Risk management and auditing are related in that they seek to optimize the performance of an organization. In fact, risk management is often housed within the internal audit and compliance division of many corporations.
Risk management can very effectively support auditors by providing a framework for risk-based audit planning. One of the key functions of internal audit is assessing the effectiveness of internal controls – controls put in place to treat risks. How, though, do auditors decide which controls to target for their performance audits? Risk-based audit planning provides just the solution.
The risk management process clarifies an organization’s goals and objectives and identifies risks associated with their achievement. It then goes on to ask, “What are you already doing about those risks?”
These are your existing controls – the controls auditors are interested in verifying.
The risk management process then goes on to rate the likelihood and consequence of those risks in consideration of those controls, but this isn’t necessarily what the auditors need to know before planning their audit.
Auditors need to know the raw, or “inherent”, risk rating, which supposes there were no pre-existing controls in place. Only then can an assessment of the true importance of those controls be made, and the most important ones targeted in the audit plan.
At Enlightened Business Risk Solutions, we’ve built flexibility into our risk assessment process and risk register to allow for the assessment of inherent risk in the absence of existing controls. If you’re looking for a risk-based audit planning solution, we’ve got it.
Want to know more? I’d love to hear from you. If you have questions, comments or want to geek out about risk management, contact me: