Over the last few years, the need to manage risks has become recognised as an essential part of good corporate governance practice. This has put organisations under increasing pressure to identify all the business risks they face and to explain how they manage them. In fact, the activities involved in managing risks have been recognised as playing a central and essential role in maintaining a sound system of internal control. While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. We believe that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organisation's own risk management framework.