In the context of Policy Exceptions, when do audit managers determine whether to audit entities?

The determination made by audit managers regarding whether to audit entities is primarily influenced by risk ratings. Risk ratings are assessments that quantify the level of risk associated with specific entities, activities, or processes. These ratings help audit managers prioritize their focus on areas that pose the greatest risk to the organization. By evaluating risk ratings, audit managers can ensure that their audit resources are allocated most effectively, targeting those areas that could potentially result in significant losses or failures if not properly managed.

Other factors such as test plan ratings, engagement ratings, or indicator ratings may play a role in the audit process, but they do not directly determine the decision to audit entities like risk ratings do. Test plan ratings are typically related to specific testing procedures, engagement ratings assess the effectiveness of audit engagements, and indicator ratings may reflect performance metrics, but it is the risk ratings that serve as a critical driver for auditing decisions. This focus on risk assessment aligns with best practices in risk management and compliance, emphasizing the importance of understanding and mitigating risks within the organization.