3
USING THE CORPORATE RISK REGISTER
Evaluating management's risk processes is different than the requirement that auditors use risk analysis to plan audits. However, information from a comprehensive risk management process, including the identification of management and board concerns, can assist the internal auditor in planning audit activities.
—IIA Practice Advisory 2100-3
INTRODUCTION
This chapter addresses the important topic of the corporate risk register, otherwise known as the risk log/database. There is a growing school of thought that suggests that the audit universe is the risk universe. Moreover, the audit risk that drives audit's plans is primarily derived from risks that drive the organization's activities in managing threats and opportunities. Some commentators go so far as to argue that audit should simply adopt the corporate risk register into their plans and so align themselves entirely with what the entity views as the key risks to its continued success. The model developed here makes use of these ideas, developing them into a more well-rounded view of how and where the corporate risk register may be fed into the audit-planning process.
CORPORATE RISK REGISTER MODEL: PHASE ONE
Our first model looks at the main drivers that affect the audit's role in the organization in Figure 3.1.
Each aspect of the model is ...
Get Audit Planning: A Risk-Based Approach now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.