CHAPTER 7 Enterprise Risk Management: COSO ERM

Enterprises need to identify all the business risks they face—financial and operational as well as social, ethical, and environmental—and to manage them at an acceptable level. Understanding risks is a major component of achieving Sarbanes-Oxley (SOx) and internal controls compliance, through the COSO internal control framework and AS5 auditing standards; internal audit, in both its assurance and its consulting roles, can contribute significantly to this management of risk. Risk is a frequently used term in internal control standards and procedures, yet too often internal auditors have said, “Yes, we must consider risks!” without a consistent, well-defined understanding or assessment of what that risk is. One professional’s concept and understanding of risk may be very different from someone else’s, even though they are both working for the same enterprise and in similar areas. This has been particularly true for managers and internal auditors working to improve both COSO internal controls and SOx-related compliance; there has not been a consistent understanding of what is meant by this concept of risk.

Particularly to support an understanding of both COSO and SOx internal controls, internal auditors need to have a good understanding of risk management on an enterprise level and how it impacts their skills for building and developing effective internal control ...

Get Brink's Modern Internal Auditing now with the O’Reilly learning platform.