Risk based internal auditing
Let’s go back to basics:
So if you want to be sure that your organization achieves its objectives, you have to check all the controls aiming to reduce all the risks which threaten the achievement of those objectives. Which internal auditing aims to do. The term Risk based internal auditing arose from the need to distinguish internal auditing in this widest sense from ‘traditional’ internal auditing:
So risk based internal auditing is identical to the internal auditing expected by modern standards, that is involving all the risks threatening all the organization’s objectives. I believe therefore that we should not concentrate on implementing risked based internal auditing but on expanding the narrow interpretation of internal auditing. Ideally we should forget the term risk based internal auditing and make internal auditing what it should be. However, to avoid confusion, I will continue using risk based internal auditing on the website and books but think of it as internal auditing with the boundaries pushed out. Let’s sum this up in the slogan:
Risk based internal auditing: pushing out the boundaries
The aim of this website, and the books and spreadsheets available from it, is to push out the boundaries of internal auditing by providing practical ideas on implementing (risk based) internal auditing. These ideas are not meant to represent ‘best practice’ but to be thought provoking.
There are four books with associated spreadsheets
1. Book 1: Risk based internal auditing -
2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it.
Links to books and other resources
If you have any comments, please e-
(My submission to the IIA on the proposed enhancements to the IPPF are here)