From auditor to auditor: which areas of your company do you audit? The most common answers I’ve heard are two: a) the accounts that are related to money such as banks, petty cash, payments, purchases, etc. and b) the accounts that have a higher balance because when auditing them, a higher amount is being covered.
And what happens to the accounts that are related to the information? Or those that have a lower balance and have been there for years without someone having reviewed the movements? Knowing in which areas the company is vulnerable to risks can help auditors to diminish its probability of occurrence and focus on how to help the company to avoid them.
By taking a risk-based approach, you can identify where your business is vulnerable and pinpoint the cause. Finding the cause, it’s essential because in this way the problem is solved, and the auditor can give a true value added. But it’s not easy. Auditor’s most common mistake in issuing their recommendations is attacking the problem and not the cause. Example:
OBSERVATION: The legal area is not complying with the data protection law.
RECOMMENDATION: That the legal area complies with the data protection law.
Really? What kind of recommendation is that? Yes, we all know they must comply with the law, but the crucial thing is: why have they not complied with it? Do they know the reason? Do you know the reason? In this example, the first reason was that they weren’t familiar with the law; then that they didn’t have enough time to study the law and after that, because the area was chaos! And why? Because the activities were not aligned to the functions of each position…The main cause was detected, and it was affecting not only to comply with the law but the entire productivity of the area.
Interested in learning which areas of your company you should audit? Join us Advanced Risk Based Auditing MasterClass which will be streamed ONLINE on the 20th until the 21st of May, 2021!