Updated: Mar 21
As we continue the audit planning process, we need to identify and understand what risks and controls are currently in place. Depending on the maturity of an organisation or a function, a business may have already identified its risks (documented in a risk register) and may already have a series of documented controls (similar to SOC). If a business is required to perform SOC testing, you would hope this is already established.
Understanding what risks have already been identified, and what controls may be in place to address them, will help us to see how effectively the controls are working, and whether there are currently any gaps in control coverage. Essentially, we will be looking at the design of the process: what risks exist, and what controls are in place to mitigate them. We should give consideration to inherent risk, and to the residual risk that remains after effective implementation of controls. All of this (and it sounds like a lot) will also help us to understand the risk appetite of the business, and which areas we should focus on during our review.
A preview of our template is included below:
This activity forms part of a suite of planning activities which should be performed to make sure we fully understand the audit topic. Particularly where an organisation performs SOC testing, or has a well-established risk management process, we should leverage work from other assurance activities or teams (i.e. the risk team) to avoid duplication and gain efficiencies during the planning process.
Simply CLICK HERE to download your FREE template.
To buy an editable version of this template, PLEASE CLICK HERE.