Internal audit should have a plan for the work it will do, and by now we all know that audit plan should be continuously updated. It should be designed to address the more significant risks to the enterprise and its success.
XX
Management should have an enterprise risk management program that helps them identify and anticipate all the things that might happen (both risks and opportunities) that might affect the achievement of its objectives, its success. That information enables them to make the necessary informed and intelligent tactical and strategic decisions.
XX
There is synergy, but it is not 100%.
XX
Internal audit should try to take advantage of the work management and the CRO have done. But first it must audit their ERM program to ensure it is reliable.
Assuming it is reliable (meeting the needs of the organization, not just a compliance activity), it should provide the audit team with valuable information about management’s view of threats and opportunities.
XX
The audit team doesn’t simply take those same top risks and opportunities and slot related audits into the audit plan. It has to do at least these two things:
- Determine whether any assurance, advice, and insight from internal audit on those top risks and opportunities would be of value to top management and the board. Would there be a…
