15–14. Schedule Internal Audits Based on Risk
Scheduling areas of a company for internal audits is usually an arcane process. The audit committee presses to have a few “pet” areas investigated, some department managers demand reviews of other areas, and others put considerable effort into avoiding reviews on the grounds that they take up too much staff time. The internal audit manager is caught in the midst of this maelstrom, trying to please everyone while still scheduling audits for those areas in which he or she has a feeling that some problems may lurk. A simple way to revise this scheduling process is to base all audits on the concept of risk to the company.
To schedule based on risk, a company must devise a ranking of risk levels, with number one being any potential control problem that could place the company in grave financial danger, and lower levels of risk assigned to lesser categories. The internal audit manager then assigns a risk ranking to each requested audit and also reviews other control areas to see whether there are areas of risk that are not currently being addressed. The upshot of this process is a clear, highly defensible ranking of audit reviews that focuses the bulk of company audit attention on those few key control processes that are most at risk of causing financial trouble.
The main issue to be aware of is that the internal audit committee should formally ...