Standard 2100 is one such injunction – “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”
What are these processes that internal auditing has to evaluate and contribute to the improvement of?
The best way to describe them is with reference to the components of the COSO Internal Control (IC) and Enterprise Risk Management (ERM) frameworks.
The COSO framework models correlate with the IIA’s governance, risk management and control processes as follows:
| IIA Scope of internal auditing | COSO IC-IF Components | COSO ERM-IF Components |
| --- | --- | --- |
| Governance Processes | Control Environment | Internal Environment |
| Risk Management Processes | Risk Assessment | Objective Setting |
| | | Event (Risk) Identification |
| | | Risk Assessment |
| | | Risk Response |
| Control Processes | Control Activities | Control Activities |
| | Information and Communication | Information and Communication |
| | Monitoring | Monitoring |
Consider, for example, the interpretation to Standard 2120: “Determining whether risk management processes are effective is a judgement resulting from the internal auditor's assessment that:
1. Organizational objectives support and align with the organization's mission (Objective Setting);
2. Significant risks are identified and assessed (Event [Risk] Identification, Risk Assessment);
3. Appropriate risk responses are selected that align risks with the organization's risk appetite (Risk Response);
4. Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities (Information and Communication).