A risk-based approach to auditing governance processes

One of the significant changes in the draft Global Internal Audit Standards (GIAS) is the removal of these “must” statements.

2110 – Governance

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes.

2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

2120 – Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

I have for a very long time criticized these standards. It is not because these are not very serious potential sources of huge risk to the organization. It is because they should only be included in the audit plan when related risks merit.

While organizations usually die from the head down, is it necessary to audit governance processes every year? Is it necessary to audit every aspect of governance? In fact, very few internal audit functions ever audit the composition, operations, and effectiveness of the board of directors and their…
