Improving the Efficiency and Effectiveness of Risk‐Based Internal Audit Engagements

Abstract

The role of internal auditing in assisting with the mitigation of key risks threatening organisations has increased, not least, for example, in ensuring that engagements are performed more effectively and efficiently, and that all the key risks of organisations are addressed, but also to ensure that scarce internal audit resources are used optimally. This article describes the development of a model that can be used by internal auditors to perform this task. The model was developed from a study of the academic literature, current business practice norms, and other documentation whereafter it was tested in a practical scenario, and input from heads of internal audit departments in prominent South African organisations was obtained. The findings of the study, inter alia, support the use of the model. However, a concern is that the risk management strategy currently implemented by organisations is not mature enough for internal auditing to rely on the outcome of the risk management process, a prerequisite for the model to function optimally. A second concern is that internal auditing is reluctant to use a pure risk‐based approach when performing audit engagements and still prefers to use a control‐based approach with more emphasis placed on high risk areas.