Practice Guide: Auditing Conduct Risk
Guidance | August 15, 2020
Copyright Notice All content is protected by international copyright laws. You may reference or quote small portions of this document with proper attribution to The IIA, but unauthorized reproduction, distribution, or use beyond that, other than for your own personal use, is strictly prohibited and may constitute a violation of copyright law, resulting in civil and criminal penalties. Contact copyright@theiia.org for permission to use our materials.
The issue of conduct is not easily separated from an organization’s culture; rather, it is a distinct segment of culture as a whole.
Internal auditors can add value by assessing and reporting on their organization’s conduct risk management. The internal audit activity can help drive strong internal control risk management frameworks (including conduct risk) that align with stakeholder expectations, supporting boards, audit committees, and executive management in their oversight roles.
This guidance* will enable internal auditors to understand:
- The business significance of conduct risk in an organization’s control environment.
- The key components of conduct risk.
- Key stakeholder (including regulator) concerns and expectations related to conduct risk.
- Internal audit’s role in assessing and reporting on organizational culture and management of conduct risk.
- An approach to assess and report on an organization’s culture and management of conduct risk.