RISK-BASED INTERNAL AUDIT PLANNING

March 21, 2014

Denis Lefort, CPA, consulting expert in governance, audit and control, has brought to my attention a white paper from the firm Thomson Reuters that addresses the pitfalls that heads of internal audit have not always managed to avoid when deploying their risk-based annual/three-year planning process.

  1. Does your planning truly take into account your organization's strategic objectives and the risks that could prevent their achievement…
  2. Does your planning truly take into account the work carried out by your organization's other assurance functions (Risk Management, Compliance, Finance, etc.)…
  3. Does your planning truly take into account the concerns of senior management…

Here is an overview of the document's table of contents. Happy reading and happy reflecting.

RISK-BASED INTERNAL AUDIT PLANNING

A TYPICAL INTERNAL AUDIT SCENARIO

REVIEW STANDARD INTERNAL AUDIT PROCEDURES

LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY

LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY

KNOW YOUR COMPANY’S RISK APPETITE

PLAN FOR SUCCESS

UNDERSTAND THE BUSINESS AND ITS CULTURE

As the COSO Internal Control – Integrated Framework (2013) states, "risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives." Yet many in-house internal audit functions look at the annual internal audit risk assessment process as a check-the-box activity, required mainly to be in compliance with the IIA professional practices framework.

Typically, a three or five-year review cycle for the entire organization is already in place, and the annual internal audit risk assessment barely scratches the surface: It is merely used to justify minor modifications in the risk-based internal audit plan. Yet the internal audit risk assessment presents an often missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process. Let’s take a look at a typical scenario played out every day and see if we, as uninvolved bystanders, can audit the process and see if it falls short in any way.

In advance of this year’s risk assessment, the internal audit department reviewed and revised their risk assessment process and the various preparation materials for management participants. The preparation materials included a list of key management participants with their preferred contact method, a list of internal audit risk assessment questions, an announcement letter explaining the importance of the annual risk assessment process, and a presentation that provided examples of beneficial insight received from the previous year’s risk assessment.

During the risk assessment, the internal audit staff rigorously captures each of management's remarks in an effort to record each detail, be it quantitative or qualitative. As the "scribe," the internal audit staff is responsible for note taking, while the internal audit director asks management a series of questions from the annual list of internal audit risk assessment queries. The internal audit director conducts the interview in a way that illustrates both their tremendous understanding of the business and their ability to not get bogged down in the details. The individual representing management, on the other hand, usually provides general responses highlighting a few generic risks inherent in their business, but not enough for one to actually audit. One of those general responses was around an increase in the organization’s credit risk exposure.
