The statement is correct. Risk management and independent auditing are fundamentally different functions, although they are related within a corporate governance framework.

Risk Management is a proactive and continuous management process. Its primary purpose is to identify, analyze, evaluate, and treat potential risks that could hinder the achievement of an organization's objectives. It is an integral part of strategic planning and operational management, owned by the management of the organization.

Independent Auditing is a retrospective, objective, and systematic examination process. Its purpose is to provide independent assurance that an organization's risk management, governance, and internal control processes are operating effectively and in compliance with policies, standards, and regulations. Audits are performed by individuals or teams (internal or external auditors) who are independent of the operations they are auditing.

An audit may evaluate the effectiveness of the risk management process, but it is not the risk management process itself.

Stating that the proposition is "False" would incorrectly equate the two distinct disciplines. This would merge a core, ongoing management responsibility (risk management) with a separate, periodic assurance and verification activity (auditing). The independence of the audit function is critical to its value, a characteristic not inherent in the day-to-day management of risk.

1. ISO 31000:2018, Risk management — Guidelines: This international standard defines risk management as "coordinated activities to direct and control an organization with regard to risk." The standard outlines a framework and process that is integrated throughout the organization's management and decision-making. It does not describe this process as an independent audit. (Reference: ISO 31000:2018, Clause 4: Principles, Clause 5: Framework, and Clause 6: Process).

2. The Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards): The IIA, a globally recognized standard-setting body for the profession, clearly distinguishes the roles. Standard 2120 states, "The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes." This positions the audit function as an evaluator of risk management, not the executor of it. The standard emphasizes that "The internal audit activity must be independent, and internal auditors must be objective in performing their work." (Reference: IIA Standards, Standard 1100 – Independence and Objectivity; Standard 2120 – Risk Management).

3. COSO, Enterprise Risk Management—Integrating with Strategy and Performance: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is a foundational model for enterprise risk management (ERM). It defines ERM as "The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value." This framework is designed for management to implement. The audit function then provides assurance over the implementation and effectiveness of this framework. (Reference: COSO, Enterprise Risk Management—Integrating with Strategy and Performance, 2017, Executive Summary, p. iii).