According to IIA guidance, an appropriate role for the internal audit activity with regard to the organization's risk management program is to attain an adequate understanding of the organization's key risk mitigation strategies. This enables internal auditors to evaluate the effectiveness of risk management processes and provide assurance on the adequacy of risk controls. Identifying and managing risks, ensuring risk management processes exist, and ensuring controls exist to mitigate risks are responsibilities of management, not internal audit.