Practice Advisory 2120-3:

Internal Audit Coverage of Risks to Achieving Strategic Objectives

Primary Related Standards
2120 Risk Management
2120. A1 The internal audit activity must evaluate risk exposures relating to the
organizations governance, operations, and information systems regarding the:
Achievement of the organizations strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.

1. Executive management is responsible for identifying and managing risk in pursuit of

the organizations strategic objectives. It is the boards responsibility to ensure that
all strategic risks are identified, understood, and managed to an acceptable level
within risk tolerance ranges. Internal audit should have an understanding of the
organizations strategy, how it is executed, the associated risks, and how these risks
are being managed.
2. To enable internal audit to focus on the critical risks to the organization, the
organizations strategy should be a foundational element when developing a riskbased audit plan. This will align internal audit with the organizations strategic
priorities and help ensure its resources are allocated to the areas of significant
importance.
3. When developing the audit plan, internal audit should leverage the work of
management and other assurance functions to help identify the risks that present the
most significant threats and opportunities to the achievement of an organizations
strategic objectives.
4. Strategic threats and opportunities will drive managements creation and prioritization
of the organizations short-term and long-term strategic initiatives or the
organizations most significant investments to deliver value to its stakeholders.
5. Internal audit should consider providing assurance services related to these strategic
initiatives when developing its audit plan. This will allow internal audit to assess
whether the strategic risks are being managed to an acceptable level through
evaluating some or all of the mitigation efforts. It also may provide the opportunity for
internal audit to deliver advisory services that directly impact the organizations
evolution.
6. After determining the strategic risks to include in the audit plan, internal audit should
assess whether all the required skills and knowledge exist in the internal audit
department to execute applicable assurance or advisory engagements. Specialized
Issued: June 2013
2013 The Institute of Internal Auditors

PA 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives

www.globaliia.org

skills and knowledge may need to be sourced (internally or externally) before the
internal audit department is qualified to perform the work.

Issued: June 2013

2013 The Institute of Internal Auditors

PA 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives

www.globaliia.org