Traditional vs Risk Based Audit

    SPE 135734

    Difference Between Traditional and Risk Based Auditing

    Danny Spadaccini, Weatherford International

    Copyright 2010, Society of Petroleum Engineers

    This paper was prepared for presentation at the SPE Annual Technical Conference and Exhibition held in Florence, Italy, 19-22 September 2010.

    This paper was selected for presentation by an SPE program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of SPE copyright.

    Abstract

    Auditors are trained to make detailed examinations of internal control systems such as ISO 9001, ISO 29001, ISO 14001, OHSAS 18001, API, accounting systems and various legislative requirements, and to focus their audit planning, testing, and reporting on internal controls in the business process.

    Evaluating controls without first examining the purpose of the business process and its risks provides no context for the results. How can the internal auditor know which control systems are most important, which are out of proportion to their risk, and which are missing?

    When controls are the central theme of the internal audit, audit reports and recommendations are generated for improving and strengthening internal controls. Over time, layer upon layer of controls are built up. These excessive layers of control slow down business processes, communication becomes more difficult, and people are employed in non-value-added work.

    Auditors are typically looking at control activities designed at some previous time to deal with issues that were relevant when systems were implemented. This means the internal auditor is examining activities that may or may not be relevant to current risks. The controls may be inappropriate because they monitor risks that are no longer important or even in existence.

    RBA changes the way internal auditors think and talk about risk. Instead of focusing on history, audit reports address the present and the organization's level of preparedness to deal with the future. Internal audit reports "complete the loop" between assurance of control in current operational plans and input to risk assessment for the strategic plan. RBA places an emphasis on risk-based internal audit reports rather than on traditional controls-based reports.

    What is RBA?

    RBA is an audit process that explains how risk concepts are integrated into the strategies and approaches used for management systems. RBA provides:

    A mechanism for understanding the specific risks which may influence the achievement of the company objectives;

    A description of existing measures and proposed strategies for managing specific risks; and

    A mechanism for monitoring, performing internal auditing, and reporting practices and procedures.

    What are the benefits of RBA?

    Risk-Based Auditing can effectively and efficiently assist an organization by:

    Improving understanding and communication of risk and related mitigation options;

    Strengthening accountability for achieving objectives;

    Facilitating achievement of company-wide requirements for risk management;

    Providing a basis upon which to create contingency plans; and

    Enhancing information for informed decision-making.

    What roles should Risk Based Auditing NOT undertake?

    Setting the risk appetite;

    Imposing risk management processes;

    Providing management assurance on risks;