內審現在流行 Risk-based approach,即是以風險為基礎來為流程把脈。例如評審 Procurement process 的內部控制是否足夠,我們必須先將所有相關的風險,例如買貴了,買遲了或者買錯了羅列出來,然後為每個風險配對現有的內部控制,沒有受到足夠內控約束或者監察的風險就是管理漏洞,並根據風險的大小制定補救措施,防止問題發生或避免問題進一步惡化。
未流行Risk-based approach之前,內審的傳統的做法是 Process-based approach,做法大致是先將整個流程記錄下來,然後將每個內控配對相應的風險。有人提出過,既然有了新的Risk-based approach,傳統的Process-based approach可以從此不需要使用,但我個人認為不應該。
為流程把脈的最終目的是為了規避風險,使用Risk-based approach的好處是快,而且做到一針見血,避免了一切多餘的 review work,但壞處是審計人員未必能夠對整個流程有深入的了解,對日後制定補救措施時可能會有影響。相反,傳統的Process-based approach需要較多時間來做,審計人員可以藉此對流程有一個較深入的了解,對日後制定補救措施時有利,而且Process-based approach會將流程從頭到尾來看,做審計時也可以一併檢討流程的效率。
以我的經驗,如果為某流程首次做審計,建議先用傳統的Process-based approach,這樣會令審計人員加深流程的了解,特別當管理層向內審徵詢意見及要求詳細描述問題時,如果內審人員不清楚實際運作的話,給管理層的感覺會不太好。不過,為了確保所有相關的風險沒有遺漏,最好還是準備一個 Risk chart,然後利用這個Risk chart 來與流程內的內部控制做配對(即是Risk-control Matrix)。 如果某流程的審計不是首次,特別是Time budget有限的時候,Risk-based approach就是一個好選擇。
Risk-based approach的具體做法,請參考以下兩個系列的文章:
如何為採購功能做內控評審 (一)「平」
以風險為基礎的庫存功能內控評審(一)
&&&&&&&&
My observations:
回覆刪除Process-based audit -
ISO 9001 QMS
Risk-based audit -
OHSAS 18001 Safety MS
ISO 14001 Env MS
ISO 27001 Info Security MS
Many cases are hybrid audit.
劍虹兄:
回覆刪除我只認識ISO9001及ISO14001,你說得對,我也認為前者是process-based,後者是risk-based.
Hi Bittermelon,
回覆刪除Is it possible for you to discuss further the risk chart and risk/control matrix?
From the net, I came across articles that mentioning many – many relations between risks and controls. Whether I should have the risks first and figure out the controls or vice versa? Do you have any recommendation as to how the risk chart should be constructed?
Thank you.
Hi Anonymous,
回覆刪除No problem. I will write an article for risk-control matrix later. In general, if we are adopting Risk-based audit, we will list the risk first and match the relevant controls. If process-based, it will be vice versa. There are many types of risk-control matrix in practice. Please allow me to discuss this topic later as more time is needed for preparation and composition.
有點不明白, 讓我先看點書.
回覆刪除關於Control Matrix,我發現在 Internal Auditor Feb 09(IIA 雙月刊)有篇article: A Risk-Centric Approach that works 寫得也很好。
回覆刪除回正題,我也同意process-based approach 雖然開始不流行,但仍然好有價值,例如第一次review時用process-base,做足system doc,特別是Process/Document/Data flow chart,對下次audit時做audit planning 及risk assessment時,事半功倍。
無留意潻,等我番去睇睇^^
回覆刪除