"Sharing the Knowledge" The website for internal audit professionals
Risk-Based Audit Planning
Audit planning should be risk-based or focused on areas of greatest risk to the achievement of the audited entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets materiality thresholds based on audit risk analysis and develops audit programs that allocate a larger portion of audit resources to high-risk areas. Conducting and maintaining an Organizational Risk Assessment is one of the best ways to identify the entity's business activities and determine their corresponding risk levels.
The Organizational Risk Assessment
An Organizational Risk Assessment is a risk assessment that considers the risks associated with all of the identified business activities of the organization.
The Organizational Risk Assessment of business activities should identify all of the organization's business activities and include a risk score/rating (e.g., high, moderately-high, moderate, low) for each business activity with the input of management. After all of the business activities have been identified and rated, they can be ranked according to their overall risk score.
As the foundation for risk-based audit planning, the Organizational Risk Assessment should be an ongoing framework used by the organization to document and evaluate changes in:
risks and risk levels
systems and personnel
internal control strength
With management’s input, the assessment should be updated on a regular basis. The Organizational Risk Assessment should be maintained by the Internal Audit Department and submitted to the Audit Committee for review on an annual basis.
Strategic Audit Plan
A Strategic Audit Plan, typically covering a period of 3-5 years, should be developed to ensure that the Internal Audit function is addressing the entity's audit needs based on the Organizational Risk Assessment. The Strategic Audit Plan should document:
Vision and Mission of the Internal Audit function
Objectives of the Internal Audit function
Department Procedures and Responsibilities
The Business Activities to be Audited
Frequency (monthly, quarterly, semi-annually, annually) with which Business Activities will be audited
Regulatory Compliance and Legal considerations
Current Department Structure and Employees
Additional Anticipated Employees/Assets Required
Proposed Long-Term Budget
The Strategic Audit Plan provides a proposed framework or blueprint of the objectives, audit activities, and required resources for the Internal Audit function from a long-term, strategic perspective. As a proposed framework, the Strategic Audit Plan should be amended and updated regularly. Some of the factors that can affect the Strategic Audit Plan include changes in:
the Organizational Risk Assessment results
the entity's legal structure (merger, acquisition)
the entity's business activities
the risks and risk rankings of business activities
the internal control system
the internal control rating of a business activity based on audit
the regulatory or legal environment
information technology systems or applications
management and personnel
Based on the Strategic Audit Plan, an Annual Audit Plan should be developed listing the scheduled audits for the calendar/fiscal year.
The Annual Audit Plan
An Annual Audit Plan listing the scheduled audits for the upcoming calendar/fiscal year should be prepared by the Internal Audit Department and submitted to the Audit Committee for approval.
The Annual Audit Plan should identify the business activities to be audited based on:
their risk ranking (from the Organizational Risk Assessment)
the required frequency (monthly, quarterly, semi-annually, annually) of their review (from the Strategic Audit Plan)
Based on the Annual Audit Plan, an Annual Audit Schedule should be developed to outline the specific target deliverable dates of each audit for the calendar/fiscal year.
The Annual Audit Schedule
A proposed Annual Audit Schedule should be created to indicate when scheduled audits are to take place during the calendar/fiscal year.
The Annual Audit Schedule should outline the:
estimated number of hours required to complete each audit
proposed calendar day on which the audit is scheduled to commence
proposed calendar day on which the audit is scheduled to be completed
Unexpected factors that can affect the Audit Schedule include:
the addition of a new business activity during the year
changes in a key business activity
a change in the risk ranking of a business activity
changes to the internal control system
adverse audit results
changes in the regulatory or legal environment
department workforce or asset availability limitations
The Annual Audit Budget
An Annual Audit Budget should be compiled based upon information from the Strategic Audit Plan, Annual Audit Plan and the Annual Audit Schedule. It is common for the Annual Audit Budget to be a representation of the aggregate amount of individual audit project costs and necessary expenses. Thus, each audit can be costed out as its own project by multiplying the estimated work hours required to complete the project by an hourly cost. Typical information required in developing project budgets and the Annual Audit Budget includes:
the number of activities to be audited
the estimated number of hours required to audit each activity
available department resources and employees
the cost of resources
current employee compensation
the need for outside resources to complete audit activities