ABSTRACT

This chapter argues that one of the most important and least understood areas impacting Internal Audit is the culture of the organisation and its attitude to risk. It is essential for the audit function to establish the organisation's risk culture: whether it is predominantly risk averse or risk embracing, and whether the culture is perceived to be the same in the area under review as at corporate level. The chapter describes the two main risk cultures: risk-averse culture and risk-embracing culture. Risk management is the process by which risks are identified, evaluated and controlled; it is the extent to which the organisation responds positively to the opportunities it faces whilst at the same time understanding and seeking to control any factors that could prevent its success. Risk management involves four key stages, known as the 'Risk Management Cycle': Identification of each risk, Evaluation of each risk, Control of each risk and Monitoring.