(A couple of caveats. I speak as an internal auditor, with a background in food service and deckhanding. I'm ISACA Platinum, which is more like Centrum Silver than American Express Gold, i.e., it is bestowed upon age. I'm an autodidact when it comes to information risk analysis, but I'm trying to learn.)
Firstly, the standards. The Red Book, or more correctly, the International Professional Practices Framework, includes the following standard (2010 A1):
The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
So, every internal audit shop has to perform a risk assessment annually, and use it to plan which audits will be performed in the next year.
This type of risk assessment evaluates "audit risk," defined in Sawyer's Internal Auditing (from my raggedy 4th edition, Part 3 Scientific Methods* Chapter 8 "Risk Assessment") as the following:
A heavy dose of "professional judgment" (also known as "the gut") is used in this method. The output of this assessment prioritizes the auditable units (chunks of business functions which make up the audit universe) and cranks them through the cycle to maintain "coverage." Purchasing on even years, Accounts Payable on odd, et cetera. Areas with weak controls and lots of potential loss should probably float to the top. This method is old fashioned even for the conservative internal audit profession, but it has the backing of some of the AICPA's more ancient Statements on Auditing Standards. The resulting assessment is used internally for audit's planning purposes, and, from talking to my peers in industries without a regulatory mandate to perform risk assessment, it may be the only organization-wide assessment that gets performed. The methods vary, as do the results.
The recent revisions to the Red Book standards state that internal auditors "must evaluate the effectiveness and contribute to the improvement of risk management processes." So a shop that follows standards will be in the business of whoever is performing the "risk management" function, including "information systems." Internal auditors can't manage risk, but can help assess.
From my perspective, a lot of internal auditors have a lot of experience in an old fashioned style of risk assessment, and end up with a gut quantification exercise. There may be some bet hedging, vindictiveness and four tons of politics involved in the process (see above as to who must have input into it), and, in the end, the board will get what it wants. Quality and sophistication of boards will vary widely, and if they want red, yellow, and green heat maps, by gum they are going to get it. If they want quant analysis, they'll get that too, especially if there is overlap between the Audit Committee and the Risk Committee.
Personally, risk assessment season is approaching for my shop, and, with Hubbard and FAIR in hand, I'm working with our CAE to get together at least some quantitative analysis. Gotta start somewhere. I'll get the blame regardless.
*I think I hear a head exploding somewhere.