Standards & Guidance

	Audit Committee Resources
	CBOK Resources
	COSO Resources
	Leadership Development Resources
	Risk Resources
	Talent Management Resources

Position Papers

Global Public Sector Insights

Sarbanes-Oxley

UK Financial Services

Responses to Regulators

Reprint and Translate

Governance, Risk & Control

Governance

Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

IIA Guidance on Governance

2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and accountability
Communicating risk and control information to appropriate areas of the organization
Coordinating the activities of and communicating information among the board, external and internal auditors, and management

2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Related IPPF Practice Guides on Governance

Evaluating Corporate Social Responsibility/Sustainable Development	February 2010
Assessing Organizational Governance in the Private Sector	July 2012

Related IPPF Practice Advisories on Governance

PA 1000-1: Internal Audit Charter	January 2009
PA 1111-1: Board Interaction	January 2009
PA 2110-1: Governance: Definition	April 2010
PA 2110-2: Governance: Relationship With Risk and Control	April 2010
PA 2110-3: Governance: Assessments	April 2010

Risk

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

IIA Guidance on Risk

2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

Organizational objectives support and align with the organization's mission
Significant risks are identified and assessed
Appropriate risk responses are selected that align risks with the organization's risk appetite
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

Reliability and integrity of financial and operational information
Effectiveness and efficiency of operations and programs
Safeguarding of assets
Compliance with laws, regulations, policies, procedures, and contracts

2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.

2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.

2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Related IPPF Position Papers on Risk Management

The Role of Internal Auditing in Enterprise-wide Risk Management

January 2009

Related IPPF Practice Guides on Risk

Assessing the Adequacy of Risk Management	December 2010
GAIT for Business and IT Risk	January 2009
GTAG 10: Business Continuity Management	January 2009
Auditing Privacy Risks	July 2012

Related IPPF Practice Advisories on Risk

PA 2010-1: Linking the Audit Plan to Risk and Exposures	January 2009
PA 2010-2: Using the Risk Management Process in Internal Audit Planning	July 2009
PA 2020-1: Communication and Approval	January 2009
PA 2050-2: Assurance Maps	July 2009
PA 2060-1: Reporting to Senior Management and the Board	May 2010
PA 2120-1: Assessing the Adequacy of Risk Management Processes	January 2009
2120-2: Managing the Risk of the Internal Audit Activity	April 2009
2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives	June 2013
2130-1: Assessing the Adequacy of Control Processes	January 2009

Risk/ERM Resources from the IIA Bookstore

Enterprise Risk Management

Joint White Paper on Risk Management from The IIA and RIMS

Risk Management and Internal Audit: Forging a Collaborative Alliance

Control

Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

IIA Guidance on Control

2130 - Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:

Achievement of the organization's strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.

2130.C1 - Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.

Related IPPF Practice Advisories on Control

PA 2130-1: Assessing the Adequacy of Control Processes	December 2010
PA 2130.A1-1: Information Reliability and Integrity	December 2010
PA 2130-A1-2: Evaluating an Organization's Privacy Framework	January 2009

Related IPPF Practice Guides on Control

GAIT Methodology	August 2007
GTAG 1: Information Technology Controls	March 2012
GTAG 2: Change and Patch Management Controls: Critical for Organizational Success	March 2012
GTAG 8: Auditing Application Controls	July 2007
GTAG 9: Identity and Access Management	November 2007
Auditing External Business Relationships	May 2009

New Guidance

Due Process

COSO Resources

Regulator Responses

New IPPF Resources
Educate staff, colleagues, and stakeholders on these changes by utilizing these tools:

The 2013 Red Book is still a useful and binding reference source as a majority of the content has not changed and remains valid. The IIA Bookstore (powered by the Internal Audit Foundation) is exploring an online tool with searchable, on-demand access to all IPPF content. Learn more in the FAQs.