Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

IIA Standard 1130.A1


We need to be clear about the audit role in risk management, and this is not as straightforward as it appears. There are various different interpretations of the audit role. Both internal and external audits have the potential to make a fundamental impact on the success or otherwise on the efforts of an organization to get risk management in place and running. This input is further explained:

Internal auditing is an organizational function, established by top management to monitor the organization's risk management and control processes. By review of the critical control systems and risk management processes, the internal auditor can provide important assistance to organizational management.1

In practice, audit roles may include:

  • Being a risk champion
  • Offering education and guidance
  • Providing formal recommendations that promote risk-based controls
  • Being a center of research and best practice
  • Coordinating risk management efforts across the organization
  • Providing objective assurances on the state of risk management
  • Regularly disclosing operational risk levels during and after specific audits
  • Driving a change program that ...

Get Auditing the Risk Management Process now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.