Difference Between Traditional and Risk Based Auditing

Abstract

Abstract Auditors are trained to make detailed examinations of the internal control systems such as ISO 9001, ISO 29001, ISO 14001, OSHAS 18001, API, accounting systems and various legislative requirements and; focus their audit planning, testing, and reporting on internal controls in the business process. The Evaluation of controls without first examining the purpose of the business process and its risks provides no context for the results. How can the internal auditor know which control systems are most important, which are out of proportion to their risk, and which are missing? When controls are the central theme of the internal audit, audit reports and recommendations are generated for improving and strengthening internal controls. Over time, layer upon layer of controls are built up. These excessive layers of control slow down business processes, communication becomes more difficult, and people are employed in non-value-added work. Auditors are typically looking at control activities designed at some previous time to deal with issues that were relevant when systems were implemented. This means the internal auditor is examining activities that may or may not be relevant to current risks. The controls may be inappropriate because they monitor risks that are no longer important or even in existence. RBA changes the way internal auditors think and talk about risk. Instead of focusing on history, audit reports address the present and the organization's level of preparedness to deal with the future. Internal audit reports "complete the loop" between assurance of control in current operational plans and input to risk assessment for the strategic plan. RBA places an emphasis on risk-based internal audit reports rather than on traditional controls-based reports.