From risk to planning: Making the bridge from risks to audit plans. Richard Maggs, Astana, September 2014

Page 1

From risk to planning: Making the bridge from risks to audit plans

Richard Maggs, Astana, September 2014

Page 2

Risk: audit plans must be risk-based

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit. IIA Standard 2010

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. IIA Standard 2010.A1

The last RAWG meeting considered risk assessment

This meeting will focus on preparing strategic and annual plans

Page 3

Key definitions for risk based planning

The objective of risk-based planning is to ensure that the auditor examines the subjects that pose the highest risk to the achievement of the organisation’s objectives.

Audit plans must be developed through a process that identifies and prioritizes potential audit topics

The audit universe is the entire population of potential audit topics

The risks or opportunities have to be assessed and decisions taken on other risk factors that may influence the priority to be given to each element of the audit universe (audit objects).

Page 4

Recap on the five steps in the guide

1. Determining and categorising the audit universe (see chapter 2 of RAAP).

2. Identifying individual events that may give rise to risks and opportunities across the audit universe (see chapter 3 of RAAP).

3. Scoring events in terms of probability and impact (taking into account management actions to mitigate risk) to identify the level of residual risk (see chapter 3 of RAAP).

4. Building risk-based audit plans by using generic risk factors and scoring criteria for each factor to determine the audit priority of all audit objects within the audit universe (see chapter 4 of RAAP).

5. Presenting the results of risk-based planning by writing and updating strategic and annual work plans (see chapter 5 of RAAP).

Page 5

Audit risk assessment

Audit risk assessment is part of planning and a process where auditors consider (i) individual events and the risks and opportunities these represent to the achievement of the objectives of elements of the audit universe and (ii) generic risk factors that help prioritize work to areas of highest risk.

The purpose of audit risk assessment is to ensure that audit resources are addressed to the audit of areas of highest risk to the Organisation.

Audit risk assessment is different from risk management undertaken by managers. See Table 1 in RAAP guide.

Page 6

Why do we need a bridge from risks to plans?

There may be hundreds of individual risks

Risk is not the only factor that influences the decision to carry out an audit. Others include: materiality; complexity of transactions; controls.

The auditor is interested in residual risk which must take into account effectiveness of controls.

Inherent Risk minus controls = Residual Risk

Page 7

Recap on audit universe 1

The phrase “audit universe” is a simple way of referring to the totality of all things that an internal auditor could separately examine.

The universe consists of the totality of “auditable objects”, which is a way of identifying and describing a discrete part of the business, system or process that can be separately audited.

Auditable objects need to be large enough to justify an audit and small enough to be manageable.

Page 8

Recap on audit universe 2

Traditionally, auditable objects were categorised by organisational structure, a “vertical” analysis. Here an auditable object equated with one or a number of organisational units.

But it’s also important to design audit coverage from a horizontal or cross-functional view of the entity, that is, ‘horizontal’ audits based on entire business processes.

The top five categorisations used by IA are: organisational structure (departments, divisions, units, stand-alone projects); common processes (payments, receipts, asset management, procurement, contracting, inventory, human resource management); location (headquarters, regional offices, local offices); operational programmes; service lines.

Page 9

Selecting audits from the audit universe

The objective of this stage of the process is to determine what needs to be audited from within the audit universe.

We build risk-based audit plans by applying risk factors to each element of the audit universe. It may help to think of “risk factors” as “selection factors”. Keep the number of risk factors to between 4 and 8. Too few risk factors will limit the effectiveness of the exercise; too many will increase the time it takes and will not produce substantially better results.

Choose risk factors that make the most sense for the Organisation you are auditing.

Page 10

Common risk (selection) factors

Financial materiality

Complexity of activities

Control environment

Reputational sensitivity

Inherent risk

Extent of change

Confidence in management

Fraud potential

Political sensitivity

Time since last audit

Page 11

Process

Develop a set of criteria to score, and therefore rank, the relative need to audit each of the possible audit objects within the audit universe.

Consider adding a weighting factor, as not all risk (selection) factors are equally important.

Make sure that risk index scores and priorities are reasonable: (a) calculate the theoretical maximum before setting the index priorities, and (b) be prepared to change the index priorities if the results are obviously unrealistic (for example, if every audit is shown as high priority).
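The following is an added worked example, not code from the presentation or the RAAP guide, that puts the scoring process above into a runnable form: residual risk for an individual event (inherent risk reduced by control effectiveness, as on the page 6 slide), then a weighted risk index per audit object, the theoretical maximum computed before priority bands are set (step (a)), and a check that flags unrealistic results such as most audits landing in the high band (step (b)). The five factor names are taken from the page 10 list; their weights, the 1-5 scoring scale, the priority band thresholds and the audit objects and scores are all constructed for illustration and are not the guide's own tables (slides 12 and 13 are not reproduced here).

```python
"""Weighted risk-index scoring for an audit universe (illustrative, constructed values)."""

# --- Residual risk for one event (page 6: inherent risk minus controls) ---
# Probability and impact are scored 1-5 (constructed scale); control_effectiveness
# is the assessed share of inherent risk that management's controls remove (0.0-1.0).
def residual_risk(probability: int, impact: int, control_effectiveness: float) -> float:
    for v in (probability, impact):
        if not 1 <= v <= 5:
            raise ValueError("probability and impact must be scored 1-5")
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    inherent = probability * impact
    return inherent * (1.0 - control_effectiveness)


# --- Risk (selection) factors and weights (names from slide 10; weights constructed) ---
FACTOR_WEIGHTS = {
    "financial_materiality": 3,
    "control_environment": 2,
    "inherent_risk": 3,
    "extent_of_change": 1,
    "time_since_last_audit": 2,
}
MAX_FACTOR_SCORE = 5  # each factor is scored 1-5 per audit object (constructed scale)


def theoretical_maximum(weights=FACTOR_WEIGHTS, max_score=MAX_FACTOR_SCORE) -> int:
    """Step (a): the index an object would reach if it scored the maximum on every factor."""
    return max_score * sum(weights.values())


def risk_index(scores: dict, weights=FACTOR_WEIGHTS) -> int:
    """Weighted sum of factor scores; every factor must be scored exactly once."""
    if set(scores) != set(weights):
        raise ValueError("every factor must be scored exactly once")
    for f, s in scores.items():
        if not 1 <= s <= MAX_FACTOR_SCORE:
            raise ValueError(f"score for {f} must be 1-{MAX_FACTOR_SCORE}")
    return sum(weights[f] * scores[f] for f in weights)


# Priority bands as a percentage of the theoretical maximum (constructed thresholds),
# set only after the maximum is known so that the bands are achievable.
PRIORITY_BANDS = [(70, "high"), (40, "medium"), (0, "low")]


def priority(index: int, weights=FACTOR_WEIGHTS, bands=PRIORITY_BANDS) -> str:
    pct = 100 * index / theoretical_maximum(weights)
    for threshold, label in bands:
        if pct >= threshold:
            return label
    return bands[-1][1]


def rank_audit_universe(universe: dict, weights=FACTOR_WEIGHTS, bands=PRIORITY_BANDS):
    """Return (object, index, priority) tuples, highest index first."""
    ranked = []
    for name, scores in universe.items():
        idx = risk_index(scores, weights)
        ranked.append((name, idx, priority(idx, weights, bands)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def sanity_check(ranked, max_high_share: float = 0.5):
    """Step (b): warn when the bands look unrealistic, e.g. nearly every audit is 'high'.
    Returns a message to act on, or None when the distribution looks reasonable."""
    if not ranked:
        return None
    labels = [p for _, _, p in ranked]
    share_high = labels.count("high") / len(labels)
    if share_high > max_high_share:
        return f"{share_high:.0%} of audit objects are high priority; revisit the index priorities"
    return None


# Constructed audit universe: four auditable objects with constructed factor scores.
AUDIT_UNIVERSE = {
    "Payments process": {"financial_materiality": 5, "control_environment": 4,
                         "inherent_risk": 5, "extent_of_change": 3, "time_since_last_audit": 4},
    "Regional office": {"financial_materiality": 3, "control_environment": 3,
                        "inherent_risk": 3, "extent_of_change": 2, "time_since_last_audit": 5},
    "Inventory": {"financial_materiality": 2, "control_environment": 2,
                  "inherent_risk": 2, "extent_of_change": 1, "time_since_last_audit": 2},
    "Procurement": {"financial_materiality": 4, "control_environment": 5,
                    "inherent_risk": 4, "extent_of_change": 4, "time_since_last_audit": 3},
}

if __name__ == "__main__":
    print("Theoretical maximum:", theoretical_maximum())
    ranking = rank_audit_universe(AUDIT_UNIVERSE)
    for name, idx, prio in ranking:
        print(f"{name:<18} index={idx:>3}  priority={prio}")
    warning = sanity_check(ranking)
    print("Sanity check:", warning or "distribution looks reasonable")
```

With these constructed weights the theoretical maximum is 55, so a 70% "high" threshold means an index of at least 38.5; two of the four objects land there, which the check accepts, while a universe where most objects exceed the band would be reported so that the thresholds are revisited rather than presented as if every audit were equally urgent.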

Page 12

Example – scoring factors

Page 13

Example – weighting factors

Page 14

Final comment

The process of moving from individual risk assessment to selecting subjects for audit can be confusing, as there is no direct link between assessing individual risks

This is a transition issue that arises because of the lack of good risk management in Government Ministries and Agencies

Consider carrying out internal audits which encourage management to have more effective risk management processes