7

KEEPING THE ACCENT ON RISK

Risk—The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

—IIA Glossary of Terms

INTRODUCTION

We have used the term “risk-based audit planning” throughout this book to highlight the way audits can be aligned to the risk management process that operates within the organization in question. This short chapter seeks to reinforce the focus on risk by developing a suitable model. Risk-based audit planning is about:

  • Targeting high-risk areas for audit coverage.
  • Promoting a discussion of risk with the management.
  • Starting with risk as the first step in the risk-based auditing process.
  • Building a role for internal auditing within the ERM framework.
  • Developing good knowledge of risk appetite, risk triggers, and the corporate approach to risk management.
  • Enabling audit to validate the risk management process that runs across the organization.

One view suggests that there are several different approaches to planning audit work:

Systematic risk scoring. Here, key factors are developed to reflect the audit view of risk and then the entire organization is scored against these factors. The approach is logical and can be consistently applied across the organization. A database of relevant factors can be compiled to represent the risk assessments, which can be weighed and updated as new information comes on line. The drawback is that the approach is old-fashioned and suggests ...
