That is not an exaggeration.
I have spoken to multiple IIA leaders for more than a decade, including a series of chairs of the IIA’s Standards Committee, about the need to update guidance on internal audit’s risk assessment and audit plan.
This month, the IIA published a new Practice Guide: Developing a Risk-based Internal Audit Plan. Practice Guides (PG) are recommended guidance but not mandatory.
I was excited!
I became even more so when I saw that they had taken up a number of issues I had been speaking about (along with many others) for years.
Here are some of the shining lights in the PG (with my highlights):
- In today’s business environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks.
- To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
- Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
- While the annual risk assessment is the minimum…