Risk and Control Process Effectiveness Reporting

Cards (6)

  • The CAE is responsible for reporting on the overall effectiveness of the organization’s internal control and risk management processes to both senior management and the board.
  • The CAE needs to form a holistic opinion regarding the general state of internal control in the organization, usually once each year.
  • To promote continuous improvement in maintaining effective controls, the internal audit activity typically provides the board and senior management with what?
    An overall assessment or compiled results of control evaluations accumulated from individual audit engagements.
  • What may the CAE recommend to promote continuous improvement in maintaining effective controls?
    • The implementation of a control framework if one is not already in place.
    • Actions that enhance the control environment (e.g., a “tone at the top” that promotes a culture of ethical behaviour and a low tolerance for noncompliance).
  • What should the communication to the board and senior management regarding opinions on the internal control (IC) and risk management (RM) processes include?
    • The scope, scope limitations, and time period that the opinion pertains to.
    • Whether other assurance providers or other projects were used to provide input.
    • An executive summary of the opinion.
    • Reference to the risk or control framework used to form the opinion.
    • The overall opinion plus any reasons for an unfavourable opinion if there was one.
  • If the board and senior management (SM) are not familiar with risk management and its impact on oversight and business decisions, what can the CAE do?
    • Review the role of the board, senior management, operations, and internal auditing in the risk management process (e.g., a tutorial, a workshop in an annual meeting, or training for new members).
    • Review laws, regulations, and standards that affect governance and operations as an agenda item for a board/audit committee meeting, and present GRC best practices in these meetings.
    • Facilitate workshops to identify emerging risks in the business environment.