When enterprise risk-based audit plans are not enough

I am a huge believer, as are most leading internal audit practitioners (IMHO and I hope the IIA’s Standards Board will come around), in enterprise risk-based auditing.

That means that the audit plan is designed to provide assurance, advice, and insight on the more significant sources of risk to the organization and the achievement of its objectives.

It means that the audit plan is carefully scrubbed and cleansed of audits of lower-level risks (such as risks to auditable entities), because that time is needed to focus on more important areas. Similarly, the scope of planned audits is scrubbed of areas of low risk to focus on the high-risk areas.

But, as the title of this blog says, taking a risk-based approach is not quite enough.

There are two reasons:

  1. Even audits of seriously important sources of risk can sometimes deliver little value.
  2. Areas with known problems may merit our attention, even if a purist would not say there was a “risk”.

Taking each of those in turn.

When I was CAE of Solectron Corporation, a major problem (a major contributor to its eventual demise) was that it had too many manufacturing and assembly plants around the world.

Over the years, it had grown through acquisition and while it had a few large plants (in Suzhou, China; Penang, Malaysia; Charlotte, North Carolina; and Milpitas,…
