
Business Assurance Service

Risk Based Auditing

What is a risk?

A risk is defined as a 'threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives' (HEFCE Guide to Corporate Governance, 2004).

Risks are therefore a corollary of the University's objectives: each objective implies the events that could help or hinder its achievement.

What is risk based audit?

The University's Business Assurance Service uses the model and approach promulgated by the Institute of Internal Auditors (IIA) in their Position Statement on Risk Based Internal Auditing (2003), as endorsed by HEFCE in Circular 2004/27, Audit and Accountability: HEFCE Audit Code of Practice (2004, amended 2005). (Resources are provided below.)

The IIA states that risk based auditing 'starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement'.

The role of the Service is to 'assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board [Council] (the risk appetite).'

Risk based auditing asks not just 'is the University doing things right?' [compliance/operation of controls], but also 'is it doing the right things?' [effectiveness/design of controls]. The objectives themselves (policy) are not challenged; this preserves the independence of the auditor.