Is risk-based internal auditing a myth?

Are internal auditors fooling themselves when they say they are using a risk-based approach?

My good friend and esteemed[1] risk management practitioner and thought leader, Alexei Sidorenko, challenged me to disagree and comment on one of his latest posts: Creating a risk-based audit plan, is it a myth?

Have a look at what he wrote and then come back to my comments.

You might be interested in a debate Alex and I had on ERM, integrating risk assessment into decision-making and success management.

Alex is correct with several of his observations, including several criticisms of the IIA’s May 2020 practice guide (PG), Developing a Risk-Based Internal Audit Plan.

He quotes the second part (italicized for convenience) of this section of guidance (recommended, not mandatory guidance):

Organizations that have implemented ERM may have created a comprehensive risk register (also known as a risk inventory or risk universe). Internal auditors may use management’s information as one input into internal audit’s organizationwide risk assessment. However, in alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected…
