There’s an old joke:
Q: How do you eat an elephant?
A: One bite at a time.
You could also ask:
Q: How do you audit the entire system of internal control (i.e., for all objectives)?
A: One audit of high sources of risk at a time.
The answer is the essence of (enterprise) risk-based auditing.
Now extend it:
Q: How do you audit the processes and practices of risk management?
A: One audit of high sources of risk at a time.
That is one of the principles behind my new book, just published on Amazon (and described in a separate tab on this web site).
Risk management is practiced (in one way or another) in every corner of the organization, from objective-setting to both strategic and tactical decision-making, project management, performance reporting, and board oversight.
It’s everywhere.
Just like an elephant or the entire system of internal control (over operational, financial, compliance, reporting, and other objectives), it’s too big to eat in a single bite.
So we need to audit it in pieces.
But which pieces?
Audit those pieces where a failure in process or practice would represent the greatest “sources of risk” to the organization.
In other words, take a risk-based approach to the audit of risk management.
Why should you audit risk management?
Because ineffective risk management means you probably have…
