6

DEVELOPING AN AUDIT APPROACH

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

IIA Standard 2300

INTRODUCTION

We have used various models to describe risk management and the emerging ERM frameworks that are starting to appear across all types of organizations. We have also considered topics such as risk appetite and the risk cycle. We now turn to the all-important matter of auditing the risk management process, or at least determining approaches to this task. The nature of audit work is clearly spelled out in auditing standards:

The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.1

In defining how auditors add value to their organizations, we can turn to experienced practitioners for advice. One author argues that internal auditing adds value to the risk management environment by performing the following functions:2

  • Reviewing risk management processes and internal control systems across the organization
  • Identifying business risks and assessing internal controls designed to mitigate those risks in terms of reliability, integrity, compliance, protection, efficiency, and effectiveness
  • Educating the organization with respect to the development and use of cost-efficient risk management processes, and the promotion of best practices through internal auditing's role as a change agent ...
