It is essential that the risk-based audit plan be built according to the strategic objectives of the company. However, in the absence of strategic objectives, how will it be managed? Will the plan be built at the level of processes and procedures? In this case, the work will be doubled and the risk of gaps in risk assessment will increase.
The internal auditor builds a risk-based assessment of a company on several factors and bases, even if the company does not have a strategic plan.
Understanding the Organization: This includes identifying the organization’s objectives, strategies, and structure.
Reviewing Key Documents: This can provide insights into the organization’s operations and potential risks.
Consulting with Key Stakeholders: Stakeholders can provide valuable insights into the risks facing the organization.
Internal Audit’s Risk Assessment: This involves understanding the significance of independent assessment, understanding business objectives, strategies, and risks, documenting risks, measuring risks, and validating risk assessment with management.
Accommodating Management and Board Requests: The internal audit function should be flexible to accommodate requests from management and the board.
Assessing Skills: The internal audit function should have the necessary skills to carry out the risk assessment.
Coordinating with Other Providers of Assurance and Consulting Services: This can help to ensure a comprehensive risk assessment.
Nature and Scope of the Business Unit and/or Function: The nature and scope of the business unit and/or function and the nature and scope of the product and/or service line.
Nature of Transactions: Their size, volume, complexity, or distinct geographic location.
Quality of the Current Internal Control Environment: The competence and integrity of the staff, the size of the unit, complexity of the unit operations, and extent of automation, amongst other factors.
It’s important to note that while the internal auditor can use other risk assessments conducted by other entities within the organization, they still need to apply their own independent professional judgment before using and integrating risk assessments conducted by functions other than internal audit into their own risk-based audit plans. Moreover, risk ought to be continuously assessed and the plan would ideally be periodically updated, with the same regularly reported to the audit committee for updates.