Internal Audit and Risk Management: The Basics

This page is designed to help new professionals in the internal audit and risk management industry understand the field and start their careers.

What is Internal Audit?

Internal audit is a profession common to consulting firms such as Protiviti. Internal auditors assist organizations in implementing and improving compliance, governance and risk management-related processes and controls within an organization. Many companies also have their own internal audit team in-house. The internal audit team within a company can range from one to hundreds of auditors, depending on the company size. These organizations may also partner with outside consulting firms on big projects or if they need more expertise.

Internal audit can help with nearly any aspect of a business, from choosing new technology to implementing a new company culture. Auditors go in to analyze and document the current processes in place, usually through interviewing key personnel, and come up with recommendations to help the company achieve efficiency and effectiveness.

  • Guide to Internal Audit
    This internal audit guide addresses common questions concerning the NYSE listing requirements that mandate creation of an effective internal audit function. The questions and answers will assist those planning to develop a function. The booklet provides guidance on issues ranging from roles and reporting structures to audit risk assessments, and management’s responsibilities. Ten appendices include samples and additional information. This guide has now been updated to reflect the SEC’s approval of PCAOB Auditing Standard No. 2 and other regulations in the U.S. and Canada.

What is Risk Management?

The objective of risk management is to help identify and document the organization's risks in critical business processes and the internal controls within each process to mitigate those risks.

For all businesses, there are risks that exist and need to be identified and addressed in order to prevent or minimize losses. Risk is the threat that an event, action or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood.

Risk management must control identified risks to help the company achieve its performance and profitability targets, prevent loss of resources, ensure reliable financial reporting, and ensure compliance with laws and regulations, avoiding damage to its reputation and other consequences.

  • Guide to Enterprise Risk Management
    In today’s challenging global economy, there is a need for identifying, assessing, managing and monitoring an organization’s business opportunities and audit risks. The concept of enterprise risk management (ERM) helps elevate the focus of risk management from the tactical to strategic level. The purpose of this publication is to address some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.
  • Assessing Risks and Internal Controls Guide
    For all businesses, there are risks that exist and need to be identified and addressed in order to prevent or minimize losses. As part of their Sarbanes-Oxley compliance efforts or enterprise risk management programs, many internal auditors are involved in training process owners to assess risks and take responsibility for managing internal controls. In this effort, it is important to acknowledge the process owner’s responsibility for the design, implementation and maintenance of the control structure within assigned business processes. Process owners are also expected to: contribute direction to identify, prioritize and review risks and controls; remove obstacles for compliance; and remedy control deficiencies; continue or begin a program of self-assessment and testing to monitor the controls within your processes. This guide was developed to help with this training activity.
  • Protiviti Risk Model
    The Protiviti Risk Model is a comprehensive organizing framework for defining and understanding potential business risks. The model categorizes business risk into three main areas: Environment Risk, Process Risk and Information for Decision-Making Risk.