This audit report sample reviews the enterprise risk management (ERM) function of an organization. It focuses on a baseline review, assessing the function’s elements in relation to standards, regulatory guidance and company policies. In this example, the review found that the company’s management had made significant progress with the establishment of its ERM program, especially given the company’s scale and the short time since its inception. This progress includes putting in place sound ERM practices and structural components.
The review is carried out in four phases: (1) information gathering and project planning; (2) understanding ERM’s current state with regard to design and governance, infrastructure, information management and future planning; (3) evaluation of the ERM program in relation to standards and regulatory guidance for risk management activities; and (4) gap analysis and summarization of findings and recommendations.