HB 158-2010

Withdrawn

Delivering assurance based on ISO 31000:2009 Risk management - Principles and guidelines

Available format(s)

Hardcopy, PDF 1 User, PDF 3 Users, PDF 5 Users, PDF 9 Users

Language(s)

English

Published date

11-16-2010

Withdrawn date

09-29-2023

US$76.52
Excluding Tax where applicable

HB 158-2010 DELIVERING ASSURANCE BASED ON ISO 31000:2009 RISK MANAGEMENT-PRINCIPLES AND GUIDELINES
PREFACE
CONTENTS
SECTION 1 SCOPE AND OBJECTIVES
1.1 GENERAL
1.2 ENTERPRISE RISK MANAGEMENT (ERM)
1.3 TERMINOLOGY AND DEFINITIONS
1.3.1 Risk
1.3.2 Assurance
1.3.3 Inherent risk/Potential exposure
1.3.4 Materiality
1.3.5 Audit
1.3.6 Controls
1.3.7 Organizations
SECTION 2 SUMMARY OF THE RISK MANAGEMENT PROCESS
2.1 GENERAL
2.2 COMMUNICATE AND CONSULT
2.2.1 General
2.2.2 Requirements
2.2.3 Linkages
2.3 ESTABLISH THE CONTEXT
2.3.1 General
2.3.2 Requirements
2.3.3 Linkages
2.4 IDENTIFY RISKS
2.4.1 General
2.4.2 Requirements
2.4.3 Linkages
2.5 ANALYSE RISKS
2.5.1 General
2.5.2 Requirements
2.5.3 Linkages
2.6 EVALUATE RISKS
2.6.1 General
2.6.2 Requirements
2.6.3 Linkages
2.7 TREAT RISKS
2.7.1 General
2.7.2 Requirements
2.7.3 Linkages
2.8 MONITOR AND REVIEW
2.8.1 General
2.8.2 Requirements
2.8.3 Linkages
SECTION 3 RISK MANAGEMENT AND ASSURANCE
3.1 LINKING RISK MANAGEMENT TO ASSURANCE
3.2 STRATEGIC AND ORGANIZATION-WIDE APPROACHES TO RISK MANAGEMENT
3.3 ASSURANCE AND THE RISK MANAGEMENT PROCESS
3.4 ASSURANCE OF A RISK MANAGEMENT FRAMEWORK
3.4.1 General
3.4.2 Mandate and commitment
3.4.3 Framework design
3.4.4 Monitoring, review and improvement
3.5 INTERNAL AUDIT INVOLVEMENT IN RISK MANAGEMENT
SECTION 4 DEVELOPING AN ASSURANCE STRATEGY
4.1 GENERAL
4.2 STEP 1: IDENTIFYING THE ASSURANCE NEEDS OF THE ORGANIZATION
4.3 STEP 2: IDENTIFYING WHO THE ASSURANCE PROVIDERS ARE AND THEIR SCOPE OF OPERATION
4.3.1 Organizational management
4.3.2 Internal auditing
4.3.3 External auditing
4.4 STEP 3: IDENTIFY AND DOCUMENT ASSURANCE MECHANISMS
4.4.1 The organization needs assurance that all material risks have been identified
4.4.2 The organization needs assurance that risks have been accurately analysed and evaluated
4.4.3 The organization needs assurance that controls are both adequate and effective
4.4.4 The organization needs assurance that intolerably high risks are being properly addressed by management
4.5 STEP 4: DESIGN THE ASSURANCE REVIEW PROGRAM
4.5.1 Identifying key controls
4.5.2 Planning and prioritizing review
4.5.3 Assurance maps
4.6 STEP 5: DEVELOP A RISK-BASED REVIEW PROGRAM
4.6.1 General
4.6.2 Scheduling reviews based upon risk
4.6.3 Scheduling based on information need
4.6.4 Scheduling based on other factors
4.6.5 Priority model and resource constraints
4.6.6 The annual internal audit plan
4.7 STEP 6: MEASURING THE STRATEGY
SECTION 5 PLANNING AN ENGAGEMENT
5.1 GENERAL
5.2 ENGAGEMENT SCOPE
5.3 ENGAGEMENT OBJECTIVES
5.4 ENGAGEMENT PROCEDURES
5.5 RATIONAL USE OF RESOURCES
5.6 SKILLS AND BODY OF KNOWLEDGE
SECTION 6 REPORTING ON THE ASSURANCE PROGRAM
6.1 GENERAL
6.2 REPORTING LINES
6.3 REPORTING THE INDIVIDUAL ASSURANCE ENGAGEMENT
6.3.1 General
6.3.2 Communicate and consult
6.3.3 Establish context
6.3.4 Risk identification
6.3.5 Risk analysis
6.3.6 Risk evaluation
6.3.7 Risk treatment
6.3.8 Monitor and review
6.4 ENSURING ACTION
SECTION 7 DESIGNING AND IMPROVING CONTROLS
7.1 GENERAL
7.2 IDENTIFYING AND MEASURING CONTROL GAPS
7.2.1 General
7.2.2 Management responsibilities
7.2.3 Other assurance activities, including control self-assessment
7.3 DESIGNING CONTROLS
7.3.1 General
7.3.2 Step 1-Output from the Risk Assessment process
7.3.3 Step 2-Define design intent
7.3.4 Step 3-Detailed design
7.3.5 Step 4-Evaluation
7.3.6 Step 5-Implementation
7.4 ADDING CONTROLS TO AN EXISTING PROCESS
SECTION 8 ASSURANCE OF THE RISK MANAGEMENT PROCESS AND FRAMEWORK
8.1 GENERAL
8.2 RISK MANAGEMENT PROCESS ELEMENT APPROACH
8.2.1 General
8.2.2 Element 1-Communication
8.2.3 Element 2-Setting the context
8.2.4 Element 3-Risk identification
8.2.5 Element 4-Risk analysis
8.2.6 Element 5-Risk evaluation
8.2.7 Element 6-Risk treatment
8.2.8 Element 7-Monitor and review
8.3 KEY PRINCIPLES APPROACH
8.4 MATURITY MODEL APPROACH
APPENDIX A - EXAMPLE PRIORITY MODEL

This Handbook is a guide for internal auditors and any other assurance providers. In particular, it describes how to use the risk management process to: develop a risk-based assurance strategy and program, plan an assurance engagement, report on the assurance program, and design controls. The Handbook also provides a guide to assessing the adequacy of the risk management framework and process.

Committee: OB-007
Document type: Handbook
ISBN: 978 0 7337 9489 6
Pages: 61
Publisher name: Standards Australia
Status: Withdrawn
Supersedes

Originated as HB 158-2002.
Revised and redesignated as GB 158-2004.
Revised and redesignated as HB 158-2006.
Second edition 2010.

SA/SNZ HB 436:2013 Risk management guidelines - Companion to AS/NZS ISO 31000:2009
HB 331-2012 Overhead line design