This sample document includes the six elements of infrastructure for an organization's risk management audits.

The six elements of infrastructure is a useful tool for categorizing issues, understanding where problems are occurring within the organization and drawing conclusions to form the basis for recommendations. In Protiviti’s view, the elements of infrastructure should be considered when designing a new process or assessing an existing process. Also, the six elements are common to each process or function. These elements include business policies, business processes, people and organization, management reports, methodologies, and systems and data. These are the capabilities that each process or function should possess, and they provide a comprehensive and consistent framework to communicate the requirements for the appropriate operation of a process or function.

From a business policies perspective, it is important to have the following in place for the risk-based audit process:

• Internal audit strategies are linked to business strategies.
• Enterprise-level and engagement-level risk assessment methodologies exist.
• Risk reporting processes exist for external and internal stakeholders.
• Documented procedures on risk-based auditing exist.
• Common risk languages and risk models are utilized to encourage dialogue.