First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Occasional Contributors | 3 Minutes Read September 28, 2016

Survey results: Risk-based internal audit planning

My thanks to the 232 people who answered my short survey.
I wanted to know how many have shifted to basing their audit plan on risks to the enterprise (perhaps linked to their organization’s ERM program); how many remain with the traditional approach of addressing risks to individual processes, business units, or locations; and how many are somewhere in between.
As a reminder, in the traditional approach, an ‘audit universe’ is built, listing all the organization’s business units, divisions, locations, processes, and so on. That list is then ‘risk–ranked’ using attributes such as revenues; assets employed; number of employees; complexity; time since last audit; severity of issues in last audit; whether new systems have been deployed; whether new management is in place; and so on. The entities that rank highest are included in the audit plan. Prior to each audit, a second risk assessment is performed to identify the more significant risks to that entity.
The enterprise risk-based approach starts with understanding the risks to the organization’s objectives and strategies. The risks disclosed in regulatory filings are considered, as are major new initiatives approved by the board. If the organization has an enterprise–wide risk assessment in place that can be relied upon, it is usually a major driver. The goal is to identify the more significant risks to the successful achievement of enterprise goals, objectives, and strategies. It is more of a top–down approach. When individual risks are considered, such as privacy, cyber, or reputation risk, they are assessed based on their potential effect on the organization as a whole.
Here are the results.

  • 11% Risks to the enterprise
  • 15% Risks to individual auditable entities such as processes, locations, business units
  • 32% A combination of the above, but more enterprise risks
  • 42% A combination, but more at the process, business unit, or location level

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization.
Somewhat more have weighted their plan towards the micro level than the macro level.
So what does this all mean?
My personal assessment is that this reflects solid progress from the traditional (i.e., micro level) towards the enterprise risk-based approach I advocate. But room for improvement remains.
While I agree that certain ‘micro’ risks need to be addressed in audit engagements, I believe that is because they are important to the enterprise as a whole – in other words, although the source of the risk is ‘micro’, I would actually call them ‘macro’ risks. For example, the safety of workers at a single factory might be considered a micro risk. But, I would include a related engagement in the audit plan if I believed that a failure to manage safety risk in that single factory represented a significant risk to the enterprise as a whole. I would not address it otherwise (absent other factors, such as a request from the board or CEO), because there are always more significant (to the enterprise) risks than I have resources to address.
So, I think the results are encouraging.
Hopefully, this will trigger the consideration of the enterprise risk–based approach by those with a more traditional methodology. Let’s audit the risks that matter to the leadership of the organization, what KPMG calls “critical risks”. If we don’t do that, the value gap between board and C–suite expectations (that we provide advice, insight and assurance on the issues they face as they lead the organization) and what IA delivers will persist.
I also believe that The IIA Standards Board should review its risk assessment standards. Do they support the enterprise risk-based approach, or are they only directed towards the traditional methodology? I believe that when they say that a risk assessment should be done for every engagement, focused on risks to the entity being audited, they are falling behind emerging best practices.
I welcome your comments.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Copyright © 2009 - 2022 · First Reference Inc. · All Rights Reserved