Understanding Risk-based Internal Auditing


This last week, I attended a presentation by Ranjit Singh at the annual conference in Singapore. He did a good job of explaining that internal audit needs to move from auditing risks in a business process or at a location (i.e., what matters to the operating management responsible for those areas) to auditing the risks that matter to the organization as a whole.

Ranjit made the fine point that internal audit doesn't actually audit the risks; we audit the controls that provide reasonable assurance that risks are at acceptable levels. (I should add that the risk management processes for identifying, assessing, and evaluating the risks should be considered as controls for this purpose.)

He also pointed out that we need to understand what those controls are and then determine how we should go about auditing them, and that will include considering how important each control is to managing the risk as well as our assessment of the risk that the control does not operate as intended (what we sometimes call 'control risk').

It's not always easy to identify all the controls relied upon to manage a business risk. They may be in multiple locations and business processes (including IT), and may operate at different levels of the organization (corporate, division, location, etc.).

I would like to recommend two pieces of IIA guidance on how to identify the controls relied upon to manage a business risk:

By the way, the world of internal auditing is moving away from the traditional concept of an 'audit universe', which identifies locations and processes that may be audited, to a 'risk universe'. The latter identifies and then is used to prioritize the risks that matter to an organization.

Why is this important? Because our role as internal auditors is to provide assurance over the management of risks to organizational objectives; it is not to provide assurance over individual audit entities.

I welcome your comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.