When an internal audit consultant goes seriously wrong


In a recent post, I criticized Protiviti’s Brian Christensen for saying that internal audit should monitor risks. I said that was management’s job, not internal audit’s. If management is not doing that job, there’s a serious problem that internal audit should be reporting to the board. Brian replied, correctly and appropriately, that he agreed with me; internal audit should assess management’s processes for identifying and assessing risks and, if they are adequate, use them as the basis for developing the audit plan; if they are not adequate, that should be reported but internal audit still needs to do the work necessary to ensure the audit plan addresses the more significant risks to enterprise success – see also my recent post where I shared a 2003 Position Paper from the (UK) IIA.

I accept and agree with Brian’s explanation.

But I cannot accept another piece of (mis)guidance from Protiviti.

“Risk Awareness and Analytical Insight: Driving Audit Into the Future” was written by two of the firm’s leaders in healthcare auditing.

It starts with a disturbing comment. Despite recent IIA surveys showing that an increasing number of IA functions are updating their audit plan on a more frequent basis, Protiviti says (my emphasis):

When it comes to risk awareness, the status quo for the past several years has…
