IERP® Monthly Newsletter Issue 30 December 2021 | Page 21

The auditor’s view should always be independent, but the approach should always be risk-based and objective-centric. It should also include the appropriate people, particularly where risks are being considered in decision-making. Making such decisions requires reliable, current information of good quality. The decisions taken should also address cognitive bias; different people hold different views and biases, which can affect their assessments.

While proper documentation of all processes must be undertaken, organisations should also ensure that the desired attitude towards risk is developed in tandem. This means an appropriate organisational culture should be in place to influence the development of such attitudes. Ideally, buy-in from all key individuals should be obtained at all levels; there is a need to ensure that everyone is involved in the process. Risk professionals intending to further the risk management agenda in their respective organisations will have to equip themselves first with a comprehensive understanding of risk management and its principles.

It will also be helpful to understand and apply risk management standards such as ISO 31000 and COSO consistently. This understanding and application will have to be based on what the organisation requires from risk management, and must take into consideration how and where decisions are made, and what risks the organisation takes. Other factors to consider include what controls are in place, and whether these are adequately designed. Control testing should be performed to determine whether these are fit for purpose, and to obtain assurance that they are operating in the way they were intended. The organisation’s risk management maturity level can then be determined.

Results and the insights arising from them should be communicated to the relevant parties. In summary, when risk management is being audited, what is being sought is whether the organisation is applying it appropriately to its situation. This includes understanding its principles, the organisation’s needs and risks, its resources and control abilities, and whether these are operating as intended.