The internal audit activity must evaluate risk exposures relating to the organisation's governance, operations, and information systems.
The internal audit activity must assist the organisation in maintaining effective controls.
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to the risks within the organisation.
The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes.
Internal auditors must develop and document a plan for each engagement.
This practice advisory provides strongly recommended guidance on using a top-down, risk-based approach.
Objectives must be established for each engagement.
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review.
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives.
Internal auditors must develop and document work programmes that achieve the engagement objectives.