RISK BASED AUDITING Over the past few years, the need to manage risks has become an important part of good corporate governance practice. The increasing pressure on organisation to identify all business risks and explain how they manage them. With the responsibility of identifying and managing risk lying with the management, the role of internal auditor is to provide assurance that those risks have been properly managed. What is Risk Based Internal Audit Risk Based Internal Audit is a methodology that explains how risk concepts are integrated into the strategies and approaches used by the management and provide assurance that risk is being managed and are within the defined risk appetite level. It is the risk management framework that provides mechanism for understanding specific risks which may influence the achievement of the company objectives. Risk based auditing provides better understanding of existing and proposed strategies and measures and a mechanism for monitoring and reporting practices and procedures. Traditional Approach vs Risk Based Approach Traditional approach emphasized on evaluation of controls. But without first understanding the purpose of business and risk associated with the business, it provided no context for the results. How can internal auditor know which areas and procedures are riskier and need more thorough examination? Excessive focus on strengthening internal controls slows down processes and reduces value addition to the work. Examining controls which were designed to deal with issues when system was implemented may or may not be relevant for current risks because they are monitoring risks which are no longer important but also don’t even exist. Risk based approach changes the way we think about risk. Instead of just focusing on outdated controls, the Internal Audit Report addresses the risk associated with current procedures and strategies and how the organisation can deal with future changes in business environment and risk associated with those changes. Risk based approach completes the loop of assurance of control in current operations and provide input for risk assessment for the strategic plan and achieving organisational objectives. Risk based approach places emphasis on risk based internal audit reports rather than traditional control-based reports. Advantages of Risk Based Audit Risk Based Audit is evolving rapidly and is at the cutting edge of internal audit practice. Even though it is more difficult to manage than traditional methods, advantages of risk-based audit are far much greater. By implementation of Risk Based Approach, internal auditor should be able to conclude that:
- The management has identified, assessed and responded to critical and high-risk areas.
- The actions taken against risks are effective but not too excessive to manage inherent risks.
- Risk Management Processes are being implemented and monitored by management and continue to operate effectively.
- Risks, responses and actions are properly classified and reported.
- Organisation becomes more proactive rather than being purely reactive.
- Value addition because it can evaluate if the processes within system are operating effectively and efficiently.
- Residual risk is not in the risk appetite level.
- Assessment of Risk: Analysing to what extent the management assess, manage and monitor the risks and the reliability of the data obtained for planning future audits.
- Planning the Audits: Identifying and prioritising all high and critical risk areas on which the management requires objective assurance and the risk management process for management of key risk areas and reporting of risks to plan for periodic audit assignments.
- Individual Audit Assignments: At this stage, individual risk assignments are carried out to provide assurance on part of risk management process.