Business Risk vs. Audit Risk
By Gabriel Agboola
The following article first appeared online in the IT Compliance Institute Ask The Auditor column. Used with Permission. What’s the difference between business risk and audit risk? Business risk relates mainly to an organization’s goals and objectives. It is essentially the potential cost incurred if the business does not achieve its strategic plans. The assessment and management of business risk has evolved into formalized enterprise risk management (ERM) in many organizations. By contrast, audit risk relates mainly to the internal and external audit efforts to achieve its objectives; that is, provide effective, timely, and efficient assurance and consulting support to management and the board. Traditionally, audit risk has been seen as strictly the risk of incorrect audit conclusions. Contemporary views, however, include big-picture audit risks; specifically, that the internal audit function is not doing the right things or working in the best ways. Let's look a little more closely at these two concerns…
Business Risk (a.k.a. Enterprise Risk)
Enterprise Risk Management (ERM) is defined by COSO as:
* A process, effected by an entity’s board of directors, management, and other personal, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. * ERM is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. When implemented by management, ERM is generally evaluated by internal auditors for effectiveness and efficiency. * Business risk is fundamentally the risk of an organization not achieving its objectives. A formal ERM...