The traditional approach to building the audit plan, consistent with what is described in PwC’s new paper Maximizing Internal Audit is to identify the higher risks to the organization (including strategic, operational, as well as financial and reporting risks). The CAE then develops a plan to audit as many of those as he can given scarcity of resources and technical skills, etc.

 In my last blog, I promised a look at the elements of governance - a logical next step. Back in December 2007, in the "Governance Perspectives" column of Internal Auditor magazine, I wrote about auditing governance. The article included a sidebar that showed where I see the primary governance activities occurring. Today, I want to review that and go a little deeper. I will use a definition of governance as including the activities of the board and its committees, plus those of the internal audit function and an ethics/compliance officer.

I have been blogging about GRC (in my personal blog), and it has been interesting to see how many views there are on what governance, risk management, and compliance (GRC) is all about. If you are on LinkedIn, you can see 65 comments on the topic (referencing my blog above) in the "Governance, Risk, and Compliance Management" discussion group.

Not only have there been many different views on what GRC is, but there are different views on what the "G" stands for. The IIA developed a position paper, based on work by the IIA-UK, titled Organizational Governance: Guidance for Internal Auditors. In it, they said: “There is no single, comprehensive, universally accepted definition of organizational governance.” How can auditors assess governance processes and practices, with related controls, when the term governance is not defined? If we look at some authoritative sources, we can work this out.

For the last month or two, I have been working on an IIA Practice Advisory on how to define which controls to include in the scope of an audit (hopefully, to be issued in early 2010). It is based on the popular Guide to the Assessment of IT Risk (GAIT) methodology (available to members here).

Tim Leech and I have been sharing our own perspectives on this question and would like your views.