10. Risk Based Audit Planning Flashcards
The objective of RBIA is to provide assurance to the board on what four things?
Risk management processes are operating as intended
Risk management processes are of sound design
Risk responses are adequate and effective
Sound framework of controls is in place
RBIA is based on an organisation’s own — — framework
Risk management
What is the broad role of internal audit in RBIA?
To assess the extent to which management has adopted and applied robust management of risk overall and in each area of the organisation.
In a more mature risk management environment, what three things is the focus of internal audit’s RBIA activity likely to include?
Auditing the risk management infrastructure
Auditing the system of risk mitigation activities, controls and assurances
Reviewing specific risks where they are managed in the organisation
What is the first stage in RBIA planning?
Reviewing the organisation’s risk maturity
What are the three objectives of the first stage of RBIA planning (reviewing risk maturity)?
Assess risk maturity
Report to management and audit committee on assessment
Agree an audit strategy
What are the five levels of risk maturity?
Risk naive
Risk aware
Risk defined
Risk managed
Risk enabled
What does a risk naive or risk aware status imply from a compliance perspective?
The organisation is probably not complying with the Turnbull Guidance or Code of Corporate Governance
For a risk naive organisation, what is the audit strategy?
REPORT no formal risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes
For a risk aware organisation, what is the audit strategy?
REPORT poor risk management
CONSULT to champion risk management
AUDIT PLAN driven by alternate framework
ASSURANCE on control processes
For a risk defined organisation, what is the audit strategy?
REPORT risk management deficiencies
CONSULT to embed risk management
AUDIT PLAN: start with management view of risk and supplement
ASSURANCE on risk management policies and control processes
For a risk managed organisation, what is the audit strategy?
CONSULT to improve risk management
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation
For a risk enabled organisation, what is the audit strategy?
CONSULT as required
AUDIT PLAN driven by management view of risk
ASSURANCE on risk management processes and mitigation
In risk enabled and risk managed organisations, audit planning is driven by the organisation’s r— r—
Risk register
What are the two main objectives when developing a high-level risk based audit plan?
Agree RM responses and processes on which objective assurance is required
Produce audit plan listing all audits to be carried out over a specified period
What are the five main steps in developing a high level risk based internal audit plan?
Identify responses on which assurance is required
Prioritise and categorise responses
Link responses to audit assignments
Draw up periodic audit plan
Report to audit committee and management
The first stage in developing the risk based audit plan is identifying responses on which assurance is required. What two things should IA review to identify them?
Risk register
Audit committee’s assurance requirements
Other than risk responses, what other risk management processes may assurance be required on?
Action plans to increase or reduce transfer or treat responses
Monitoring controls to ensure processes and action plans are operating as expected
Why may the audit committee not want objective assurance from Internal Audit on the management of all the organisation’s risks?
Assurance from other sources
May require specialist expertise
May favour certain types of risks (e.g. inherent)
The second stage of the risk based internal audit plan is to categorise and prioritise risks and responses. List three useful categorisations.
By business unit
By function or system
By objectives
When is categorisation of risks and responses by business unit useful?
Where the organisation has a number of physically independent business units, the procedures of which are self-contained.
When is categorisation of risks and responses by function or system useful?
In a large organisation with integrated systems
When is categorisation of risks and responses by objective useful?
When assessing the audit plan for relevance to the organisation
List four useful prioritisations of risk responses
By the size of the inherent risks managed by the response
By the contribution that the response makes in managing the risk
By the number and nature of other available assurances that the response is operating effectively
By those categories of risk on which the audit committee requires objective assurance
The third stage of developing the risk based audit plan is to link risks to audit assignments. What are the two main methods of doing so?
Group risks by business unit, objectives or function and decide audits which will provide assurance on the related responses
Set up an audit universe allocating each audit to a business unit or system and assign the risks to these audits
When drawing up the high level audit plan, the — of — for each audit will have to be estimated
Number of days
At the fifth stage of developing the audit plan, the plan should be discussed with — and approved by the — —
Management
Audit committee
The high level audit plan should provide details of those risks where — is provided
Assurance
The high level audit plan should provide details of those risks where assurance is provided but based on…
Audit work from previous years
The high level audit plan should provide details of those risks where c— work is carried out to assist management in reducing risks to below the risk appetite
Consultancy
The high level audit plan should provide details of any additional — time unallocated to specific tasks
Contingency
The high level audit plan should provide details of the impact of any constraints on —
Resources
The high level audit plan should provide confirmation that the plan is in accordance with the…
IA Charter or Terms of Reference
RBIA generates a — amount of work
Defined
RBIA generates a defined amount of work. How is this useful when determining resources for an audit period?
It highlights whether internal audit’s existing resources are sufficient to complete the planned work.
If considerable change happening in a business area is not visible in the risk register, what does this suggest about the risk management process?
It is not being reviewed
The RBIA methodology is usually viewed as c— in nature
Cyclical
The interval between IA’s revisions in its assessment of risk maturity and its audit planning depends on what?
The nature of the organisation: how often its circumstances change and how frequently it must report on risk management matters
The risk management framework is a d— process
Dynamic
Through what channels do environmental and organisational change affect audit strategy and planning?
Objectives of the organisation change
Risks change
Risk register is updated
Audit strategy is based on risk register
High level audit plan based on audit strategy
In assignment level audit planning, there should be agreement between the internal audit function and the organisation on what eight things?
Title of audit assignment
Objectives of audit
Scope of audit
Strategic position of audit
Responsibility for audit
Timeframe for audit
Outline testing strategy
Deliverables for audit
In RBIA, the title and objectives of an audit assignment should be drawn from…
The risk based high level plan
In RBIA assignment level planning the SCOPE of the assignment should be based on what three pieces of information?
Conclusion on risk maturity and resulting audit strategy
Title of assignment
Information linking responses to risks
One of the usual areas to consider including within the scope of an RBIA assignment is an assessment of the — — of the area, activity or business area being audited
Risk maturity
When assessing risk maturity at assignment level, the criteria used should be — with the criteria used across the whole of the internal audit function
Consistent
List seven additional sources of information used to inform assignment planning
Local risk registers
Previous internal or external audit reports
Minutes of board, committee or management meetings
External consultant or regulatory reports
Policies and procedures
Business plans
Interviews with senior managers
What is the primary purpose of the high level internal audit plan?
To balance resources available to work required
What is the major difference between risk based and systems based internal auditing?
The process used to determine what to audit and how to audit it
In systems based audit planning, what four stages are usually involved?
Identify all systems in use across organisation
Rank systems in order of importance, criticality or risk to organisation
Use this assessment to assign a numerical score, ranking systems in order of importance and priority
Make decision on how often and when each system should be audited
What are the chief benefits of risk based high level internal audit planning?
- Clear unambiguous conclusions on risk maturity
- Provision of objective assurance on RM framework
- Facilitation of efforts to improve RM framework
- Considers whole organisation on basis of risk
- Reinforces management responsibility in managing risk
- Focuses IA activity on future rather than past
- In risk mature organisations, less time spent on periodic planning and risk assessment
Define Risk Based Internal Auditing
A methodology that links internal auditing to an organisation’s risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.