Recently, I have shared a number of related posts on risk-based internal auditing (RBIA) that received a lot of attention:
One of the comments was by a CAE, Paul Hicks (thank you), who said that he had been practicing risk-based internal auditing for 15-20 years, ever since it came out. He was referring to a 2003 Position Paper on Risk Based Internal Auditing from what is now the Chartered Institute of Internal Auditors (UK and Ireland). Unfortunately, it is no longer available on the Institute’s website, so I have made my copy available here: https://app.box.com/s/5mjlzotbcqoejup5ffyk9oga5ht8teli.
The Position Paper did not invent risk-based internal auditing. I recall discussing it 30 years ago with practitioner, teacher, and author David McNamee – as discussed in a post of mine for the IIA in 2003: Explaining Modern Risk-Based Auditing.
This old Position Paper has some excellent content that is worth reading, including (with my emphasis):
The objective of RBIA is to provide independent assurance to the board that:
- The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
- These risk management processes are of sound design.
- The responses…