For the last month or two, I have been working on an IIA Practice Advisory on how to define which controls to include in the scope of an audit (hopefully, to be issued in early 2010). It is based on the popular Guide to the Assessment of IT Risk (GAIT) methodology (available to members here).
During this time, I realized that my views on "risk-based auditing" have changed from what I did a few years back. In the past, like many other chief audit executives, I performed a risk assessment and rated the various elements in the audit universe (e.g., locations, business units, processes, and projects) based on the audit team's assessment of risk. The elements with the higher risk ratings were then audited, and the scope of each audit was defined based on the higher risk areas within that area.
As an example, I might rate the following as higher risk areas: the factories in Penang, Malaysia, and Bordeaux, France; the Corporate Shared Services Center in Dublin, Ireland; and the general controls over the IT Data Center in Longmont, Colo. The scope of the Penang audit would be based on a risk assessment of the factory's processes, assets, etc. The audit might include the higher risk areas of inventory management, quality control, and code of conduct training. The scope of the Bordeaux factory audit would be different, as the risks in that location are not the same: payroll, procurement, and accounting for inventory. A similar local risk assessment would be performed for the other audits.
My approach today — my definition of risk-based auditing — is different. Instead of starting with an assessment of the audit universe, I start with the risks to the enterprise as a whole. The more significant risks might include: our implementation of a new enterprise resource planning (ERP) system; the startup of a new factory in Suzhou, China; the expansion of the business into Russia; compliance with the U.S. Foreign Corrupt Practices Act (FCPA) in the Asia/Pacific region; reliance on single source vendors for critical components; and the timeliness and accuracy of monthly management reporting to the executive committee.
My goal is to provide assurance on how well management's processes are able to manage the more significant risks. My audit plan includes projects to identify and assess the controls that management is relying upon to manage the ERP implementation, FCPA compliance in Asia/Pacific, and sourcing for critical components, and to ensure the integrity of monthly management reports.
So instead of using risk assessment to determine which audit universe elements I will include in the audit plan, I am auditing the processes and controls management relies on to manage the more significant risks to the enterprise.
Which approach are you using? Have you also changed to assessing management's controls over the more significant risks?