The Risk-Base Audit Plan (RBAP) is an important output of Internal Audit. Not only is it a requirement of the IIA standards, but it also focuses audit on the most significant risks affecting the organization. In addition, it gives the Chief Audit Executives (CAEs) everything they needed to determine which audits will be performed and when; and to identify the required audit resources. However, developing a robust RBAP is not…
For years I have been thinking about Risk, Controls, Black Swans and Entropy; and more recently about Analytics and RPA. Only recently did I understand how these are all connected and impact large and small organizations – particularly in activities that are high-risk and strictly controlled. Sadly, these tightly controlled areas are often overlooked until it is too late. Which bring us to Risk and Controls. Risk and Controls: Business…
As the principle author of the Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) on Continuous Auditing (GTAG#3), I hope that you will grant me the prerogative to state that “Continuous Auditing is Dead”. Continuous Auditing – a misnomer as it should have been called ‘Continual’ Auditing – was never fully understood or accepted by auditors or by audit clients. The idea behind Continuous Auditing was to improve…
GRC: Governance, Risk and Compliance (or, in my view, Controls) is critical to companies that want to remain viable. A company’s GRC activities should be not just coordinated, but also integrated to provide all levels of management with a view into changing risks and risk levels. If you do not have structures and procedures in place to monitor, identify and assess these risks you are less likely to succeed. Want…
A proposed integrative model Dave Coderre, CAATS, www.caats.ca During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…
Enterprise risk management (ERM) and performance management (PM) are two essential processes for the management of an organization. Both are designed to support the organizations’ efforts in making decisions and meeting its goals—ERM through the identification and management of those risks that could affect business objectives, and performance management through the identification and measurement of the drivers needed to achieve results and provide value. Yet despite having mutually consistent objectives,…
Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face? Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance. The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right. In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of…
The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management. Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the…
Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more? Then you need to wake-up to today’s business environment and step out of your comfort zone. You also will probably need to pull the general auditor away from the safety of pure compliance audits. The notion of the integrated auditor was usually applied to…
COSO had released an update to COSO-ERM which included Principle #8 (“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”) related to fraud risk. David Cotton (Cotton and Company LLP) put together a team of experts to develop guidance on how the audit profession and management could address the requirements of principle #8 and I was fortunate enough to be invited to be part…