We want to build an audit plan that focuses on what matters most to the achievement of enterprise objectives. Some call this objective-based auditing, but I prefer enterprise risk-based auditing, because (a) we are auditing {the controls over) the more significant risks to the achievement of enterprise objectives, and (b) we are not actually auditing the objectives.
I discussed this earlier in the year in Enterprise risk-based auditing.
Let’s say we want to base our audit plan on the results of management’s enterprise risk management program.
There are some steps we need to take before we can do that, including:
- Assess the reliability of their risk reports. Are they complete and reasonably accurate? Do they include the more significant sources of risk to every enterprise objective?
- Confirm that the risk reports are current.
- Evaluate the adequacy of those reports, in particular do they assess each risk as a range of potential effects, each with its own likelihood, or as a single point. If a point, what does that point represent?
If they are not sufficient to use as a basis for audit planning, then we can either work with management to upgrade them or substitute our own identification and assessment.
For the moment, let’s assume we can use management’s reporting.
Now we need to ask whether the risk…
