According to the CRISC Review Manual (Digital Version), the primary reason a risk practitioner would be interested in an internal audit report is to evaluate the maturity of the risk management process, as it provides an independent and objective assessment of the effectiveness and efficiency of the risk management activities and controls. An internal audit report helps to:
Identify and evaluate the strengths and weaknesses of the risk management process and its alignment with the organization’s objectives and strategy
Detect and report any gaps, errors, or deficiencies in the risk identification, assessment, response, and monitoring processes and controls
Recommend and implement corrective actions or improvement measures to address the issues or findings in the risk management process
Communicate and coordinate the audit results and recommendations with the relevant stakeholders, such as the risk owners, the senior management, and the board
Enhance the accountability and transparency of the risk management process and its outcomes
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 223-2241
Submit