Spoiler alert – your next internal audit finding will include risk management
Dan Meredith
4/15/2025


If you're preparing for an internal audit and thinking, "risk management isn’t really in scope," think again. The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) has made it crystal clear: risk-based auditing isn’t a trend, it’s the standard.
That means every engagement, regardless of its specific focus, will almost certainly evaluate how well risks are being identified, assessed, evaluated and treated.
Whether you’re being audited on operational areas or functions such as procurement, cybersecurity or HR, auditors are expected to ask:
👉 What are the risks associated with the work?
👉 Have they been identified, assessed and evaluated in line with a standard (e.g. ISO 31000)?
👉 Are the controls appropriate (as well as in place and effective)?
As such, if your business lacks a clear, structured approach to risk management, or treats it as a once-a-year checkbox exercise, then don’t be surprised when audit observations go beyond immediate control failures and start pointing to gaps in your broader framework.
It’s not about "catching you out"; it’s about aligning assurance with strategy. Having an effective risk framework is a key success factor for achieving strategic objectives, making it a natural fit for any internal audit activity.
So yes, your next internal audit will include a focus on risk management, whether it's in scope or not.
Reach out to ⚡Virtus Advisory⚡ to discuss.