It seems pretty clear that knowing the risks involved in an operation and having mitigation plans for them is essential for any company that wants to remain stable over time.
But what about internal auditing? Should the selection of processes and areas to be audited take those risks into account? Should a risk assessed as low impact but relevant to senior management be considered?
In this article, Norman Marks analyses these issues by sharing real cases he has experienced in his professional life. He also assesses how the auditing standards proposed by The Institute of Internal Auditors address the issue and provides important insights into the topic.