Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

The Internal Audit Risk Assessment


I am not talking about the risk assessment that drives the audit plan. I am talking about the risk that the internal audit function will not achieve its objectives!

The external audit profession has standards that require that they identify and assess the risk of an incorrect opinion on the financial statements or the system of internal control over financial reporting. (In the U.S., these are standards established by the Public Company Accounting Oversight Board. In 2010, they released Auditing Standards 8 through 15 on the issue.)

The question is whether the CAE performs a risk assessment that identifies, assesses, and then treats risks to the efficient and effective delivery of quality internal audit services to the board and other stakeholders.

I'm not an expert on The IIA's quality assurance program, but I don't see any reference in The IIA's International Standards for the Professional Practice of Internal Auditing that requires such a risk assessment.

I see a lot of objectives and mandates, but I don't see where the CAE is expected to identify, assess, and then treat risks to them.

As CAE, I would certainly consider risks such as:

  • The possibility that the audit risk assessment is incomplete or inaccurate, leading to the "wrong" audit plan.
  • Audit staffing (including both quality and quantity) is insufficient to deliver quality results on every engagement.
  • The board, audit committee, and management fail to understand those results and their implications for the governance and management of the organization (such as the need to change strategies).
  • Audit communications fail to provide the information our stakeholders need, when they need it, in actionable form.
  • Expectations from the board, audit committee, and management, shaped by their lack of knowledge, limit the services performed and the value delivered by internal audit.
  • Changes in the business are not identified promptly so that the audit plan can be updated.

Does your CAE perform such a risk assessment? How confident are you in it?

I welcome your comments.
