Yup. That is
exactly what we do, only we revisit our audit plan every 2 years. Some
noted risk areas may appear on every audit plan, some may move from the bottom
of the list to the number one priority.
By the way, Joseph, we
do have a medium sized audit shop - 35 auditors. Sometimes, we conduct our
preliminary risk assessment, decide that risks are appropriately controlled, and
move on to the next project. But that is another
topic...
Tracey Sadler, CIA, CGAP
Senior Internal Auditor
System Internal Audit
Texas A&M University System
1200 TAMU
College
Station, TX 77843-1200
Phone: (979)
845-3476
Fax: (979) 845-6536
email: [EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 06, 2002 7:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Internal Audit key performance indicators
Joseph:From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 06, 2002 7:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Internal Audit key performance indicators
A few years ago my Audit Committee wanted a "greater presence" throughout the organization. To achieve this we decided to limit time on any audit & do a two tier risk assessment. First we risk assessed to determine where & overall what we audited each year of our 5 year plan. Then we went to these departments or operations and did another risk assessment to determine what to cover with each audit. Took some extra work up front, but saved us time in the end and provided a real risk focused audits & results. Anyone else ever take this approach? Share your results & opinions?
Thanks,
Ron Keister, CIA, CPA
In a message dated 04/05/2002 3:01:49 PM Eastern Standard Time, [EMAIL PROTECTED] writes:
I agree with you Tracey, except in approach. You note that to add value your projects are much bigger and all encompassing. I think for a risk based approach to work, the audits performed are becoming more specific and directed. I think that large projects tend to reduce the effectiveness of an auditors time because you are not focusing in on the problem at hand. I tend to break up large projects into multiple auditable units and then apply my risk criteria to the pieces and focus on those with higher risk.
This is all probably because I have only a two man staff and time is what I am measured on.
Thanks.
Joseph A. Rychalski
Director, Internal Audit
Development Corporation for Israel
646-319-4512
212-446-5828
