Abstract:
The role of internal auditing in helping to mitigate the key risks threatening organisations has increased,
not only in ensuring that engagements are performed more effectively and efficiently and that all the
key risks of organisations are addressed, but also in ensuring that scarce internal audit resources are used optimally.
This article describes the development of a model that can be used by internal auditors to perform this task. The
model was developed from a study of the academic literature, current business practice norms, and other
documentation, whereafter it was tested in a practical scenario, and input from heads of internal audit departments
in prominent South African organisations was obtained. The findings of the study, inter alia, support the use of the
model. However, a concern is that the risk management strategy currently implemented by organisations is not
mature enough for internal auditing to rely on the outcome of the risk management process, a prerequisite for the
model to function optimally. A second concern is that internal auditing is reluctant to use a pure risk-based
approach when performing audit engagements and still prefers to use a control-based approach with more
emphasis placed on high-risk areas.