Traditional versus Risk-Based Audits
To ensure organizations reach their objectives, it is imperative that internal audit reviews the controls in place to reduce the risks their companies face. In order to distinguish this process from ‘traditional’ internal auditing, the term ‘risk-based internal auditing’ was coined.
Risk-based internal auditing begins by assessing an organization's objectives and providing an opinion as to whether internal controls are reducing the risks that threaten those objectives to acceptable levels. Based on the opinions formed, it is then determined whether those objectives will be achieved. In contrast, traditional internal audit is limited to considering the controls over financial and fraud risks, and possibly IT risks.
Today, risk-based internal auditing is the standard expected for internal auditing. According to the Chartered Institute of Internal Auditors, risk-based internal auditing allows internal audit to conclude that:
- Management has identified, assessed and responded to risks above and below the risk appetite
- Responses to risks are effective but not excessive in managing inherent risks within the risk appetite
- Action is being taken to correct situations where residual risks are not in line with the risk appetite
- Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
- Risks, responses and actions are being properly classified and reported
In this white paper, we will look at how auditors can assess, respond to and analyze the risks they encounter during a risk-based audit.
Read the white paper Data analytics: The key to Risk-based auditing