Practice Advisory 2120-1:
Assessing the Adequacy of Risk Management Processes
1. Risk management is a key responsibility of senior management and the board. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.
2. Management and the board are responsible for their organization’s risk management and
control processes. However, internal auditors acting in a consulting role can assist the
organization in identifying, evaluating, and implementing risk management methodologies and
controls to address those risks.