This document contains two sample audit reports that can be used by auditors to review the enterprise risk management (ERM) function of an organization.
Testing covered activities such as the documentation of enterprise-wide policy guidelines, the implementation of an ethics hotline and company code of conduct, and the documentation and integration of risk mitigation and oversight. The following observations were noted as a result of testing:
Considerable progress with development and implementation of the ERM program has been made since the program’s inception.
The Operational Risk Management component of the ERM program is in its infancy but evolving rapidly.
Executive management’s expectations of the ERM function, beyond the expectation of compliance with regulatory mandate, are not fully defined.
The organizational structure is consistent with the program's stated objectives. As the program develops further, there will be opportunities to consider leading ERM practices.