
PA 2110-2: Governance: Relationship With Risk and Control

Primary Related Standard


2110 Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

1. The International Standards for the Professional Practice of Internal Auditing defines governance as the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

2. Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management, and internal controls.

3. Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).

4. Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.

5. Control and risk also are related, as control is defined as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established goals will be achieved.

6. The chief audit executive should consider these relationships in planning assessments of governance processes:

   - An audit should address those controls in governance processes that are designed to prevent or detect events that could have a negative impact on the achievement of organizational strategies, goals, and objectives; operational efficiency and effectiveness; financial reporting; or compliance with applicable laws and regulations. (See Practice Advisory 2110-3.)
   - Controls within governance processes are often significant in managing multiple risks across the organization. For example, controls around the code of conduct may be relied upon to manage compliance risks, fraud risks, etc. This aggregation effect should be considered when developing the scope of an audit of governance processes.
   - If other audits assess controls in governance processes (e.g., audits of controls over financial reporting, risk management processes, or compliance), the auditor should consider relying on the results of those audits.

Issued: April 2010


2010 The Institute of Internal Auditors
