"Risk based auditing" (RBA) has been the audit methodology adopted within Arun since April 2003.
RBA is an approach that focuses on the response of the organisation to the risks it faces in achieving its goals and objectives. Unlike other forms of audit, RBA starts with business objectives and their associated risks rather than the need for controls. It aims to give independent assurance that risks are being managed to an acceptable level and to facilitate improvements where necessary.
The role of Internal Audit under this approach is to review the risk management processes (as opposed to purely internal controls) that are in place, to reduce these risks to a level that is acceptable to the organisation.
Owing to the relative immaturity of the risk management environment at Arun, it is not considered that risk management processes are presently sufficiently robust or embedded within the corporate business system for Internal Audit to rely on the organisation’s own view of the risks in order to determine the audit work that it needs to carry out.
Internal Audit therefore take a pragmatic approach to the development of RBA, undertaking its own risk assessment process (in conjunction with management) to determine the precise level of work required.
In the short term, Internal Audit continue to predominantly focus on complete systems, processes or business units, reviewing business objectives and risk management processes within each of these audit entities. In time however, Internal Audit will be seeking to develop this approach, placing greater reliance on the risk self-assessments undertaken by management.