Wednesday 28 December 2011

Topic 3: Complete a Detailed Risk Assessment of the Area

In planning the engagement, internal auditors must consider:

  • The objectives of the activity being reviewed and the means by which the activity controls its performance
  • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level
  • The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model
  • The opportunities for making significant improvements to the activity's risk management and control processes

Audit engagements are chosen largely in response to enterprise-wide risk assessment. Assessing risk in an engagement area furthers organizational risk management by helping to ensure that:
  • The engagement planning is aligned with the entity-level risk assessment
  • The engagement planning leverages information from the entity-level risk assessment
  • The engagement is focused on risk
"Internal auditors must conduct a preliminary assessment of the risk relevant to the activity under review. Engagement objectives must reflect the results of this assessment".

A risk control matrix is a useful tool to help ensure that internal controls adequately account for risk at the engagement level and that all significant risks identified are addressed in subsequent fieldwork.

Risk Control Matrix Features:
  • Step 1: Identify business objectives
  • Step 2: Identify risks to business objectives
  • Step 3: Rate each risk in terms of likelihood and significance
  • Step 4: Identify the controls, e.g. Avoid, Share, Accept, Reduce and Increase
  • Step 5: Evaluate the adequacy of controls
  • Step 6: Test the effectiveness of controls
  • Step 7: Arrive at the final opinion on adequacy and effectiveness of controls
