10. Risk Based Audit Planning Flashcards

1
Q

The objective of RBIA is to provide assurance to the board on what four things?

A

Risk management processes are operating as intended
Risk management processes are of sound design
Risk responses are adequate and effective
Sound framework of controls is in place

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

RBIA is based on an organisation’s own — — framework

A

Risk management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the broad role of internal audit in RBIA?

A

To assess the extent to which management has adopted and applied robust management of risk overall and in each area of the organisation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

In a more mature risk management environment, what three things is the focus of internal audit’s RBIA activity likely to include?

A

Auditing the risk management infrastructure
Auditing the system of risk mitigation activities, controls and assurances
Reviewing specific risks where they are managed in the organisation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the first stage in RBIA planning?

A

Reviewing the organisation’s risk maturity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the three objectives of the first stage of RBIA planning (reviewing risk maturity)?

A

Assess risk maturity
Report to management and audit committee on assessment
Agree an audit strategy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the five levels of risk maturity?

A
Risk naive
Risk aware
Risk defined
Risk managed
Risk enabled
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What does a risk naive or risk aware status imply from a compliance perspective?

A

The organisation is probably not complying with the Turnbull Guidance or Code of Corporate Governance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

For a risk naive organisation, what is the audit strategy?

A

REPORT no formal risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

For a risk aware organisation, what is the audit strategy?

A

REPORT poor risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

For a risk defined organisation, what is the audit strategy?

A

REPORT risk management deficiencies
CONSULT to embed risk management
AUDIT PLAN: start with management view of risk and supplement
ASSURANCE on risk management policies and control processes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

For a risk managed organisation, what is the audit strategy?

A

CONSULT to improve risk management
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

For a risk enabled organisation, what is the audit strategy?

A

CONSULT as required
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

In risk enabled and risk managed organisations, audit planning is driven by the organisation’s r— r—

A

Risk register

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are the two main objectives when developing a high-level risk based audit plan?

A

Agree RM responses and processes on which objective assurance is required
Produce audit plan listing all audits to be carried out over a specified period

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the five main steps in developing a high level risk based internal audit plan?

A
Identify responses on which assurance required
Prioritise and categorise responses
Link responses to audit assignments
Draw up periodic audit plan
Report to audit committee and management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The first stage in developing the risk based audit plan is identifying responses on which assurance is required. What two things should IA review to identify them?

A

Risk register

Audit committee’s assurance requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Other than risk responses, what other risk management processes may assurance be required on?

A

Action plans to increase or reduce transfer or treat responses

Monitoring controls to ensure processes and action plans are operating as expected

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Why may the audit committee not want objective assurance from Internal Audit on the management of all the organisation’s risks?

A

Assurance from other sources
May require specialist expertise
May favour certain types of risks (e.g. Inherent)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The second stage of the risk based internal audit plan is to categorise and prioritise risks and responses. List three useful categorisations.

A

By business unit
By function or system
By objectives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

When is categorisation of risks and responses by business unit useful?

A

Where the organisation has a number of physically independent business units, the procedures of which are self-contained.

22
Q

When is categorisation of risks and responses by function or system useful?

A

In a large organisation with integrated systems

23
Q

When is categorisation of risks and responses by objective useful?

A

When assessing audit plan for relevance to organisation

24
Q

List four useful prioritisations of risk responses

A

By the size of the inherent risks managed by the response
By the contribution that the response makes in managing the risk
By the number and nature of other available assurances that the response is operating effectively
By those categories of risk on which the audit committee requires objective assurance

25
Q

The third stage of developing the risk based audit plan is to link risks to audit assignments. What are the two main methods of doing so?

A

Group risks by business unit, objectives or function and decide audits which will provide assurance on the related responses
Set up an audit universe allocating each audit to a business unit or system and assign the risks to these audits

26
Q

When drawing up the high level audit plan, the — of — for each audit will have to be estimated

A

Number of days

27
Q

At the fifth stage of developing the audit plan, the plan should be discussed with — and approved by the — —

A

Management

Audit committee

28
Q

The high level audit plan should provide details of those risks where — is provided

A

Assurance

29
Q

The high level audit plan should provide details of those risks where assurance is provided but based on…

A

Audit work from previous years

30
Q

The high level audit plan should provide details of those risks where c— work is carried out to assist management in reducing risks to below the risk appetite

A

Consultancy

31
Q

The high level audit plan should should provide details of any additional — time unallocated to specific tasks

A

Contingency

32
Q

The high level audit plan should provide details of the impact of any constraints on —

A

Resources

33
Q

The high level audit plan should provide confirmation that the plan is in accordance with the…

A

IA Charter or Terms of Reference

34
Q

RBIA generates a — amount of work

A

Defined

35
Q

RBIA generates a defined amount of work. How is this useful when determining resources for an audit period?

A

It highlights whether internal audit’s existing resources are sufficient to complete the planned work.

36
Q

If considerable change happening in a business area is not visible in the risk register, what does this suggest about the risk management process?

A

It is not being reviewed

37
Q

The RBIA methodology is usually viewed as c— in nature

A

Cyclical

38
Q

The interval between IA’s revisions in its assessment of risk maturity and its audit planning depends on what?

A

The nature of the organisation: how often its circumstances change and how frequently it must report on risk management matters

39
Q

The risk management framework is a d— process

A

Dynamic

40
Q

Through what channels do environmental and organisational change affect audit strategy and planning?

A
Objectives of the organisation change
Risks change
Risk register is updated
Audit strategy is based on risk register
High level audit plan based on audit strategy
41
Q

In assignment level audit planning, there should be agreement between the internal audit function and the organisation on what eight things?

A
Title of audit assignment
Objectives of audit
Scope of audit
Strategic position of audit
Responsibility for audit
Timeframe for audit
Outline testing strategy
Deliverables for audit
42
Q

In RBIA, the title and objectives of an audit assignment should be drawn from…

A

The risk based high level plan

43
Q

In RBIA assignment level planning the SCOPE of the assignment should be based on what three pieces of information?

A

Conclusion on risk maturity and resulting audit strategy
Title of assignment
Information linking responses to risks

44
Q

One of the usual areas to consider including within the scope of an RBIA assignment is an assessment of the — — of the area, activity or business area being audited

A

Risk maturity

45
Q

When assessing risk maturity at assignment level, the criteria used should be — with the criteria used across the whole of the internal audit function

A

Consistent

46
Q

List seven additional sources of information used to inform assignment planning

A

Local risk registers
Previous internal or external audit reports
Minutes of board, committee or management meetings
External consultant or regulatory reports
Policies and procedures
Business plans
Interviews with senior managers

47
Q

What is the primary purpose of the high level internal audit plan?

A

To balance resources available to work required

48
Q

What is the major difference between risk based and systems based internal auditing?

A

The process used to determine what to audit and how to audit it

49
Q

In systems based audit planning, what four stages are usually involved?

A

Identify all systems in use across organisation
Rank systems in order of importance, criticality or risk to organisation
Use this assessment to assign numerical score ranking systems in order of importance and priority
Make decision on how often and when each system should be audited

50
Q

What are the chief benefits of risk based high level internal audit planning?

A
  1. Clear unambiguous conclusions on risk maturity
  2. Provision of objective assurance on RM framework
  3. Facilitation of efforts to improve RM framework
  4. Considers whole organisation on basis of risk
  5. Reinforces management responsibility in managing risk
  6. Focuses IA activity on future rather than past
  7. In risk mature organisations, less time spent on periodic planning and risk assessment
51
Q

Define Risk Based Internal Auditing

A

A methodology
That links internal auditing
To an organisation’s risk management framework.
It allows internal audit
To provide assurance to the board
That risk management processes are managing risks effectively, in relation to the risk appetite.