RIBEIRO, Renor Antonio Antunes 
RIBEIRO, Renor Antonio Antunes. Internal Audit and Risk Management in a European Railway Transport Company. Revista Científica Multidisciplinar Núcleo do Conhecimento. Year 06, Ed. 03, Vol. 16, pp. 107-126. March 2021. ISSN: 2448-0959, Access Link:
With the population increase in large cities and metropolitan regions, there was an increase in the demand for rail transport. Although it is an efficient and inexpensive alternative to road transport, because it is used every day by thousands of people, the railway sector requires adequate management of risks related to accidents, attacks, preventive maintenance and spare parts, so as not only to ensure the regularity and efficiency of transport services, but also to ensure the safety of users. Thus, the general objective of this article is to know the roles of the internal audit and risk management sectors in a public railway company in Portugal, and thus address the safety risks of railway operations. The specific objectives are: to conceptualize risks and risk management; to understand the role of internal audit and the relationship between internal audit and risk management; to understand some of the risks of the rail sector; and to understand how the internal audit and risk management of the company analyzed act to address the safety risks of passengers. The theme is justified by the need to know which sectors are responsible for preventing events harmful to the safety of people and what measures these organizational bodies implement in order to mitigate the causes and/or consequences of potential events harmful to the safety of rail transport users. The methodology used in this work was the literature review and the application of two in-depth interviews, with the person responsible for risk management and with the internal auditor of the Portuguese railway transport company. Finally, the results were presented and discussed, in comparison with the authors studied. The research shows that, according to the interviewees’ reports and according to the authors consulted, the internal audit has the role of both evaluating risk management and advising the risk management sector of the analyzed company, in order to promote improvements in the management of users’ safety risks.
Keywords: risks, management, transport, rail, safety.
With the increase in the populations of large cities, especially in peripheral areas, new demands have emerged for transport solutions to meet an increasing number of people, including workers, students and liberal professionals. An efficient and inexpensive alternative to road transport, which helps to reduce air pollution and congestion, is rail transport. However, since rail transport is used every day by thousands of people in most major cities around the world, the use of this mode requires adequate management of risks related to accidents, attacks, preventive maintenance and spare parts, so as not only to ensure the regularity and efficiency of transport services, but also to ensure the safety of users.
The general objective of this article is to know the roles of internal audit and risk management sector in a public railway company in Portugal, and to address the safety risks of railway operations. Thus, we have the following specific objectives: conceptualize risks and risk management; understand the role of internal audit and the relationship of internal audit and risk management; understand some of the risks of the rail sector; understand how the internal audit and risk management of the company analyzed act to meet the safety risks of passengers. The relevance of the theme is both due to the history of rail accidents around the world and the growing possibility of threats of terrorist attacks, which can cause hundreds of deaths. Thus, the theme is justified by the need to know which sectors are responsible for preventing harmful events for the safety of people and what measures these organizational bodies implement in order to mitigate the causes and/or consequences of potential events harmful to the safety of rail transport users.
In order to achieve the objectives proposed by this article, we present the concepts of risk management, the three-line model, the role of internal audit in risk management, as well as the complementarity between the functions of internal audit and risk management. Next, we discuss some authors who deal with aspects related to rail risks. The methodology used was the literature review and the application of two (2) in-depth interviews with the person responsible for risk management and with the internal auditor of the Portuguese railway transport company. Finally, the results were presented and discussed, in comparison with the authors studied. We conclude that, according to the interviewees’ reports and according to the authors consulted, the internal audit has the role of both evaluating risk management and advising the risk management sector of the analyzed company.
2. THEORETICAL FOUNDATION
2.1 RISK MANAGEMENT
According to the IIA (2009), the risk is “the possibility of an event that has an impact on the achievement of objectives. Risk is measured in terms of impact and possibility of occurrence” (IIA, 2009, p. 9). For FERMA, risk management “is the process by which organizations mechanically analyze the risks inherent to their activities, with the aim of achieving a sustained advantage in each individual activity and in all activities” (FERMA, 2002, p. 3).
According to Drogalas (2014), risk management is the tool to be used to reduce business risks. For Ruud (2001) “a disciplined approach to value creation requires an organization to effectively manage all significant and probable risks” (RUUD, 2001 p. 2). Therefore, the risk should be considered at all levels of the organization, i.e. both at the macro and at the micro or departmental level.
For ABNT (ISO 31000:2018), all activities of an organization involve risk. Organizations manage risk through its identification and analysis, and then assess whether or not the risk should be modified by treatment. Risk management is directly related to the organization’s objectives, that is, it represents control over all factors that can affect the achievement of institutional objectives. According to Santos (2009), “the inherent premise of corporate risk management is that every organization exists to generate value for stakeholders.”
2.2 THE MODEL OF THE THREE LINES
The model of the three lines of defense was published in 2013 by the Institute of Internal Auditors (IIA, 2013) as a benchmark of good governance practices for organizations of any size or sector. In 2020 this model underwent an update, being called the “Model of the three lines of the IIA 2020” (IIA, 2020). In this model of the IIA (2020), the first line has roles more related to the delivery of products and/or services in its area of operation, to internal customers. Second-line bodies are responsible for providing expert assistance to the first line, including advice on risk management improvements (IIA, 2020). According to Miranda (2019), the first-line managers are responsible for the risks they face in their respective sectors, and it is up to the second line to supervise and verify the compliance of the first-line managers.
The third line is responsible for evaluating the internal controls of the first two lines, a role that falls to the internal audit. The IIA (2020, p. 3) argues that “the internal audit provides independent and objective evaluation and advice on the adequacy and effectiveness of governance and risk management”. In turn, Barbosa (2020) points out that the internal audit acts with objectivity and independence to improve the entity’s processes, of which risk management is part. In the same vein, Ribeiro (2020c) notes that the internal audit assesses risk management in order to verify that management’s internal controls are, in fact, mitigating the risks according to the appetite of the organization. For the IIA (2009), the internal audit is an independent activity for the evaluation of risk management, and one of its tasks is also to advise on the improvement of processes, without co-management (IIA, 2009).
2.3 THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT
According to Pickett (2005), the internal audit of the past did not contribute, in a preponderant way, to add value to management, acting only after the realization of losses and/or after the management act, sometimes in a policing and/or punitive manner. Another approach to risk-based auditing is the shifting of the focus of the work from internal control analyses to risks.
According to the IIA (2004) “the main role of internal audit in the risk management process is (…) contribute to ensuring that key business risks are being managed appropriately” (IIA, 2004, p. 5) by ensuring that internal controls work effectively. Therefore, the internal audit “should evaluate and contribute to improve risk management, internal controls and governance” (IIA, 2004, p. 5). As the process is put into practice, COSO (2007) also provides for the possibility of evaluating the risk management system to be made by the internal auditor.
We emphasize that the internal audit should not be responsible for risk management, considering that its role is limited only to contributing to the good management of the organization’s resources and work processes. Thus, the independence and objectivity of the Internal Audit are ensured through the fulfillment of an advisory and non-executive role, with the top managers and the respective risk managers being those responsible for the preparation and management of the risk (DELOITTE, 2014).
For Pickett (2005), internal auditing is an independent and objective consulting and assurance activity that is guided by a philosophy of adding value to improve the organization’s operations. According to the IIA (2009), internal auditing provides value to the organization, providing objective assurance that key risks are being managed properly and that the internal controls framework is operating effectively.
Therefore, according to Ribeiro (2019), the new role of internal auditing comes in a context of greater transparency and accountability, in addition to strong instability and uncertainty, in which public or private organizations that better manage the risks associated with their activity will enjoy more competitive advantages than other organizations with less capacity to deal with risk.
2.4 COMPLEMENTARITY BETWEEN INTERNAL AUDIT AND RISK MANAGEMENT
The internal audit and the risk management department have complementary roles, since the internal audit provides an independent assessment of the effectiveness of risk management and the effectiveness of internal controls. For the IIA (2013), internal auditors (within the framework of the third line of defense) provide the organization’s managers with assessments of the effectiveness of risk management governance and internal controls, including how departments and risk managers, as well as advisory boards and bodies (first and second line of defense) act on risk management and internal controls.
In the same sense, the Brazilian Institute of Corporate Governance – IBGC (2015) stresses that the work of the internal audit should be aligned with the organization’s strategy, in accordance with the risk matrix, and it is up to the internal audit to act proactively both in the measurement of compliance with the applicable standards and in the improvement of controls, rules and procedures (IBGC, 2015).
In turn, for Comboios de Portugal (2016), in the context of risk-based management and auditing, risk management and internal audit functions are complementary in the way they address the risk theme and in how they contribute to the objectives of organizations, with internal audit providing management support, with a view to promoting institutional objectives (COMBOIOS DE PORTUGAL, 2016).
The evaluation carried out by the internal audit includes all elements of the risk management and internal control structure, which includes the internal control environment and all elements of the organization’s risk management structure, such as risk identification, risk assessment and response, information and communication, as well as monitoring. This interaction of auditing for the improvement of internal controls contributes to the continuous effectiveness of the internal control system (AICPA, 2005).
As for the process of Risk Management and evaluation of management by the internal audit, when management identifies needs for new internal controls due to the identified risks, the Internal Audit process is directed to the evaluation of the same controls. Therefore, the internal audit provides a support, collaboration and monitoring service of the Risk Management process established by the management of the entity (COMBOIOS DE PORTUGAL, 2016).
According to Pickett (2005), internal audit and risk-based management have complementary roles. Thus, internal auditors have much to contribute to the managers of the entity and in the same way, managers will be able to contribute to the work of the internal audit. According to the same author, internal auditors have more knowledge in internal controls and risk management than managers of the organization. In turn, managers have more knowledge of the business than auditors. Thus, auditors can obtain the knowledge of the business from management and managers can appropriate the techniques and methodologies of risk-based management from contact with auditors, in order to fill the gap between internal audit and entity management (PICKETT, 2005).
Although internal auditors and managers have specific functions within the entity, the internal audit sector, with independence and knowledge of risk-based audit techniques, can contribute to the improvement of management by issuing reports to assist management in its functions and needs (RIBEIRO, 2020b). It should be highlighted that, according to Ribeiro (2019), the audit went from a purely accounting approach to a risk-based approach. The performance of the internal audit can also occur in the role of a counselor or a mentor. This is the most innovative role and the one that adds the most value to the internal audit, being the final result of the risk-based approach (LIMA, 2014).
2.5 RISK MANAGEMENT IN THE RAILWAY SECTOR
In an environment of uncertainty, characteristic of the current stage of our society, it is essential to evaluate the risks to which we are subjected. According to El-Koursi, Mitra and Bearfield (2010), the European Commission has set out a railway policy to encourage the liberalisation of the railway industry in all member states of the European Union, with the railway safety directive as a key part. For Castro (2018), risk increasingly pervades our society, and it is important to minimize vulnerabilities as much as possible. In this sense, Landoll (2006) believes that risk assessment is essential for risk management, and can verify whether existing control processes are effective enough, so that we can understand whether the level of protection available is sufficient.
In the railway sector, a large concentration of people using trains can potentiate risk situations. According to Felgueiras (2015), high levels of passenger concentration are a factor that can trigger risk situations. Therefore, it is necessary to manage the risks that can cause harm to passengers and people in general, considering that for De Viseu (2016), accidents reflect little or no preparation for their possible occurrence, which results from gaps in the determination of the risks associated with rail transport. Moreover, Berrado et al (2010) understand that technological and legislative changes in the European Union can pose new risks in the sector, which may result in an increase in the number of accidents, so that the suggested risk management structure can be integrated into a global safety management system in the rail sector.
Martins (2017) advocates risk analysis and assessment to improve efficiency in railroad operations. According to Nedeliakova et al (2020), continuous improvement is a basic principle for achieving quality in rail passenger transport, so that it is necessary to understand the individual processes related to the risks in each transport company, and can rely on various quality improvement tools, available worldwide, to understand and analyze processes and services. Rato (2013) argues that trust in systems generates several advantages, as in other transport sectors. However, Oliveira (2018) points out that, although technology can be a tool that facilitates the protection of users, it cannot be seen as the only alternative to eliminate all risks, because there must be integration with other techniques, protocols and tools to generate a security system that operates in layers.
The context of risk management involves both the rail system itself and the external context, as well as risks associated with maintenance, spare parts, changes in infrastructure, among others. For Martins (2017),
Risk assessment is a very important tool in the management of railway operations. IP’s risk assessment is based on four key areas:
Risks associated with the provision of maintenance services and supply of materials;
Risks arising from the activities of entities outside the railway system;
Risks arising from the introduction of significant changes to railway infrastructure;
Risks associated with the activities of the infrastructure manager (MARTINS, 2017, p. 46).
To address the risks in the rail sector, risk analysis and prioritization play a key role. According to Martins (2017), these analyses, by identifying vulnerabilities and establishing controls that can increase the levels of security of operations, provide efficient management of operations. Portela (2014) believes that this efficiency implies directing efforts to the most relevant risks, given that it is virtually impossible to address all risks. In order to verify the most relevant risks, Rato (2013, p. 62) used the Pareto diagram, which is used to evaluate the reliability of the systems through statistical analysis. In the same sense, Basu (2004) argues that with the Pareto diagram it is possible to identify the most relevant flaws, understanding, through this principle, that 80% of the consequences are caused by 20% of the causes.
With regard to the consequences of rail risks, the materialisation of risks can have consequences for people, property and the environment, but one of the ways to mitigate these risks is through preventive maintenance. In this regard, De Viseu (2016) points out that the consequences of the materialization of rail risks fall on persons, goods and the environment, and are expressed in terms of bodily harm and material and operational damage, which can be direct and/or indirect. In addition, Rato (2013) argues that preventive maintenance has the advantage of reducing the risk of serious accidents, contributing to the increase in the safety of transport systems and users.
In fact, the knowledge of which risks are most frequent in rail transport is of fundamental importance for the implementation of appropriate controls, especially with regard to traffic monitoring and control systems, maintenance of trains and railway infrastructure, among others. According to De Viseu (2016), the analysis of the risks of rail accidents should consider technical failures, human errors, increased flow of people, technological level, geographic factors, socioeconomic issues, conflicts, and economic and political shocks. According to Martins (2017), traffic monitoring and control are performed in order to reduce risks to users, as well as to reduce the problems that do occur. In addition, Decree-Law No. 151/2014 requires the adoption of a safety management system in order to evaluate existing controls and risks.
With regard to the types of railway accidents, De Viseu (2016) classifies rail accidents as: derailment; obstruction or crossing the road; collision between trains, or between trains and other objects, such as automobiles and buildings; trampling; explosion, fire or electrocution; structural collapse of bridges, tunnels and roads; indirect natural factors, which can trigger the other types. Given the types of events that may occur, for Martins (2017) the management of the railway system should be more rigorous, with the scheduling of maintenance, the use of specific control tools and a good response time, in order to cause the least possible inconvenience, including in coping with unforeseen situations.
In order to promote the development of specific objectives on a consistent basis of argumentation, this article used as a basis a descriptive research, which, according to Silva (2003), is the one that aims to identify the characteristics of the phenomenon under analysis and establish relationships between the variables. Thus, data collection was initially performed through a literature review, with the knowledge of risk management frameworks, such as ISO, COSO, as well as in publications in the area of rail transport, based on research of key words and concepts. To know the perception of the people involved with the risk management and internal audit of the railway transport company under analysis, two (2) in-depth interviews were conducted with the head of the risk management department and with the internal auditor of the company. These interviews, according to Gil (2008), can be used for in-depth theme research in qualitative research.
The interviewees’ discourses were submitted to a content analysis, which, according to Bardin (1977), covers the reading of all material, with the selection of words and sets of words that make sense, followed by the classification of these words or phrases into categories or themes. Thus, the information was treated in a qualitative analysis, which, for Gil (2008, p. 175), is used for experimental research, when “there are no predefined formulas or recipes to guide researchers”. The interviews were conducted in Portugal, at the company’s headquarters to better know its environment, because according to Denzin and Lincoln (2006), this approach focuses on the environment in which the phenomenon occurs, for better understanding. This research, in comparison with the frameworks and literature consulted, allowed the discussion of the results and conclusion about the roles played by the audit and the risk management sector, in the company in question, for the management of safety risks of rail transport users.
4. RESULTS AND DISCUSSION
From the data collection and the analysis of the content of the interviews, we identified the main topics reported, such as: railway safety risks; risk management and internal audit roles; improving risk management and adopting good practices used in other organisations; and alignment of risk management with strategic planning and organizational culture. Thus, we will deal with the interviewees’ reports, in comparison with the authors referenced in this article, according to the following items.
4.1 RAILWAY SAFETY RISKS
Regarding the safety risks in rail transport, both the risk manager and the internal auditor reported that the activity, besides being old, is of crucial importance in the management of the public company itself. For the risk manager, this activity has been done for a long time, taking into account that it is part of the safety concerns of users in the rail sector:
It is, risk management in CP is an already quite old activity, namely in terms of security risk management. That is, traditionally the railway that makes the intensive record of all events is, which has to do with events. yes, in the security area. And based on this, in this record, makes a statistical monitoring of accidents and incidents.
For the internal auditor interviewed, in addition to the concerns about the work done to comply with the legislation, the concern is to assess the safety risks of users. As described by Ribeiro (2020a), risk management plans are accompanied by internal audit, and in the case at hand these risks are those related to the safety of users.
our safety management plan requires the adoption of routines for the evaluation of internal quality audits. There are internal and external audits, there are a number of obligations, so there are audits that are mandatory, mandatory, with principles of renewal, monitoring out there, and there are others that we will check certain types of situations, with a lot of emphasis on what is the part of railway safety. We are looking a lot at the security system, how the equipment is and how the behaviour of the passengers on board the trains is. That is, these issues, we understand that are of capital importance of a railway company, in safety.
The interviewees’ reports about the concern with the safety risks of users in the railroad sector are corroborated by De Viseu (2016), Martins (2017) and Rato (2013), who consider the various risk factors of railway accidents, so that the ignorance of these risks has the consequence of the occurrence of damage to people, property and the environment.
4.2 ROLES OF RISK MANAGEMENT AND INTERNAL AUDIT
The risk manager understands that his work serves as an input for the planning of the internal audit. This report is in accordance with Pickett (2005), who states that auditors will be able to obtain the knowledge they need from management. Thus, the internal audit plan considers the risks with greater probability and impact, and risk management serves as an input for the work of the internal audit, as can be seen from the following excerpt:
The audit since 2000, from 2007, began to take into account the problems that were presented by the bodies. And from 2011 and 2012 the audit plan is made looking at the survey of risk management, among other aspects. In other words, let’s see what is there in the risk management plan, in red, particularly there are more important issues.
The risk manager’s speech is in accordance with Ribeiro (2020a), who reports that internal audit and risk management have complementary roles, so that the planning of the audit considers the risk assessment carried out by the risk management sector. Regarding the focus on the most important risks, Portela (2014) reinforces that it is impossible to cover all risks, and the most relevant ones should be prioritized to optimize efforts. In addition, the interaction of internal audit and managers contributes to the continuous improvement of internal controls (AICPA, 2005).
Therefore, according to the opinion of the manager interviewed, risk management points to the risks with greater probability and impact, being important to meet legal regulations and for the internal audit, which uses these critical risks in its audit plan. Thus, it is perceived that the manager is aware of the roles of the second and third line, so that the internal audit will verify the most critical risks of risk management.
The risks most likely to impact come as input to the annual audit plan. These criteria are an interesting way to validate the audit plan. The public statute requires the realization of the risk management to be done formally, i.e. the public manager cannot, is not exempt from knowing its business risks.
This exchange of information is in agreement with Pickett (2005), because according to the author, internal audit and risk management have complementary roles. For AICPA (2005), this interaction between internal audit and risk management contributes to the improvement of internal controls. In fact, the internal auditor corroborates the manager’s statement that the annual audit plan has as one of its focuses the risk management elaborated by the company’s risk sector, with emphasis on the risks with greater probability and impact:
This annual audit plan is based, on the one hand, on those aspects that we believe are fundamental, but also because of the risks that are described in the risk management plan, looking at those that are the critical risks.
4.3 IMPROVING RISK MANAGEMENT
With regard to the improvement of risk management in the company, both the risk manager and the internal auditor demonstrate that it is necessary to master a set of technical knowledge applicable to the work, such as international standards and good practices adopted in other companies. This understanding is in accordance with Nedeliakova et al (2020), who consider that the use of quality tools for the continuous improvement of rail services is recommended. In turn, Berrado et al (2010) highlight the changes that have occurred in the sector in recent years, both in legislative and technological terms, with risk management as a tool for the safety management of rail transport.
Therefore, the internal auditor highlighted the importance of applying ISO 9001:2015 to understand the work processes within the company. According to him, the internal audit has to focus on a wide range of internal processes.
the audit has to look at the management of the whole, doesn’t it? So that’s what when we’ve been certified by ISO 9001 what we’re saying is that I have, let’s say a management system, meets a set of requirements, works according to a set of requirements, which deal with several areas. Therefore, there are a number of internal factors, of what is a chain of processes for the realization of products and services.
This continuous improvement of internal controls, through the interaction between internal audit and management, is defended by the AICPA (2005), and for Pickett (2005), internal auditors have much to contribute to management. With regard to compliance with good practices adopted in other companies, the risk manager points out that:
Trying to see if someone’s already doing the job somewhere for us to copy, isn’t it? We can copy the best practices others are doing. We have many difficulties because this is inherent in our company. We have a lot of daily work of all nature and we are already here in risk management, which is a tremendous effort.
This need to seek best practices is in line with that advocated by El-Koursi, Mitra and Bearfield (2010), who point out that one of the elements defined by the European Commission for railway policy is the requirement that all railway companies and infrastructure managers in European member states implement a safety management system, and this safety risk management policy should be adopted by all companies operating in the European Union.
4.4 STRATEGIC PLANNING AND CULTURE
The interviewees demonstrated their concern with strategic planning and with elaborating and executing risk management that covers not only operational issues involving the short term, but also the medium and long term. In this way, the participants emphasized the importance of incorporating risk management into the organization’s culture. Thus, the manager reported that “in the background the role of risk management, is to make evident to the organization, what are the problems that can be faced in the short, medium and long term”. For his part, the internal auditor reported that “the risk does not also come from a culture, which is assumed by us that has to do with the transformation of 9001”. The statement of the internal auditor is in line with the IBGC (2015), which stresses that the work of the internal audit should be aligned with the company’s strategy.
Regarding the evolution of the role of internal audit, the risk manager reported that in the “beginnings, therefore, the issue of auditing is very much linked to aspects (…) financial scope, (…). However, all this has been evolving (…)”. These considerations are in agreement with Ribeiro (2019), who points out that the role of auditing has evolved from a compliance verification approach to focus on risk management processes.
For its part, the internal auditor stressed that while the state focuses on the financial issue, internal audit and risk management should focus efforts on passenger safety.
And the internal audit should not focus its efforts on this financial assessment as there are other more important and more sensitive areas, such as security, which involves human lives, workers, equipment and which has several risks.
The participants’ statements are in accordance with the IIA (2013), according to which auditors should provide managers with assessments of the effectiveness of the company’s risk management, including how risk managers act on management. In turn, COSO (2007) also stresses that the risk management system should be assessed by the auditor.
Therefore, the participants’ discourses are aligned with each other and with the referenced authors, with emphasis on the management of passenger safety risks: concern with legal and financial aspects also exists, but emphasis should be placed on the most critical risks, in alignment with best practices, in accordance with strategic planning, and seeking to implement a risk culture in the company.
In view of the above, and given the increase in the number of rail users in large cities and metropolitan regions and the safety risks to users of this mode of transport, companies need to adopt risk management processes or systems to face risks of accidents, environmental risks and risks of terrorist attacks, among others. In view of this reality, the authors consulted and the interviewees’ reports demonstrate the role played by the internal audit and the risk management department in supporting the management of risks to the safety of rail users.
Thus, the literature consulted and the interviewees’ reports show a transformation of the role of internal audit, which went from a mere verification of accounting and financial aspects to a body that verifies the effectiveness of risk management and advises the manager. Both management and the internal audit, the latter in the role of third line, act together in the continuous improvement of risk management and, according to the interviewees’ reports, this role is exercised in the railway company analyzed with regard to the safety risks of users.
Therefore, the interviewees’ discourses regarding the role of risk management and internal audit are aligned with the best practices and the literature consulted: each acts in its respective area of competence to implement, evaluate, monitor and constantly improve the management of the safety risks of rail transport passengers in the Portuguese company analyzed.
ABNT NBR ISO 31000: Gestão de riscos – diretrizes – risk management – guidelines. Rio de Janeiro, 2009.
ABNT NBR ISO 31000: Gestão de riscos – diretrizes – risk management – guidelines. Rio de Janeiro, 2018.
AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS (AICPA), AICPA Committee Handbook for 2005 (2006). AICPA Committees. 211. Available at: https://egrove.olemiss.edu/aicpa_comm/211. Accessed on: 29.01.2021.
BARBOSA, Euro Gama; DANTAS, José Alves; SANTOS, Daniel Novais. Gestão dos Recursos de Tempo de Auditoria: Modelo Matemático de Estimação e de Controle. Revista TCU, v. 145, p. 30, 2020.
BARDIN, L. Análise de conteúdo. Lisboa: Edições 70, 1977.
BERRADO, Abdelaziz et al. A framework for risk management in railway sector: application to road-rail level crossings. Open Transportation Journal, p. 19p, 2010.
DE VISEU, Bombeiros do Distrito. Abordagem Geográfica dos Riscos Associados ao Transporte Ferroviário: os Grandes Acidentes Ferroviários no Mundo e em Portugal. Available at: https://www.riscos.pt/wp-content/uploads/2018/Encontros/XENR/Aprst/XENR_conf_inag.pdf. Accessed on: 14.12.2020.
CASTRO, Madalena Lopes Sardica Velez de et al. Diagnóstico de comportamentos de risco: o metropolitano de Lisboa. 2018. Doctoral thesis. Available at: http://comum.rcaap.pt/bitstream/10400.26/25030/1/Madalena%20Castro.pdf. Accessed on: 14.12.2020.
COMBOIOS DE PORTUGAL. Plano de Gestão de Riscos 2016: Inclui os Riscos de Corrupção e Infrações Conexas. Portugal: Gabinete de auditoria interna, qualidade e ambiente. May 2016. Available at: https://www.cp.pt/StaticFiles/Institucional/1_a_empresa/2_principios_bom_governo/planocorrupcao.pdf. Accessed on: 14.01.2021.
COSO – Committee of Sponsoring Organizations of the Treadway Commission. Gerenciamento de Riscos Corporativos – Estrutura Integrada. 2007. Available at: https://www.coso.org/Documents/COSO-ERM-Executive-Summary-Portuguese.pdf. Accessed on: 10/08/2020.
DELOITTE. The value killers revisited. A risk management study. 2014. Available at: https://www2.deloitte.com/content/dam/Deloitte/br/Documents/audit/ValueKiller.pdf. Accessed on: 15.12.2020.
DENZIN, N. K. e LINCOLN, Y. S. Introdução: a disciplina e a prática da pesquisa qualitativa. 2. ed. Porto Alegre: Artmed, 2006.
DROGALAS, G.; KARAGIORGOS, T.; PAZARSKIS, M.; CHRISTODOULOU, P. Internal auditing as a main tool for efficient risk assessment. Macedonia: Department of Business Administration University of Macedonia. MIBES 2007. Available at: http://mibes.teilar.gr/proceedings/2007/poster/Karagiorgos-Drogalas-Pazarskis-Christodoulou.pdf. Accessed on: 14.12.2020.
EL-KOURSI, E. M.; MITRA, Subhabrata; BEARFIELD, G. Harmonising safety management systems in the European railway sector. Safety Science Monitor, v. 11, n. 2, p. 14p, 2007.
FELGUEIRAS, S. R. C. C. Ação policial face à ação coletiva: Teoria para uma estratégia de policiamento de multidões. Lição inaugural abertura do ano letivo 2015/2016, 2015.
FERMA – Federation of European Risk Management Associations. Norma de gestão de riscos. AIRMIC, ALARM, IRM: 2002, translation copyright FERMA: 2003. Available at: https://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-portuguese-version.pdf. Accessed on: 10/08/2020.
GIL, Antonio Carlos. Métodos e técnicas de pesquisa social. 6. ed. Editora Atlas SA, 2008.
IBCG – Instituto Brasileiro de Governança Corporativa. Código das Melhores Práticas de Governança Corporativa. 5º ed. 2015. Available at: https://edisciplinas.usp.br/pluginfile.php/4382648/mod_resource/content/1/Livro_Codigo_Melhores_Praticas_GC.pdf. Accessed on: 10/08/2020.
IIA – THE INSTITUTE OF INTERNAL AUDITORS. Position statement: The Role of Internal Audit in Enterprise-wide Risk Management. September, 2004. Available at: http://www.iiajapan.com/pdf/data/erm/ERM.pdf. Accessed on: 13.12.2020.
IIA – THE INSTITUTE OF INTERNAL AUDITORS. Position paper: the role of internal auditing in enterprise-wide risk management. January, 2009. Available at: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf. Accessed on: 13.12.2020.
IIA – THE INSTITUTE OF INTERNAL AUDITORS. Declaração de Posicionamento do IIA. As três linhas de defesa no gerenciamento eficaz de riscos e controles. January 2013. The Institute of Internal Auditors. Available at: http://www.iiabrasil.org.br/new/2013/downs/As_tres_linhas_de_defesa_Declaracao_de_Posicionamento2_opt.pdf. Accessed on: 13.12.2020.
INSTITUTO DE AUDITORES INTERNOS. Modelo das três linhas do IIA 2020: uma atualização das três linhas de defesa. 2020. Available at: http://www.iabrasil.org.br/new/2013/downs/As_tres_linhas_de_defesa_Declaracao _de_Posicionamento2.pdf. Accessed on: 28 Dec. 2020.
LANDOLL, Douglas J.; LANDOLL, Douglas. The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press, 2005.
LIMA, L. C. M. de. Controle interno na administração pública: o controle interno na administração pública como um instrumento de accountability. Brasília: Escola da Advocacia Geral da União (AGU), 2012, 72p.
MARTINS, Sara Filipa Grencho. Gestão e controlo de circulação de tráfegos rodoviário e ferroviário. 2017. Doctoral thesis. Instituto Superior de Engenharia de Lisboa. Available at: https://repositorio.ipl.pt/bitstream/10400.21/7171/1/Disserta%c3%a7%c3%a3o.pdf. Accessed on: 14.12.2020.
MIRANDA, Rodrigo Fontenelle de Araújo. Módulo 1-Introdução à gestão de riscos: estruturas de gerenciamento e bases normativas. 2019. Available at: https://repositorio.enap.gov.br/bitstream/1/4088/1/Modulo%201-Estruturas%20de%20Gerenciamento%20e%20Bases.pdf. Accessed on: 29.01.2021.
NEDELIAKOVA, Eva et al. Sustainability of railway undertaking services with lean philosophy in risk management—Case study. Sustainability, v. 12, n. 13, p. 5298, 2020. Available at: https://www.mdpi.com/2071-1050/12/13/5298. Accessed on: 14.12.2020.
OLIVEIRA, J. L. Apontamentos Sobre Segurança nos Transportes Públicos, Apresentação PowerPoint. Lisboa, 2018.
PORTELA, Gerardo. Gerenciamento de Riscos Baseado em Fatores Humanos e Cultura de Seg: Estudo de Caso de Simulação Computacional do Comportamento Humano. Elsevier Brasil, 2014.
PICKETT, K. H. S.; PICKETT, J. M. Auditing for managers: the ultimate risk management tool. TEXTBOOK. March, 2005. Available at: http://www.wiley.com/WileyCDA/WileyTitle/productCd-EHEP000933.html. Accessed on: 13.12.2020.
RATO, João Carlos Mourão. Gestão da manutenção da frota das UQE-S2300. 2013. Doctoral thesis. Faculdade de Ciências e Tecnologia. Available at: https://run.unl.pt/bitstream/10362/10119/1/Rato_2013.pdf. Accessed on: 14.12.2020.
RIBEIRO, Renor Antonio Antunes. O papel da auditoria interna na gestão de riscos em entidades do setor público de Portugal e do Brasil. 2019. Master's dissertation.
RIBEIRO, Renor. Gestão de Riscos no Setor Público: normas e padrões internacionais, análise das legislações nacionais de Portugal e do Brasil e aplicação na base normativa do setor público. 1ª ed. Brasília: Athenas Editora, 2020.
RIBEIRO, Renor. Gestão de Riscos em Organizações Públicas: normas e padrões internacionais utilizados para a gestão de riscos, etapas do processo e análise da base normativa de Portugal e do Brasil. 1ª ed. Lisboa: Edições Exlibris, 2020.
RUUD, T. F.; BODENMANN, J. M. Corporate governance und interne revision: neuorientierung der internen revision, um einen zentralen beitrag zu einer effektiven corporate governance zu leisten. Der Schweizer Treuhänder 6-7/2001, S.521 – 534. Available at: https://www.alexandria.unisg.ch/61949/1/Corporate%20Governance%20und%20Interne%20Revision.pdf. Accessed on: 14.12.2020.
SANTOS, R. F. Gestão de Risco e Controle Interno. 2009. Available at: http://pt.scribd.com/doc/35413699/Gestao-de-Risco-e-Controle-Interno-com-COSO. Accessed on: 17.12.2020.
SILVA, E. L.; MENEZES, E. M. Metodologia da pesquisa e elaboração de dissertação. 4. ed. rev. atual. Florianópolis: UFSC, 2005.
APPENDIX – FOOTNOTE REFERENCE
2. Available at: https://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-portuguese-version.pdf
3. Available at: https://dre.pt/web/guest/pesquisa/-/search/58273537/details/normal?q=+Decreto-Lei+n.%C2%BA151%2F2014
Master in Public Administration at Universidade do Minho – UMINHO (Portugal), MBA in Strategic Management in Public Administration, Specialist in Public Administration at UMINHO, Specialist in Educational Planning, Graduated in Mechanical Engineering from UFC, Graduated in Physics from UECE, Graduated in Music Education from UnB.
Submitted: March, 2021.
Approved: March, 2021.