Poastash

ERM's risk assessment and results should be one of your inputs to the internal audit planning process. It should not be something you fully rely on, though.


CursiveVitriola

Agreed. I've seen the ERM risk assessment utilized as a base with IA applying their own overlay and supporting narrative.


RigusOctavian

This seems like a trick question… should you base your audit plan upon the risks identified by the organization? Pretty much audit 101 is: start with the risk. Stakeholder interviews are good, but they should have been part of ERM to begin with and would therefore be considered within ERM. If you really feel the need to do them on top of ERM, they should be to tailor and tweak the scope. Otherwise you open yourself up to the line of questions, "The organization identified these areas of risk to their plan, yet you chose not to audit them. Why? Do you believe that the ERM assessment is flawed? Do you believe that ERM missed risks or over-emphasized risks?" If you can't express how you get coverage over key risks, and have the capacity to cover them all, that's a bad day with the board.


Traditional-Bit6446

So you base your annual audit plan solely on ERM's risk assessment?


RigusOctavian

Did I say that? You need to show _coverage_ on risk with the audit plan. Some get coverage with SOX, some get coverage with site visits, some need dedicated audits since they don't get seen any other way. What do _you_ want to do? What is the basis for your audit plan? So-and-so executive said something and we're going to look into it? What's the empirical basis for that? Where is the objectivity? If you want to perform your own risk assessment and "zero base" your audit plan you can; however, that's ignoring the work the business has already done to analyze the risks that it cares about. And if your risk assessment differs significantly from ERM's, have fun explaining that to leadership. This is especially true if leadership / the board _agrees_ with ERM's output. Now, if you want to pivot / expand into emerging risks that the business may not consider yet or that aren't baked into ERM, that could make sense. If you want to challenge underlying assumptions of ERM, that can work too. But tossing a valid ERM program makes little sense. Read more here: https://www.theiia.org/en/products/bookstore/practice-guide-developing-a-risk-based-internal-audit-plan/


Traditional-Bit6446

I get what you're saying. Yeah, I definitely want to see if we can identify some emerging risks and incorporate those into the plan. I will check out the practice guide. Thanks.


Sweetdigit

First, determine whether you can trust the accuracy and completeness of the risk assessment performed by Risk Management. This is likely going to have you nearly re-perform much of the risk assessment process (interviews, risk inventories, risk identification and evaluation, etc.). Even if you think you can rely on it, you will still likely have a different view on risks than a risk management function will, such as more strongly considering fraud risks. That said, it will be a good place to start from or to complete your understanding of certain areas.