The IIA has issued Practice Advisory 2200-2: Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement (PDF). This practice advisory (PA) provides strongly recommended guidance on using a top-down, risk-based approach to identify the key controls on which management relies to mitigate the significant risks to the organization identified in the internal audit planning process, and to include those controls in the scope of internal audit engagements. The new PA notes that adopting such a top-down approach will help ensure that internal auditors are focusing on “providing assurance on the management of significant risks,” as strongly recommended in Practice Advisory 2010-2: Using the Risk Management Process in Internal Audit Planning (PDF). The new PA also advises that the internal audit scope should include all controls, whether entity-level, manual, or partly or fully automated, and including controls related to IT, that are required to provide reasonable assurance that significant risks are being effectively managed. Additionally, the PA states that non-key controls can also be assessed if this would add value to the engagement.