Should internal audit assign dollar values to every risk it reports?
author: AcadiFi Team
Answer:
No. Internal audit should quantify exposure when the audit evidence supports it and when quantification helps the conclusion. For example, duplicate payments, missed discounts, or known exception dollars may be calculated from the tested population.
But many risks are not cleanly reduced to one dollar value by internal audit. Cyber, safety, regulatory, reputation, and strategic risks may need scenario analysis, qualitative severity, or ERM methodology. Risk management and business owners usually own enterprise risk valuation and response.
Internal audit's responsibility is to present supported evidence, risk implications, and conclusions. It should not invent dollar values just to satisfy a risk-register field.