Should internal audit groups be involved in departmental risk assessment exercises?
The Treasury Board Policy on Internal Audit identifies the prime role of the internal audit function as the provider of assurance services to departmental senior management. This does not preclude the internal audit function from providing other internal auditing services which, using the IIA’s definition, include consulting services. Consulting services are defined by the IIA as “advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations. Examples include counsel, advice, facilitation, process design and training.” An internal audit group’s involvement in risk assessment exercises could clearly fall within this definition of consulting services. Internal auditors undertaking such work are to be guided by internal auditing standards. In particular, it should be noted that where significant risk management, control or governance issues are identified, these sho
