Is risk-based audit the best approach?

When I became a chief audit executive (CAE) for the first time in 1990, I determined that a risk-based approach was not sufficient.

A risk-based approach focuses on how well management can handle a potentially bad event or situation. It assesses the design and operation of the internal controls relied upon to prevent losses or other bad effects, such as financial statement errors, fraud, or reputation damage.

The risk-based approach is suggested by IIA Standards, as described in Risk Assessment in Audit Planning from IIA Belgium that Marinus de Pooter was kind enough to share with me. It quotes relevant IIA Standards:

  • IIA Standard 2010 … requires “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit.”
  • IIA Standard 2010.A1 … requires that “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process”.

It says:

  • These standards require the Head of Internal Audit (HIA) to develop a risk-based plan. The HIA should take into account the organisation’s risk management framework, including risk appetite levels set by management for the different activities or parts of the organisation. If a risk…
