Every Chief Audit Executive has faced the same question from the board: how do you decide what to audit?
The answer, in every well-run internal audit function, is the same: the internal audit risk assessment. It is the disciplined process of identifying everything the organization does that could be audited (the audit universe), evaluating the risk associated with each auditable entity, and using those risk scores to build an annual audit plan that directs limited audit resources to the areas of greatest risk.
This is not a theoretical exercise. The 2024 Global Internal Audit Standards, released by The Institute of Internal Auditors (IIA) and mandatory as of January 9, 2025, make this explicit.
Standard 9.4 requires that the internal audit plan must be based on a documented assessment of the organization’s strategies, objectives, and risks.
The plan must be informed by the CAE’s understanding of the organization’s governance, risk management, and control processes, and must be performed at least annually.
If your audit plan is not built on a structured risk assessment, you are not conforming with the Standards. If your audit plan is based on a risk assessment that consists of the CAE’s gut feeling, you are not conforming with the Standards.
This guide walks through the complete process: building the audit universe from scratch, developing a defensible risk scoring methodology, converting scores into a prioritized annual audit plan, and maintaining the cycle year over year.
For the broader enterprise risk management context in which internal audit operates, see our guide to enterprise risk management.
What Is an Internal Audit Risk Assessment?
An internal audit risk assessment is the systematic process by which the internal audit function identifies, evaluates, and prioritizes the risks across the organization to determine where audit effort should be directed. It has three core components.
The audit universe is the comprehensive inventory of all auditable entities within the organization. An auditable entity can be a business process, a department, a geographic location, a system, a regulatory requirement, a project, or any other unit of activity that can be meaningfully audited.
The risk scoring methodology is the structured framework used to evaluate the risk associated with each auditable entity.
Risk scoring considers factors such as financial materiality, regulatory exposure, operational complexity, time since last audit, control environment quality, and strategic significance.
The risk-based audit plan is the output: a prioritized schedule of audit engagements for the planning period (typically one year), allocated based on risk scores and available audit resources.
The logic is straightforward. You cannot audit everything every year. Most internal audit functions have the capacity to cover 20-40% of their audit universe annually.
The risk assessment ensures that the 20-40% you do cover represents the highest-risk areas. For guidance on how risk assessment fits within the COSO framework that underpins internal control evaluation, see our article on the COSO framework and how it is used.
What the 2024 IIA Global Internal Audit Standards Require
The 2024 Global Internal Audit Standards (sometimes called The Redbook) represent a significant overhaul of the IIA’s professional framework. Released January 9, 2024, and mandatory as of January 9, 2025, the Standards consolidate previously fragmented guidance into a single 120-page document organized across five domains:
Purpose of Internal Auditing, Ethics and Professionalism, Governing the Internal Audit Function, Managing the Internal Audit Function, and Performing Internal Audit Services. The Standards are available from the IIA’s official Standards page.
Several specific standards directly govern the internal audit risk assessment and audit planning process:
| Standard | Requirement | Practical Implication |
|---|---|---|
| Standard 9.1 | The CAE must establish a risk-based internal audit plan to determine the priorities of the internal audit function consistent with the organization’s goals. | The audit plan must flow from a documented risk assessment, not from management requests, rotation schedules, or historical precedent alone. |
| Standard 9.4 | The internal audit plan must be based on a documented assessment of the organization’s strategies, objectives, and risks, informed by the CAE’s understanding of governance, risk management, and control processes. Must be performed at least annually. | The risk assessment must be documented, updated at least annually, and must consider the organization’s strategic context. The CAE cannot rely solely on management’s risk assessment unless the ERM process has been validated as effective. |
| Standard 9.5 | The CAE must coordinate with internal and external providers of assurance services and consider relying on their work. | The audit universe and plan should reflect what other assurance providers (external audit, compliance, quality assurance) are covering, to avoid duplication and identify gaps. |
| Standard 11.1 | For each engagement, the CAE must establish objectives that address the risks, controls, and governance processes associated with the activities under review. | Each audit engagement derived from the plan must have objectives that trace back to the risks identified in the risk assessment. |
A critical practical implication of Standard 9.4 is that if your organization has an Enterprise Risk Management (ERM) function, the internal audit function should not simply adopt the ERM risk register as the audit risk assessment.
The Standards indicate that IA should only rely on management’s risk information if IA has concluded that the risk management processes are effective.
This means the CAE should first assess the quality and maturity of the ERM function before using its outputs as inputs to audit planning.
Step 1: Building the Audit Universe
The audit universe is the starting point. If it is incomplete, the risk assessment will have blind spots, and the audit plan will miss critical areas.
Building a comprehensive audit universe requires systematic identification of every auditable entity across the organization.
Sources for Building the Audit Universe
- Organizational chart and business unit structure: Map every department, division, subsidiary, branch, and geographic location. Each may represent one or more auditable entities.
- Process inventory: Identify all key business processes: procure-to-pay, order-to-cash, hire-to-retire, record-to-report, treasury management, investment management, IT service management, claims processing, and so on. Business processes often cross departmental boundaries, so a process-based view complements the organizational view.
- Regulatory and compliance obligations: List all regulatory requirements, licenses, permits, and compliance obligations. Each may warrant a standalone audit (e.g., Anti-Money Laundering compliance, HIPAA privacy, SOX Section 404, OSHA recordkeeping).
- Strategic initiatives and major projects: Large-scale projects, system implementations, mergers, acquisitions, and transformation programs carry concentrated risk and should be included in the universe.
- IT systems and infrastructure: ERP systems, core banking platforms, SCADA systems, cloud environments, and critical applications each represent auditable entities.
- Third-party relationships: Significant vendors, outsourcing arrangements, and joint ventures, particularly those that handle sensitive data, perform critical functions, or have access to the organization’s systems.
- ERM risk register: If the organization maintains an enterprise risk register, cross-reference it with your audit universe to ensure high-risk areas identified by management are represented.
- Previous audit findings: Areas with significant past findings, unresolved issues, or repeat deficiencies should be explicitly included.
Audit Universe Template Structure
An effective audit universe template captures enough information about each auditable entity to support risk scoring. The following structure works for most organizations:
| Field | Description | Example |
|---|---|---|
| Audit Entity ID | Unique identifier for each auditable entity. | AU-FIN-001 |
| Audit Entity Name | Descriptive name of the auditable entity. | Accounts Payable Process |
| Category | Classification: Financial, Operational, IT, Compliance, Strategic, Project. | Financial / Operational |
| Owner | The business unit or executive responsible for the process, function, or area. | VP Finance / Controller |
| Description / Scope | Brief description of what the entity covers. | Invoice receipt, approval workflows, payment processing, vendor master data management, three-way matching. |
| Last Audit Date | When this entity was last audited. | Q2 2023 |
| Last Audit Rating | The overall rating from the last audit (if applicable). | Needs Improvement |
| Related Regulations | Applicable regulatory or compliance requirements. | SOX Section 404, IRS 1099 reporting |
| Risk Score (Calculated) | The composite risk score from the risk scoring methodology. | 3.8 / 5.0 (High) |
| Planned Audit Cycle | Target frequency based on risk rating. | Annual (High risk) |
A typical audit universe for a mid-sized organization contains 80-150 auditable entities. Large, complex organizations may have 200-400+. The key is completeness without granularity that makes the universe unmanageable.
An entity should be large enough to support a meaningful audit engagement (typically 2-6 weeks of fieldwork) but small enough to be assessed as a unit. For guidance on how risk identification feeds into the audit universe, see our article on the complete guide to the risk assessment process.
Step 2: Developing the Risk Scoring Methodology
The risk scoring methodology is the analytical engine that converts your audit universe into a prioritized list.
A well-designed methodology is transparent (the board can see how scores are calculated), consistent (different assessors reach similar conclusions), and aligned with the organization’s risk appetite and strategic priorities.
Risk Factors
Most internal audit risk scoring methodologies assess each auditable entity across 8-12 risk factors. The factors should be tailored to the organization, but the following set covers the dimensions that matter in virtually every context:
| Risk Factor | What It Measures | Scoring Guidance (1-5 Scale) |
|---|---|---|
| Financial Materiality | The dollar value of transactions, assets, revenue, or expenditures associated with the entity. | 1 = Under $1M annually. 3 = $10M-$50M. 5 = Over $100M or material to financial statements. |
| Regulatory / Compliance Exposure | The significance of regulatory requirements and the consequences of non-compliance. | 1 = No specific regulatory requirements. 3 = Industry regulations with moderate penalties. 5 = High-consequence regulations (SOX, AML/BSA, HIPAA) with potential for enforcement action, fines, or license revocation. |
| Operational Complexity | The complexity of the processes, systems, and organizational structures involved. | 1 = Simple, standardized process. 3 = Moderate complexity with multiple systems. 5 = Highly complex with manual interventions, multiple handoffs, legacy systems, and significant judgment. |
| Control Environment Quality | The assessed strength of the existing control environment based on prior audits, management self-assessments, or known issues. | 1 = Strong controls, no significant findings. 3 = Adequate controls with some improvement areas. 5 = Weak controls, significant deficiencies, or no prior assessment. |
| Time Since Last Audit | How long it has been since the entity was last audited. | 1 = Audited within past 12 months. 3 = Audited 2-3 years ago. 5 = Never audited or not audited in 4+ years. |
| Management / Organizational Change | The degree of change in leadership, organizational structure, or key personnel. | 1 = Stable leadership and structure. 3 = Moderate turnover or restructuring. 5 = New leadership, major reorganization, or high turnover in key positions. |
| Strategic Significance | Alignment with and importance to the organization’s strategic objectives. | 1 = Limited strategic relevance. 3 = Supports a key strategic initiative. 5 = Core to the organization’s strategic plan or competitive advantage. |
| Technology / System Dependency | Reliance on IT systems and the risk associated with those systems. | 1 = Minimal IT dependency. 3 = Dependent on established systems with adequate IT controls. 5 = Heavy reliance on complex or legacy systems, recent implementations, or systems with known vulnerabilities. |
| Fraud / Integrity Risk | Susceptibility to fraud, misconduct, or integrity breaches. | 1 = Low inherent fraud risk. 3 = Moderate fraud risk factors present. 5 = High-value transactions, cash handling, significant management override capability, or history of fraud/misconduct. |
| Stakeholder / Reputational Sensitivity | Potential for adverse publicity, stakeholder concern, or reputational damage. | 1 = Low external visibility. 3 = Moderate public interest. 5 = High public visibility, media sensitivity, or direct impact on customers/beneficiaries. |
Weighting the Risk Factors
Not all risk factors carry equal importance. Weighting allows the methodology to reflect organizational priorities. A financial services firm might weight Regulatory/Compliance Exposure heavily.
A technology company might weight Strategic Significance and Technology Dependency higher. A public pension fund might weight Stakeholder/Reputational Sensitivity and Regulatory Exposure highest.
A common weighting approach assigns a percentage weight to each factor, with all weights summing to 100%. The weighted risk score for each entity is then calculated as:
Weighted Risk Score = Sum of (Factor Score x Factor Weight) for all factors
Example: If Financial Materiality has a weight of 15% and an entity scores 4, that factor contributes 0.60 to the composite score (4 x 0.15). Sum all weighted factor contributions for the entity’s total score.
The weighting should be reviewed and approved by the CAE and, ideally, discussed with the audit committee to ensure it reflects the board’s risk priorities.
For guidance on how Key Risk Indicators (KRIs) can inform the scoring of risk factors with quantitative data rather than subjective judgment alone, see our article on enterprise risk management key risk indicators.
Converting Scores to Risk Ratings
Once composite risk scores are calculated, classify each entity into risk tiers that drive audit frequency:
| Risk Rating | Score Range | Recommended Audit Frequency | Plan Implication |
|---|---|---|---|
| Critical | 4.5 – 5.0 | Annual (every audit cycle) | Mandatory inclusion in every annual plan. No deferral without board approval. |
| High | 3.5 – 4.4 | Annual to 18-month cycle | Strong candidate for inclusion. Defer only with documented justification and CAE sign-off. |
| Moderate | 2.5 – 3.4 | Every 2-3 years | Included on a rotational basis. Schedule based on available capacity after High/Critical coverage. |
| Low | 1.0 – 2.4 | Every 3-5 years | Lowest priority. Audit when capacity allows or when triggered by a change event. |
The score thresholds should be calibrated so that your High and Critical entities, collectively, can be covered within your annual audit capacity.
If 60% of your universe scores as High or Critical, either your scoring is too generous, your thresholds are too low, or your audit function is significantly under-resourced. A well-calibrated methodology typically produces a distribution of roughly 15-20% Critical/High, 40-50% Moderate, and 30-40% Low.
Step 3: Building the Risk-Based Annual Audit Plan
With the audit universe scored and classified, the annual audit plan is built by matching audit capacity to risk priorities.
Calculate Available Audit Capacity
Start by calculating the total audit days available for the planning period:
- Total available days: Number of auditors x working days per year (typically 230-240 days per auditor).
- Less non-engagement time: Subtract time for training, administration, quality assurance, management, leave, and other non-fieldwork activities. A common allocation is 60-70% of total time for direct audit work.
- Available engagement days: The net days available for conducting audit engagements.
- Divide by average engagement length: Estimate the average audit engagement at your organization (typically 15-30 days including planning, fieldwork, and reporting). This gives you the approximate number of engagements you can complete.
Example: A team of 8 auditors x 235 working days = 1,880 total days. At 65% utilization = 1,222 engagement days. At an average of 25 days per engagement = approximately 49 engagements per year. If your audit universe contains 120 entities, you can cover roughly 40% annually.
Allocate Engagements by Risk Tier
Populate the plan using a tiered allocation approach:
| Risk Tier | Entities in Universe | Target Coverage | Engagements Planned | Days Allocated |
|---|---|---|---|---|
| Critical | 8 | 100% | 8 | 240 (30 days avg) |
| High | 18 | 75% | 14 | 350 (25 days avg) |
| Moderate | 52 | 30% | 16 | 352 (22 days avg) |
| Low | 42 | 10% | 4 | 64 (16 days avg) |
| Management Requests / Emerging | – | – | 5 (reserve) | 100 (20 days avg) |
| Follow-up Engagements | – | – | 4 | 48 (12 days avg) |
| Total | 120 | – | 51 | 1,154 |
Notice the reserve allocation for management requests and emerging risks. The 2024 Standards (Standard 9.4) require the CAE to consider organizational changes and emerging risks throughout the year.
A rigid plan with no flexibility fails this requirement. A reserve of 10-15% of total capacity provides the buffer needed to respond to emerging risks, special investigations, and board or management requests without displacing planned engagements.
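The scoring, tiering and capacity arithmetic from Step 2 and Step 3 carried through in one runnable script. This is an added example, not the IIA's or the author's own code: the factor weights and the Accounts Payable factor scores are constructed sample values, while the tier thresholds, coverage targets, average engagement lengths, reserve and follow-up allocations and the 8-auditor capacity figures are the ones this guide uses.

```python
"""Weighted scoring, tier classification and capacity-based allocation
for an internal audit universe (Steps 2 and 3 of the guide).

Added example, not the IIA's or the author's code. WEIGHTS and
ACCOUNTS_PAYABLE are constructed sample values; tier floors, coverage
targets, average days and capacity figures come from the guide.
"""

# Assumed factor weights (Step 2); they must sum to 100%.
WEIGHTS = {
    "financial_materiality": 0.15,
    "regulatory_exposure": 0.15,
    "operational_complexity": 0.10,
    "control_environment": 0.15,
    "time_since_last_audit": 0.10,
    "management_change": 0.05,
    "strategic_significance": 0.10,
    "technology_dependency": 0.05,
    "fraud_risk": 0.10,
    "reputational_sensitivity": 0.05,
}

# Tier floors from "Converting Scores to Risk Ratings", highest first.
TIERS = [("Critical", 4.5), ("High", 3.5), ("Moderate", 2.5), ("Low", 1.0)]

# Target coverage and average engagement length per tier (allocation table).
TARGET_COVERAGE = {"Critical": 1.00, "High": 0.75, "Moderate": 0.30, "Low": 0.10}
AVG_DAYS = {"Critical": 30, "High": 25, "Moderate": 22, "Low": 16}

# Constructed 1-5 factor scores for the guide's "Accounts Payable Process".
ACCOUNTS_PAYABLE = {
    "financial_materiality": 4, "regulatory_exposure": 4,
    "operational_complexity": 4, "control_environment": 4,
    "time_since_last_audit": 3, "management_change": 3,
    "strategic_significance": 3, "technology_dependency": 4,
    "fraud_risk": 5, "reputational_sensitivity": 3,
}

# Entity counts per tier from the guide's allocation table (120 entities).
UNIVERSE_BY_TIER = {"Critical": 8, "High": 18, "Moderate": 52, "Low": 42}


def weighted_score(factor_scores, weights=WEIGHTS):
    """Composite score = sum(factor score x factor weight), rounded to 2 dp."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 100%")
    missing = set(weights) - set(factor_scores)
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    for name, score in factor_scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{name}: {score} is outside the 1-5 scale")
    return round(sum(factor_scores[f] * w for f, w in weights.items()), 2)


def risk_rating(score):
    """Map a composite score to Critical / High / Moderate / Low."""
    for tier, floor in TIERS:
        if score >= floor:
            return tier
    raise ValueError(f"score {score} is below the 1.0 minimum")


def tier_distribution(ratings):
    """Share of the universe per tier, for the calibration check
    (roughly 15-20% Critical/High, 40-50% Moderate, 30-40% Low)."""
    total = len(ratings)
    return {tier: round(ratings.count(tier) / total, 3) for tier, _ in TIERS}


def engagement_days(auditors, working_days=235, utilization=0.65):
    """Net days available for engagements after non-engagement time."""
    return auditors * working_days * utilization


def allocate_by_tier(entities_per_tier, capacity_days,
                     reserve=(5, 20), follow_up=(4, 12)):
    """Fill the plan from Critical downward until capacity runs out.

    The reserve (management requests / emerging risks) and follow-up
    engagements are set aside first so they never displace planned work.
    Each tier reports planned engagements, days, and deferred entities,
    which the plan must justify in writing.
    """
    plan = {"Reserve": {"engagements": reserve[0], "days": reserve[0] * reserve[1]},
            "Follow-up": {"engagements": follow_up[0], "days": follow_up[0] * follow_up[1]}}
    remaining = capacity_days - plan["Reserve"]["days"] - plan["Follow-up"]["days"]
    for tier, _ in TIERS:
        wanted = int(entities_per_tier[tier] * TARGET_COVERAGE[tier] + 0.5)  # half-up
        affordable = int(remaining // AVG_DAYS[tier])
        planned = min(wanted, affordable)
        remaining -= planned * AVG_DAYS[tier]
        plan[tier] = {"engagements": planned, "days": planned * AVG_DAYS[tier],
                      "deferred": wanted - planned}
    plan["Total"] = {"engagements": sum(p["engagements"] for p in plan.values()),
                     "days": sum(p["days"] for p in plan.values()),
                     "unused_days": remaining}
    return plan


if __name__ == "__main__":
    score = weighted_score(ACCOUNTS_PAYABLE)
    print(f"Accounts Payable: {score} / 5.0 ({risk_rating(score)})")
    days = engagement_days(8)
    print(f"Capacity: {days:.0f} engagement days, ~{days / 25:.0f} engagements")
    for row, cells in allocate_by_tier(UNIVERSE_BY_TIER, days).items():
        print(f"{row:10} {cells}")
```

Running it with 900 capacity days instead of 1,222 shows the deferral mechanism: Critical and High are still fully planned, but only 7 of 16 Moderate and none of the Low engagements fit, and those deferrals are the ones the board paper must document.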
Document the Plan for Board Approval
The annual audit plan presented to the audit committee should include:
- Methodology summary: A brief explanation of how the risk assessment was conducted, what factors were scored, and how engagements were prioritized.
- Audit universe summary: The total number of auditable entities, the risk distribution (how many Critical, High, Moderate, Low), and the planned coverage ratio.
- Engagement schedule: Each planned engagement with the auditable entity name, risk rating, planned timing (quarter), estimated duration, and engagement objective.
- Resource summary: Total audit staff, available engagement days, utilization rates, and any resource constraints or co-sourcing needs.
- Coordination with other assurance providers: How external audit, compliance, and other second-line functions are covering aspects of the risk landscape, per Standard 9.5.
- Deferred engagements: Any High or Critical entities not included in the current year plan, with documented justification.
For guidance on structuring risk-based reports for board consumption, including traffic-light dashboards and decision-oriented formatting, see our article on best practices for risk-based internal audit.
Internal Audit Risk Assessment and the Three Lines Model
The risk assessment does not happen in a vacuum. Internal audit operates within a governance structure where roles and responsibilities for risk management are distributed across what the IIA calls the Three Lines Model (updated from the former Three Lines of Defense).
- First Line (Management): Owns and manages risks. Provides the operational data, process documentation, and management self-assessments that inform the audit risk assessment.
- Second Line (Risk Management, Compliance, Quality): Provides risk frameworks, policies, monitoring, and oversight. The ERM function’s risk register and compliance monitoring results are key inputs to the audit risk assessment. The CAE should evaluate the maturity of these functions before relying on their outputs.
- Third Line (Internal Audit): Provides independent, objective assurance on the effectiveness of governance, risk management, and control processes. The audit risk assessment is the mechanism by which the third line determines where to direct its assurance activities.
The practical implication is that the audit risk assessment should explicitly consider inputs from all three lines: management’s view of risk (first line), the ERM and compliance functions’ risk assessments (second line), and internal audit’s own independent perspective (third line).
When these three views diverge, the areas of disagreement often represent the highest-risk audit opportunities. For context on how the COSO and ISO 31000 frameworks govern these roles, see our article on COSO ERM vs ISO 31000.
Common Mistakes in Internal Audit Risk Assessment
Confusing the ERM risk register with the audit universe. The ERM risk register captures risks. The audit universe captures auditable entities (processes, functions, systems, locations). They overlap but are not the same thing.
A risk like ‘cybersecurity breach’ appears in the ERM register, but the audit universe translates it into specific auditable entities: network security controls, access management process, incident response procedures, vendor IT security, data backup and recovery.
Scoring with insufficient data. If the risk factor scores are based entirely on the CAE’s subjective assessment with no supporting data, the methodology lacks defensibility. Use quantitative data where available: financial transaction volumes, number of regulatory citations, employee turnover rates, system downtime statistics, prior audit findings.
Not refreshing the universe annually. Organizations change. New products launch, acquisitions close, regulations take effect, systems are implemented, and organizational structures shift.
The audit universe must be refreshed at least annually (and ideally on a rolling basis) to capture these changes. An audit universe that has not been updated in two years will have significant gaps.
Building the plan around management preferences instead of risk scores. Management may request audits of areas that are politically convenient or low-risk. The CAE must ensure the plan is driven by the risk assessment first. Management requests should be accommodated from the reserve capacity, not by displacing high-risk engagements.
Over-engineering the methodology. A risk scoring methodology with 25 factors, sub-factors, and a complex weighting algorithm is theoretically rigorous but practically unusable. Most organizations achieve a good balance with 8-12 factors and a straightforward weighted scoring approach. Complexity does not equal quality.
Not documenting the rationale for deferred engagements. If a High-risk entity is deferred from this year’s plan, the reason must be documented. If an incident later occurs in that area, the audit function needs to demonstrate that the deferral was a deliberate, risk-informed decision, not an oversight.
For guidance on how to use risk assessment questionnaires to supplement scoring with structured stakeholder input, see our article on the internal audit risk assessment questionnaire.
Maintaining the Cycle: From Annual Plan to Continuous Risk Assessment
The internal audit risk assessment is not a once-a-year exercise that produces a plan and then sits in a drawer. The 2024 Standards expect a dynamic, responsive approach.
Quarterly Refresh
Review and update risk scores quarterly based on new information: significant incidents, regulatory changes, organizational restructuring, management turnover, financial performance shifts, and findings from completed audits. Present updated risk profiles to the audit committee at each quarterly meeting.
Engagement-Level Risk Assessment
Each individual audit engagement should include its own detailed risk assessment during the planning phase (Standard 11.1). This engagement-level assessment identifies specific risks, controls, and testing priorities within the auditable entity. The engagement-level assessment may reveal that risks are higher or lower than anticipated in the annual assessment, which should feed back into the next refresh.
Emerging Risk Monitoring
Establish a process for monitoring emerging risks between formal assessment cycles. Sources include industry publications, regulatory alerts, peer organization incidents, management communications, and internal reporting (whistleblower hotline, compliance reports, operational metrics). When an emerging risk is identified, assess whether it warrants an unplanned audit engagement from the reserve capacity.
Post-Engagement Feedback Loop
After each audit engagement, update the audit universe with the engagement results: the date audited, the rating assigned, and the key findings.
This data directly feeds the next annual risk assessment. An entity that received a ‘Needs Significant Improvement’ rating should see its Control Environment Quality score increase, raising its composite score and potentially moving it into a higher risk tier for the next cycle.
For guidance on using qualitative and quantitative risk assessment techniques to strengthen the scoring process, see our article on performing a qualitative risk assessment for IT infrastructure.
Technology and Tools for Internal Audit Risk Assessment
While the risk assessment methodology can be executed in spreadsheets (and many organizations still do), purpose-built audit management systems offer significant advantages for maintaining the audit universe, automating risk scoring, tracking engagement status, and reporting to the audit committee.
- GRC platforms: Tools like Diligent, AuditBoard, Galvanize (now Diligent), TeamMate+, and Workiva provide integrated modules for audit universe management, risk assessment, engagement tracking, issue management, and board reporting.
- Data analytics: Tools like ACL (now Galvanize), IDEA, Python, and Power BI enable auditors to incorporate quantitative risk indicators into the scoring process, moving beyond purely subjective assessments.
- Continuous auditing and monitoring: Automated testing of controls and transactions can provide real-time risk indicators that inform the audit risk assessment dynamically.
Regardless of the tooling, the methodology must be owned by the CAE and understood by the audit team.
Technology enables the process but does not replace professional judgment. For more on how technology supports enterprise risk management, see our article on enterprise risk management technology practices.
Frequently Asked Questions
What is the difference between an internal audit risk assessment and an enterprise risk assessment?
An enterprise risk assessment, conducted under the enterprise risk management (ERM) process, is a management-owned process that identifies risks to the organization’s strategic objectives across all risk categories (financial, operational, strategic, compliance, reputational).
An internal audit risk assessment uses inputs from the ERM and other sources to determine where internal audit should direct its limited assurance resources. The ERM assessment asks: what risks does the organization face?
The audit risk assessment asks: given those risks (and others), what should internal audit examine? The audit risk assessment also considers audit-specific factors that the ERM does not, such as time since last audit, prior audit findings, and control environment quality.
How many auditable entities should be in the audit universe?
There is no single right number. The audit universe should be comprehensive enough to cover all significant auditable activities but manageable enough to assess and maintain. For mid-sized organizations, 80-150 entities is typical.
For large, complex organizations, 200-400+ is common. The right number depends on organizational complexity, industry, geographic footprint, and regulatory environment. If entities are too large (e.g., ‘Finance Department’), the risk scores become meaningless because they average across too many diverse activities. If entities are too small (e.g., ‘Travel expense approval for the marketing department’), the universe becomes unmanageable.
Should the audit committee approve the risk scoring methodology?
The methodology should be developed by the CAE and the audit team, reviewed with senior management for input on risk factors and weightings, and presented to the audit committee for approval.
The committee does not need to approve every score for every entity, but it should understand and endorse the methodology, the weighting structure, and the resulting risk distribution. This transparency strengthens the audit function’s credibility and helps the committee fulfill its oversight responsibilities.
How does the 2024 IIA Standard 9.4 change audit planning requirements?
Standard 9.4 makes explicit what was implicit in the prior Standards: the audit plan must be based on a documented assessment of the organization’s strategies, objectives, and risks.
The key change is the emphasis on documented assessment and the requirement that the CAE not rely solely on management’s risk information unless the ERM process has been validated as effective.
This means internal audit functions that previously adopted the ERM register without independent evaluation must now either validate the ERM process or conduct their own independent risk assessment.
What if my organization does not have an ERM function?
Many organizations, particularly smaller ones, do not have a formal ERM function. In that case, the internal audit function must conduct its own independent risk assessment. This is actually more common than most people assume, and the 2024 Standards contemplate this scenario.
The CAE builds the audit universe using the sources described in this guide (organizational charts, process inventories, regulatory requirements, strategic plans, management interviews) and applies the risk scoring methodology independently. The absence of ERM does not reduce the obligation to conduct a risk-based audit plan; it increases the CAE’s responsibility to perform a thorough assessment.
How do Topical Requirements affect the audit plan?
The 2024 IPPF introduces Topical Requirements, which are mandatory when internal audit conducts assurance engagements on specific topics covered by a Topical Requirement.
The IIA has released a Topical Requirement on cybersecurity and has indicated plans for additional topics including sustainability, third-party management, IT governance, and fraud risk management. When a risk assessment results in a topic covered by a Topical Requirement being included in the audit plan, the engagement must conform with both the Global Internal Audit Standards and the applicable Topical Requirement.
Conclusion: The Risk Assessment Is the Plan’s Foundation
The quality of your annual audit plan is a direct function of the quality of your risk assessment. A rigorous, well-documented, annually refreshed risk assessment produces a plan that directs limited audit resources to the areas of greatest risk and greatest value. A superficial risk assessment produces a plan that may cover the wrong things, miss critical risks, and ultimately fail to serve the board and the organization.
The process is not complicated. Build a complete audit universe. Score each entity against defined risk factors with appropriate weights. Classify entities into risk tiers. Match your available capacity to the risk tiers, starting with the highest.
Document your methodology, your scores, your plan, and your rationale for any deferrals. Refresh the assessment at least annually and respond to emerging risks throughout the year.
The 2024 IIA Standards make this approach mandatory. But organizations that have been doing this well have always known that a risk-based audit plan is not just a Standards requirement. It is the only way to ensure that internal audit delivers the assurance the organization needs.
Strengthen your risk management and internal audit practice. From enterprise risk management frameworks to audit risk assessment methodologies, our resource library covers the standards and practical tools that risk and audit professionals rely on. Explore our guides at Risk Publishing to deepen your understanding of ISO 31000, COSO ERM, IIA Standards, and risk-based audit planning.
Sources and References
- The Institute of Internal Auditors. Global Internal Audit Standards (2024). theiia.org/en/standards/2024-standards/global-internal-audit-standards
- The Institute of Internal Auditors. International Professional Practices Framework (IPPF) 2024. theiia.org/en/standards/
- The Institute of Internal Auditors. Topical Requirements for Internal Auditing. theiia.org/en/standards/2024-standards/topical-requirements/
- KPMG. 2024 Global Internal Audit Standards: Summary and Key Changes. kpmg.com/us/en/articles/2024/global-internal-audit-standards.html
- COSO. Enterprise Risk Management – Integrating with Strategy and Performance (2017). Committee of Sponsoring Organizations of the Treadway Commission.
- ISO 31000:2018. Risk Management – Guidelines. International Organization for Standardization.
- The IIA. Three Lines Model: An Update of the Three Lines of Defense (2020).
- ACUA. New Global Internal Audit Standards Released: Summary for Higher Education. acua.org
- Diligent. New Global Internal Audit Standards: What Internal Auditors Need to Know. diligent.com

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
