The IIA's International Standard 2010: Planning, states:
"The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."
There are some who believe that this standard has two meanings: (a) the work performed should be prioritized based on the organization's risks and goals, and (b) in developing its plan, the chief audit executive should understand, assess, and respond to risks to the achievement of internal auditing's goals and objectives, including the plan.
I believe the International Standards for the Professional Practice of Internal Auditing clearly mean (a), but a well-run internal audit function should perform (b) as well.
Here are some of the risks that might be considered, in no particular order:
- An incomplete or inaccurate risk assessment.
- A failure to update the risk assessment as the business changes.
- Auditees withholding information or providing deceptive information.
- Poor performance by the auditor.
- Poor supervision by audit management.
- Poor reputation due to poor audit services.
- Inappropriate intervention by management.
- Lack of appropriate support by the audit committee.
- An inadequate audit committee or board (e.g., one that directed internal auditing not to review specific areas).
- Failure to complete planned projects.
- Ineffective reporting and communication to management and the audit committee.
- Inadequate resources.
- Insufficiently competent resources.
- Inadequate systems and processes.
- Failure to satisfy any regulatory requirements, or requirements of the external auditor who places reliance on internal auditing.
- Management failure to complete remediation as intended.
- Inadequate decision-making in planning or budgeting of the audit process.
How many internal audit departments perform this kind of risk assessment in a formal fashion and take action where necessary? How many would pass an audit of their risk management practices?
I welcome your comments.