The risk assessment results will not come into play for audit plan purposes for those audits that are required to be conducted at a specific interval (for example, ACH, BSA/AML, SAFE Act), although we still would perform the risk assessment.
Assuming you perform a risk assessment for each auditable entity, do you weight each risk category (examples of categories: business impact, credit risk, market risk [includes IRR and liquidity risk], operational risk, technology risk, legal risk, compliance risk, reputation risk, strategic risk)?
If yes, how did you determine the weights? Are the weights the same for every auditable entity? Any feedback or criticism from examiners?
If weighting is not used, are examiners "ok" with that?
Thanks.
Last edited by happyauditor; 04/02/14 05:42 PM.
_________________________
* My opinion is not necessarily that of my employer.