Why internal audit only needs one risk assessment process


Both the current IIA Standards and the draft update have two risk assessments.

The first is during the annual audit planning process (which is updated as needed). A list of auditable entities, an “audit universe”, is developed, and the entities are prioritized based on risk (perhaps also on the value of an audit). The higher “risk” entities are then included in the audit plan.

2010 – Planning (current standard)

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

X

Standard 9.5 Internal Audit Plan (draft update)

Requirements

The chief audit executive must develop an internal audit plan that supports the achievement of the organization’s objectives.

The chief audit executive must base the internal audit plan on a documented assessment of the organization’s strategies, objectives, and risks. This assessment must be informed by input from senior management and the board as well as an understanding of the organization’s governance, risk management, and control processes. The assessment must be performed at least annually.

Note: the update has removed the requirement that the plan be risk-based.

X

The second is at the engagement level.

2200 – Engagement Planning (current standard)

Internal auditors…
