Internal Audit Risk Assessment Explained

Written by Sargon Youmara, Partner, Vonya Global

Head in the SandRisk assessment is a recurring, systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of strategic objectives, positively or negatively.  An Internal Audit risk assessment is an evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives.  The assessment considers the impact of risks to stakeholder value as a basis to define the audit plan and monitor key risks. This enables the coverage of Internal Audit activities to be driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic drivers for the organization.  Leading organizations will:

  • Complete an Internal Audit risk assessment annually.  For risk assessment to be recurring and systematic, it must be performed consistently.  This allows Internal Audit to identify, capture and update risks while aligning those risks with the organization’s strategic objectives.
  • Incorporate all organizational processes in risk assessment, including financial, operational, compliance and information technology.  This allows Internal Audit to truly focus on the highest risks without limitation to a specific department, group or category of risks (e.g. limiting to Finance department only).
  • Integrate other risk assessment processes with the Internal Audit risk assessment.  Consolidating the results of all risk identification processes (e.g. Enterprise Risk Management risk assessment) with the Internal Audit risk assessment provides a complete risk profile of the organization and potentially better deployment of Internal Audit resources toward those areas of highest risk.

While many public and private organizations under $400 million in annual revenues do not have an Internal Audit department, it is no longer feasible for these organizations to fly blind.  It is critical to have a systematic process to identify risks and evaluate the severity of these risks to the business.


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has over 15 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects to a wide-array of companies from start-ups to multi-nationals. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:
– Creating “start-up” Internal Audit Departments
– Evaluating Internal Audit Department Effectiveness
   (QAR and Internal Audit Capability Maturity Model)
– Reducing risk in international operations

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.