This last week, I attended a presentation by Ranjit Singh at the annual conference in Singapore. He did a good job of explaining that internal audit needs to move from auditing risks in a business process or at a location (i.e., what matters to the operating management responsible for those areas) to auditing risks that matter to the organization as a whole.
Ranjit made the fine point that internal audit doesn't actually audit the risks; we audit the controls that provide reasonable assurance that risks are at acceptable levels. (I should add that the risk management processes for identifying, assessing, and evaluating the risks should be considered as controls for this purpose.)
He also pointed out that we need to understand what those controls are and then determine how we should go about auditing them, and that will include considering how important each control is to managing the risk as well as our assessment of the risk that the control does not operate as intended (what we sometimes call 'control risk').
It's not always easy to identify all the controls relied upon to manage a business risk. They may be in multiple locations and business processes (including IT), and may operate at different levels of the organization (corporate, division, location, etc.).
I would like to recommend two pieces of IIA guidance on how to identify the controls relied upon to manage a business risk:
By the way, the world of internal auditing is moving away from the traditional concept of an 'audit universe', which identifies the locations and processes that may be audited, to a 'risk universe'. The latter identifies, and is then used to prioritize, the risks that matter to an organization.
Why is this important? Because our role as internal auditors is to provide assurance over the management of risks to organizational objectives; it is not to provide assurance over individual audit entities.
I welcome your comments.