10. Risk Based Audit Planning

Question 0

The objective of RBIA is to provide assurance to the board on what four things?

Answer 0

Risk management processes are operating as intended
Risk management processes are of sound design
Risk responses are adequate and effective
Sound framework of controls is in place

Question 1

Define Risk Based Internal Auditing

Answer 1

A methodology
That links internal auditing
To an organisation’s risk management framework.
It allows internal audit
To provide assurance to the board
That risk management processes are managing risks effectively, in relation to the risk appetite.

Question 2

RBIA is based on an organisation’s own — — framework

Answer 2

Risk management

Question 3

What is the broad role of internal audit in RBIA?

Answer 3

To assess the extent to which management has adopted and applied robust management of risk overall and in each area of the organisation.

Question 4

In a more mature risk management environment, what three things is the focus of internal audit’s RBIA activity likely to include?

Answer 4

Auditing the risk management infrastructure
Auditing the system of risk mitigation activities, controls and assurances
Reviewing specific risks where they are managed in the organisation

Question 5

What is the first stage in RBIA planning?

Answer 5

Reviewing the organisation’s risk maturity

Question 6

What are the three objectives of the first stage of RBIA planning (reviewing risk maturity)?

Answer 6

Assess risk maturity
Report to management and audit committee on assessment
Agree an audit strategy

Question 7

What are the five levels of risk maturity?

Answer 7

Risk naive
Risk aware
Risk defined
Risk managed
Risk enabled

Question 8

What does a risk naive or risk aware status imply from a compliance perspective?

Answer 8

The organisation is probably not complying with the Turnbull Guidance or Code of Corporate Governance

Question 9

For a risk naive organisation, what is the audit strategy?

Answer 9

REPORT no formal risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes

Question 10

For a risk aware organisation, what is the audit strategy?

Answer 10

REPORT poor risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes

Question 11

For a risk defined organisation, what is the audit strategy?

Answer 11

REPORT risk management deficiencies
CONSULT to embed risk management
AUDIT PLAN: start with management view of risk and supplement
ASSURANCE on risk management policies and control processes

Question 12

For a risk managed organisation, what is the audit strategy?

Answer 12

CONSULT to improve risk management
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation

Question 13

For a risk enabled organisation, what is the audit strategy?

Answer 13

CONSULT as required
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation

Question 14

In risk enabled and risk managed organisations, audit planning is driven by the organisation’s r— r—

Answer 14

Risk register

Question 15

What are the two main objectives when developing a high-level risk based audit plan?

Answer 15

Agree RM responses and processes on which objective assurance is required
Produce audit plan listing all audits to be carried out over a specified period

Question 16

What are the five main steps in developing a high level risk based internal audit plan?

Answer 16

Identify responses on which assurance required
Prioritise and categorise responses
Link responses to audit assignments
Draw up periodic audit plan
Report to audit committee and management

Question 17

The first stage in developing the risk based audit plan is identifying responses on which assurance is required. What two things should IA review to identify them?

Answer 17

Risk register

Audit committee’s assurance requirements

Question 18

Other than risk responses, what other risk management processes may assurance be required on?

Answer 18

Action plans to increase or reduce transfer or treat responses

Monitoring controls to ensure processes and action plans are operating as expected

Question 19

Why may the audit committee not want objective assurance from Internal Audit on the management of all the organisation’s risks?

Answer 19

Assurance from other sources
May require specialist expertise
May favour certain types of risks (e.g. Inherent)

Question 20

The second stage of the risk based internal audit plan is to categorise and prioritise risks and responses. List three useful categorisations.

Answer 20

By business unit
By function or system
By objectives

Question 21

When is categorisation of risks and responses by business unit useful?

Answer 21

Where the organisation has a number of physically independent business units, the procedures of which are self-contained.

Question 22

When is categorisation of risks and responses by function or system useful?

Answer 22

In a large organisation with integrated systems

Question 23

When is categorisation of risks and responses by objective useful?

Answer 23

When assessing audit plan for relevance to organisation

Question 24

List four useful prioritisations of risk responses

Answer 24

By the size of the inherent risks managed by the response
By the contribution that the response makes in managing the risk
By the number and nature of other available assurances that the response is operating effectively
By those categories of risk on which the audit committee requires objective assurance

Question 25

The third stage of developing the risk based audit plan is to link risks to audit assignments. What are the two main methods of doing so?

Answer 25

Group risks by business unit, objectives or function and decide audits which will provide assurance on the related responses
Set up an audit universe allocating each audit to a business unit or system and assign the risks to these audits

Question 26

When drawing up the high level audit plan, the — of — for each audit will have to be estimated

Answer 26

Number of days

Question 27

At the fifth stage of developing the audit plan, the plan should be discussed with — and approved by the — —

Answer 27

Management

Audit committee

Question 28

The high level audit plan should provide details of those risks where — is provided

Answer 28

Assurance

Question 29

The high level audit plan should provide details of those risks where assurance is provided but based on…

Answer 29

Audit work from previous years

Question 30

The high level audit plan should provide details of those risks where c— work is carried out to assist management in reducing risks to below the risk appetite

Answer 30

Consultancy

Question 31

The high level audit plan should should provide details of any additional — time unallocated to specific tasks

Answer 31

Contingency

Question 32

The high level audit plan should provide details of the impact of any constraints on —

Answer 32

Resources

Question 33

The high level audit plan should provide confirmation that the plan is in accordance with the…

Answer 33

IA Charter or Terms of Reference

Question 34

RBIA generates a — amount of work

Answer 34

Defined

Question 35

RBIA generates a defined amount of work. How is this useful when determining resources for an audit period?

Answer 35

It highlights whether internal audit’s existing resources are sufficient to complete the planned work.

Question 36

If considerable change happening in a business area is not visible in the risk register, what does this suggest about the risk management process?

Answer 36

It is not being reviewed

Question 37

The RBIA methodology is usually viewed as c— in nature

Answer 37

Cyclical

Question 38

The interval between IA’s revisions in its assessment of risk maturity and its audit planning depends on what?

Answer 38

The nature of the organisation: how often its circumstances change and how frequently it must report on risk management matters

Question 39

The risk management framework is a d— process

Answer 39

Dynamic

Question 40

Through what channels do environmental and organisational change affect audit strategy and planning?

Answer 40

Objectives of the organisation change
Risks change
Risk register is updated
Audit strategy is based on risk register
High level audit plan based on audit strategy

Question 41

In assignment level audit planning, there should be agreement between the internal audit function and the organisation on what eight things?

Answer 41

Title of audit assignment
Objectives of audit
Scope of audit
Strategic position of audit
Responsibility for audit
Timeframe for audit
Outline testing strategy
Deliverables for audit

Question 42

In RBIA, the title and objectives of an audit assignment should be drawn from…

Answer 42

The risk based high level plan

Question 43

In RBIA assignment level planning the SCOPE of the assignment should be based on what three pieces of information?

Answer 43

Conclusion on risk maturity and resulting audit strategy
Title of assignment
Information linking responses to risks

Question 44

One of the usual areas to consider including within the scope of an RBIA assignment is an assessment of the — — of the area, activity or business area being audited

Answer 44

Risk maturity

Question 45

When assessing risk maturity at assignment level, the criteria used should be — with the criteria used across the whole of the internal audit function

Answer 45

Consistent

Question 46

List seven additional sources of information used to inform assignment planning

Answer 46

Local risk registers
Previous internal or external audit reports
Minutes of board, committee or management meetings
External consultant or regulatory reports
Policies and procedures
Business plans
Interviews with senior managers

Question 47

What is the primary purpose of the high level internal audit plan?

Answer 47

To balance resources available to work required

Question 48

What is the major difference between risk based and systems based internal auditing?

Answer 48

The process used to determine what to audit and how to audit it

Question 49

In systems based audit planning, what four stages are usually involved?

Answer 49

Identify all systems in use across organisation
Rank systems in order of importance, criticality or risk to organisation
Use this assessment to assign numerical score ranking systems in order of importance and priority
Make decision on how often and when each system should be audited

Question 50

What are the chief benefits of risk based high level internal audit planning?

Answer 50

1. Clear unambiguous conclusions on risk maturity
2. Provision of objective assurance on RM framework
3. Facilitation of efforts to improve RM framework
4. Considers whole organisation on basis of risk
5. Reinforces management responsibility in managing risk
6. Focuses IA activity on future rather than past
7. In risk mature organisations, less time spent on periodic planning and risk assessment