Thursday, 30 June 2011

Audit Risk Universe Confusion?

So this is the blog post, found via a Tweet from @theiia, that compelled me to set up 'Blogging Auditor'. Kiko Harvey examines gaps between the risk universe and the audit universe in a new IAOnline blog post.

I was rather confused by the whole Audit Risk Universe business especially when mentioned in connection with the 'rest of the risk universe'. I can understand the need to create an Audit Risk Universe if the organisation does not have a risk management system in place. However, once the organisation has begun to embed risk management then surely the need for an Audit Risk Universe will begin to reduce. Once the risk management within the organisation reaches a good maturity then the need for an Audit Risk Universe will be obsolete?

Obviously some work will need to be done on a yearly basis on the organisation's management of the risk management process so that Audit can gain some assurance on the reliance they can place on the output of the risk management process. Audit planning should then involve discussions with management around the risks identified by management, the risks known to Audit during the course of their work and some crystal ball gazing as to what risks might be on the horizon.

I do not understand why you would have an Audit Risk Universe if you have an organisation risk universe?

Yours confused
Blogging Auditor

2 comments:

  1. Your presentation is very much consistent with risk-based internal auditing as practised in the UK and captured in the Chartered IIA's Risk Based Internal Auditing. Many UK internal auditors identify the same issue you do - and they just go straight for the idea that it is wrong to have an ARU if you have a good ORU. Another thought: if your ORU is not good enough to use for internal audit purposes, you have a bigger problem in the organisation than the difficulty in deciding where to focus internal audit work. The first thing an internal auditor has to do if she wants to evaluate governance, risk management and internal control systems and help the organisation improve in order to meet its objectives is to report to management and the board or equivalent that the management of risk is not effective! That has consequences that are much more important than internal audit's internal workings!

  2. Wow, thank you so much for commenting! It is really appreciated. I think it is amazing for a brand new blog to get an almost instant comment from an industry expert. It could only happen in the world of internal auditing. Thank you also for clarifying the situation. I would be interested to know what happens in other countries and whether they support the use of ARUs or not.

    Yours happier
    Blogging Auditor
