
The need to manage risks is an essential part of good corporate governance. An organization's management is under pressure to identify risks and develop strategies to manage them. A risk-based auditing process links internal auditing to an organization's risk management framework. It allows managers to communicate to stakeholders that the organization is effectively managing risks in line with its risk appetite. Given that all organizations differ in their structure, processes and attitudes towards risk, a risk-based audit adapts the audit plan to the organization's specifications.
The first step in an audit plan is determining the threats facing the organization. These threats are events which have a probability greater than zero of occurring and which could have negative implications for the firm. They may result from human error or from processes over which human beings have no control. The classification of threats is essential in later stages of the risk-based audit. An organization's system may be exposed to accidental threats or to intentional threats, where human agents exploit a system's weaknesses to its disadvantage. This stage employs research methods to gather data and process it, so as to inform the range of threats a system faces.
The second step in the risk-based audit process is identifying control procedures. These are based on the threats identified in the first step. Control procedures are steps taken to prevent the realization of the threats. For instance, internal controls may be used to ensure that employees adhere to certain standards of conduct. Control procedures are also necessary for the detection of threats. This allows management to identify the areas of operation that are more prone to threats than others. This step also involves devising ways to control the threats and minimize their impact on the organization. The audit process reviews and tests these control procedures to determine their efficacy and efficiency in accomplishing their objectives.
The third step is the evaluation of control procedures. A review of the existing risk control policy establishes whether threat control procedures are in place. This is followed by a series of tests with the objective of determining whether the existing controls work as intended. If there are no threat control procedures in place, the system is severely exposed to internal and external aggression. Furthermore, if the existing control procedures are flawed or improperly configured and monitored, the system is still exposed. To ensure that the control procedures work as intended, auditors identify faults in existing systems and provide recommendations for improving the control procedures.
The auditors' final step is the evaluation of control weaknesses to determine the controls' effectiveness. This step may include exposing the system to mock threats in a bid to evaluate how control systems respond, identifying their strengths as well as their weaknesses. The auditors examine how the various components of the control system interact with one another. For instance, a weakness in one area may be acceptable if other areas compensate for that weakness through their robustness.
The risk-based audit process provides managers with a more candid comprehension of a company's security situation. It also identifies the risks faced by an organization as well as the extent of exposure to these risks. It further forms the basis for recommendations on areas that need improvement to reduce the organization's exposure to risk and to better develop threat response mechanisms.