My congratulations to IIA Australia for their recent White Paper, ‘Managing Internal Audit Function Risks’. I thank Ehab Saif for sharing it on LinkedIn.
As the paper says:
ISO 31000 ‘Risk management – Guidelines’ defines Risk as the “effect of uncertainty on objectives”. Like organisations, Internal Audit Functions also have objectives impacted by uncertainty. However, Internal Audit Functions spend most, if not all, their time looking at their organisation’s governance, risk management and control processes. But how often do Internal Audit Functions look internally at their own function to assess if their key risks and controls are being managed effectively?
The paper has a long list of sources of risk to internal audit’s effectiveness, the achievement of its mission and objectives.
Nearly a year ago, I wrote a blog post, ‘Do practitioners practice what they preach?’ I said:
As practitioners, we talk about understanding and incorporating risk (including opportunities) into management practices, both strategic and tactical.
But do we practice what we preach?
Let me take three different groups:
- Risk officers (which would include safety, InfoSec and cyber risk practitioners, and so on)
- Internal auditors
- Board members
In the section on internal auditors, I wrote:
Internal Auditors
These…