Lara is an extremely proficient auditor in Alan’s company. She clearly understands that Enterprise Risk Management plays a key role in ensuring that the company audit programme is truly risk-based.
Scoping by Objectives
It is ideal to work backwards when building an audit plan with a risk-based approach. The process should start with defining the goals, then creating a process to deliver those goals, and only then move on to risks, controls and monitoring. An ERM risk taxonomy lets internal auditors pick a goal and retrieve the related business process risks, controls and tests across all areas of the organization.
Concentrating on high-priority items
An ERM software system helps identify control weaknesses in each sub-process and prioritize which risk, control and test combinations are truly important. This significantly trims the low-risk, low-impact audit content out of the company’s annual audit plans.
It is important to connect the physical assets, people, IT assets and vendor partners that contribute most to the business processes and their corporate objectives. Usually it is not a single vendor that is responsible for a failure, but a group of resources whose combined failure results in critical harm. Auditing resources in isolation is time consuming and needs sharp focus. With Enterprise Risk Management it is easy to combine individual resource evaluations with business process and vendor assessments. This prioritizes the failing aspects of the organization that require auditing.
Deep understanding of the business
Enterprise risk assessment data is not only useful for allowing the auditors to concentrate on high-priority items. If the data is detailed enough (i.e. risks linked to objectives, risk drivers clearly identified, controls documented and classified, etc.) and up to date, it helps the auditors develop a good understanding of the business in a relatively short period and prepare the initial audit visit programmes.
Having a simple framework in place breaks down complexity and encourages everyone in the organization to contribute to their control environment. A standardized set of criteria, applicable collectively, makes risk information accessible on a structured basis. A risk-taxonomy-enabled approach gives you the data and tools to practise resource-based scoping.
With these five key points Lara is one happy auditor, Alan a happy CEO, and Jack, as always, the superhero risk manager. What steps do you take in your organization to improve internal audit planning with ERM? Do share your thoughts.
Posts by Mohammed Nasser Barakat