2

4

3

5

Internal Audit

Department’s Risk & Compliance Coordinator

Enterprise Risk Management & Compliance Assurance

External Auditor

I, IV

I, II, III

II, III, IV

I, II, III, IV

Giving assurance on the risk management process

Management assurance on risks

Reviewing the management of key risks

Evaluating the reporting of key risks

In implementing IT System internal audit should ensure that internal audit does not own risk.

Internal audit team should abstain from direct responsibility for decision making

Internal audit’s responsibility of risk should be time bound and should be short term with a clear road map in this regard.

All of the above

Risk and Audit Awareness Committee (RAAC)

Risk Management Committee (RMC)

Forum between Audit and Risk Management Committee (FARMCOM)

Enterprise Wide Opportunity and Risk Management Committee (EORM)