Joseph:

A few years ago my Audit Committee wanted a "greater presence" throughout the organization. To achieve this we decided to limit time on any audit & do a two-tier risk assessment. First we risk assessed to determine where & overall what we audited each year of our 5-year plan. Then we went to these departments or operations and did another risk assessment to determine what to cover with each audit. Took some extra work up front, but saved us time in the end and provided real risk-focused audits & results. Anyone else ever take this approach? Share your results & opinions?

Thanks,

Ron Keister, CIA, CPA

In a message dated 04/05/2002 3:01:49 PM Eastern Standard Time, [EMAIL PROTECTED] writes:

I agree with you, Tracey, except in approach. You note that to add value your projects are much bigger and all-encompassing. I think for a risk-based approach to work, the audits performed are becoming more specific and directed. I think that large projects tend to reduce the effectiveness of an auditor's time because you are not focusing in on the problem at hand. I tend to break up large projects into multiple auditable units and then apply my risk criteria to the pieces and focus on those with higher risk.

This is all probably because I have only a two-man staff and time is what I am measured on.

Thanks.

Joseph A. Rychalski
Director, Internal Audit
Development Corporation for Israel
646-319-4512
212-446-5828



