Organizations are looking to internal audit to provide assurances that existing and emerging risks are identified, monitored and managed so that they can move forward with confidence in executing their business models.
These questions explore internal audit’s strategic contributions and what management and boards should expect from audit going forward. The document organizes the questions to gain perspective from the board of directors and chief audit executives.
Sample questions for the board of directors include:
- Have we updated our risk assessment in the wake of recent events?
- Do we have a process for keeping our risk assessments up to date?
- Are we evaluating new and emerging risks to the organization?
- Are we overlooking any important risks?
- Are we satisfied we have minimized what we don’t know about our risks?
- Do audits planned by internal audit target business opportunities that can improve efficiency and create bottom-line savings?
- In addition to an operational focus, do existing audits explore issues related to IT, security, compliance and finance?
- Do we take full advantage of the experience and knowledge of our auditors?
Sample questions for chief audit executives include:
- Is the internal audit function evolving in a manner that reflects the way the organization as a whole is becoming more data-driven and more susceptible to new business risks resulting from strategies and activities related to growth and innovation?
- Is internal audit operating in a sufficiently proactive, collaborative and data-driven fashion, according to key stakeholders throughout the company and on the board of directors?
- How are internal auditors keeping abreast of regulatory, technology and marketplace changes that have the potential to affect the organization’s risk profile?
- Is organizational cybersecurity addressed via a comprehensive risk-based approach that is supported by cross-enterprise collaboration and board engagement?
- What cybersecurity reporting needs of the board of directors can internal audit help address?
- How does the audit plan address cybersecurity, IT governance, social media, cloud computing and mobile application risks?
- What investments in data analytics are needed to expand internal audit’s reach and heighten its efficiency?
- How does the internal audit function assess and monitor risks related to organizational culture? How can this approach be improved?
- Is your internal audit function keeping pace with the data-driven capabilities of the rest of the organization?