Risks and business conditions change all the time, so an annual plan or even one that is updated quarterly won’t lead to auditing what matters today. You audit what used to matter.
Risk management is as critical in the not-for-profit sector as it is in the for-profit world. The more common definition of risk is the chance that events prevent an organization from achieving its objectives. In reality, risk is the possibility that events will affect the achievement of objectives.
Why is risk management in SMEs better than in large corporations? Here are my comments.