CBOK: Auditing Strategic Risks

The insights on leading practices shared by CAEs are by turns familiar and fascinating when these leaders open up about how their internal audit functions work with management and the board to address three specific areas of strategic risk for their organizations: cybersecurity, IT projects, and capital projects.

The familiarity stems from the risk-based approach of audit leaders for these strategic risk areas, as well as what they say about the underlying enablers of effective “strategic auditing” – an activity that more board members, CEOs, CFOs, and other C-suite executives are encouraging internal audit to perform. CAEs consistently point to the value of internal audit’s early involvement in strategic initiatives, its risk-based auditing approach, internal audit’s credibility in the eyes of business partners, and the function’s capacity to thrive in an advisory manner. These critical building blocks have existed within top-performing audit functions for some time.