Internal audit activities
to the work of the internal audit department. These activities include reviewing the
management of key risks, evaluating the reporting of those risks and evaluating risk
management processes.
The diagram also identifies activities that should not involve internal audit. These
activities include setting the risk appetite, imposing risk management processes and
taking decisions on risk responses. In between these two sets of activities there are
activities where it is legitimate for internal audit to become involved, provided that
suitable safeguards are in place. These activities include facilitating the identification
of risks, co-ordinating ERM activities, developing the ERM framework and
championing the establishment of ERM. The division of responsibilities set out
in Figure 35.1 is not just compatible with the three lines of defence approach; it
reinforces that approach and provides considerable detail on the allocation of
responsibilities. Use of the information shown in Figure 35.1 will help an organization
allocate responsibilities to management as the first line of defence, specialist risk
management functions as the second line of defence, and internal audit as the third
line of defence.
Establishing audit priorities is an important function of the audit department.
In relation to risk management activities, internal auditors will need to establish
their priorities for the testing of controls. There is an important interface between
risk management and internal control. Risk management professionals are very good
at assessing risks and identifying the appropriate type of control that should be in