Good questions help understand what your client considers to be their biggest risks.
Charles Hall provides two great questions to ask in his post Missing Critical Clues in the Audit Process:
Think about these as ways to get your client talking about the risks in their organization:
What keeps you awake at night?
If you had a magic wand and could wave it over your business and fix one issue, what would that be?
I’ve not had great success with the ‘what keeps you awake at night’ question. Doesn’t seem to generate conversation. If you haven’t used that question, give it a shot. Might help understand your client’s understanding of risk.
I’ve gotten better responses to a two-fold question:
First, look at the organization’s objectives by asking “Where do you want the organization to be in 5 years?” That usually gives a good description of the mission and medium-term goals.
Second, look at risk perception by asking “What are the 5 or 6 biggest things that could keep you from getting there?”
Think I’ll trying using that magic wand question.
Check out the full post. It also reminds us the whole point of the risk assessment process is to take a big-picture look at the organization to consider where things could go wrong.
Then we should adjust our audit procedures accordingly.