The formal IIA definition of internal auditing is repeated here as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
We need to understand risk and we need to appreciate the importance of risk management to an organization. Good corporate governance codes require the board to install a system of risk management and tell their shareholders about this system. This chapter addresses the concept of risk. We consider some of the material that has been written about risk and introduce a risk model that is developed throughout the chapter to illustrate how risk management works. We touch on important aspects of the risk management system relating to risk policies and tools such as enterprise-wide risk management and control self-assessment. The breakthrough by most larger organizations in utilizing business risk management across all aspects of the business has impacted the internal auditor's work and an important account of this move into a new phase of internal auditing was provided in 1998 by David McNamee and Georges Selim, who defined three stages in the development of internal auditing:
1. counting and observing;
2. systems of internal control;