Monday, December 17, 2012

Risk - based vs. Objectives - based Audits !

In complying with the IIA CPE requirements , I have re- read some of the articles in the Ia magazine .This has given me the opportunity to think about one particular article in the April 2012 issue " Step up to the Plate ".

The authors of the article say that internal auditors are shifting away from the traditional risk-based approach toward one where the company's goals and objectives become the focus.They define the new objectives - based approach as the approach where the company's objectives and goals become the central focus of the audit.The authors explain that " After all, risks are only relevant when seen in the context of the company's objectives".
The authors explain the advantsges of the new approach as follows :
"The chief advantage of the objective-based approach is that it enables a more targeted audit by focusing audit resources only on those risks that truly matter to the organization’s strategies and goals. It also accounts for low-priority risks and enhances the capacity of internal audit to achieve its objectives. Implementing an objective-based approach involves:
  • Relying on people for risk input. Managers across the organization deal with risks every day. Because they understand their objectives, they tend to know instinctively which risks may impact those objectives, making them best positioned to help auditors understand the relationship between the company’s objectives and its risks.
  • Mapping risks to objectives. Internal auditors can use managers’ responses to quantify the relationships between risks and objectives. Applying this method enables practitioners to discover risks they had not considered.
  • Identifying risk patterns. Risks interact with each other and with objectives in complex ways. Auditors need to understand these interactions instead of looking at each risk in isolation. The whole is often more dangerous than the sum of its parts—much like reading a book while crossing a road is more dangerous than doing each activity independently.
  • Focusing risk management on the most critical objectives. By putting objectives before risk, auditors can mitigate those risks that impair the achievement of objectives and exploit risks that enable value creation. This helps internal auditors use audit resources efficiently, facilitate transparency, and align risk management with business strategy."
 Do you agree with the above ? Are you shifting your focus to the objectives - based approach?
 Do you recognize the difference between the two approaches ,or do you think they are the same ? Aren't both of them , at the end of the day, focus on risks to the achievement of objectives?

Whatever you think about this subject ,I strongly recommend that you read the entire article .

No comments:

Post a Comment

Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...