Internal control is not the only strategy for success in the high-stakes game of risk management.
Risk assessment in internal auditing identifies, measures, and prioritizes risks so that focus is placed on the auditable areas of greatest significance. In individual audits, risk assessment is used to identify the most important areas within the audit scope. Risk assessment allows the auditor to design an audit program that tests the most important controls, or to test the controls at greater depth or with more thoroughness.
Risk-based auditing (RBA) extends and improves the risk assessment model by shifting the audit vision. Instead of looking at the business process in a system of internal control, the internal auditor views the business process in an environment of risk. It's a straightforward paradigm: an audit focusing on risk adds more value to the organization than an audit focusing only on controls.
A Different Paradigm
Some customers have criticized internal auditing for being too focused on the past. "Driving the car by looking in the rear view mirror," one of the more telling metaphors, characterizes the internal auditor as one who renders advice and recommendations based on examinations of the historical transaction record and the historical operation of the internal control system.
To extend more value to clients and the organization, internal auditors must shift their focus from the past to the future. If the auditor focuses on risks, the audit is more likely to address the full range of issues that concern management.
For most auditors, the shift will be subtle. Instead of identifying and testing controls, the auditor will identify risks and test the ways management mitigates those risks. The majority of risk mitigation techniques will still involve controls; but the auditor will test "how well are these risks being managed?" rather than "are the controls over this risk adequate and effective?"
Controls themselves do not necessarily guarantee success. Major banks with hundreds of transaction controls have lost hundreds of millions by failing to understand the risk that some traders may not enter all of their commitments and transactions into the system.
Each control added to the system costs more resources to operate. If auditors continue to audit and recommend new and strengthened controls without removing any,...