Appendix A
Auditing the Risk Management Process: A Case Study
Our aim in this presentation is to illustrate the way the corporate risk management process may be audited through a simple case study using the risk-assessed control evaluation (RaCE) approach discussed in Chapter 9. The presentation covers an audit of the corporate risk management arrangements that exist in a large organization with a head office and hundreds of local offices.
The audit was taken from the annual audit plan that was agreed by the audit committee. It was seen as a high-profile audit in that it would examine the overall arrangements for providing a robust risk management process that covers the entire organization.
The auditor prepared draft terms of reference, objectives and an approach for the planned audit. The terms of reference were reviewed with management prior to the commencement of the audit to provide a shared understanding of the areas to be covered and the approach to be adopted. The objectives and scope of the corporate risk management audit, along with selected extracts of key audit documentation, are set out below. Note that the detailed audit planning documents, interview records and testing schedules that would normally be prepared for this type of audit are not included in this case study.
Systems-related business objectives
It is a requirement of the corporate risk management strategy that potential opportunities and threats to the achievement by the service of its objectives are effectively ...