What is risk-based auditing? | Norman Marks on Governance, Risk Management, and Internal Audit


I am a huge believer in risk-based auditing and have been practicing it ever since I became an internal auditor many years ago.

Some refer to risk-based auditing with an acronym of RBIA (making it clear that it is about internal rather than any other form of auditing).

I prefer to add an ’e’, making it eRBIA or enterprise risk-based (internal) auditing.

Let me explain why.

There are zillions of risks in any organization. They range from the trivial to the critical.

I have seen audit reports that talked about speeding on company property. My response was to ask why the auditor had wasted their time on the issue. Yes, there was a safety risk, but the auditor didn’t look at several risks, such as in the unit’s supply chain, that were far more important to the success of the organization.

But before all of that, when I had just joined a major financial institution, I learned a very important lesson.

I got a call from the executive assistant to the company’s president, Mario Antoci. He was a brilliant and very busy man, as you might expect. He received a lot of reports from across the organization, including quite a few audit reports.

She told me that he had asked her to review every report coming into his office and highlight those parts of the report he needed to read and pay attention to. In other…
