
Governance, Risk & Control

Governance

Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

IIA Guidance on Governance

2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization
  • Ensuring effective organizational performance management and accountability
  • Communicating risk and control information to appropriate areas of the organization
  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management

2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Related IPPF Practice Guides on Governance

Evaluating Corporate Social Responsibility/Sustainable Development February 2010
Assessing Organizational Governance in the Private Sector July 2012

Related IPPF Practice Advisories on Governance

PA 1000-1: Internal Audit Charter January 2009
PA 1111-1: Board Interaction January 2009
PA 2110-1: Governance: Definition April 2010
PA 2110-2: Governance: Relationship With Risk and Control April 2010
PA 2110-3: Governance: Assessments April 2010

Risk

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

IIA Guidance on Risk

2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

  • Organizational objectives support and align with the organization's mission
  • Significant risks are identified and assessed
  • Appropriate risk responses are selected that align risks with the organization's risk appetite
  • Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

  • Reliability and integrity of financial and operational information
  • Effectiveness and efficiency of operations and programs
  • Safeguarding of assets
  • Compliance with laws, regulations, policies, procedures, and contracts

2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.

2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.

2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Related IPPF Position Papers on Risk Management

Related IPPF Practice Guides on Risk

December 2010
January 2009
January 2009
Auditing Privacy Risks July 2012

Related IPPF Practice Advisories on Risk

PA 2010-1: Linking the Audit Plan to Risk and Exposures January 2009
July 2009
PA 2020-1: Communication and Approval January 2009
PA 2050-2: Assurance Maps July 2009
PA 2060-1: Reporting to Senior Management and the Board May 2010
PA 2120-1: Assessing the Adequacy of Risk Management Processes January 2009
PA 2120-2: Managing the Risk of the Internal Audit Activity April 2009
PA 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives June 2013
PA 2130-1: Assessing the Adequacy of Control Processes January 2009

Risk/ERM Resources from The IIA Research Foundation Bookstore

Enterprise Risk Management

Joint White Paper on Risk Management from The IIA and RIMS

Risk Management and Internal Audit: Forging a Collaborative Alliance

Control

Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

IIA Guidance on Control

2130 - Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:

  • Achievement of the organization's strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.

2130.C1 - Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.

Related IPPF Practice Advisories on Control

PA 2130-1: Assessing the Adequacy of Control Processes December 2010
PA 2130.A1-1: Information Reliability and Integrity December 2010
PA 2130.A1-2: Evaluating an Organization's Privacy Framework January 2009

Related IPPF Practice Guides on Control

GAIT Methodology August 2007
GTAG 1: Information Technology Controls March 2012
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success March 2012
GTAG 8: Auditing Application Controls July 2007
GTAG 9: Identity and Access Management November 2007
May 2009