws, regulations, policies, procedures, and contracts
2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.
2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Risk/ERM Resources from the IIA Bookstore
Enterprise Risk Management
Joint White Paper on Risk Management from The IIA and RIMS
Risk Management and Internal Audit: Forging a Collaborative Alliance
Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
IIA Guidance on Control
2130 - Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
2130.C1 - Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.