When GIAS leads you to perform the wrong audits


I have been saying for many years, well before the IIA started the process that resulted in the Global Internal Audit Standards (GIAS), that the Standards are not enterprise risk-based – and they should be.

Let me remind you what they mandate, and then explain, with a couple of real-life examples, how GIAS will get you to perform the wrong audit.

This is fine; please note my highlights:

Standard 9.4: Internal Audit Plan

Requirements: The chief audit executive must create an internal audit plan that supports the achievement of the organization’s objectives.

The chief audit executive must base the internal audit plan on a documented assessment of the organization’s strategies, objectives, and risks. This assessment must be informed by input from the board and senior management as well as the chief audit executive’s understanding of the organization’s governance, risk management, and control processes. The assessment must be performed at least annually.

But then there is this:

Standard 13.2: Engagement Risk Assessment

Requirements: Internal auditors must develop an understanding of the activity under review to assess the relevant risks. For advisory services, a formal, documented risk assessment may not be necessary, depending on the agreement with relevant stakeholders.

To…
