There are three primary times when the internal auditor needs to consider risks to enterprise objectives.
The first is in assessing management’s processes for identifying, evaluating, assessing, and then addressing individual and aggregate risk to enterprise objectives. (This must be a continuing and not static activity in these dynamic times.) In other words, this is when internal audit assesses the effectiveness of the enterprise risk management program (ERM) or pieces of it (such as risk arising from manufacturing, supply chain and procurement, sales, safety, compliance, financial activities and reporting, human resources, the external context or environment, information security and cyber, and so on).
Then there is the development and maintenance of the (continuously updated) audit plan: which (actual or potential) sources of risk should be included in the scope of which audits.
Finally, the internal auditor needs to consider risks to enterprise objectives arising from a deficiency in internal controls (either in their design or operation) identified in an audit. How significant is it, should it be reported to the board and top management, and how important is it that it is addressed promptly?
In each of these, the auditor needs a yardstick or other way to make an evaluation.
Assessing the management of…