By
SAHL HIJAZI, Purchasing Manager, BINZAFRAH GROUP
The difference(s);
Traditional auditing is associated with conducting tests to issue an opinion on the truth and fairness of the financial statements of the company being audited. These tests include tests on the internal controls that the company uses to produce figures in the financial statements, tests on the amount balances of the accounts, and tests on the overall posting system of its accounts.
On to information system (IS) auditing. Many people mistakenly assume that IS=IT, which it's definitely not. It's a common misconception that anything with the phrase INFORMATION SYSTEM is equivalent to INFORMATION TECHNOLOGY. In brief, information system is the system of how the information flows within a company, and it may be made up of sub-systems such as the purchase system, the sales system, the capital expenditure system, etc.
RBA is an audit process that explains how risk concepts are integrated into the strategies and approaches used for management systems. RBA provides:
• A mechanism for understanding the specific risks which may influence the achievement of the company objectives;
• A description of existing measures and proposed strategies for managing specific risks; and
• A mechanism for monitoring, performing internal auditing, and reporting practices and procedures
RBA changes the way internal auditors think and talk about risk. Instead of focusing on history, audit reports address the present and the organization's level of preparedness to deal with the future. Internal audit reports "complete the loop" between assurance of control in current operational plans and input to risk assessment for the strategic plan. RBA places an emphasis on risk-based internal audit reports rather than on traditional controls-based reports.
There are many differences between traditional audit and Risk-based auditing, if we talk about the audit plan:
Traditional audit focuses on the audit cycle (time duration, when the last audit occurred), on deficiencies in controls, and on cases of non-compliance with the policies and procedure manual, which may be outdated sometimes.
Whereas in risk-based auditing the audit plan is based on the assessment of the risks which impact the overall company objectives, and the audit plan includes projects to identify and assess risk responses that management is relying upon to manage those risks.
Risk-based auditing provides an in-depth understanding of the business unit operations through risk assessment workshops and with the participation of the unit managers and key staff, provides assurance that important risks are being managed properly, and makes more efficient use of IA resources by concentrating on risky units / areas.
Whereas in traditional auditing an understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P & P manuals, with audit staff spread all over the company trying to cover the audit universe, which sometimes extends to more than one year.
I have replied to a similar question before. Here is what I said then:
IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
By following RBIA internal audit should be able to conclude that:
1. Management has identified, assessed and responded to risks above and below the risk appetite
2. The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that
4. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
5. Risks, responses and actions are being properly classified and reported.
This enables internal audit to provide the board with assurance that it needs on three areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them
3. Complete, accurate and appropriate reporting and classification of risks
To those who are interested, I can share an excellent presentation by Grant Thornton on the subject. The presentation is in both Arabic and English and it discusses the following issues:
- Definition of risk based internal audit
- Risk based internal audit requirements
- Traditional approach vs. Risk based approach
- Risk based audit stages
By
Hussein Issa, Internal Auditor, specialised Leasing Company
Risk-based auditing:
It consists of multiple areas, including the new standards in the field of risk-based auditing, the internal control system, the concept of the internal control system, the objectives of the internal control system, the types of internal control system, the auditor's assessments of internal control risk, audit risks, self-assessment, the concept of risk, risk assessment, self-assessment methods, the advantages of self-assessment, and the practical procedures for building the annual audit plan.
As for traditional auditing:
It is carried out without preparing any plan for the audit engagement or preparing a work program and documenting samples, and it relies on the auditor's practical experience. Usually, those who prefer this type of auditing are not inclined to obtain professional certifications, and traditional auditing is fading away to a large extent.