The concept of an organization’s risk appetite is a fundamental element to healthy governance. Yet it is typically focused primarily on financial risk considerations. How should the growing focus on non-financial risk, including ESG, influence how organizations view their risk appetite, and what can internal audit do to support that examination?
This Global Knowledge Brief, the first in a three-part series on governance, risk, and control (GRC) from The IIA, examines in detail this topic, the challenges of rethinking risk appetite with non-financial risk in mind, and the important role of internal audit in the process.
GRC Part 2: Quantifying Non-financial Risk
GRC Part 3: How Digital Transformation is Transforming GRC
This Maturity Model for Governance (the Maturity Model) is intended as a governance tool to be used in mapping the level at which the organisation is managed. Using the model may provide insight into the organisation’s current situation and create a basis for improvement, and thus contribute to the organisation’s achievement of goals.
The Maturity Model is based on the IIA Norway’s Guidelines for Governance (The Guidelines) from 2021. The Maturity Model is aimed at the same target group as The Guidelines, i.e., everyone with responsibility for governance in the private or public sector, as well as others who have a role in the governance area or an interest in the topic.
The Guidelines state that governance is about facilitating management and other employees in the fulfillment of their responsibilities and tasks to achieve the organisation’s goals, plan for good risk management and internal control, facilitate efficient and appropriate operations with the necessary follow-up and reporting, and establish effective, independent controls and assurance. The Guidelines break governance down into 17 components divided into four subjects, and this Maturity Model follows the same pattern.
Leveraging the significant knowledge gained in the application of ICIF to financial reporting over the past two decades, this guideline introduces “internal control over sustainability reporting” (ICSR) into the internal control lexicon. The new study references and expands on a 2017 study by three of the co-authors, “Leveraging the COSO Internal Control—Integrated Framework to Improve Confidence in Sustainability Performance Data,” which helped to spur the journey toward consistent standards and frameworks to achieve sustainability goals.
The supplemental guidance points to several key themes as organizations and practitioners begin or continue their journeys toward establishing and maintaining an effective system of internal control over financial and sustainable business information. Although ICSR is not yet well established in practice, the paper discusses crucial insights that can be gained from the experiences of those organizations that are leading the way. In the new study, each of the 17 principles in ICIF-2013 is explained and interpreted for application to sustainability. Additionally, “points of focus” from the ICIF are included along with practical insights and application of the supplemental guidance.
Geopolitical risk is becoming far higher in profile on the risk radar of most businesses and is a board agenda item – and according to our research conducted in support of this report, one which demands a collaborative response from risk and internal audit professionals.
Chief audit executives consider geopolitical uncertainty a major risk, but internal audit spends little time on the subject, according to a report co-produced by the Chartered Institute of Internal Auditors. The Russia-Ukraine war, as well as changes in monetary policy and political leadership, are among contributors to geopolitical uncertainty, which is expected to remain heightened for a while, the report states.
This guidance fills a gap in the GTAG series by covering objectives, risks, and controls related to an organization’s communications ecosystem. By offering references to controls in widely used frameworks, this GTAG can improve an internal auditor’s familiarity with and use of such tools in their work.
“Auditing Network and Communications Management” offers a broad set of related processes that internal auditors should consider when auditing controls over an organization’s communications ecosystem.
An updated practice guide from the IIA.
The phrase «integrated auditing» holds little value for internal audit’s stakeholders. The key is the approach taken to integration considerations and the flexibility to deliver value based on context and the most important objectives and risks facing an entity, function, or process. To formulate their audit plans, auditors need more flexibility in considering integration options in a systematic way.
Integration considerations should cross all elements of the audit process that may provide beneficial results. Integration options can be broadly considered over four stages of the internal auditing process:
- Audit objectives and scope.
- Audit techniques and execution.
- Resource management and knowledge-sharing.
- Reporting and issues/solutions management.
These broader stages are intended to help auditors more systematically consider their integration options and may stimulate more innovative thinking and actions. The guide also features a section devoted to small audit functions. With limited staff and resources, these departments are often challenged to provide adequate risk coverage to their organizations.
This practice guide replaces «Integrated Auditing» released in 2012.
Applying Key Governance Tools and Frameworks
Organizations of all sizes and from all sectors are experiencing growing pressure to demonstrate how they manage sustainability risks and opportunities and report them publicly.
The focus of this paper is to show how integrated thinking and reporting, effective internal control, enterprise risk management (ERM), and independent assurance provided by internal audit functions align to help organizations achieve their objectives and meet stakeholder expectations. It is critical to long-term value creation to apply ERM broadly, including to environmental, social, and governance (ESG)-related risks, to understand their impacts and interdependencies throughout the value creation process, and to embrace the value of independent assurance.
The paper’s objectives are to:
- Increase understanding and awareness of integrated thinking and reporting.
- Demonstrate parallels among the COSO frameworks (Internal Control and ERM), The Institute of Internal Auditors’ (IIA’s) Three Lines Model, and the International Integrated Reporting Framework, in terms of:
- Informing the content, preparation, and presentation of an integrated report.
- Reinforcing the role internal audit plays in ensuring the integrity of information underpinning integrated thinking and reporting by providing independent assurance over that information.
- Helping organizations embed integrated thinking into their approach to ERM.
This paper, prepared by ecoDa on behalf of Governing Bodies, FERMA representing European Risk Managers and ECIIA representing Internal Auditors, focuses on good governance. Governance models such as the Three Lines foster cooperation among all functions and operations within a company, so that sustainability can be truly embedded in business operations and strategic sustainability-related objectives can be achieved.
Risk Management (Second Line) and Internal Audit (Third Line) are key forces supporting the Board and Senior Management, both as essential parts of the Three Lines model and more broadly. The paper shows why Directors, Risk Managers and Internal Auditors should act now so that their companies can fulfill their sustainability responsibilities and expectations.
Most enterprises pursue and strive for an effective business model which maximises the possibility of achieving the organisation’s objectives. The enterprise may have a range of objectives which are not automatically limited to financial and business goals, such as in the areas of social responsibility and sustainability. Operational risk management is about being conscious of which operational choices, and which related operational risks, may arise on the road to achieving all of these goals.
There are many definitions of operational risk. In these guidelines, the four dimensions of protection of physical assets, people, organisation and technology form the basis of the definition of operational risk, because the root cause of operational risk events has been shown to be often connected to these dimensions.
These conditions can either result in an upside or downside effect and contribute to increasing or reducing the probability of an organisation achieving its overall objectives.
Most enterprises seek or strive for an effective operating model which maximises the possibility of achieving their goals. The enterprise may have various objectives, such as social responsibility and sustainability, which are not necessarily limited to financial and business objectives. Operational risk management is about being conscious of which operational choices and related operational risks may arise on the road to achieving these goals.
There are many definitions of what operational risk is. In this guide, the four dimensions of protection of physical assets, people, organisation and technology form the basis of the definition of operational risk, because the root cause of operational risk events proves to be often connected to these.
These conditions can have either an upside or a downside effect, and contribute to increasing or reducing the probability of the organisation achieving its overall goals.