HB 1582010

Delivering assurance based on ISO 31000:2009 Risk management Principles and guidelines

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

HB

HB 1582010

Handbook
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Delivering assurance based on ISO 31000:2009 Risk managementPrinciples and guidelines

Originated as HB 1582002. Revised and redesignated as GB 1582004. Revised and redesignated as HB 1582006. Second edition 2010.

COPYRIGHT Standards Australia Limited and the Institute of Internal AuditorsAustralia All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Published by Standards Australia GPO Box 476, Sydney, NSW 2001, Australia ISBN 978 0 7337 9489 6

HB 1582010

PREFACE This Handbook was prepared by a joint Working Group formed by the Institute of Internal Auditors Australia (IIA - Australia) and the Joint Standards Australia/Standards New Zealand Technical Committee OB 007, Risk Management, and forms part of the series of publications based on ISO 31000:2009, Risk ManagementPrinciples and Guidelines. It was prepared to (a) (b) (c) (d) help assurance providers to plan and implement their activities using the information arising from the (ISO 31000:2009) risk management process; advise assurance providers how to provide assurance over an organizations risk management framework and process when they are aligned to ISO 31000:2009; suggest a systematic approach to the design and assurance of controls; provide a common language and common processes for risk management specialists and auditors/assurance providers thereby enhancing communication between them and promoting risk management within their organizations.

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

Authors were (i) (ii) (iii) (iv) Pamela Finger, representing the Risk Management Institution of Australasia; Andrew MacLeod of Brisbane City Council, representing the Institute of Internal Auditors Australia; Michael Parkinson of KPMG, representing the Institute of Internal AuditorsAustralia; and Grant Purdy of Broadleaf Capital International Pty Ltd, representing the Minerals Council of Australia.

This handbook builds on and is a companion to Standards Australia Handbook HB 2542005, Governance, risk management and control assurance. That handbook draws linkages between objectives and risk management to suggest how a truly integrated risk management system that provides the foundation for sound governance can be created. HB 254 provides a conceptual view of all forms of control assurance while this handbook gives a practical advice on how to plan and implement independent assurance. The IIA Research Foundation recommends this handbook for its practical advice on how to plan and implement independent assurance and assess the adequacy of risk management framework and process in compliance with The IIAs International Standards 2010 Planning, 2100 Nature of Work, and 2120 Risk Management. It draws from The IIAs International Professional Practices Framework with respect to using and assuring the ISO 31000:2009 risk management process, and is a welcome addition to any research library. In Australia ISO 31000:2009 is published as AS/NZS ISO 31000:2009.

HB 1582010

CONTENTS Page SECTION 1 SCOPE AND OBJECTIVES 1.1 GENERAL.................................................................................................................... 5 1.2 ENTERPRISE RISK MANAGEMENT (ERM) ............................................................... 6 1.3 TERMINOLOGY AND DEFINITIONS........................................................................... 6 SECTION 2 SUMMARY OF THE RISK MANAGEMENT PROCESS 2.1 GENERAL.................................................................................................................. 11 2.2 COMMUNICATE AND CONSULT.............................................................................. 12 2.3 ESTABLISH THE CONTEXT ..................................................................................... 13 2.4 IDENTIFY RISKS....................................................................................................... 14 2.5 ANALYSE RISKS....................................................................................................... 15 2.6 EVALUATE RISKS .................................................................................................... 16 2.7 TREAT RISKS ........................................................................................................... 17 2.8 MONITOR AND REVIEW .......................................................................................... 18 SECTION 3 RISK MANAGEMENT AND ASSURANCE 3.1 LINKING RISK MANAGEMENT TO ASSURANCE .................................................... 20 3.2 STRATEGIC AND ORGANIZATION-WIDE APPROACHES TO RISK MANAGEMENT ......................................................................................................... 21 3.3 ASSURANCE AND THE RISK MANAGEMENT PROCESS ...................................... 22 3.4 ASSURANCE OF A RISK MANAGEMENT FRAMEWORK........................................ 23 3.5 INTERNAL AUDIT INVOLVEMENT IN RISK MANAGEMENT ................................... 26 SECTION 4 DEVELOPING AN ASSURANCE STRATEGY 4.1 GENERAL.................................................................................................................. 28 4.2 STEP 1: IDENTIFYING THE ASSURANCE NEEDS OF THE ORGANIZATION ........ 29 4.3 STEP 2: IDENTIFYING WHO THE ASSURANCE PROVIDERS ARE AND THEIR SCOPE OF OPERATION .......................................................................................... 29 4.4 STEP 3: IDENTIFY AND DOCUMENT ASSURANCE MECHANISMS....................... 31 4.5 STEP 4: DESIGN THE ASSURANCE REVIEW PROGRAM...................................... 33 4.6 STEP 5: DEVELOP A RISK-BASED REVIEW PROGRAM ........................................ 39 4.7 STEP 6: MEASURING THE STRATEGY ................................................................... 41 SECTION 5 PLANNING AN ENGAGEMENT 5.1 GENERAL.................................................................................................................. 43 5.2 ENGAGEMENT SCOPE ............................................................................................ 43 5.3 ENGAGEMENT OBJECTIVES .................................................................................. 43 5.4 ENGAGEMENT PROCEDURES................................................................................ 44 5.5 RATIONAL USE OF RESOURCES .......................................................................... 44 5.6 SKILLS AND BODY OF KNOWLEDGE ..................................................................... 45 SECTION 6 REPORTING ON THE ASSURANCE PROGRAM 6.1 GENERAL.................................................................................................................. 46 6.2 REPORTING LINES .................................................................................................. 46 6.3 REPORTING THE INDIVIDUAL ASSURANCE ENGAGEMENT................................ 47 6.4 ENSURING ACTION.................................................................................................. 49

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

HB 1582010

Page SECTION 7 DESIGNING AND IMPROVING CONTROLS 7.1 GENERAL.................................................................................................................. 50 7.2 IDENTIFYING AND MEASURING CONTROL GAPS ................................................ 50 7.3 DESIGNING CONTROLS .......................................................................................... 52 7.4 ADDING CONTROLS TO AN EXISTING PROCESS................................................. 55 SECTION 8 ASSURANCE OF THE RISK MANAGEMENT PROCESS AND FRAMEWORK 8.1 GENERAL.................................................................................................................. 56 8.2 RISK MANAGEMENT PROCESS ELEMENT APPROACH ....................................... 57 8.3 KEY PRINCIPLES APPROACH................................................................................. 59 8.4 MATURITY MODEL APPROACH .............................................................................. 61
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

APPENDIX A

EXAMPLE PRIORITY MODEL ...................................................................... 64

HB 1582010

STANDARDS AUSTRALIA
HANDBOOK

Delivering assurance based on ISO 31000:2009 Risk managementPrinciples and guidelines

S E C T I O N
1.1 GENERAL

S C O P E

A N D

O B J E C T I V E S

This Handbook is a guide for internal auditors and any other assurance provider such as:
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

(a) (b) (c) (d)

External auditors. Information system control professionals internal or external auditors and security professionals. Safety, health and environmental auditors. Quality auditors.
1 2

This Handbook draws on the revised HB 436 , which is still to be published, and the IIAs International Professional Practices Framework' (IPPF) with respect to using and assuring 3 the ISO 31000:2009 risk management process. In particular, it describes how to use the risk management process to (i) (ii) (iii) (iv) develop a risk-based assurance strategy and program; plan an assurance engagement; report the assurance program; and design controls.

The Handbook also provides a guide to assessing the adequacy of risk management framework and process. Following the processes in this Handbook will help organizations to assess whether management has designed and implemented the risk management and internal control system to manage the companys material risks and reported whether those risks are being managed effectively and provide analysis and independent appraisal of the adequacy and effectiveness of the companys risk management and internal control 4 system . It will also help internal auditors in particular comply with Standard 2010 (Planning), 2100 (Nature of Work) and 2120 (Risk Management) of the IPPF. It is not the intention of this Handbook to provide guidance on the risk management process itself or to instruct internal auditors on their professional responsibilities.

1 2 3

Risk Management Guidelines: companion to ISO 31000:2009, Standards Australia, ISBN 0 7337 5960 2 Institute of Internal Auditors, Inc 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. The international risk management standard ISO 31000:2009 Risk ManagementPrinciples and guidelines may be published in local jurisdictions under a different designation. In Australia and New Zealand it is published as AS/NZS ISO 31000:2009. ASX Corporate Governance Council- Corporate governance principles and recommendations, 2 nd ed 2007 Principle 7: Recognise and manage risk. Standards Australia Limited and the Institute of Internal AuditorsAustralia

www.standards.org.au

HB 1582010

1.2 ENTERPRISE RISK MANAGEMENT (ERM) Enterprise-wide Risk Management or just Enterprise Risk Management is a term in common 5 use. COSO has defined it as: a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity 6 objectives. Many organizations are moving to adopt consistent and holistic approaches to risk management and this document takes the approach that risk management is a management process that is, ideally, fully integrated into the management of the organization. It applies at all levels of the organization: enterprise level, function level or business unit level. Therefore this document does not generally distinguish ERM from any other form of risk management.
This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

ISO 31000:2009 provides guidance for the framework of risk management within any organization. This framework is applicable for organizations of any size and may be used as a structural guide for practical application or evaluation of ERM. 1.3 TERMINOLOGY AND DEFINITIONS 1.3.1 Risk The definition of risk from ISO 31000:2009 is used in this document. Risk: effect of uncertainty on objectives. Terms that are not otherwise defined in this document should be given their dictionary definition. 1.3.2 Assurance In the context of internal auditing, Assurance Services are an objective examination of evidence for the purpose of providing an independent assessment on governance, risk 7 management, control processes for the organization. Consistent with this we have, for the purposes of this document, defined: Assurance: a process that provides a level of confidence that objectives will be achieved within an acceptable level of risk. 1.3.3 Inherent risk/Potential exposure Financial reporting has long had a concept of Inherent Risk that has been defined as: the susceptibility of the subject matter information to a material misstatement, assuming that 8 there are no related controls There seem to be several other general definitions for Inherent Risk commonly used. For example: (a) (b) The risk found in the environment and in human activities that is part of existence.
9

The likelihood that an accounting or auditing engagement will fail to comply with 10 professional standards, assuming the firm does not have a quality control system.

5 6 7 8 9 10

The Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk ManagementIntegrated Framework, COSO 2004 International Professional Practices Framework 2009, (IPPF) Glossary AUS108.49 Framework for Assurance Engagements, Australian Accounting Standards Board, June 2004 David McNamee, MC2 Management Consulting, see www.pleier.com http://www.nepr.org/risk.html www.standards.org.au

Standards Australia Limited and the Institute of Internal AuditorsAustralia

This is a free preview. Purchase the entire publication at the link below:

This is a free 7 page sample. Access the full version at http://infostore.saiglobal.com.

HB 158-2010, Delivering assurance based on ISO 31000:2009 - Risk management - Principles and guidelines

Looking for additional Standards? Visit SAI Global Infostore Subscribe to our Free Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more Do you need to Manage Standards Collections Online? Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Do you want to know when a Standard has changed? Want to become an SAI Global Standards Sales Affiliate? Learn about other SAI Global Services: LOGICOM Military Parts and Supplier Database Metals Infobase Database of Metal Grades, Standards and Manufacturers Materials Infobase Database of Materials, Standards and Suppliers Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us