Practice Guide: Coordinating Risk Management and Assurance

Risk management* is fundamental to organizational control and critical to providing sound corporate governance. It touches all of the organization’s activities. The establishment of an effective enterprise-wide risk management system is a key responsibility of management and the board; which are responsible for adopting a holistic approach to the identification of organizational risks, creating controls to mitigate those risks, and monitoring and reviewing the identified risks and established controls. They should ensure that risk management is integrated into the organization, at both the strategic and operational levels.

Standard 2050: Coordination states, “The chief audit executive [CAE] should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.” This responsibility requires the CAE’s inclusion and participation in the organization’s assurance provider framework. This framework can consist of internal audit, external audit, governance, risk management, or other business control functions/disclosures performed by the organization’s management team. Inclusion and participation in this framework helps ensure that the CAE is aware of the organization’s risks and controls in relation to organizational goals and objectives.