Risk-based auditing allows the audit to focus on the most relevant risks, optimizing resources and generating greater value for the organization.
Risk-based auditing focuses on prioritizing auditable units according to specific criteria, including the organization's predefined risks. Given the limitations of available resources, it is essential to determine which processes or areas should be audited first and which can be deferred. This methodology enables the segmentation of the audit universe and the application of criticality criteria, thereby supporting strategic and efficient decision-making regarding the sequencing and scope of audits.
How does this work in practice?
- Identify Key Risks: The most relevant risks that could impact the organization are identified and assessed. (Examples: fraud, data loss, legal non-compliance)
- Pre-Audit Risk Assessment: Before conducting the audit, a risk analysis is performed to identify key threats, their potential impact, and the likelihood of occurrence.
- Audit Plan Prioritization: Audits are scheduled and executed based on the criticality level of each unit, optimizing the use of available resources.
- Stronger Strategic Alignment: The approach is aligned with business objectives and enhances governance by anticipating and mitigating potential failures that could impact organizational performance.
From the "Audit Universe" in Pirani, you can not only apply this risk-based auditing approach but also incorporate other criticality criteria defined by your organization.
This allows for a more comprehensive and strategic assessment of each planned audit, aligning with the business's objectives and priorities.
Main Criteria for Auditing
While several criteria will be used, "risk" will be the primary factor to consider. The auditable units are the topics or areas to be audited, and their criticality will be defined according to the established criteria.
Auditable units
Each area to be audited will be referred to as an "auditable unit". Below are some examples of potential auditable units:
- Physical resource management
- Legal advisory
- Strategic direction
The order and frequency with which units are audited will depend on the "criticality" assigned to each "auditable unit".
Applying this methodology ensures that audit resources are allocated efficiently, focusing on the areas with the highest risk.
How do the qualification criteria for risk-based auditing work?
To determine the prioritization of auditable units, several qualification criteria will be used. These criteria allow for the evaluation of the importance and urgency of each unit, helping to allocate resources efficiently. The defined criteria are as follows:
- Risk level: This corresponds to the evaluation of the inherent risk associated with an auditable unit, considering its potential impact on the organization's objectives. The criticality level is determined based on the average inherent risk of all the identified risks within that unit, providing an integrated view of its risk exposure.
- Months since the last audit: The time elapsed since the last audit of the auditable unit. Areas with a longer time since their last audit typically have a higher probability of significant or undetected changes.
- Significant changes in the auditable unit: An evaluation of important modifications or transformations within the unit.
- Management interest: The level of attention and priority assigned by senior management to the auditable unit, which may influence the urgency of the audit.
- Audit status: The status of the auditable unit is determined based on the associated audit plans. If the unit is linked to ongoing audit plans, its status will be "In audit"; if the plans have been completed, it will be shown as "Audited"; and if no audit plans are associated, it will be marked as "Not audited."
- Criticality level: The criticality level indicates how important or risky that unit is within the organization. It helps prioritize which units should be audited with greater urgency or frequency. A "high criticality level" means that the auditable unit should be prioritized first in the "Audit Plan."
How does the prioritization matrix work?
The prioritization matrix is a key tool within the risk-based auditing approach. Its main function is to rank auditable units according to their criticality level, thereby facilitating decision-making on which areas to audit first.
Units with lower criticality are placed at the bottom, as they do not require immediate attention from the audit team.
Additionally, each auditable unit automatically updates its criticality level based on the criteria defined by the system or adjusted by the user.
This represents a significant advantage in manual update tasks and ensures that audits are always focused on the most critical units.
How do I create an auditable unit?
Once you click on “Create my first auditable unit”, a form must be completed with data fields such as: name of the unit, description (optional), type of unit, responsible person, and whether it has been audited previously.
On the right side of the form, the level of “criticality” will be displayed, which will automatically vary according to the user's responses.
This value will be key for prioritization in the audit matrix.
Two types of auditable units are considered:
- Custom: The user freely defines the type of unit to be audited.
- Process: The user must select a process already mapped in the system to audit. In this case, the responsible person and whether it has been audited previously must also be indicated.
If the user selects the "Yes" option in the field "Has it been audited previously?", the system will prompt to enter the date of the last audit performed on that unit.
Once the date of the last audit is selected, the “Criticality Rating” will be displayed. This will be defined based on the ratings of the various established criteria. As risks are associated, the criticality will adjust according to the specific criteria. Additionally, the following will be taken into account:
- Number of months since the last audit
- Interest from senior management
- Possible changes in the auditable unit
How to associate a risk?
The idea is that, by clicking on "Associate Risks", the user will be able to link relevant risks to the auditable unit. This will allow for the adjustment of the criticality rating and ensure that all risk factors are considered when prioritizing the audit.
A screen will appear where you can select the risks you want to associate with the auditable unit.
The inherent risk ratings of the associated risks are averaged, and this average determines the final risk rating for the auditable unit. The entire process of risk association and rating defines the criticality of the auditable unit.
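The following worked example is added here to show, end to end, how the qualification criteria, the averaged inherent risks and the prioritization matrix described above fit together. It is not Pirani's code: the page names the criteria but not the weighting, scales or thresholds the product uses, so the weights (`WEIGHTS`), the 1 to 5 scales, the month-to-score mapping and the High/Medium/Low cut-offs below are constructed assumptions, as are the sample units and the reference date. It also handles the case the page implies but does not spell out: a unit with no associated risks yet, and a unit that has never been audited.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed weights (assumption): the page lists the criteria but not how
# the product combines them, so these are for illustration only.
WEIGHTS = {
    "risk_level": 0.50,
    "months_since_audit": 0.20,
    "significant_changes": 0.15,
    "management_interest": 0.15,
}


@dataclass
class AuditableUnit:
    name: str
    inherent_risks: List[float]            # inherent rating (1-5) of each associated risk
    last_audit: Optional[date]             # None if the unit has never been audited
    significant_changes: int               # 1 (none) .. 5 (major transformation)
    management_interest: int               # 1 (low) .. 5 (board-level priority)
    audit_plans: List[str] = field(default_factory=list)  # "ongoing" / "completed"


def average_inherent_risk(risks: List[float]) -> float:
    """Risk level criterion: mean of the associated inherent risks (0 if none yet)."""
    return sum(risks) / len(risks) if risks else 0.0


def months_since(last_audit: Optional[date], today: date) -> Optional[int]:
    """Whole months elapsed since the last audit; None if never audited."""
    if last_audit is None:
        return None
    return (today.year - last_audit.year) * 12 + (today.month - last_audit.month)


def months_score(months: Optional[int]) -> int:
    """Map elapsed months to a 1-5 scale; a never-audited unit scores highest (assumed bands)."""
    if months is None or months >= 36:
        return 5
    if months >= 24:
        return 4
    if months >= 12:
        return 3
    if months >= 6:
        return 2
    return 1


def audit_status(plans: List[str]) -> str:
    """Status derived from the associated audit plans, as the page describes."""
    if any(p == "ongoing" for p in plans):
        return "In audit"
    if plans:
        return "Audited"
    return "Not audited"


def criticality_score(unit: AuditableUnit, today: date) -> float:
    """Weighted combination of the criteria, on the same 1-5 scale as its inputs."""
    score = (WEIGHTS["risk_level"] * average_inherent_risk(unit.inherent_risks)
             + WEIGHTS["months_since_audit"] * months_score(months_since(unit.last_audit, today))
             + WEIGHTS["significant_changes"] * unit.significant_changes
             + WEIGHTS["management_interest"] * unit.management_interest)
    return round(score, 2)


def criticality_level(score: float) -> str:
    """Assumed cut-offs for the displayed criticality level."""
    if score >= 4.0:
        return "High"
    if score >= 2.5:
        return "Medium"
    return "Low"


def prioritization_matrix(units: List[AuditableUnit], today: date) -> List[Tuple[str, float, str, str]]:
    """Rank units by criticality, highest first; lower-criticality units sink to the bottom."""
    rows = [(u.name, criticality_score(u, today), criticality_level(criticality_score(u, today)),
             audit_status(u.audit_plans)) for u in units]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample data: a fixed reference date and three hypothetical units
# named after the page's own examples of auditable units.
TODAY = date(2025, 6, 1)
SAMPLE_UNITS = [
    AuditableUnit("Physical resource management", [4, 5, 3], date(2023, 1, 15), 3, 2, ["completed"]),
    AuditableUnit("Legal advisory", [5, 5], None, 4, 5, []),                      # never audited
    AuditableUnit("Strategic direction", [], date(2025, 3, 1), 1, 3, ["ongoing", "completed"]),  # no risks yet
]

if __name__ == "__main__":
    for name, score, level, status in prioritization_matrix(SAMPLE_UNITS, TODAY):
        print(f"{name:30} {score:5.2f}  {level:6}  {status}")
```

Run as a script it prints the matrix with "Legal advisory" at the top (never audited, high inherent risk, strong management interest) and "Strategic direction" at the bottom, because with no risks associated yet its risk-level contribution is zero; that is the state the page describes before the "Associate Risks" step adjusts the rating. The weights are kept in one dictionary so that an organization's own criticality criteria can be added or re-weighted in a single place.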
Remember:
The purpose of this process is to ensure that auditable units are audited in the shortest possible time, while also enabling the board of directors to make informed decisions about which audits should be conducted and which should not.
In addition, it ensures that all relevant criteria defined by the audit team or the board are taken into account, guaranteeing a transparent and efficient audit prioritization.
Now you can do it! Start managing your risk-based audit.