Acquiring Knowledge of Business and Assessing Risk
Auditing procedures typically require auditors to acquire knowledge of the organization and subject matter being audited and to prepare a risk-based audit plan. In practice, this means that the audit team needs to:
- collect knowledge of business information about the governance structure of selected major initiatives (critical projects, programs, or services), especially regarding oversight bodies and functions and
- identify significant areas that would benefit from an examination of oversight.
As in all performance (value-for-money) audits, the auditor’s understanding of significance and risks will be used to identify particular activities or aspects of the major initiative being audited to include in the audit and to develop audit objectives. This section of the Practice Guide is designed to help auditors acquire a sound understanding of significance and risks by providing them with examples of:
- general audit questions that can be used to better understand oversight roles and responsibilities relevant to the major initiative(s) being audited and
- indicators that oversight may be at risk in the major initiative(s) selected for audit.
While these tools will be helpful, auditors should keep in mind that the Practice Guide does not foresee all possible situations. Applying professional judgment and knowing the particularities of each selected organization are key success factors for the planning phase of any audit of oversight.