The use of risk management principles in planning an internal audit engagement

Abstract

With the current growth in awareness of the value of internal audit services, the increased demand from various stakeholders, and the scarcity of competent internal auditors, the profession needs a new mindset, particularly in respect of the execution of internal audit activities. Although risk-based internal auditing is a fairly new concept, its implementation could assist internal auditors to audit 'smarter', that is, more effectively and efficiently. However, it is unclear whether the current concept of a risk-based internal audit engagement is in line with modern business practices, such as enterprise-wide risk management principles. Furthermore, it is also uncertain whether internal auditors share a single set of risk management principles and concepts, and how (or even if) these should be included in the internal audit engagement. This article explores the common understanding of what the planning phase of a risk-based internal audit engagement should entail when based on risk management principles, and identifies the organisational elements that should be in place that would make it easier for internal auditors to implement such a risk-driven approach when conducting engagements. The research methodology involved a literature review and structured interviews with chief audit executives of risk-mature organisations. The findings support the existence of uncertainty among chief audit executives regarding the use of risk management principles when performing risk-based internal audit engagements. Chief audit executives also appeared uncertain how to apply these principles to the planning and execution of internal audit engagements. Gaps and shortcomings identified by the research should be addressed by the Institute of Internal Auditors through developing more comprehensive guidance for their members.