IIA Australia - Managing Internal Audit Function Risks

Connect Support Advance

White Paper

Managing Internal Audit Function Risks
2024

This resource was prepared after the ‘Global Internal Audit Standards’ were published in 2024

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia


Contents

Introduction
- Purpose
- Background
Discussion
- Issue
- History
- Risks Faced by an Internal Audit Function
- Risks Cascaded from Other Parts of the Organisation
- How the IIA Standards Help in Managing Internal Audit Risks
- A Systematic, Disciplined Approach to Managing Internal Audit Risks
- Critical Success Factors
- Considerations for Smaller Internal Audit Functions
- The Impact of Unmanaged Internal Audit Risks
Conclusion
- Summary
- Conclusion
Appendix 1 – Illustrative Risk and Control Matrix (Extract Only)
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Introduction

Purpose

The purpose of this White Paper is to explain how Internal Audit Functions can better manage their own risks.

Background

Effective risk management is essential to any organisation’s success. Organisations of various types actively identify and manage risks with appropriate oversight at the board level. The ASX ‘Corporate Governance Principles and Recommendations’ (2019) require listed entities to have a dedicated board committee or committees to oversee risk and review the entity’s risk management framework. These entities are also required to disclose their material risks in their annual reports. Similarly, entities in the Australian public sector (Federal / State and Territories / Local Government) are required to maintain effective risk management frameworks mandated through policies, treasurers’ instructions, regulation and other mechanisms.

Effective risk management is not achieved solely at the board or executive level. It requires engagement by all business units, divisions and functions of an organisation including the Internal Audit Function.

Discussion

Issue

ISO 31000 ‘Risk management – Guidelines’ defines Risk as the “effect of uncertainty on objectives”. Like organisations, Internal Audit Functions also have objectives impacted by uncertainty. However, Internal Audit Functions spend most, if not all, their time looking at their organisation’s governance, risk management and control processes. But how often do Internal Audit Functions look internally at their own function to assess if their key risks and controls are being managed effectively?

How can an Internal Audit Function, and to quote from the definition of Internal Auditing in the Global Internal Audit Standards, help accomplish its own objectives “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes” within the Internal Audit Function itself?

This White Paper will explore how Internal Audit Functions can actively identify, assess and respond to risks that may impact their success.

History

The concept of Internal Audit Functions managing their risks is not new. In 2009, the IIA released Practice Advisory 2120-2 (superseded Recommended Guidance) which highlighted how the Internal Audit Function “is not immune to risks. It needs to take the necessary steps to ensure that it is managing its own risks”.

Many Internal Audit Functions adopted the Practice Advisory by maintaining and periodically updating their own risk registers – standalone or as part of a broader enterprise risk management system. In the case of larger Internal Audit Functions such as global organisations or major financial institutions, dedicated individuals are assigned to identify, monitor and report on Internal Audit Function risks.

Risks Faced by an Internal Audit Function

Risks the Internal Audit Function faces when delivering on its mandate may impact effectiveness and credibility of the chief audit executive as well as individual internal auditors.

Risks that may affect an Internal Audit Function include:
Risk Category: Strategic
Risk Examples:
› Stakeholder Management – Inability to identify and meet key stakeholder expectations.
› Strategic Project and Initiatives – Failure to plan and execute major initiatives in a systematic and coordinated manner (for example new audit management system implementation, compliance with new regulatory or industry standards).
› Organisational Structure – The Internal Audit Function organisational structure does not support achievement of strategic and business objectives in an efficient manner.
› Internal Communication – Not understanding or responding to concerns of the internal audit team in a timely manner.
› Brand and Reputation – Failure to create, promote and sustain a brand, reputation and trust aligned to the Internal Audit Function’s mission. This also includes risk of the Internal Audit Function being perceived as biased or not objective in its assessments.
› Market Dynamics – Changes to external environment impacting the Internal Audit Function’s ability to deliver on its mission, for example loss of key staff or shortage of specialised service providers due to better paying clients elsewhere.

Risk Category: Operational
Risk Examples:
› Culture – Not defining and reinforcing the culture you want internal audit team members to live by in line with organisational values and the Internal Audit Function mission.
› Service Catalogue – Engagement types provided by the Internal Audit Function may not suit business needs or support delivery of the internal audit mandate.
› Risk Focus – Internal audit plan misalignment with the organisational strategy and key risks. Also refer IIA-Australia Factsheet ‘Neglected Audit Areas’.
› Change Management – The internal audit team’s resistance to change or poorly managed change initiatives (for example change is too frequent, done without consultation, lack of training, etc).
› People Management – Failure to recruit and retain qualified employees to ensure optimal staffing levels and adequate succession planning. This includes high staff turnover rates.
› False Assurance – Assumption that Internal Audit Function involvement in an organisational activity is necessarily providing definitive assurance to the organisation.
› Procurement – Lack of transparency or delays in appointing internal audit service providers.
› Engagement Scope – Internal audit team and management scope creep or scope limitations during engagements.
› Engagement Cycle Times – Long cycle times from start to end of engagements caused by burdensome documentation requirements, excessive number of report drafts issued to management, ineffective project management, etc.
› Service Providers – Ineffective onboarding and oversight of internal audit service providers.
› Fraud and Unethical Behaviour – Fraudulent behaviour by the internal audit team such as falsified workpapers, expense report manipulation, misrepresenting to the audit committee, etc.
› Reporting Accuracy – Audit committee engagement and reporting may not be accurate or complete.

Risk Category: Financial
Risk Examples:
› Budget Setting – Incomplete or inaccurate data used to estimate required financial resources during internal audit planning.
› Budget Limits – Exceeding the Internal Audit Function budget approved by the audit committee.

Risk Category: Compliance
Risk Examples:
› Standards – Nonconformance with the ‘Global Internal Audit Standards’.
› Laws and Regulations – Non-compliance with requirements such as:
  › Australian Federal / State / Territory internal audit related requirements for the public sector.
  › Australian Prudential Regulation Authority (APRA) Prudential Standards applicable to internal audit such as CPS510 ‘Governance’ and CPS234 ‘Information Security’.
  › ASX Corporate Governance Principles and Recommendations.

Risks Cascaded from Other Parts of the Organisation

Another area to consider is when business units devolve common controls to other business units. They may vary in nature and complexity, and sometimes are not applicable to the Internal Audit Function due to their nature, but they require careful consideration. In most, if not all, circumstances it would be necessary for the Internal Audit Function to ensure the presence of process and procedure documentation to clarify organisational expectations and behaviours. Some considerations are included below for reference:

Area: Expense Management and Corporate credit cards
Considerations: Depending on nature of usage (for example high frequency of travel) and maturity of expense related controls within the organisation, the chief audit executive might consider additional controls to further safeguard the reputation of the Internal Audit Function and its staff.

Area: Safeguarding of Assets and Access Management
Considerations: Chief audit executives would be responsible for their own physical space where the Internal Audit Function is located and facilities used by the Internal Audit Function. This includes but is not limited to reviewing access to physical workspaces, computers, audit management system, online collaboration workspaces (e.g. SharePoint or Google Drive) or non-audit related information such as employee details, compensation, etc.

Area: Health and Safety
Considerations: Several health and safety related controls may be cascaded down to the rest of the organisation. The Internal Audit Function is not exempt from those requirements. Training and appointment of first aiders, fire wardens, review of work environment, and periodic communication of health and safety obligations are common controls to address health and safety risks. In addition, there may be considerations specific to the Internal Audit Function such as working from home and overall employee wellness such as work-life balance, response to organisational health surveys, etc.

Area: Corporate Initiatives
Considerations: There may be organisation wide initiatives stemming from the organisation’s strategy which may present risks to the Internal Audit Function. These initiatives may include mergers and acquisitions, divestitures, cost restructuring and other strategies which may impact internal audit team composition, resources and the internal audit plan delivery.

How the IIA Standards Help in Managing Internal Audit Risks

The ‘Global Internal Audit Standards’ state they “guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function”. While not explicit, the Standards provide a variety of responses to potential risks that may face Internal Audit Functions. Consider the following:

› Risk of not identifying or managing potential biases when performing audit work – addressed through Standard 2.1 ‘Individual Objectivity’.
› Risk of self-review / performing management responsibilities – addressed through Standard 2.1 ‘Individual Objectivity’.
› Risk of data loss or misuse of data by internal auditors – addressed through Standard 5.2 ‘Protection of Information’.
› Risk of misalignment of internal audit activities with stakeholder expectations – addressed through Standard 8.1 ‘Board Interaction’ and Standard 11.1 ‘Building Relationships and Communicating with Stakeholders’.
› Risk that internal audit’s budget, staff or technology resources may limit its ability to effectively deliver the internal audit plan – addressed through Standards 10.1 ‘Financial Resource Management’, Standard 10.2 ‘Human Resources Management’ and Standard 10.3 ‘Technological Resources’.
› Risk that audit conclusions are not adequately supported – addressed through Standard 12.3 ‘Oversee and Improve Engagement Performance’ and Standard 14.1 ‘Gathering Information for Analyses and Evaluation’.

While this does not constitute a comprehensive list of potential risks managed through conformance with the Standards, it does highlight the value of conformance with the Standards from a risk management perspective.

A Systematic, Disciplined Approach to Managing Internal Audit Risks

Risk management frameworks usually break down core risk management activities into the following five steps:

These same steps can be applied to managing Internal Audit Function risks:

Step 1 – Identify
Action: Identify all potential risks the Internal Audit Function might be exposed to
Considerations:
› Start from the purpose, definition and mandate of the Internal Audit Function (Internal Audit Charter).
› Review the strategy, objectives and goals of your organisation and list internal audit processes within the audit lifecycle that directly or indirectly contribute to it.
› Ask the question – ‘what should go right’?
› Ask the question – ‘what could go wrong’?
› Consider workshopping risks in the identified processes (internal audit planning, engagement execution, audit committee reporting, etc) internally, with the risk team and compliance team, external industry and refer to industry literature.
› Use your organisation’s risk assessment methodology (if available) to consider all risks and categorise risks identified through this process.
Outcome – List of processes and associated risks in a risk register.

Step 2 – Assess
Action: Assess and categorise risks based on likelihood and impact to determine the significance
Considerations:
› Use the organisation’s own risk assessment methodology to assess risks.
› A Consequence (impact) / Likelihood (probability) matrix can be used to objectively assess risk using impact (for example negligible to severe) and probability (for example unlikely to very likely) to derive a risk rating.
› As part of the assessment, consider the propensity for processes to break down and not achieve their objectives. Some factors you could consider:
  › Strategic significance
  › Regulatory significance
  › Process complexity and level of automation
  › Capability and capacity of individuals involved
  › Process frequency
  › Resiliency and sustainability
  › Past issues or concerns (such as fraud, operational loss, errors, omissions, regulatory and external audit findings, etc.)
Outcome – All risks in the register have a risk rating with supporting rationale.

Step 3 – Prioritise
Action: Rank risks based on their significance so that a risk that would cause little issue to the Internal Audit Function is given a low priority
Considerations:
› Once the list is finalised, prioritise areas requiring attention.
› Test your understanding of risks with Line 2 assurance activities or subject matter experts.
Outcome – Clarity on which risks will need to be addressed, for example all risks equal to and above ‘Medium’.

Step 4 – Manage
Action: Respond to the risk by accepting, avoiding, managing or sharing risk
Considerations:
› Be open to accept insignificant risks.
› Identify and develop controls to manage risks or consider alternative strategies to address risk such as accept, avoid or share risks.
› Controls can be described in a similar way to how recommendations or improvements are developed during an internal audit engagement:
  › Who is best placed to execute the control (e.g. capacity / capability)?
  › When is the best time for the control execution (preventive / detective)?
  › What is the best control (manual review / automated configured workflow, etc)?
  › Where is the best evidence of the control (e.g. checklist sign-off)?
  › How is the control managing the risk?
  For example: The Chief audit executive reviews and approves an audit file in the audit management system prior to issuing the internal audit report to confirm audit evidence is sufficient and appropriate to support the audit results.
Outcome – All significant risks and controls mitigating them are identified. Where controls are absent or ineffective, Specific / Measurable / Attainable / Relevant / Time-based (SMART) action plans are in place to address the significant risks.

Step 5 – Monitor
Action: Continually monitor both the operation of controls and the operational environment for potential new risks
Considerations:
› Continual monitoring is key to effective risk management as organisations and the environment are dynamic and risks change.
› The Internal Audit Function could employ a number of strategies for effective risk monitoring. Practices found to be useful include:
  › Develop and monitor key risk indicators (KRIs) to assess whether risks remain within risk appetite over time.
  › Periodic self-assessment of existing controls (design effectiveness and operating effectiveness) to confirm whether controls continue to effectively manage risks.
  › Periodic review of the risk register to confirm whether recent developments such as changing regulations, risk issues, events or incidents, and external reviews require addition to, or revision of, existing risks.
  › Periodic reporting of open actions against agreed timeframes internally within the Internal Audit Function and to the audit committee and Line 2, particularly where there is a risk aggregation and reporting mechanism.
Outcome – Continual monitoring of changing risk landscape and improvement of overall control environment of the Internal Audit Function.

Appendix 1 – Illustrates how significant risks and controls within the internal audit lifecycle can be managed and monitored over time.

Critical Success Factors

Some factors that are likely to maximise the value derived from managing Internal Audit Function risks may be:

› Like any process, Tone at the Top from the chief audit executive is critical. Chief audit executives need to promote the value of actively managing Internal Audit Function risks and participate in brainstorming sessions.
› Involve the whole internal audit team in the brainstorming process and get their input as the Internal Audit Function risk register is built. Engaging the team in this process helps to build awareness as well as support effective risk management.
› Limiting the number of risks included in the risk register helps to direct focus and right-size effort. The number of risks will vary based on the size, operating model and nature of Internal Audit Function activities.
› Sufficiently resource the risk management function with capable staff.
› Make control owners aware of their responsibilities and the expected result of operating a control effectively. Consider asking for annual confirmation of control effectiveness.
› Take control issues seriously to continually improve and learn from past experience.
› Evaluate cost versus benefit of risk responses. Unless absolutely necessary, avoid over-controlling risks and burdening the internal audit team with excessive procedures or processes.

Considerations for Smaller Internal Audit Functions

Even smaller Internal Audit Functions need to take steps to manage their own risks. Risks specific to smaller functions include:

› Constrained budgets impacting their ability to acquire specialised skills, get trained on and deploy data analytics, and provide extensive coverage of the risk universe or audit universe.
› Difficulties recruiting and retaining staff as growth opportunities may be limited and larger Internal Audit Functions elsewhere may offer better compensation.
› Challenges with engagement supervision, in particular for functions with a solo internal auditor, and maintaining an effective quality assurance and improvement program (in particular, getting an external quality assessment).

From a risk management perspective, smaller Internal Audit Functions would not necessarily require a dedicated risk and control matrix for internal audit, but if used it could be adapted to their situation (for example include a fewer number of risks, be refreshed less frequently, etc).

Smaller Internal Audit Function chief audit executives need to be aware of potential risks facing the function. This can be through discussions with key stakeholders or other assurance providers, for example the external auditor, to get input on how the Internal Audit Function is being perceived, what it is doing well, and what might be potential improvement areas. Connecting with internal audit peers and learning of their challenges can also help an Internal Audit Function consider and prepare for a particular risk.

With smaller Internal Audit Functions, many of the risks described earlier may not have adequate management in place. It is critical to periodically call out to the audit committee any limitations the Internal Audit Function faces. For example, if cyber security is a major risk to the organisation and the Internal Audit Function does not have the skills to audit it, or the budget to hire an external party to audit it, then this should be clearly communicated to the audit committee and documented in relevant papers.

The Impact of Unmanaged Internal Audit Risks

The reputation of an Internal Audit Function is essential to its effectiveness. This reputation can be negatively impacted as a result of poorly managed risks. Unmanaged risks could lead to a data leak by internal audit staff, major issues that should have been picked up by the internal auditors, negative results from an external quality assessment or regulator review, and other adverse events. The impact of these may range from loss of credibility and trust in the Internal Audit Function, isolation, to termination of the chief audit executive.

In the unfortunate situation an Internal Audit Function does experience a major adverse event, the chief audit executive will need to conduct a retrospective review to understand root cause – ‘Why did this happen or why did we not pick this up?’ – and develop a plan to restore the Internal Audit Function reputation.

Conclusion

Summary

Like any part of the business, the Internal Audit Function faces risks to achieving its objectives. It is important to actively identify, assess and respond to these risks in a practical, sustainable way which engages and involves the whole internal audit team.

Conclusion

The Internal Audit Function is not immune to risks. As required by the Standards, internal auditors evaluate whether the organisation and key business functions have robust risk management practices in place. Internal Audit Functions should apply that same evaluation mindset to their own risks.

While there is no way to formally manage all the risks an Internal Audit Function may face, it should take practical steps to proactively identify, assess and respond to risk and clearly communicate any limitations or significant unmanaged risks to the audit committee when they arise.

The approach to doing this may be structured in the form of a risk and control matrix (RACM) or risk register, or it may be less formal. Regardless, the chief audit executive and internal audit team should be on top of risks that may prevent the Internal Audit Function from achieving its mandate, strategic objectives and operational plan.

It takes years to build an Internal Audit Function reputation and brand, and this can be destroyed by one high-profile failure. Chief audit executives have been terminated for performance issues, non-compliance, poor communication and engagement with management, and for organisational control failures that should have been identified by the Internal Audit Function. Actively managing the Internal Audit Function’s risks and embedding treatment into methodologies and day-to-day processes will go a long way towards protecting the Internal Audit Function and increasing its effectiveness.



Appendix 1 – Illustrative Risk and Control Matrix (Extract Only)

The following table outlines an extract of an illustrative, process based, risk and control matrix (RACM) that touches on key risks within an Internal Audit Function, common key controls, and their monitoring methodologies.

Process: P1. Internal Audit Plan
Key Risks: R1. Internal Audit Plan is not risk-based and does not align with the organisation strategy, objectives, risks and regulatory requirements. This could lead to non-value-adding assurance activities or regulatory censure that could impact the organisation’s reputation.
Control: C1. Chief Audit Executive and Audit Committee reviews and approves the Internal Audit Plan and subsequent changes to confirm that it:
› Aligns with the organisation strategy, objectives and key risks
› Covers the organisation regulatory requirements in relation to Internal Audit performing certain periodic engagements for example Australian Prudential Regulation Authority (APRA) Prudential Standards, State / Territory internal audit requirements
› Sufficiently covers human, technological, and financial resources required to deliver the audit plan
› Is supported by relevant, reliable and sufficient documentation that clearly outlines key judgements and risk-based rationale to support the Internal Audit Plan
Control Type: Preventive
Monitoring Methodologies:
M1. Periodic Self-Assessment: Independent review of internal audit planning documentation to confirm relevancy, reliability and sufficiency of the:
› Procedures performed to derive the Internal Audit Plan
› Underlying assumptions and key rationale supporting the Internal Audit Plan
M2. Key Risk Indicator: Periodic reporting to the Audit Committee of progress and specific targets. Where targets are not met, analysis and reasons reported to the Audit Committee with specific actions on how to bring them in line with the specified targets

Process: P2. Engagement Execution
Key Risks: R2. Conclusions drawn from Internal Audit Function activities lack robust support from relevant, reliable and sufficiently analysed information. This could lead to inaccurate assurances or the erroneous inference of control environment effectiveness and result in loss of trust and confidence in the Internal Audit Function.
Control: C2. Prior to engagement reporting, Engagement Leads (or Chief Audit Executive in smaller organisations) review and approve audit documentation such as risk and control matrix (RACM), engagement work program, testing work papers etc to confirm:
› The Internal Audit Function audit methodology was correctly applied
› Documentation supports the engagement objectives and conclusions reached
Control Type: Preventive
Monitoring Methodologies:
M3. Periodic Self-Assessment: Independent review of the internal audit engagement documentation to confirm the relevancy, reliability and sufficiency of the audit procedures performed to reach the conclusions reached in the internal audit report.

Process: P3. Hiring and Co-sourcing
Key Risks: R3. Internal Audit Function staff or internal audit service providers are not or do not appear to be independent. This could negatively impact integrity, reliability and credibility of internal audit reports.
Control: C3. Prior to onboarding a resource, Chief Audit Executive (or delegate) performs a Conflicts of Interest assessment to confirm that there are no, in actual or appearance of, impropriety with the relevant resource. This could be because resource has previously worked with the management or has first degree familial relationship with key individuals in the management. If any instances of conflicts are identified and the resource has been accepted, sufficient and appropriate independence safeguards have been identified and implemented (for example temporarily barring the resource to work on engagements where they were previously responsible for the subject matter etc). All such conflicts are recorded in the organisational or Internal Audit’s Conflicts register along with determinations and any safeguards.
Control Type: Preventive
Monitoring Methodologies:
M4. Periodic Self-Assessment: Independent review of conflicts in the conflict of interest register to confirm identified conflicts have been sufficiently and appropriately assessed.

Bibliography and References

Bibliography

ASX Corporate Governance Council, 2019. Corporate Governance Principles and Recommendations, 4th Edition. [Online]
Available at: https://www.asx.com.au/documents/asx-compliance/cgc-principles-and-recommendations-fourth-edn.pdf

Australian Prudential Regulation Authority, 2019. Prudential Standard CPS 234 Information Security. [Online]
Available at: https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

Australian Prudential Regulation Authority, 2019. Prudential Standard CPS 510 Governance. [Online]
Available at: https://www.apra.gov.au/sites/default/files/draft_prudential_standard_cps_510_governance_march_2019_v1_0.pdf

Department of Finance (Australia), 2014. Commonwealth Risk Management Policy. [Online]
Available at: http://www.finance.gov.au/comcover/risk-management/

International Internal Auditing Standards Board, 2024. Global Internal Audit Standards. [Online]
Available at: https://www.theiia.org/globalassets/site/standards/globalinternalauditstandards_2024january9_printable.pdf

International Organization for Standardization, 2018. ISO 31000:2018 Risk management - Guidelines, Geneva: International Organization for Standardization.

NSW Government, 2020. Internal Audit and Risk Management Policy for the General Government Sector. [Online]
Available at: https://www.treasury.nsw.gov.au/documents/tpp20-08-internal-audit-and-risk-management-policy-general-government-sector

The Institute of Internal Auditors - Australia, 2023. Factsheet: Neglected Audit Areas. [Online]
Available at: https://iia.org.au/technical-resources/fact-sheet/iia-australia-factsheet-neglected-audit-areas

This White Paper also draws from the superseded document:
The Institute of Internal Auditors, 2009. Practice Advisory 2120-2, Managing the Risk of the Internal Audit Activity.

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia.

Author’s Biography

This White Paper written by:

Farah George Araj PFIIA, CIA, CRMA, QIAL, CPA, CFE
George is an experienced internal audit leader who has actively managed internal audit risks in various chief audit executive roles. He has served as a councillor on the IIA-Australia Western Australia and New South Wales Chapters. George was previously a member of the IIA Global International Internal Auditing Standards Board.

Umair Danka CIA, CRMA, CA, FCCA, CPA, CISA
Umair Danka is a seasoned financial services internal auditor with over 15 years of experience. He has excelled in assessing and enhancing internal controls, risk management processes, and compliance frameworks within leading financial institutions. Umair’s expertise spans banking, insurance, and investment management.

This White Paper edited by:

Michael Parkinson PFIIA, CIA, CRMA, CISA, CRISC

Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

About the Institute of Internal Auditors–Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘Global Internal Audit Standards’ and associated professional guidance.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright

This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors – Global or the Institute of Internal Auditors – Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors – Global and the Institute of Internal Auditors – Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors – Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer

Whilst the Institute of Internal Auditors – Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors – Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.

© 2024 - The Institute of Internal Auditors - Australia