When setting the scope for the identification and assessment of key risks and controls in a process, which of the following would be the least appropriate approach?
A.
Develop the scope of the audit based on a bottom-up perspective to ensure that all business objectives are considered.
B.
Develop the scope of the audit to include controls that are necessary to manage risk associated with a critical business objective.
C.
Specify that the auditors need to assess only key controls, but may include an assessment of non-key controls if there is value to the business in providing such assurance.
D.
Ensure the audit includes an assessment of manual and automated controls to determine whether business risks are effectively managed.
When setting the scope for identifying and assessing key risks and controls in a process, developing the scope of the audit based on a bottom-up perspective is the least appropriate approach. A bottom-up perspective typically focuses on individual controls and processes without necessarily aligning with the organization’s critical business objectives and risk appetite. Effective risk assessment should begin with a top-down approach, identifying key business objectives and the associated risks, and then determining the necessary controls to manage these risks. References: IIA Practice Guide – Auditing Key Risk Management, IIA Standard 2200 – Engagement Planning
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit