Risk based internal auditing
Before we can ask this question, two others must be answered:
So what is a risk? My definition (others are available): ‘A risk is a set of circumstances that hinder the achievement of objectives’. So risk based internal auditing is driven by determining the risks hindering the achievement of the organisation's objectives.
So how does this differ from ‘traditional’ internal auditing? Traditional auditing tends to focus on processes which safeguard assets and ensure correct financial reporting. Such processes are referred to as ‘internal controls’. Risk based internal auditing focuses on risks and the internal controls which should manage them to acceptable levels. Thus risk based internal audits should be assessing the effectiveness of internal controls managing those risks which present the greatest threat to the achievement of the organisation's objectives. However, risks are determined by management.
The aim of this website, and the books and spreadsheets available from it, is to push out the boundaries of internal auditing by providing practical ideas on implementing internal auditing focused on the achievement of objectives. These ideas are not meant to represent ‘best practice’ but to be thought provoking.
There are four books with associated spreadsheets:
1. Book 1: Risk based internal auditing -
2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it.
3. Book 3: Three views on implementation. Looks at the implementation of risk based internal auditing from three points-
4. Book 4: Audit Manual. This shows the audit working papers from an accounts payable audit and therefore provides a detailed account of how a risk based audit is carried out in practice.
If you are interested in Specifying, Choosing and Implementing Computer Systems, check out my website at www.systemsimplementation.co.uk
To provide practical ideas as to how to implement risk based internal auditing. It’s based on my 30 years' experience of accounting systems, about half of these being in the internal audit department of a UK company (£5bn turnover), where I was the Group Head of Internal Audit (Chief Audit Executive).
Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.
The books are being revised to acknowledge the role of internal audit in focusing on the management of opportunities and risks in order to achieve objectives.