The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.
In early July 2021, the BIS issued a paper on the regulatory requirements for digital payment and e-money services offered by non-bank service providers (“non-banks”). The paper addresses the proliferation of non-banks in retail payments and the questions that are related to their regulation.
Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.