10. Risk Based Audit Planning Flashcards
The objective of RBIA is to provide assurance to the board on what four things?
Risk management processes are operating as intended
Risk management processes are of sound design
Risk responses are adequate and effective
Sound framework of controls is in place
RBIA is based on an organisation’s own — — framework
Risk management
What is the broad role of internal audit in RBIA?
To assess the extent to which management has adopted and applied robust management of risk overall and in each area of the organisation.
In a more mature risk management environment, what three things is internal audit’s RBIA activity likely to focus on?
Auditing the risk management infrastructure
Auditing the system of risk mitigation activities, controls and assurances
Reviewing specific risks where they are managed in the organisation
What is the first stage in RBIA planning?
Reviewing the organisation’s risk maturity
What are the three objectives of the first stage of RBIA planning (reviewing risk maturity)?
Assess risk maturity
Report to management and audit committee on assessment
Agree an audit strategy
What are the five levels of risk maturity?
Risk naive
Risk aware
Risk defined
Risk managed
Risk enabled
What does a risk naive or risk aware status imply from a compliance perspective?
The organisation is probably not complying with the Turnbull Guidance or Code of Corporate Governance
For a risk naive organisation, what is the audit strategy?
REPORT no formal risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes
For a risk aware organisation, what is the audit strategy?
REPORT poor risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes
For a risk defined organisation, what is the audit strategy?
REPORT risk management deficiencies
CONSULT to embed risk management
AUDIT PLAN: start with management view of risk and supplement
ASSURANCE on risk management policies and control processes
For a risk managed organisation, what is the audit strategy?
CONSULT to improve risk management
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation
For a risk enabled organisation, what is the audit strategy?
CONSULT as required
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation
In risk enabled and risk managed organisations, audit planning is driven by the organisation’s r— r—
Risk register
What are the two main objectives when developing a high-level risk based audit plan?
Agree RM responses and processes on which objective assurance is required
Produce audit plan listing all audits to be carried out over a specified period
What are the five main steps in developing a high level risk based internal audit plan?
Identify responses on which assurance is required
Prioritise and categorise responses
Link responses to audit assignments
Draw up periodic audit plan
Report to audit committee and management
The first stage in developing the risk based audit plan is identifying responses on which assurance is required. What two things should IA review to identify them?
Risk register
Audit committee’s assurance requirements
Other than risk responses, what other risk management processes may assurance be required on?
Action plans to increase or reduce, transfer or treat responses
Monitoring controls to ensure processes and action plans are operating as expected
Why may the audit committee not want objective assurance from Internal Audit on the management of all the organisation’s risks?
Assurance from other sources
May require specialist expertise
May favour certain types of risks (e.g. inherent)
The second stage of the risk based internal audit plan is to categorise and prioritise risks and responses. List three useful categorisations.
By business unit
By function or system
By objectives