Is Your Audit Plan Actually Risk-Based?

Think about all the work that goes into creating your audit plan. You build out the audit universe to include all the processes or departments in your organization. Then you gather risk information and agonize over scoring to prioritize risks accurately. Finally, you aggregate the risk information and create your audit plan. The bad news is that the process was flawed from the very first step. The audit plan’s basis was a list of entities, so this is an entity-based audit plan. For a proper risk-based plan, the starting point, the audit universe used in the assessment, should include objectives and risks, not entities.

Since new risks frequently emerge and organizations modify their objectives to meet changes in the world, the audit department must also be prepared to react quickly. The ability to shift plans and audit based on the most urgent risks, those that threaten the organization's ability to achieve its objectives, is critical to a risk-based plan. To illustrate the difference, we can compare the traditional approach and the risk-based approach for looking at an area like Human Resources. In the conventional method, we start with the department and build out the risks. If the process is rated high risk, we add a Human Resources audit to the plan and look at the entire function. It might look like this:

Figure: a traditional Human Resources audit plan, with Area, Processes, and Risks as its three main columns.

In a risk-based plan, we flip the evaluation and start with management’s objectives and current risks. We then create an audit that addresses the specific risks, not the entire process. Again, the assessment might look like this:

Figure: a risk-based plan, where the evaluation is flipped to start with management's objectives and current risks, with Objective and Risks as its two main columns.

While some of the risks in the second model are similar in nature to those in the traditional example, you can quickly see that the audit approach for addressing them would be entirely different. If we take the first risk (technology requirements are not designed for remote work), the audit will span several departments. At a minimum, we will audit HR onboarding processes, IT resource allocations, and IT security measures. The same cross-functional scope applies to the other risks on the list.

In the current dynamic environment, a true risk-based plan is more valuable to any organization. Embracing this change aligns the audit department directly with management's strategy. Internal Audit will add value by providing deep insight into the risk areas that matter most to management.