Health and Safety, Environment and Quality Audits

As described in Chapter 1, risk can be defined as anything (opportunity, threat, activity or event) with potential for impact on the achievement of the organization's business objectives. Risk may thus be perceived as being positive and helpful to the organization ('up-side risks'), or alternatively be believed to be a negative exposure to be avoided ('down-side risks'). We have additionally referred to the characteristics of these risks elsewhere as those of value creation and value protection respectively.
An essential first step for any auditor is to identify and consider significant risks in the context of the host organization's business environment. As we have seen, the business environment is turbulent (more things will change in the next ten years than in the previous 100). It is probably in a permanent state of flux as a result of dynamic changes in the political, economic, legal, social or technical perspectives or otherwise.
As described in Chapter 5, auditors use a process for identifying a sample of potentially significant risks for inclusion in an audit work plan. Auditors estimate the significance of identified individual risks (e.g. by using a risk assessment matrix to qualitatively assess the significance of each identified risk area), and their relationships to each other. We have suggested three questions that invariably assist auditors (they may assist management too) to decide the significance of the identified risks:
How often will this happen (likelihood)?
How big could the impact be (severity)?
Who...