Internal Auditing Should Not Fail to Audit Its Own Risk Management Practices

The IIA’s International Standard 2010: Planning, states:

“The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

There are some who believe that this standard has two meanings: (a) the work performed should be prioritized based on the organization’s risks and goals, and (b) in developing its plan, the chief audit executive should understand, assess, and respond to risks to the achievement of internal auditing’s goals and objectives, including the plan.

I believe the International Standards for the Professional Practice of Internal Auditing clearly mean (a), but a well-run internal audit function should perform (b) as well.

Here are some of the risks that might be considered, in no particular order:

  • An incomplete or inaccurate risk assessment.
  • A failure to update the risk assessment as the business changes.
  • Auditees withholding information or providing deceptive information.
  • Poor performance by the auditor.
  • Poor supervision by audit management.
  • Poor reputation due to poor audit services.
  • Inappropriate intervention by management.
  • Lack of appropriate support by the audit committee.
  • An inadequate audit committee or board (e.g., one that directed internal auditing not to review specific areas).
  • Failure to complete planned projects.
  • Ineffective reporting and communication to management and the audit committee.
  • Inadequate resources.
  • Insufficiently competent resources.
  • Inadequate systems and processes.
  • Failure to satisfy any regulatory requirements, or requirements of the external auditor who places reliance on internal auditing.
  • Management failure to complete remediation as intended.
  • Inadequate decision-making in planning or budgeting of the audit process.

How many internal audit departments perform this kind of risk assessment in a formal fashion and take action where necessary? How many would pass an audit of their risk management practices?

I welcome your comments.

Posted on Mar 18, 2009 by Norman Marks

  1. Good list Mark and helpful.  I would add that an informal/formal QA is a natural companion to this effort and adds its own structure to assist the CAE.  I suspect some QA's undertaken today have more of a functional perspective (example, quality of working papers) and fail to tie that to the associated risks of information integrity and sufficiency of supporting documentation.

  1. Excellent list, Norman.  Very comprehensive.  I agree with John's suggestion to add a QA process.  I assume you include "inadequate training" in "insufficiently competent resources".  If not, I would include it in the list as a separate item.

  1. Along these same lines, it seems that a significant portion of some audit risk assessments is based on the kinds of quantitative measures that are listed in the professional standards.  Norm's list goes beyond those quantitative measures into more qualitative issues that affect risk assessment.  A September 2008 whitepaper by Paisley raises some very specific concerns about traditional approaches to audit risk assessment.  I don't have the url for the whitepaper, but the title is "Risk Rating the Audit Universe".  It should be easy to find on the Paisley web site.

  1. Good list Norman and glad to see your usual leadership role in such activities. I really appreciate it. One point on the listing in the second bullet. The risk assessment should be updated whether the business changes or does not change and ideally it should be updated before the actual changes have occurred so that internal audit can make maximum contributions as necessary. The events impacting a business are both external and internal which result in various risks. Most internal audit functions that I know of get there after the fact and not before. It is being tuned into the entire ERM system in play.

    Arnold Schanfield


  1. As I have found one of the unique featured post about why everyone really wants it. It's really one of the knowledgeable contents for me. Thanks for sharing some of exclusive contents in the same source.
