I am not talking about the risk assessment that drives the audit plan. I am talking about the risk that the internal audit function will not achieve its objectives!
The external audit profession has standards that require that they identify and assess the risk of an incorrect opinion on the financial statements or the system of internal control over financial reporting. (In the U.S., these are standards established by the Public Company Accounting Oversight Board. In 2010, they released Auditing Standards 8 through 15 on the issue.)
The question is whether the CAE performs a risk assessment that identifies, assesses, and then treats risks to the efficient and effective delivery of quality internal audit services to the board and other stakeholders.
I'm not an expert on The IIA's quality assurance program, but I don't see any reference in The IIA's International Standards for the Professional Practice of Internal Auditing that requires such a risk assessment.
I see a lot of objectives and mandates, but I don't see where the CAE is expected to identify, assess, and then treat risks to them.
As CAE, I would certainly consider risks such as:
- The possibility that the audit risk assessment is incomplete or inaccurate, leading to the "wrong" audit plan.
- Audit staffing (including both quality and quantity) is insufficient to deliver quality results on every engagement.
- The board, audit committee, and management fail to understand those results and their implications for the governance and management of the organization (such as the need to change strategies).
- Audit communications fail to provide the information our stakeholders need, when they need it, in actionable form.
- Expectations from the board, audit committee, and management limit, due to their lack of knowledge, the services performed and the value delivered by internal audit.
- Changes in the business are not identified promptly so that the audit plan can be updated.
Does your CAE perform such a risk assessment? How confident are you in it?
I welcome your comments.
Please join the conversation by subscribing to this post — see below.