Should internal audit perform a risk assessment?

This is a simple question that has many non-simple aspects.

I am not going to deal today with the issue of whether internal audit should be performing a risk assessment when there is a perfectly adequate risk assessment made by management. I have shared my view before that internal audit should (after auditing management’s processes) rely on management’s work as much as possible. However, even when it is excellent, more needs to be done to determine what engagements to perform, as explained in Auditing that Matters.

I am also not going to deal today with the word “a” in the question. I have shared in this blog and in that book why any assessment has to be continuous. It is refreshing that the majority are moving away from relying on the obsolete annual assessment process, instead updating the assessment and the audit plan quarterly or (in a growing number of cases) monthly. But it needs to be continuous. Auditing at the speed of risk (or of the business, if you prefer that term) means updating your plans at that speed as well. Otherwise, you are likely to audit what used to matter, not what matters today or tomorrow.

Today, I want to talk about the four-letter word ‘risk’ in the question.

For most people the four-letter word refers either to events that might happen with an adverse effect on…
