Risk-based Assessment Framework for Internal Auditing:
Determine the audit universe
- Identifies all organizational sources of potential engagements and all potential auditable activities; not limited to functions such as payroll or accounting but also considers specific activities within the function that pose potential risk.
- Varies depending on the industry or nature of the organization, for example, locations, processes, products, or divisions may be considered.
Examine Organizational Risk Factors
- Assesses internal and external organizational risks viewed more from the perspective of their impact on organizational goals and objectives rather than the extent of change within specific functions.
Consider potential engagement sources
- Involves discussing the audit universe with organizational senior managers to identify level of risk, planned new activities, and/or process changes.
- Incorporates enterprise risk management (ERM) results if the organization has an ERM process.
Prioritize Audits
- Evaluates proposed engagements.
- Establishes criteria and ranks the risks based on their significance to organizational success and the organization's risk appetite.
- Considers if the internal audit staff is sufficient to cover all the primary risks and whether some can be delayed and/or handled by external auditors.
- Leads to the annual audit plan.