In a risk-based plan, we flip the evaluation and start with management’s objectives and current risks. We then create an audit that addresses the specific risks, not the entire process. Again, the assessment might look like this:
While some of the risks in the second model are similar in nature to the traditional example, you can quickly see that the audit approach for addressing the risks would be entirely different. If we take the first risk (technology requirements are not designed for remote work), the audit will span several departments. At a minimum, we will audit HR onboarding processes, IT resource allocations, and IT security measures. The same will be true for all these risks.
In the current dynamic environment, a true risk-based plan is more valuable to any organization. Embracing this change aligns the audit department directly with management’s strategy. Internal Audit will add value by providing deep insight into the risk areas that matter most to management.