2120-3: Internal audit coverage of risks to achieving strategic objectives

Primary Related Standards
2120 - Risk Management

The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

  • Achievement of the organization's strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts. 

1. Executive management is responsible for identifying and managing risk in pursuit of the organization's strategic objectives. It is the board's responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization's strategy, how it is executed, the associated risks, and how these risks are being managed. 

2. To enable internal audit to focus on the critical risks to the organization, the organization's strategy should be a foundational element when developing a risk-based audit plan. This will align internal audit with the organization's strategic priorities and help ensure its resources are allocated to the areas of significant importance.

3. When developing the audit plan, internal audit should leverage the work of management and other assurance functions to help identify the risks that present the most significant threats and opportunities to the achievement of an organization's strategic objectives. 

4. Strategic threats and opportunities will drive management's creation and prioritization of the organization's short-term and long-term strategic initiatives or the organization's most significant investments to deliver value to its stakeholders. 

5. Internal audit should consider providing assurance services related to these strategic initiatives when developing its audit plan. This will allow internal audit to assess whether the strategic risks are being managed to an acceptable level through evaluating some or all of the mitigation efforts. It also may provide the opportunity for internal audit to deliver advisory services that directly impact the organization's evolution. 

6. After determining the strategic risks to include in the audit plan, internal audit should assess whether all the required skills and knowledge exist in the internal audit department to execute applicable assurance or advisory engagements. Specialized skills and knowledge may need to be sourced (internally or externally) before the internal audit department is qualified to perform the work. 


Content reviewed: 20 January 2022