Businesses must resist the urge to rely on their auditor as their personal trainer. Risk management needs to be an ongoing process that creates a perpetual state of assurance. Auditors should not be pushing internal risk managers to the finish line in order to get them everything they need to perform the audit. Instead, auditors should be at the end of the race and clocking in the time for the work risk managers have already done. By trusting a knowledgeable team of risk managers rather than relying solely on in-house staff, businesses have the assurance that their systems are being managed efficiently.”]
Source: https://informationsecuritybuzz.com/articles/maximizing-risk-management-efficiency/