HB 158-2006

Superseded

A superseded Standard is one that has been fully replaced by another Standard, which is a new edition of the same Standard.

Delivering assurance based on AS/NZS 4360:2004 Risk Management

Available format(s)

Hardcopy, PDF 1 User, PDF 3 Users, PDF 5 Users, PDF 9 Users

Language(s)

English

Published date

01-01-2006

Superseded date

30-06-2017

Superseded by

HB 158-2010

£65.02
Excluding VAT

HB 158-2006 Delivering assurance based on AS/NZS 4360:2004 Risk Management
Preface
Contents
1 Scope and objectives
1.1 Enterprise risk management (ERM)
1.2 Terminology and definitions
1.2.1 Assurance
1.2.2 Inherent risk/Exposure
1.2.3 Audit
1.2.4 Controls
1.2.5 Organisations
2 Summary of the risk management process
2.1 General
2.2 Communicate and consult
2.2.1 Requirements
2.2.2 Linkages
2.3 Establish the context
2.3.1 Requirements
2.3.2 Linkages
2.4 Identify risks
2.4.1 Requirements
2.4.2 Linkages
2.5 Analyse risks
2.5.1 Requirements
2.5.2 Linkages
2.6 Evaluate risks
2.6.1 Requirements
2.6.2 Linkages
2.7 Treat risks
2.7.1 Requirements
2.7.2 Linkages
2.8 Monitor and review
2.8.1 Requirements
2.8.2 Linkages
3 Risk management and assurance
3.1 Linking risk management to assurance
3.2 Strategic and organisation-wide approaches to risk management
3.3 Assurance and the risk management process
3.4 Internal audit involvement in risk management
4 Developing an assurance strategy
4.1 Step 1: Identifying the assurance needs of the organisation
4.2 Step 2: Identifying who the assurance providers are and their scope of operation
4.2.1 Organisational management
4.2.2 Internal audit
4.2.3 External audit
4.3 Step 3: Identify and document assurance mechanisms
4.3.1 The organisation needs assurance that all material risks have been identified
4.3.2 The organisation needs assurance that risks have been accurately analysed and evaluated
4.3.3 The organisation needs assurance that controls are both adequate and effective
4.3.4 The organisation needs assurance that intolerably high risks are being properly addressed by management
4.4 Step 4: Design the assurance review program
4.4.1 Identifying key controls
4.4.2 Planning and prioritising review
4.5 Step 5: Develop an annual review program
4.5.1 Scheduling reviews based upon risk
4.5.2 Scheduling based on information need
4.5.3 Scheduling based on other factors
4.5.4 Priority model and resource constraints
4.5.5 The annual internal audit plan
4.6 Step 6: Measuring the strategy
5 Planning an engagement
5.1 Engagement scope
5.2 Engagement objectives
5.3 Engagement procedures
5.4 Rational use of resources
5.5 Skills and body of knowledge
6 Feedback and follow up from assurance processes
6.1 Reporting lines
6.2 Reporting the individual assurance engagement
6.2.1 Communicate and consult
6.2.2 Establish Context
6.2.3 Risk identification
6.2.4 Risk analysis
6.2.5 Risk evaluation
6.2.6 Risk treatment
6.2.7 Monitor and review
6.3 Ensuring action
7 Designing and improving controls
7.1 Identifying and measuring control gaps
7.1.1 Management responsibilities
7.1.2 Other assurance activities
7.2 Designing controls
7.2.1 Step 1 – Output from the Risk Assessment Process
7.2.2 Step 2 – Define Design Intent
7.2.3 Step 3 – Detailed Design
7.2.4 Step 4 – Evaluation
7.2.5 Step 5 – Implementation
7.3 Adding controls to an existing process
8 Assurance of the risk management process
8.1 Process element approach
8.1.1 Element 1 Communication
8.1.2 Element 2 Setting the context
8.1.3 Element 3 Risk identification
8.1.4 Element 4 Risk analysis
8.1.5 Element 5 Risk evaluation
8.1.6 Element 6 Risk treatment
8.1.7 Element 7 Monitor and review
8.2 Key principles approach
8.3 Maturity model approach
Appendix A - Example priority model

This Handbook is a practitioners' guide for internal auditors and any other assurance providers, such as: external auditors; information system control professionals (internal or external auditors, security professionals, etc.); safety, health and environmental auditors; and quality auditors. This Handbook amplifies HB 436:2004 and the IIA's 'Professional Practices Framework' with respect to using and assuring the AS/NZS 4360:2004 Risk management process. In particular, it describes how to use the risk management process to: develop an assurance strategy; plan an assurance engagement; report the assurance program; and design controls.

Committee: OB-007
Document type: Handbook
ISBN: 0 7337 7843 7
Pages: 62
Publisher: Standards Australia
Status: Superseded

Originated as HB 158-2002.
Revised and redesignated as GB 158-2004.
Revised and redesignated as HB 158-2006.

HB 254-2005 Governance, risk management and control assurance
AS/NZS 4360:2004 Risk management

AS 8001-2008 Fraud and corruption control