Internal Audit Role Expanding Further into Risk Areas

With more companies focusing on enterprise risk management and strategic risk, the role of internal auditors is being expanded to include risk identification and risk management, a study by the Institute of Internal Auditors (IIA) and Protiviti has found.

According to Relationships and Risk, Insights from Stakeholders in North America, the top three areas where respondents wish to expand the role of internal audit involve identifying and managing risk. Of 433 North American stakeholders surveyed, 85% said they want internal audit involved in identifying known and emerging risk areas; 78% would like to see internal audit facilitating and monitoring effective risk management practices by operational management; and 78% want audit to identify appropriate risk management frameworks, practices and processes.

The survey also found that 58% of stakeholders believe internal audit should be more active in assessing strategic risk.

When asked to choose the best avenues for internal audit to improve its role in responding to the organization’s strategic risks, stakeholders said:

  • Internal audit should focus on strategic risks as well as operational, financial, and compliance risks during audit projects.
  • Internal audit should periodically evaluate and communicate key risks to the board and executive management.

The report concluded that chief audit executives (CAEs) should consider methods to meet and surpass the needs and expectations of their stakeholders, including:

  • Focusing on risk activities—risk identification and management—when performing advisory services.
  • Demonstrating an understanding of strategic risks in all audit work. Educating stakeholders on ways you can give attention to nontraditional strategic risks.
  • Building soft skills. Communication and relationship building are needed to set priorities when there are competing expectations.

Similar Posts:

3 thoughts on “Internal Audit Role Expanding Further into Risk Areas

  1. Totally agree as long as the independence of the auditor is maintained

  2. Totally agree. However, care should be taken while evaluating risk is that of window dressing.

  3. It is essential that internal audit understand the the risk method/s used within their organisation. It is also essential that the audit program in based on testing the health of controls contained in a risk register.

    One issue I face every day is the balance between the internal risk method adopted for strategic department risks vs the risk method I need to apply (mandatory) under the Australian Standards and State Legislation for the life cycle management of an asset base. From an engineering (and my) perspective it is important that the auditor has key knowledge in enginerring principles and/or asset management experience (or at least esposure to) the systems and processes applied to the assets.

Leave a Reply

Your email address will not be published. Required fields are marked *