Risk-Based Audit Program Essentials

The document outlines steps that all risk-based audit programs should take which include: identifying all business activities and compliance issues within an institution that should be audited; profiling significant business units to identify business and control risks; using a scoring system to rank business unit risks; getting board approval of risk assessments and annual audit plans; implementing the audit plan through various stages; and regularly monitoring and updating risk assessments at least annually. It also provides a framework for risk analysis that includes identifying the risk, explaining why it exists, determining its potential impact, and assessing the likelihood of it occurring.

Uploaded by sunilkusabat
Copyright © All Rights Reserved

All risk-based audit programs should:

- Identify all of an institution’s businesses, product lines, services, and functions
- Identify the activities and compliance issues within those businesses, product lines, services, and functions that should be audited
- Include profiles of significant business units, departments, and products that identify business and control risks and document the structure of risk management and internal control systems
- Use a measurement or scoring system to rank and evaluate business and control risks of significant business units, departments, and products
- Include board or audit committee approval of risk assessments, or the aggregate result thereof, and of annual risk-based audit plans
- Implement the audit plan through planning, execution, reporting, and follow-up
- Have systems that monitor risk assessments regularly and update them at least annually for all significant business units, departments, and products

Risk analysis
1. Risk identification (“what is the risk”) – a description of the risk presented
   - Example: Risk of non-compliance with regulations

2. Risk rationale (“why does the risk exist”) – the event(s) that cause the risk to occur
   - Example: Risk of non-compliance with regulations due to reports of financial information required by regulatory agencies or tax authorities being incomplete, inaccurate, or untimely.

3. Impact (“so what”) – the extent to which, if realized, the risk would affect the Company; may be expressed in qualitative or quantitative terms
   - Considerations: financial effect, reputation impacts, ability to achieve key goals and objectives
   - Example: Risk of non-compliance due to reports of financial information required by regulatory agencies or tax authorities being incomplete, inaccurate, or untimely, exposing the company to fines, penalties and sanctions.

4. Likelihood (“how often”) – probability of the risk occurring over a defined time frame
   - Consideration: often 1 year; also consider frequency of occurrence
   - Example: Risk of non-compliance due to reports of operating and financial information required by regulatory agencies or tax authorities being incomplete, inaccurate, or untimely, exposing the company to fines, penalties and sanctions. The likelihood of occurrence over the course of the quarter is considered to be high based on the volume of global reporting requirements.

Are we focused on the risks that matter?
- Is the scope of our assessment comprehensive?
- Do we leverage industry-specific risk models?
- Do we gain insights on the risks of our key business partners and customers?
- Is our assessment approach consistent?
- Do we evaluate risk on a common basis?
- Do we recognize the impact to value drivers?
- Does our process cover emerging risks?