Keeping with today’s theme “internal auditors are not risk managers”, here’s something I quite enjoyed, courtesy of a report from Marsh in New Zealand called The 2008 State Sector Risk Management Practices Report. On page 17 it reads:
Internal Auditors play an important role in evaluating the risk management processes of an organisation and advocating their continued improvement.
However, to preserve its organisational independence and objective judgement, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function.
Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects – not to identify, prioritise, and manage risks directly for the enterprise.