Risk based internal auditing
Internal auditing is fundamentally about internal controls. What are internal controls? They are processes which aim to prevent harm, sometimes called risks. If you need to cross a road, you look left and right to avoid being hit by a car. Risks exist because we have objectives, in this case, to cross a road. But since we have objectives, we also have opportunities to achieve them. If we see a subway we can seize the opportunity and cross under the road safely.
So turning that all round:
There are two types of process that are relevant to internal auditing:
Internal auditing checks that these processes are working to enable the achievement of objectives.
An internal audit department provides an opinion as to whether an organization is likely to achieve its objectives based on the management of opportunities and risks. In other words, do the decisions being made and the internal controls operating maximize the likelihood that objectives will be achieved?
Internal auditing used to be primarily concerned with financial systems and, possibly, computer controls. The term 'risk based internal auditing' is applied to audits decided on the basis of risks, and the books available from this website use this methodology.
The aim of this website, and the books and spreadsheets available from it, is to provide practical ideas on implementing internal auditing focused on the achievement of objectives. These ideas are not meant to represent ‘best practice’ but to be thought provoking.
There are four books with associated spreadsheets:
1. Book 1: Risk based internal auditing -
2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it.
3. Book 3: Three views on implementation. Looks at the implementation of risk based internal auditing from three points-
4. Book 4: Audit Manual. This shows the audit working papers from an accounts payable audit and therefore provides a detailed account of how a risk based audit is carried out in practice.
If you are interested in Specifying, Choosing and Implementing Computer Systems, check out my website at www.systemsimplementation.co.uk
To provide practical ideas as to how to implement risk based internal auditing. It’s based on my 30 years’ experience of accounting systems, about half of these being in the internal audit department of a UK company (£5bn turnover), where I was the Group Head of Internal Audit (Chief Audit Executive).
Internal auditing provides an independent and rational opinion to an organization as to whether it is likely to achieve its objectives, based on the management of opportunities and risks.
My comments to the IIA on their draft of Global Internal Audit Standards are here