06 August 2018

Developing Risk Management Frameworks through Internal Audits

By Tom Ryan

The IIA’s guide to ‘Risk Based Internal Auditing’ (RBIA) advises that “While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. We believe that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organisation's own risk management framework.”

The guide follows through to say that this should be achieved through “Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including the mitigation of individual or groups of risks.”

Where an organisation does not have a strong or very formal risk management framework, carrying out risk-based internal audits can be a challenge. More importantly, a non-existent or weak risk management framework could mean that the organisation’s system of internal control is poor.

The Guide states “Where RBIA is new to an organisation, the head of internal audit will need to market the concept to management and win their support, particularly since it may mean a change for them in the way that they think about risk.”

In my experience, this means that by default internal audit is often given the responsibility of developing a formal risk management framework. This may be because internal audit is seen as the most risk-aware and risk-mature function within an organisation.

While developing formal risk management frameworks AND providing internal audit assurance at the same time can sound daunting, when thought about as a process it becomes a lot more manageable, and I’ll explain why.

Modern internal audit teams have long been thinking about risk frameworks as part of their audit work. A good internal auditor already plans their work with a risk framework in mind:

  1. Identify a risk
  2. Understand the inherent risk level to decide whether it is a good use of time to audit the controls
  3. Audit the control and assess how well the control is designed and how well it operates in practice
  4. Take a view on how far the control mitigates the likelihood and/or impact of the risk

If the auditor introduces steps to record points 1, 2 and 4 as part of their process, they are close to introducing a formal risk management framework into the organisational area they are auditing:


If every internal auditor does the same across a full internal audit team, a regular handover of risk management frameworks to the business could take place at the end of each audit.

The overall result would be a steady and manageable introduction of a formal and well-defined risk management framework.

Our platform Ideagen Pentana Audit has been designed in line with the IIA’s guide to Risk Based Internal Auditing. Pentana Audit not only provides best-in-class audit management capabilities; it can also help an internal audit team to encourage their organisation to adopt and develop a risk management framework, provide a powerful platform to begin managing their own framework and registers and, as a result, greatly improve the organisation’s system of internal control.

Surely this is the goal of any ambitious internal audit team?

Pentana Audit is part of our Pentana Assurance product suite. Discover today how Pentana Audit can help you encourage your organisation to adopt and develop a risk management framework.
