The IIA Risk Resource Exchange 

Risk Publications and Guidance

Today’s business environment is characterized by mounting pressures for stronger, more effective risk management. There is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in this continuously evolving world. Audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprisewide risk assessments. The IIA has developed the Risk Resource Exchange: a comprehensive resource for professionals around the globe on risk guidance, publications, training, events, and more.

In Any Kind of Weather
One year after COSO issued its updated ERM framework, many internal audit functions are working to apply the new framework to help their organizations weather risks that are on the horizon. Paul Sobel reflects on how, through its assurance and advice, internal audit can help the organization apply the framework’s principles.

Read more.

Making an Impact
What emerging risk areas can internal auditors examine to increase their impact in the organization? Gregg Hart, vice president of internal audit (CAE) at Penske Truck Leasing, provides his recommendations in Part 1 of this Audit Channel video.

Watch now.

Learn How to Audit Third-party Provider Risks
This new practice guide informs chief audit executives and their audit teams about the roles, responsibilities, and risks involved in managing third-party provider risk. It offers tools and guidance on how to plan and execute audits that provide organizationwide value.

Get your copy now.

Global Knowledge Brief: Climate Action
Climate actions will impact compliance, operational, and reputational risks and opportunities for organizations in all sectors and across all industries. Internal auditors should obtain sufficient knowledge to evaluate the organization’s risks and management processes related to climate change, climate actions, and sustainability. This primer is a good place to start.

Download the report to read more.

Risky Relationships
Trust is integral in working with third parties. Internal auditors can help their organization ensure that trust is fostered and maintained. A holistic audit strategy can provide confidence in the performance of third-party partners.

Read more.

Auditing Third-party Risk, Part 1
The IIA’s EVP and COO Bill Michalisin recently sat down with Stacy Juchno, general auditor at PNC Bank, and Brian Portman, principal at EY, to talk about why auditing third-party risk is such a hot-button topic in the marketplace today.

Watch now.

Misunderstood Risks & Constrained Auditors
The collapse of Carillion, the United Kingdom’s second-largest construction firm, sent shock waves through the corporate governance community. Learn more about what went wrong and strategies on how your organization can better prepare to refocus on disruptive risks.

Download your FREE copy now.

Video: Cybersecurity: Threats and Expertise
Nathan Anderson, senior director of internal audit at McDonald’s, discusses the most significant cyber threats facing his organization and the types of expertise internal auditors need to address them on The IIA’s Audit Channel.

Watch now.


How Are Global Organizations Combatting Corruption?
Find out in the Internal Audit Foundation’s newest report, “Auditing Anti-Bribery Programs.” It highlights initiatives that leading global organizations are implementing and discusses how national laws are impacting global operations.

Download your complimentary copy today!

Help Your Organization Move from Crisis Aware to Crisis Resilient
Are you among the 39 percent of recent survey respondents who said they have no plan to address reputational risks? Find out how to prepare your organization to resist, react to, and recover from a crisis in the latest Global Perspectives and Insights report on Crisis Resilience.

Download your copy.

New Global Perspectives and Insights Focuses on Auditing Culture
High-profile business scandals across the globe in 2015, from alleged corruption within FIFA to Volkswagen’s much-reported emissions scheme, have put a spotlight on how wayward corporate cultures can contribute to tangible negative outcomes. The new issue of Global Perspectives and Insights, Auditing Culture — A Hard Look at the Soft Stuff, makes the case that internal audit can enhance its value to an organization by auditing culture and provides a comprehensive look at how it can be accomplished.

Practice Guide: Internal Audit and the Second Line of Defense
Many organizations are restructuring responsibilities, ensuring governance and monitoring functions collaborate more closely to avoid duplication. With this change comes an additional weight for the chief audit executive; they may be asked to assume responsibilities for risk management, compliance, and other governance functions. Navigating through this process can be challenging; as a result, this guidance was developed to assist practitioners in making effective decisions regarding roles and responsibilities to assume related governance of risk management and controls.

Learn more and download.

Who Owns Risk? A Look at Internal Audit’s Changing Role
Who owns risk? The literal answer is “not internal audit.” However, there is no question that internal audit has helped organizations better understand and manage risk in the past and will undoubtedly play a valuable role in the future.

This report provides insights into the status of risk management and the role of internal audit around the world and lays out 13 key actions that can help chief audit executives (CAEs) and internal auditors ensure that their internal audit function is properly positioned to address risk challenges in an ever-changing world.

Responding to Fraud Risk: Exploring Where Internal Auditing Stands
Recent high-profile cases of fraud have captured media attention and the scrutiny of regulators worldwide. This report offers current global analysis of the importance of fraud risk to internal audit and stakeholders.

Combined Assurance: One Language, One Voice, One View
In increasingly complex organizations, where more and more players are involved in providing different measures of assurance, how can we prevent management from being overwhelmed by information and reports and succumbing to “assurance fatigue”? This report assists internal audit functions and their organizations to embark on the combined assurance journey. Internal audit has a key role to play in both the implementation and the coordination of activities as well as ongoing improvement.

Internal Audit Must Adapt to Tech Risks
A new report from the Internal Audit Foundation, Staying a Step Ahead, Internal Audit’s Use of Technology, reflects how internal audit is embracing technology. Based on data from the 2015 Common Body of Knowledge Practitioners Survey, the report provides insight for where the profession needs to go to help organizations keep up with ever-evolving technology and the risks it creates.

Navigating Top 10 Technology Risks
A new report from the Internal Audit Foundation ranks the biggest tech risks and outlines internal audit’s role in managing them. The authors of Navigating Technology’s Top 10 Risks developed the ranking based on data from the CBOK 2015 Global Internal Audit Practitioners survey as well as interviews with chief audit executives (CAEs) from around the world.

IIA–South Africa: Corporate Governance Index – An Internal Audit Perspective
IIA–South Africa has released the third edition of its Corporate Governance Index – An Internal Audit Perspective, a result of a survey completed by Chief Audit Executives (CAEs). It details the current state of corporate governance in South African organizations as perceived by its CAEs.

Kendallville Bank Case Study from the Anti-Fraud Collaboration
The latest installment from the Anti-Fraud Collaboration case study series offers insights to help build awareness of financial fraud deterrence and detection.

Leveraging COSO Across the Three Lines of Defense
In Leveraging COSO Across the Three Lines of Defense, authors Douglas J. Anderson and Gina Eubanks make a strong case for using the Three Lines of Defense Model, which addresses how specific duties related to risk and control should be assigned and coordinated.

Driving Success in a Changing World: 10 Imperatives for Internal Audit
Driving Success in a Changing World: 10 Imperatives for Internal Audit, developed from data gleaned from The IIA’s Global Internal Audit Common Body of Knowledge (CBOK) practitioners’ survey, offers direction to help internal audit professionals expand their skills and add value to their organizations.

IIA Introduces Updated Guidance Framework
The IIA has unveiled enhancements to its International Professional Practices Framework (IPPF)®. Among the most significant enhancements to the IPPF are the introduction of a Mission of Internal Audit and articulation of 10 Core Principles for the Professional Practice of Internal Auditing.

IIA Practice Guide: Auditing Anti-bribery and Anti-corruption Programs
IIA implementation guidance on auditing anti-bribery and anti-corruption programs.

2015 North American Pulse of Internal Audit
The 2015 North American Pulse of Internal Audit showed that CAEs consider emerging risks to be one of their greatest challenges, but it also found that only a third of respondents have a high degree of confidence in their ability to identify such concerns.

IIA Letter on Audit Committees Published in Wall Street Journal
The Wall Street Journal published a Letter to the Editor from IIA President and CEO Richard Chambers Feb. 12 about audit committee members being open to expanding their roles.

Tone at the Top: Cybersecurity: They’re In. Now What?
Read the November/December 2014 issue of Tone at the Top and learn how organizations can approach cybersecurity breaches.

Combining Internal Audit and Second Line of Defense Functions? Read this white paper from IIA–Netherlands.

IIA–Netherlands published a white paper on the pros and cons of combining internal audit and second line of defense functions. The white paper addresses the key question asked by many boards and committees: Can internal audit work independently and objectively if support is provided on risk management, compliance, and internal controls?

Internal Audit Coverage of Risks to Achieving Strategic Objectives: IIA Practice Advisory 2120-3.

The IIA outlines six guidelines to assist internal audit departments in understanding and providing coverage of risks to organizations achieving their strategic objectives.

Internal Audit Foundation Research Report, in partnership with ISACA: Cybersecurity: What the Board of Directors Needs to Ask.

This report helps directors know how they should react to cybersecurity breaches and what to do, understand that cybersecurity is an enterprisewide issue, not just an IT issue, and know what the IT auditor’s role is in helping the Board of Directors address the issue. The report also outlines the NACD’s five principles for the board, and provides a list of top questions every board needs to ask.


IIA South Africa Report: How to Effectively Review Your Organization’s Risk Management Process

This report’s emphasis is on sharing practical risk management advice needed by internal auditors on providing assurance over the risk management process.


Internal Audit Foundation Research Report: Becoming a Strategic Auditor: Tying Risk to Strategy

Businesses today are spending more time on strategic issues and seeking more help from those with strategic capabilities. This has created a unique opportunity for internal auditors to help their organizations both manage their risks and achieve their strategic goals.


2014 North American Pulse of the Profession Report

In this annual report, The IIA’s Audit Executive Center shares the results from the 2014 Pulse of the Profession survey and provides insight on current trends and emerging issues relevant to the profession.


2014 Global Pulse of the Profession Report

In this report, The IIA’s Audit Executive Center cross-references the Global Pulse of the Profession survey findings with outcomes from similar global reports issued by KPMG International, PwC, and Protiviti. The result is a robust view of challenges facing the profession along with strategies to overcome those challenges.


IIA Practice Guide: Coordinating Risk Management and Assurance

Implementation guidance on coordinating risk management and assurance activities within the organization.


IIA South Africa Report: Issuing an Assessment in Terms of King III

The King III report requires an objective assessment of the effectiveness of risk management and the internal control framework. This report provides practical guidance to fulfill this requirement.

IIA Practice Guide: Auditing Privacy Risks, 2nd Edition

Implementation guidance on auditing privacy risks.

Internal Audit Foundation Research Report: Contrasting GRC and ERM: Perception and Practices among Internal Auditors

This Internal Audit Foundation research report looks at the perceptions and practices among internal auditors on the difference between GRC and ERM.

IIA UK/Ireland Guidance Booklet: An Approach to Implementing Risk-based Auditing

Report documents why risk-based auditing should be introduced, how it can be implemented, and the advantages of a risk-based approach.

IIA Global Technology Audit Guide (GTAG): Information Technology Risk and Controls, 2nd Edition

Implementation guidance on information technology risk and controls.

IIA South Africa Report: Risk-based Auditing

This report looks at the need in the business world today for effective corporate governance and risk management practices.

IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control

The IIA’s position on the three lines of defense in effective risk management and control.

IIA Spain Research Report: Definition and Implementation of Risk Appetite

Report evaluates the process of defining and implementing risk appetite and what Boards and management should consider.

October 2013 North American Pulse of the Profession Report

The IIA’s Audit Executive Center looks at the trends and insights emerging from the most recent Pulse of the Profession Survey.

April 2013 Global Pulse of the Profession Report

This global report summarizes feedback from the 1,700 internal auditors around the world who participated in the 2013 Pulse of the Profession Survey.

March 2013 North American Pulse of the Profession Report

In this semiannual report, The IIA’s Audit Executive Center looks at the results from the Pulse of the Profession Survey to provide insight into the state of the profession for 2013.

IIA UK/Ireland 2013 Governance and Risk Report

This 2013 report from IIA UK/Ireland documents the results of an annual survey covering important and emerging governance and risk topics.

IIA Practice Advisory 2200-2: Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement

An interpretation on using a top-down, risk-based approach to identify the controls to be assessed in an internal audit engagement.

IIA Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity

Interpretation on managing the risk of the internal audit activity.

IIA Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures

Interpretation on linking the audit plan to risk and exposures.

Internal Audit Foundation Research Report: Internal Auditing’s Role in Risk Management

Increasing economic pressures are moving organizations to increase the effectiveness of risk mitigation efforts and focus on a more holistic approach to risk management. As a result, the role of internal auditing in risk management is focused on ways to identify and assess the organization’s strategic risk.

IIA Position Paper: The Role of Internal Auditing in Enterprise Risk Management

The IIA’s position on the role of internal audit in enterprise risk management.

IIA Practice Advisory 2010-2: Using the Risk Management Process in Internal Auditing

Interpretation on using the risk management process in internal auditing.

IIA Practice Advisory 2110-2: Governance: Relationship with Risk and Control

Interpretation on the relationship between governance and risks and controls.

IIA Practice Advisory 2210.A1-1: Risk Assessment in Engagement Planning

An interpretation on performing risk assessments during the planning phase of an engagement.