For audit risk assessments, we combine subjective measures with past audit results and data from different systems. Then we tack on hours of interviews with management that only adds more subjectivity. When I push deeper and ask who designed this risk assessment process, very few auditors can answer. Usually, it’s someone who left the organization years before or an external consultant who recommended the approach. When it takes so much effort to complete the assessment that it takes away from the actual audits that we could be working on, is it time to admit that our risk assessment process is just too complicated?
Here are a few related courses: