Pick audits to perform that can make a real difference
I continue to see internal audit functions performing audits that are highly unlikely to make a difference to the success of the organization.
One article I saw that was (sadly) on the IIA’s blog site asserted that risk-based auditing ensured that every entity in the audit universe is audited at least once every few years. The article thought that the level of risk determined how often the entity might be audited.
If an entity is low risk, there are always other areas that should be audited first. One might argue that the longer an area goes unaudited, the higher its risk becomes, but that is usually not true. If the entity represents 0.5% of corporate revenues, it will never be a high risk.
In a presentation on agile auditing, the entirety of an entity (in this case, a process) was audited pretty much every year. Risk was used to determine which aspect of the process would be audited first. I read the same in an article by a different internal audit leader.
May I suggest two principles:
- Only perform audits where the risk to the enterprise (not just an entity within the enterprise) is significant.
- Focus audits on areas where, if controls are not…