TIAPS ALB_Module 2A. Governance and Managerial Accountability

Module 2: Good 

Governance, 

Managerial 

Accountability, 

Developing Strategy, 

and Data Analysis 

TIAPS Albania 2023/24 

1

2

Table of Contents 

Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data 

Analysis ........................................................................................................................................... 5 

Introduction .................................................................................................................................. 5 

Relevant Standards ..................................................................................................................... 7 

Relevant Competencies .............................................................................................................. 7 

References and Additional Reading............................................................................................ 7 

2A. Governance and Managerial Accountability ............................................................................ 8 

2A Learning Outcomes ................................................................................................................ 8 

2A.1 Governance Revisited ........................................................................................................ 8 

2A.2 Risk Management ............................................................................................................. 12 

2A.2.1 Risk Concepts ............................................................................................................ 14 

2A.2.2 Risk Identification ....................................................................................................... 15 

2A.2.3 Risk Analysis and Evaluation ..................................................................................... 16 

2A.2.4 Risk Responses ......................................................................................................... 19 

2A.2.5 Monitoring .................................................................................................................. 20 

2A.3 COSO Internal Control – Integrated Framework.............................................................. 21 

2A.4 Decision-Making, Risk Management, and Managerial Accountability ............................. 23 

2A.5 Entity-wide Risk Management .......................................................................................... 27 

2B. Managing People.................................................................................................................... 30 

2B Learning Outcomes.............................................................................................................. 30 

2B.1 Leadership ........................................................................................................................ 30 

2B.1.1 Styles of Leadership .................................................................................................. 30 

2B.1.2 Delegation .................................................................................................................. 31 

2B.1.3 Leadership as Service ............................................................................................... 32 

2B.2 Talent Management Strategies ......................................................................................... 35 

2B.3 Motivation .......................................................................................................................... 38 

2B.3.1 Maslow’s Pyramid ...................................................................................................... 38 

2B.3.2 McGregor’s Theory X, Theory Y ................................................................................ 39 

2B.3.3 Vroom’s Expectancy Theory ...................................................................................... 39 

2B.3.4 Hertzberg’s Two-Factor Model................................................................................... 39 

2B.4 Competency Frameworks…………………………………………………….…………..41 

3

2C. Quality Assurance .................................................................................................................. 44 

2C Learning Outcomes ............................................................................................................. 44 

2C.1 The Need for Quality Assurance ...................................................................................... 44 

2C.2 Elements of Internal Audit Quality Assurance .................................................................. 46 

2D. Managing the Internal Audit Activity ....................................................................................... 49 

2D Learning Outcomes ............................................................................................................. 49 

2D.1 Managing the Internal Audit Function............................................................................... 49 

2D.2 Internal Audit Strategic Planning ...................................................................................... 53 

2D.2.1 Engagement Work Program ...................................................................................... 53 

2D.2.2 Internal Audit Plan...................................................................................................... 53 

2D.2.3 Internal Audit Strategic Plan ...................................................................................... 54 

2D.3 Advanced Professional Practices ..................................................................................... 57 

2D.3.1 Using Digital Tools ..................................................................................................... 58 

2D.3.2 Agile Auditing ............................................................................................................. 60 

2D.3.3 Lean Auditing ............................................................................................................. 62 

2D.3.4 New and Evolving Risk Areas.................................................................................... 63 

2E. Data Analytics for Internal Auditing ........................................................................................ 70 

2E Learning Outcomes.............................................................................................................. 70 

2E.1 Data Analytics and Internal Auditing ................................................................................. 70 

2E.2 Data Analytics Methods .................................................................................................... 72 

2E.2.1 Variance Analysis ....................................................................................................... 72 

2E.2.2 Trend Analysis ............................................................................................................ 73 

2E.2.3 Reasonableness Testing ............................................................................................ 73 

2E.2.4 Ratio Estimation ......................................................................................................... 73 

2E.2.5 Benchmarking ............................................................................................................ 73 

2E.3 Data Analytics Tools .......................................................................................................... 74 

2E.4 Data Visualization ............................................................................................................. 77 

References and Additional Reading ............................................................................................. 80 

4

Module 2: Good Governance, Managerial Accountability, 

Developing Strategy, and Data Analysis 

Introduction 

The TIAPS program has been developed for public sector internal auditors typically with 

three to five years of relevant experience, including those who are or who aspire to be in 

supervisory and managerial positions. It is suitable for those who are familiar with how to 

plan and perform internal audit services and communicate findings and insights. It aims to 

develop a deeper practical understanding of the contribution internal audit makes to 

organizational effectiveness and improvement as well as exploring how to coordinate and 

optimize internal audit resources and services. This includes building relationships with key 

stakeholders, developing a strategy for the internal audit function, managing people and 

other resources, enhancing quality and effectiveness through adoption of advanced 

practices, providing audit opinions, and supervising audit engagements. 

The TIAPS program comprises four modules: 

Module 1: Audit and Assurance 


Analysis 

Module 3: Accounting Fundamentals 

Module 4: Introduction to Performance Audit 


Analysis builds on the concepts explored in Module 1: Audit and Assurance to ensure 

internal audit’s provision of relevant, high quality, and timely assurance and advice. The 

module examines the principles of decision-making and managerial accountability to support 

organizational risk management and internal control. It also identifies the roles and 

responsibilities of internal audit management and leadership especially in respect of 

managing resources, people, and quality. The module is organized as follows: 

2A. Governance and Managerial Accountability 

2A.1 Governance Revisited 

2A.2 Risk Management 

2A.3 COSO Internal Control – Integrated Framework 

2A.4 Decision-Making, Risk Management, and Managerial Accountability 

2A.5 Entity-wide Risk Management 

2B. Managing People 

2B.1 Motivation 

5

2B.2 Talent Management Strategies 

2B.3 Motivation 

2B.4 Competency Frameworks 

2C. Quality Assurance 

2C.1 The Need for Quality Assurance 

2C.2 Elements of Internal Audit Quality Assurance 

2D. Managing the Internal Audit Activity 

2D.1 Managing the Internal Audit Function 

2D.2 Internal Audit Strategic Planning 

2D.3 Advance Professional Practices 

2E. Data Analytics for Internal Auditing 

2E.1 Data Analytics and Internal Auditing 

2E.2 Data Analytics Methods 

2E.3 Data Analytics Tools 

2E.4 Data Visualization 

References 

6

Relevant Standards 

Reference is made throughout the TIAPS program to relevant international standards, principally 

those of The Institute of Internal Auditors (IIA) included in the International Professional Practices 

Framework (IPPF). Other standards and frameworks, most notably the COSO Internal Control – 

Integrated Framework, are also noted where appropriate. 

At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of 

public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 and 

effective from the start of 2017). Participants should anticipate major revisions to the structure and 

content of the IPPF, although fundamental principles about the practice of internal auditing are 

unlikely to change significantly. This program will be updated once the revisions to the IPPF are 

finalized and formally introduced. 

Relevant Competencies 

Reference is made throughout the material to relevant competencies taken from the IIA’s Internal 

Audit Competency Framework. The purpose of including these statements, which describe 

competencies at three levels (General Awareness, Applied Knowledge, and Expert), is to remind 

students of the practical nature of this program. To develop competencies, knowledge acquired by 

reading, reflection, and experience needs to be applied to practical situations and supported by 

appropriate attitudes and values. Personal and professional development is a continuous process. 

The IIA’s Internal Audit Competency Framework is designed for all internal auditors, is based on 

global research, and represents recognized best practices. The statements are necessarily brief and 

much more detail and information is needed to substantiate and contextualize the content. The 

statements can be regarded as signposts to help internal auditors and their managers navigate their 

careers, identifying opportunities for ongoing advancement to remain competent and best able to 

meet or exceed the needs and expectations of their stakeholders. 

References and Additional Reading 

References are given at the end of this module. Participants are encouraged to read these to provide 

greater understanding of the topics. The items have been selected to complement the content 

included in this module and to offer internal auditors relevant, practical guidance. 

7

2A. Governance and Managerial Accountability 

2A Learning Outcomes 

On completion of this section, students will be better able to: 

• Describe the principles of effective decision-making. 

• Assess the effectiveness of risk management. 

• Apply the COSO model of internal control to support understanding of organizational 

governance. 

• Explain the importance of managerial accountability to governance, risk 

management, and internal control. 

• Evaluate the effectiveness of managerial accountability. 

• Describe the principles supporting entity-wide risk management. 

2A.1 Governance Revisited 

IIA Internal Audit Competency Framework: Common Business Processes 

General Awareness: Describe the risk and control implications of common business 

processes (human resources, procurement, contracting, product development, project 

management, sales, marketing, logistics, management of outsourced processes, etc.). 

Applied Knowledge: Examine the risks and controls related to the organization’s business 

processes. 

Expert: Recommend actions to address risks related to the organization’s business 

processes. 1 

Module 1 Audit and Assurance described internal audit’s contribution to governance and in 

doing so identified the key components of governance in the public sector with reference to 

important models. The need for the structures and processes that constitute governance 

arises due to accountability and uncertainty. Public officials have a duty of care to citizens 

whose resources they are using to achieve a public benefit. Consequently, managers and 

leaders must adopt appropriate measures to ensure their actions and behaviors are likely to 

fulfill organizational purpose economically, effectively, efficiently, ethically, and sustainably. 

To achieve this, they must lead, direct, and oversee activities and make timely interventions 

as required. Well-intentioned plans and actions, however, cannot guarantee desirable 

outcomes. Resources, systems, people, and events are unreliable and unpredictable. Risk 

management and internal control – key components of governance – are needed to provide 

reasonable assurance objectives will be achieved within an acceptable margin of error. 

Internal audit’s contribution is to provide greater transparency and insight. This helps 

governing bodies 2 extend their oversight across the entity and receive independent 

assurance on the adequacy and effectiveness of governance, risk management, and internal 

control to complement and supplement reports received from management – including risk 

and compliance functions – regarding performance, position, and prospects. Internal audit 

1 

Internal Audit Competency Framework, The IIA, 2022. 

2 

Refer to Module 1 section 1A.2 for a description of governing bodies and the many forms they may take in the public sector. 

8

also serves management through assurance and advice, acting as a well-informed strategic 

advisor and champion of innovation and change. 

External audit provides additional transparency by ensuring external stakeholders receive 

reliable reports on all aspects of public sector activity. Internal and external auditors have a 

broadly similar purpose (although they have important differences), operate according to 

compatible professional standards, and act independently from (i.e., without responsibility for 

or interference by) the areas they review. 

Guidance from the Chartered Institute of Internal Auditors provides a useful comparison 

between internal auditors and external auditors, summarized in the table below and adapted 

for relevance to the public sector. 3 

Primary clients 

Purpose of 

assurance 

Coverage or 

nature of work 

Internal Audit 

Management and the governing 

body. 

To provide transparency and 

insight to senior management and 

the governing body on all aspects 

of governance, risk management, 

and internal control, to enable 

better decision-making, and to 

facilitate innovation and 

improvements. 

“Internal audit covers all categories 

of risks and their management, 

starting from their identification, 

taking in various responses to 

risks, including traditional internal 

financial and non-financial controls 

and including the flow of 

information around the 

[organization] about risk. Internal 

auditors also cover governance 

processes and the internal control 

environment that seeks to mitigate 

risk and governance issues.” 

External Audit 

Superior entity, where applicable 

(such as line ministry), parliament, 

and the public. 

“To add verification, credibility, and 

reliability to reports” from public 

entities to government and from 

government to the public. “An 

external audit process ensures that 

[an organization]’s internal controls, 

processes, guidelines and policies 

are adequate, effective and in 

compliance with governmental 

requirements, industry standards and 

[organizational] policies. This type of 

audit also ensures that reporting 

mechanisms prevent errors in 

financial statements.” 

External auditors typically conduct: 

• Financial audits 

• Compliance audits 

• Performance audits 

The purpose of the financial is to 

confirm: 

• The accuracy and completeness 

of the client's accounting records. 

• Whether the client's accounting 

records have been prepared in 

accordance with the applicable 

accounting framework. 

• Whether the client's financial 

statements present fairly its 

results and financial position. 

Performance audits evaluate the 

3 

Position paper: Internal audit's relationship with external audit, Chartered Institute of Internal Auditors, 2020. 

9

Timing and 

frequency 

Focus of 

opinion 

Responsibility 

for 

improvement 

Internal auditing is a permanent 

presence in the organization and 

conducts engagements according 

to organizational priorities and risks 

based on a planned schedule as 

well as ad hoc missions. 

Internal audit provides assurance 

on the adequacy and effectiveness 

of governance, risk management, 

and internal control, which may 

include an opinion. 

“Improvement is fundamental to the 

role of internal audit. Working 

within the organization on a 

constant basis allows internal 

auditors to identify current or 

emerging weaknesses and advise 

and facilitate managers’ efforts to 

improve processes. At the same 

time, internal auditors have a 

professional duty to avoid usurping 

the responsibility of managers to 

manage.” 

economy, effectiveness, and 

efficiency of projects and initiatives in 

terms of their outcomes and impacts. 

Compliance audits identify the 

conformance with policies, 

regulations, and other requirements. 

External audits (especially financial 

audits) tend to follow a cyclical 

pattern tied to annual reporting 

requirements. 

“The external audit focus is 

predominantly on validating that the 

financial statements are a true and 

fair representation of past 

performance.” 

“External auditors have no explicit 

responsibility to improve their clients’ 

governance or risk management 

processes. They have a duty to 

report internal control problems that 

they come across as part of their 

work.” 

We may also add the primary accountability of the head of the internal audit unit is to the 

governing body of the organization while external auditors of the Supreme Audit Institution 

are accountable to parliament, often reporting to a representative committee, the cabinet 

office, the head of government or the head of state. 

Governance, risk management, and internal control can be understood as different facets of 

the same thing. Their purpose is to provide reasonable assurance of organizational success. 

They operate at every level throughout an organization. Every activity, decision, plan, and 

behavior contributes in some way – positively or negatively – to the entity’s economy, 

effectiveness, efficiency, integrity, and sustainability. 

Governance is the broadest of the three concepts. Its focus concerns the highest-level 

objectives, strategies, structures, processes, and decisions, and is driven by ultimate 

10

accountability to stakeholders. “Those charged with governance” typically refers to the 

members of the governing body and may include those with executive and nonexecutive 

roles. 

• Risk management takes account of the inherent uncertainty in all goal-oriented 

activity with the aim of optimizing outcomes, not to eliminate risk (which is impossible 

without abandoning all goals and actions to achieve them) but to take better 

decisions. Both taking an action and refraining from doing so constitute taking a risk. 

Managing risk is part of the responsibility of management, although the governing 

body should ensure there are appropriate structures and processes in place. This 

may include individuals or teams with a specific focus on risk and compliance (i.e., 

second line roles) to provide additional expertise, oversight, and challenge. 

• Internal control (sometimes referred to as control or managerial internal control 

(MIC)) describes management’s responses to risk. 

As noted in Module 1, not all entities have separate “second line” functions. The 

responsibility for managing risk, however, remains within management regardless of 

structure. Where there are no distinction second line functions, the task of managing risks 

sits with those who also have first line roles. 

2A.1: Reflection 

The term “internal control” sometimes creates a negative image – especially among 

managers – and can be a barrier to establishing a good understanding of the role and 

importance of governance, risk management, and internal audit – which are also terms that 

are not well understood. 

Have you experienced difficulties communicating the purpose of internal control as well as 

governance, risk management, and internal audit? 

How do you – or how could you – explain these terms to your audit clients and 

stakeholders to avoid such difficulties? 

In what ways, if any, does your internal audit function engage with other internal and 

external assurance providers (such as risk and compliance functions, legal counsel, financial 

controllers, financial officers, and external auditors)? 

Are there ways in which internal audit could work more closely with other internal and 

external assurance providers while maintaining appropriate safeguards for independence? 

11

2A.2 Risk Management 

IIA Internal Audit Competency Framework: Risk Management 

General Awareness: Describe fundamental concepts of risk and risk management; describe 

risk management frameworks. 

Applied Knowledge: Use a risk management framework to identify potential threats; examine 

the effectiveness of risk management within processes and functions. 

Expert: Appraise the methods used to assess the effectiveness of risk identification and 

management. 4 

Risk management is the attempt to apply awareness and understanding of risks to 

strategizing, goal setting, planning, decision-making, deployment of resources, operational 

activity, monitoring, reporting, and forecasting. It is most effective when it is holistic (entitywide), 

consistent (supported by a common framework and terminology), and integrated 

(built-in rather than bolted-on). A general principle is that whoever is responsible for an 

activity or goal is also responsible for managing the associated risks. An entity may assign 

individuals or teams with specialist second line roles (e.g., risk management, compliance, 

information security, legal counsel, and financial control) to provide support for managers 

focused on first line roles (i.e., “front of house” services to clients and “back office” services 

to enable the organization to operate, such as administration, HR, finance and accounting, 

and IT, noting that many back office functions also have a focus on control). However, the 

general principle of risk ownership remains. 

In their approach to risk management, some organizations consciously adopt a formal 

framework, such as COSO Enterprise Risk Management – Integrating with Strategy and 

Performance or ISO 31000: Risk Management. There are benefits in doing so, including 

having a ready-made objective benchmark of recognized best practice and a valuable tool 

for assessment and training. There are also disadvantages, including the need to ensure the 

model is relevant and the risk of getting distracted by excessive detail. Any approach needs 

to be appropriate, and its adoption should be incremental to match the needs and maturity of 

the entity. In all cases, internal audit is expected to evaluate the effectiveness of risk 

management and contribute to its improvement, in accordance with Standard 2120 – Risk 

Management of the IPPF. 

Risk is commonly defined in connection with the attainment of objectives and allows for both 

favorable and adverse variances from desired outcomes. Three useful and similar definitions 

of risk are given below. 

• IIA: The possibility of an event occurring that will have an impact on the achievement 

of objectives. Risk is measured in terms of impact and likelihood. 5 

• ISO: The effect of uncertainty on objectives. 6 

• COSO: The possibility that events will occur and affect the achievement of 

objectives. 7 

4 


5 

International Professional Practices Framework, The IIA, 2016. 

6 

ISO 31000:2018 Risk Management, ISO, 2018. 

7 

COSO Enterprise Risk Management – Integrating with Strategy and Performance, COSO, 2017. 

12

It is worth quoting IIA Standard 2120 – Risk Management in full as it succinctly directs 

auditors to consider key factors when determining the effectiveness of risk management 

processes. 

2120—Risk Management 

The internal audit activity must evaluate the effectiveness and contribute to the 

improvement of risk management processes. 

Interpretation: 

Determining whether risk management processes are effective is a judgment resulting 

from the internal auditor’s assessment that: 

• Organizational objectives support and align with the organization’s mission. 

• Significant risks are identified and assessed. 

• Appropriate risk responses are selected that align risks with the organization’s 

risk appetite. 

• Relevant risk information is captured and communicated in a timely manner 

across the organization, enabling staff, management, and the board to carry out 

their responsibilities. 

The internal audit activity may gather the information to support this assessment during 

multiple engagements. The results of these engagements, when viewed together, 

provide an understanding of the organization’s risk management processes and their 

effectiveness. 

Risk management processes are monitored through ongoing management activities, 

separate evaluations, or both. 

2120.A1 The internal audit activity must evaluate risk exposures relating to the 

organization’s governance, operations, and information systems regarding the: 

• Achievement of the organization’s strategic objectives. 

• Reliability and integrity of financial and operational information. 

• Effectiveness and efficiency of operations and programs. 

• Safeguarding of assets. 

• Compliance with laws, regulations, policies, procedures, and contracts. 

2120.A2 The internal audit activity must evaluate the potential for the occurrence of fraud 

and how the organization manages fraud risk. 

2120.C1 During consulting engagements, internal auditors must address risk consistent 

with the engagement’s objectives and be alert to the existence of other significant risks. 

2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting 

engagements into their evaluation of the organization’s risk management processes. 

13

2120.C3 When assisting management in establishing or improving risk management 

processes, internal auditors must refrain from assuming any management responsibility 

by actually managing risks. 8 

Risk management involves multiple steps, to identify, assess, and implement responses to 

risks that are relevant to the organization and its objectives. The overall approach of risk 

management should be: 

• Planned, focused, and systematic. 

• Relevant to organizational need and priorities. 

• Maintained continuously as objectives and conditions change. 

• Monitored and adjusted as required. 

The process should be cyclical and iterative allowing for continuous improvement. 

Figure: Iterative and Cyclical Risk Management 

2A.2.1 Risk Concepts 

There are many related terms used regarding risk management. Internal auditors should 

make sure their meaning is clear when discussing risk with members of management and 

the governing body. It is useful to agree a common taxonomy and to keep it simple. Some 

common terms are defined in the table below. However, some alternative definitions are 

possible, and the most important things are clarity and agreement. 

8 

International Professional Practices Framework, The IIA, 2016 

14

Concept 

Risk capacity 

Risk attitude 

Risk appetite 

Risk 

tolerance 

Risk universe 

Risk profile 

Risk severity 

Risk 

response 

Inherent risk 

Residual risk 

Definition and Application 

The ability to tolerate risk without significant failure. 

A general disposition or mindset with respect to risk, such as being risk 

averse or risk hungry. 

The level of risk an organization is willing to take, often expressed for 

categories (or classes) of risks. 

Risk appetite for specific activities or objectives, including acceptable 

variations beyond broader risk appetite, at least on a temporary basis. 

The totality of risks that may impact an organization. 

The aggregate pattern of significant risks across key activities. 

A measure of the level of risk (usually based on likelihood and impact). 

An organization’s actions taken in recognition of a risk to manage its 

impacts and/or likelihood within the limits agreed according to appetite and 

tolerance. 

The level (severity) of a risk to which an organization is (theoretically) 

exposed in the absence of any risk responses (controls). 

The level (severity) of a risk to which an organization is exposed with risk 

responses (controls) in place. 

Risk appetite is an important concept since it sets the tone for risk management. COSO 

Guidance, Risk Appetite: Critical to Success, provides useful discussion on this topic. 

The COSO Enterprise Risk Management—Integrating with Strategy and 

Performance defines risk appetite as: The types and amount of risk, on a broad level, 

an organization is willing to accept in pursuit of value. 

Inherent in this definition are several key points. Risk appetite: 

• Is intentionally broad to apply across an organization, recognizing that it may 

differ within various parts of the organization while remaining relevant in 

changing business conditions. 

• Focuses on risk that needs to be taken to pursue strategies that enhance 

long-term success. 

• Recognizes that risk is more than individual decisions. 

• Links to value – it is tied to the choices the organization makes on how it 

creates and preserves value. 9 

2A.2.2 Risk Identification 

The process of risk management begins with risk identification. Risks do not exist in the 

abstract but relate to objectives. Where there are no objectives there are no risks. Two 

individuals or entities in the same circumstances may face different risks or different levels of 

risk exposure because they have different goals. To answer the question “what are the 

risks?” we must first answer the question “what are the objectives?” Therefore, risk 

identification starts with a review of an organization’s purpose, goals, strategies, and targets. 

This can also be applied to departments, projects, and systems. 

9 

Risk Appetite: Critical to Success, COSO, 2020. 

15

Risk identification needs to be maintained on a regular basis. As internal and external 

conditions and goals change, the risk profile also evolves. New risks arise from new 

conditions (such as a change of leader, introduction of a new policy, changes to legislation 

and regulations, implementation of new systems, and shifts in economic and social factors). 

The process of risk identification often includes a combination of: 

• Review of purpose, goals, strategies, and targets. 

• Review of performance, position, and prospects. 

• Brainstorming workshops with key individuals. 

• Consideration of each class of risk or each major department, systems, or process. 

• Review of the existing risk register. 

• Review of previous audits and inspections. 

• Consideration of relevant guidance, articles, journals, and other literature. 

• Consultation with subject matter experts. 

Internal auditors are likely to be involved in supporting this process. The extent to which 

internal audit is asked to help will depend on the level of risk maturity (see below). They may 

facilitate risk self-assessment workshops and provide training. The head of internal audit 

should also make an independent risk assessment as part of the process of planning the 

schedule of engagements but must include the input of senior management and the 

governing body, in accordance with Standard 2010. 

2010.A1 The internal audit activity’s plan of engagements must be based on a 

documented risk assessment, undertaken at least annually. The input of senior 

management and the board must be considered in this process. 10 

2A.2.3 Risk Analysis and Evaluation 

Risk workshops and other processes can yield long lists of risks. Some will be more 

important than others and many risks in the risk universe require little or no attention. To 

make this determination requires analysis and evaluation. This allows managers to prioritize 

and decide on appropriate risk responses. 

Not all risks are relevant or significant. Purely theoretical or hypothetical risks with very 

limited likelihood can safely be ignored. However, so-called black swan events occur 

infrequently and are hard to predict but may have significant impacts. In some parts of the 

world tornadoes, earthquakes, or hurricanes may occur although it is difficult to know where 

and when. There may also be very rare scenarios where such events are combined with 

conditions like tsunamis, wildfires, or high tides making the impacts that much greater. They 

are highly unlikely but that does not mean organizations (and individuals) can dismiss the 

possibility because from time to time such things will occur. The global Covid-19 pandemic 

caused rapid and widespread disruption. Nevertheless, many individuals and organizations 

had warned governments that such a scenario was possible. As we encroach more into the 

natural environment and encounter species with which humans have had little previous 

contact, the chances of diseases jumping to humans increase. Coupled with rapid mass 

global transportation significantly multiplies the chance of viruses spreading quickly. 

10 International Professional Practices Framework, The IIA, 2016 

16

Impact 

Other than black swan events, organizations must also consider emerging risks which are 

those with a high degree of uncertainty, often accompanied with high volatility, and with the 

potential for far-reaching and widespread consequences. They arise from conditions not 

previously experienced and so the posible chains of events and impacts are difficult to 

estimate. Risks arising from climate change, artificial intelligence, and geo-politics fall into 

this category. It is hard to prepare for the unknown, but organizations need to keep these in 

view, learn what they can from available information, and maintain active preparedness in 

the form of contingency plans as far as possible. This may include avoiding undue reliance 

on single organizations or territories for critical supplies and having built-in flexibility in 

operations. This is similar to business continuity and disaster recovery planning. We may not 

know what the cause may be, but we can prepare for denial of access to buildings, power 

outages, disruption to supply lines, loss of key personnel, staff shortages, and other social, 

political, environmental, or economic turmoil. 

Aside from black swan events and emerging risks, it is possible to classify, evaluate, and 

prioritize risks. Classifications are developed to match the characteristics of the organization. 

Classes or categories may include: 

• Strategic risk. 

• Operational risk. 

• Financial risk. 

• Reporting risk. 

• IT risk. 

• Compliance risk. 

• Cybersecurity risk. 

• Reputational risk. 

The categories help with the process of managing risks and the choice of categories used 

should be made to suit organizational needs. Risk appetite may vary according to class of 

risk. Some broad topics, such as ESG (environmental, social, and governance), can 

represent risks in multiple classes, in the case of ESG this could include reputational, 

financial, reporting, and compliance risks. 

Evaluation of risks can include attaching descriptive or numerical values. Likelihood and 

impact are usually the two most important dimensions, although others may be considered. 

Sometimes a grid is used similar to the one shown below. 

Severe 

Major 

Moderate 

Minor 

Insignificant 

Rare Unlikely Moderate Likely Highly 

likely 

Likelihood 

Figure: Risk Severity Matrix 

17

Impact 

Risks can be placed on the matrix according to their relative severity. Red, yellow, and green 

shading can be used to create a heat map. Alternative numerical values may be attached, as 

shown below. 

5 5 10 15 20 25 

4 4 8 12 16 20 

3 3 6 9 12 15 

2 2 4 6 8 10 

1 1 2 3 4 5 

1 2 3 4 5 

Likelihood 

Figure: Risk Severity Matrix – Numerical 

In this case, severity has been calculated as a product of likelihood and impact. However, an 

organization may be more concerned about a risk with a likelihood of 3 and an impact of 5 

than a risk with a likelihood of 5 and an impact of 3. We can tolerate more likely but less 

impactful events than less likely but more impactful ones. This suggests impact could be 

weighted if desired to reflect this. Other factors may also be considered, such as: 

• Vulnerability: how susceptible is the organization to certain types and levels of 

impact? 

• Velocity: how quickly will the impact be felt once the initial event has occurred? 

• Volatility: how much changeability and uncertainty is there regarding the 

circumstances and our assessment of likelihood and impact? 

• Simultaneous occurrence: if two or more related or unrelated impacts are felt at the 

same time, how will the organization be able to cope? Risks with lower individual 

severity may combine to create more significant impacts. 

There are many ways in which risk can be quantified with varying levels of sophistication and 

granularity. There is a trade-off to be had. If a model is too simple it can reduce the value of 

quantifying risks. Three-point scales (whether qualitative or quantitative) are unlikely to be 

sufficient to reflect the real differences in levels of risk exposure faced by an organization. In 

models with an odd number of gradations there is a natural tendency to fall into the middle, 

after discounting the upper and lower extremes. This also reduces the effectiveness of the 

exercise. 

On the other hand, if a model is too complex it may become unwieldy. The effort involved in 

determining very fine gradations may exceed the benefits it yields. The process of evaluation 

should not get in the way of what the aim is. The purpose is to identify areas of risk that 

require attention and help with prioritization and determination of a proportionate response. 

COSO Risk Assessment in Practice provides useful guidance on this and related topics. 11 

It is important to remember the exercise of risk evaluation is not a perfect science. 

Organizations should be careful not to get seduced or distracted by the numbers. Risk 

evaluation is a tool to support the analysis, prioritization, and subsequent responses. For 

senior management and the governing body, the key questions are: what do we need to be 

focused on, what are we doing about it, and are our current responses effective? 

11 

Risk Assessment In Practice, COSO, 2012. 

18

2A.2.4 Risk Responses 

Having identified, classified, evaluated, and prioritized risks, the next stage is to determine 

appropriate responses. “Control” can suggest the response to a risk is always to restrict or 

reduce its impact but since some of the impacts of uncertainty on objectives are favorable – 

we sometimes exceed targets and forecasts, and new opportunities arise – then some of the 

responses are to take advantage of rather than limit risks. Risk responses can serve to 

manage either likelihood or impact or both. 

The aim of responses is to ensure the residual risk severity falls within the expressed risk 

appetite. Responses need to be proportionate in terms of cost and effort in relation to the 

size of the risk. Basic responses are described below. 

Basis Risk 

May include 

Responses 

Treat 

Reduce, mitigate, enhance, exploit, leverage, or optimize 

Terminate 

Avoid or abandon the activity or goal 

Transfer 

Share (e.g., through insurance), spread, or outsource 

Tolerate 

Accept or pursue 

The effectiveness of the response can be measured by the difference between the inherent 

and residual risk severity. Sometimes these risk responses are used in combination. There is 

always an element of “tolerate” with regard to the residual risk unless the response is to 

terminate. Often public sector entities operate in areas of high risk – such as military combat, 

major construction, infectious diseases, nuclear power, and emergency response services – 

that need to be managed but cannot be terminated. 

Regular components of the control environment (described in section 2A.3) – such as 

training, awareness raising, and well-communicated codes of conduct and policies – serve 

as general controls. A very common control is segregation of incompatible duties (as 

discussed in Module 1 Audit and Assurance under measures to address fraud risk). Consider 

the following specific controls for risks associated with cash receipts and payments: 

• Set tight limits on the number of people who can perform sensitive roles, such as 

authorizing payments and signing checks. 

• Assign separate cash drawers for each employee responsible for collecting cash and 

record a daily tally. 

• Endorse checks at the point of receiving them to restrict their usage. 

• Do not allow employees to draw cash for personal use. 

• Do not collect amounts in excess of what is due and offer “cash back.” 

• Issue numbered receipts and keep a copy. 

• Deposit cash as soon as possible with deposit slip, otherwise secure undeposited 

amounts. 

• Keep blank checks secure. 

• Make checks out to specific payee (not “cash” or similar or left blank). 

• Conduct regular reviews and reconciliations and investigate irregularities. 12 

12 

Local Management Guide: The Practice of Internal Controls, Office o the New York State Comptroller, 2010. 

19

These are all designed to treat (through mitigation) the risk of money going missing through 

error or fraud. Most reduce likelihood. Setting authorization limits and making regular 

reviews reduce impact by restricting how much could go missing before the problem is 

identified. 

Financial speculation, investments in new technology, promotion of innovation to stimulate 

economic growth and address climate change, issuing government bonds, and adjusting 

interest rates and levels of taxation are examples of how the public sector can seek to 

exploit uncertainty. 

2A.2.5 Monitoring 

Monitoring is a key part of the risk management process. This includes monitoring controls 

to ensure they are operating as expected and maintaining a close watch for changes in the 

risk landscape. Routine monitoring should be conducted by those implementing the controls 

and their supervisors. Completing reconciliations and stock takes are a form of monitoring. 

Inspections and audits may also be undertaken. Monitoring should include a combination of 

periodic and ad hoc review. Automated systems make it easier to maintain close monitoring 

and reports may be generated to highlight irregularities. 


Think about the structures, processes, and resources in your organization that collectively 

represent risk management. 

What formal provisions are made in your organization for risk management? 

Is there a coherent, entity-wide approach to managing organizational risks? 

Is risk management connected with strategic and operational planning, reporting, 

monitoring, and performance management? 

Is there a common framework and agreed terminology used to describe risk? 

Is responsibility for risks and controls delegated down the organization to teams and 

individuals? 

20

2A.3 COSO Internal Control – Integrated Framework 

IIA Internal Audit Competency Framework: Internal Control 

General Awareness: Identify types of controls. 

Applied Knowledge: Use an internal control framework to examine the effectiveness and 

efficiency of internal controls. 

Expert: Evaluate and recommend improvements to the organization’s internal control 

framework; assess the organization’s implementation of its internal control framework. 13 

The best known and most widely used model for internal control is COSO Internal Control – 

Integrated Framework (2017). It is commonly adopted in the public sector and sometimes 

written into legislation. For example, it is a part of the European Union accession 

requirements within the model of Public Internal Financial Control (PIFC) (see Module 3 

Accounting Fundamentals). 

The COSO model comprises five interrelated elements: 

• Control environment. 

• Risk assessment. 

• Control activities. 

• Monitoring. 

• Information and communication. 

There is a natural intersection between risk management and internal control, especially in 

the components of risk assessment and control activities. 

Figure: The Five Elements of Internal Control 

• The internal control environment is the overall framework for control. It is established 

through diligent leadership, consistent tone-at-the-top, a commitment to integrity and 

transparency, regular awareness-raising and training, clarity of roles and 

responsibilities, and appropriate and documented delegation of authority. 

• Risk assessment is needed to identify, evaluate, and prioritize uncertainties that may 

impact the achievement of objectives. Risk assessment should form part of 

strategizing, planning, decision-making, operations, monitoring, and evaluation. 

13 


21

• Control activities are the responses developed to manage risks within acceptable 

limits. Controls may be a combination of preventive, detective, and corrective 

measures implemented as part of normal operating procedures and should be 

proportionate in terms of cost and effort in relation to the level of risk. Training should 

be provided as necessary. Implementing and maintaining control activities must be 

documented and included within a description of roles and responsibilities. 

• Systematic monitoring is a necessary part of ensuring the adequacy and 

effectiveness of control activities to determine they are operating as intended. As 

objectives and risks change, it is likely control activities will need to be adjusted and, 

in some cases, removed. Routine and ad hoc monitoring is undertaken by 

supervisors and line managers as well as periodically by inspectors and internal and 

external auditors. 

• Finally, the effectiveness of internal control is dependent on systems of information 

and communication to maintain up-to-date descriptions of processes and escalate 

issues to the appropriate level of authority in the event of a control failure. 

Any system of control needs to be cost-effective, proportionate to risks and priorities, 

compatible with organizational culture, and integrated within decision-making and 

operations. 


COSO Internal Control – Integrated Framework is central to the model of PIFC (Public 

Internal Financial Control). 

How well is COSO Internal Control – Integrated Framework understood in your 

organization – by senior leaders, managers, and staff? 

What role can the internal audit function play to promote greater awareness and 

understanding regarding internal control and the COSO Internal Control – Integrated 

Framework? 

Based on your insights on the adequacy and effectiveness of internal control in your 

organization, which area or areas have the greatest need or opportunity for improvement 

(control environment, risk assessment, control activities, monitoring, and information and 

communication)? 

22

2A.4 Decision-Making, Risk Management, and Managerial 

Accountability 

The principles of decision-making, risk management, and managerial accountability are 

closely related. 

Every organization or system requires a set of explicit and implicit rules to operate, 

sometimes referred to as bureaucracy. When the rules are burdensome in comparison with 

the objectives and complexity of the task, they can have a negative impact on effectiveness 

and efficiency. Excessive bureaucracy is known as red tape. Otherwise, formal and informal 

rules ensure activity is organized and purposeful. Specialization and the division of 

responsibilities increase and improve performance. Entities establish structures and 

hierarchies as ways of organizing resources and functions, taking care to ensure there is 

clarity to avoid unintended gaps and unnecessary duplication as well as appropriate 

interconnection to maintain organizational coherence. 

However, rules are insufficient to complete every task. If they were, organizations would not 

need managers. Organizations are not machines. They are human undertakings. The 

function of managing is effectively one of making decisions. Tasks that do not require 

decision-making we can describe as purely administrative where one is simply abiding by 

rules and following instructions. In many cases, such tasks can be automated. In reality, 

there are few roles that lack any degree of discretion. 

In highly centralized organizations, important decision-making is made at the highest levels 

of authority. This can be appropriate when there is a strong need for uniformity and limited 

need for decision-making at lower levels, such as in an army or when junior team members 

have very limited knowledge and experience. In other situations, centralization can lead to 

bottlenecks where lengthy decision-making processes are carried out by individuals who are 

remote from operations, and there is often a failure to utilize talent which can lead to 

demotivation and demoralization. In centralized bodies, internal control is equated with 

following rules and is enforced through inspection. Most employees are therefore carrying 

out administrative tasks requiring multi-tiered signoffs as a paper trail and ex-ante approval 

for appropriations, commitments, disbursements, etc. Such a system is heavily focused on 

the legality and regularity (i.e., on compliance) of transactions and rather less on 

effectiveness and performance. 

Organizations with decentralized decision-making and control are more agile and 

responsive. Employees’ expertise is more appropriate to their tasks, thus creating greater 

job satisfaction and engagement. Internal control operates most effectively at the level at 

which decisions are taken. Those closest to the action are best placed to understand and 

intervene. Tasks should be delegated to the lowest level at which sufficient competency 

exists to complete them successfully. It is otherwise an ineffective use of talent (and the 

financial resources necessary to pay for it) to have someone over- or under-qualified for their 

role. 

Managers make decisions to help achieve goals that satisfy the purpose of the team, 

division, department, entity, and governing administration. We have said previously that 

taking goal-oriented actions and taking risks are the same thing. Knowledge of risks helps 

prepare for a range of possible outcomes. The purpose of risk management is to enable 

23

managers to make good decisions. Independent assurance and advice from internal audit 

has the same purpose. 

Effective internal control is dependent on delegation of authority and powers to an 

appropriate level of activity. Accountability flows up the chain of command and ultimately to 

the highest levels of government. However, within this structure individuals are empowered 

to take actions in a reasonable manner regulated by suitable preventive and detective 

controls. Delegation of powers and responsibilities should be achieved without relieving the 

person who is delegating from responsibility for exercising those powers and responsibilities. 

Managerial accountability is defined as: 

A process whereby managers at all levels are responsible for, and may be required to 

explain, the decisions and actions taken to meet the objectives of the organisation [or 

section thereof] they manage. Managerial accountability implies responsibility for 

sound financial management at all levels, i.e., the adequate organisation, procedures 

and reporting of the results of the organisation. 14 

This does not just apply to financial resources or managers at the senior level. Every 

employee making decisions is a manager in this sense. In other words, “managerial 

accountability is an approach to public management in which managers are held 

accountable for results by assigning them responsibility, accompanied by delegated authority 

for decision making, and the autonomy and resources necessary to achieve the expected 

results.” 15 Delegation of authority must be executed in a carefully considered way. It 

introduces risks at every point where decisions are made. Hence, delegation of authority 

must be accompanied by appropriate controls to provide “guard rails” within which managers 

are authorized to use their judgment. There should be a documented schedule of delegation 

starting with entity objectives and showing a cascade of decision-making authority down the 

organization to appropriate teams and individuals. 

Figure: Components of Managerial Accountability 

14 

Compendium of the public internal control systems in the EU Member States 2012, Publications Office of the European 

Union, 2012. 

15 

Managerial Accountability in the Western Balkans, Sigma, 2018. 

24

Managerial accountability requires firstly that there is clear delegation of responsibility and 

secondly that managers are held to account, meaning they accept the consequences for 

their behavior, decisions, and performance, and are treated appropriately. This may include: 

• Being required to improve upon any substandard work, submit to increased 

supervision, and undertake additional training. 

• Receiving recognition (positive feedback, praise, rewards, bonuses, pay increases, 

promotion, and other opportunities.) 

• Receiving approbation (constructive criticism, loss of privileges, demotion, reassignment, 

suspension, and potentially loss of position.) 

This also entails a need for systematic and reliable performance reporting. Delegation is only 

executable if it genuinely combines responsibility, decision-making authority, and autonomy. 

• Responsibility: Tasks need to be defined and assigned formally and included in the 

manager’s role description. 

• Authority: Managers need to have the commensurate level of authority to fulfil the 

responsibilities assigned to them. 

• Autonomy: Managers must be able to make decisions freely within their assigned 

area of responsibility and have the necessary resources to achieve this. 

Autonomy allows managers to make decisions about financial and other resources in pursuit 

of goals with the possibility of getting this wrong. This is not the same as merely following 

detailed regulations, standards, and procedures. It involves the application of reasoning and 

judgment. 

The purpose of internal control is reasonable assurance of success in a manner that is 

economic, effective, efficient, ethical, and sustainable. Success includes operating in 

conformance with legislation, regulation, policies, and other requirements and excitations. 

Internal control can be achieved by delegating responsibility, authority, and autonomy to the 

level of decision-making and activity and applying suitable controls as limits on managerial 

powers. The purpose is not to establish autonomous self-governing entities. It is common for 

governments to exercise direct control over the most significant assets and liabilities in the 

interests of national fiscal discipline. However, an increase in delegated responsibility 

supports more dynamic and responsive internal control. Managers are accountable for the 

consequences of their actions and behaviors and are duly incentivized to make continuous 

improvements. In some environments, managers are asked to make an annual declaration 

for their accountability for performance and internal control. 

Taken together, internal audit and managerial accountability are sometimes referred to as 

the double-lock of financial management. Their purpose is to improve the ways in which 

public resources are managed. Performance management is only as good as the 

effectiveness of internal control which in turn is dependent on the reliability of risk 

identification and assessment. Therefore, it is imperative that risk management activities are 

integrated into every stage of planning and operations, maintaining focus on the most 

significant risks to objectives. 

The role of internal audit is to support this process through independent assurance, insights, 

and advice, helping managers identify risks and design efficient and effective responses to 

25

them. Where controls are not working as intended, are focused on lower priority risks, or are 

disproportionate to the likelihood or impact of risks, they should be redesigned accordingly in 

the interests of economy, effectiveness, and efficiency. 

Prerequisites for Managerial Accountability 

• Clarity of roles of responsibilities with sufficient differentiation at all levels as well as 

between entities (including ministries and their subordinated entities). This includes 

responsibility for the implementation of internal control aligned with the objectives and 

risks of each activity. 

• Alignment with policies and procedures. 

• Risk-based strategic and operational planning. 

• Commitment by managers to act in the best interests of the organization. 

• Quality control to ensure substandard work is not accepted. 

• Organizational goals integrated within the planning process that are cascaded down to 

departments, divisions, teams, and individuals. Goals should be SMART, prioritized, and 

documented. 

• Formalized schedule of delegation of responsibility, authority, and autonomy appropriate 

to levels of competency, to include devolved budgetary responsibility. Requirements for 

the process of delegation may be defined by law with very specific procedures to confirm 

transfer of responsibilities. More generally, organizations and leaders may assign tasks 

and duties from within their own span of responsibilities to members of their department 

or team. In all cases, delegation should be planned and documented carefully. 

• Regular assessment of managers’ competencies. 

• Performance evaluation and appraisal policies that ensure expectations are clearly 

communicated, supported, monitored, evaluated, and recognized. 

• Adequate supervision. 

• Training and professional development. 

• Implementation of a suitable entity-wide risk management framework. 

• Implementation of a suitable system of internal control, coordinated, and managed 

across the entity. Procedures and controls must be documented. 

• Merit-based and transparent recruitment and promotion. 

• Systematic monitoring and reporting of performance. 


How would you describe the decision-making process in your organization – as highly 

centralized, highly decentralized, or somewhere in between? 

Consider the prerequisites listed above for managerial accountability. Which of these may 

be a cause of limiting the effective managerial accountability in your organization? 

What can internal audit do to strengthen managerial accountability in your organization? 

Do the principles of managerial accountability apply to the internal audit function? Do audit 

team members have appropriate levels of responsibility, authority, and autonomy? 

26

2A.5 Entity-wide Risk Management 

Within each assurance engagement, internal auditors evaluate the adequacy and 

effectiveness of risk management and provide insights to support improvements. 

Additionally, the head of internal audit is often expected to offer an opinion on risk 

management for the organization as a whole. Risk management should be planned 

holistically to ensure consistency, coherence, and comprehensiveness. It is only at an 

aggregate level that an entity can consider its full risk profile. 

COSO describes entity-wide risk management as: 

The culture, capabilities, and practices, integrated with strategy-setting and 

performance that organizations rely on to manage risk in creating, preserving, and 

realizing value. It…includes practices that management puts in place to actively 

manage risk…[and] addresses more than internal control [to include] strategy-setting, 

governance, communicating with stakeholders, and measuring performance. Its 

principles apply at all levels of the organization and across all functions. 16 

The following table illustrates some of the key differences between risk management at a 

departmental, team, or process level and entity-wide risk management. It also distinguishes 

less mature from more mature risk management practices. 

Increasing Risk 

Management Maturity 

Characteristic 

Risk management at a 

departmental, team, and process 

level 

Approach • Tactical. 

• Focus on individual 

departments or classes of risk. 

• May be reactive, short-term, 

and fragmented. 

• May be based on periodic or 

sporadic risk assessments. 

• Likely to focus on likelihood 

and impact only. 

Guiding principle • Attention to risk tolerances. 

• Focus on detective and 

preventive controls. 

Primary goals • Minimize losses, improve 

efficiencies, increase gains. 

Responsibility • Primarily the departmental 

leader or process owner. 

Scope • Risks within department, team, 

or process. 

• Focus on operational risks 

relevant to departmental, team, 

or process goals. 

Entity-wide Risk Management 

• Strategic. 

• Holistic organizational view. 

• Pro-active, long-term, and 

integrated. 

• Continuous risk assessment 

process. 

• May consider other risk 

dimensions (such as volatility 

and correlation) in addition to 

likelihood and impact. 

• Attention to risk appetite. 

• Focus on leveraging opportunity 

as well as implementing control. 

• Fulfilment of organizational 

mission. 

• Should be assigned to a senior 

official. 

• All aspects of organizational 

activity, strategy, and planning. 

• Focus on strategic risks and 

aggregated operational risks 

relevant to organizational goals. 

16 

COSO Enterprisewide Risk Management: Integrating with Strategy and Performance, COSO, 2017. 

27

As organizations develop and mature, so too should their organizational risk management. 

There are numerous models for risk management maturity sharing many common elements. 

The purpose of a model is to provide an initial assessment of current status, identify 

opportunities for improvement, and help establish a planned approach for increasing 

maturity. This is a process internal audit is well-placed to support. 

The Risk Maturity Model (RMM) 17 is one such model with five levels of maturity: 

1. Ad hoc. 

2. Initial. 

3. Repeatable. 

4. Managed. 

5. Leadership. 

The assessment is based on consideration of seven elements related to entity-wide risk 

management (ERM): 

Element 

1. Adoption of 

ERM-based 

process 

2. ERM Process 

Management 

3. Risk Appetite 

Management 

4. Root Cause 

Discipline 

5. Uncovering 

Risks 

6. Performance 

Management 

7. Business 

Resiliency and 

Sustainability 

Focus 

Risk culture and level of executive or board-level support for 

enterprise risk management. 

Adoption of ERM methodology throughout the culture and decisions, 

and how well the risk management program follows best practice 

steps to identify, assess, evaluate, mitigate, and monitor risks. 

Awareness around risk-reward trade-offs, accountability for risk, 

defining risk tolerances, and whether the organization is effective in 

closing the gap between potential and actual risk. 

Risk identification by source, or root cause, versus the symptoms and 

outcomes they produce. Focusing on the root cause of a risk and 

classifying them accordingly will strengthen response and mitigation 

efforts. 

Quality and coverage of risk assessments. It examines the method of 

collecting risk information, the risk assessment process, and whether 

enterprise-wide trends and correlations can be uncovered from the 

risk information. 

Execution of visions and strategy. It evaluates the strength in planning, 

communicating, and measuring core enterprise goals with a riskbased 

process, and the extent to which progress deviates from 

expectations. 

Integration of business continuity, operational planning, and other 

sustainability activities with a risk-based methodology. 

Internal audit may adopt such a model, apply it to their evaluation of risk management, and 

use it to help management identify opportunities and set goals for continuing improvement. 

17 

www.riskmaturitymodel.org 

28


Use the Risk Maturity Model (or something similar) to assess the maturity of risk 

management in your organization. You may need to make an educated guess for any 

elements you are not wholly sure of. 

On a scale of 1-5 (where 1 is ad hoc, 2 initial, 3 repeatable, 4 managed, and 5 leadership) 

or similar, what score would you attribute to risk management maturity in your organization? 

What factors are the most significant in contributing to the risk management maturity in 

your organization? 

What role can internal auditing play to help management continue to improve risk 

management maturity? 

29

TIAPS ALB_Module 2A. Governance and Managerial Accountability

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?