International Journal of Auditing doi:10.1111/ijau.

12016
Int. J. Audit. 18: 115–125 (2014)

Improving the Efficiency and Effectiveness of Risk-Based Internal

Audit Engagements
Philna Coetzee1 and Dave Lubbe2
1
University of Pretoria
2
University of the Free State

The role of internal auditing in assisting with the mitigation of key risks threatening organisations has increased,
not least, for example, in ensuring that engagements are performed more effectively and efficiently, and that all the
key risks of organisations are addressed, but also to ensure that scarce internal audit resources are used optimally.
This article describes the development of a model that can be used by internal auditors to perform this task. The
model was developed from a study of the academic literature, current business practice norms, and other
documentation whereafter it was tested in a practical scenario, and input from heads of internal audit departments
in prominent South African organisations was obtained. The findings of the study, inter alia, support the use of the
model. However, a concern is that the risk management strategy currently implemented by organisations is not
mature enough for internal auditing to rely on the outcome of the risk management process, a prerequisite for the
model to function optimally. A second concern is that internal auditing is reluctant to use a pure risk-based
approach when performing audit engagements and still prefers to use a control-based approach with more
emphasis placed on high risk areas.

Key words: Internal auditing, engagement planning, risk management process, internal audit engagement process,
risk-based internal audit engagements, views of chief audit executives, audit more effective and efficient

1. INTRODUCTION parties (Gramling, Maletta, Schneider & Church, 2004:

195; Gendron, Cooper & Townley, 2007: 105), arguably the
Risk and the management thereof is not a new concept. In most important being the internal audit function.
recent years, risk taking and its management has taken on Furthermore, the internal audit profession has realised
a new dimension. One such example is the risks taken that it will have to adapt to the changing environment in
which resulted in the current global financial crisis. The which it operates, an idea supported by a study performed
global financial crisis was in many ways a shock to the by PricewaterhouseCoopers (2008), which concluded that
business world, the biggest problem being that it was it is essential for the profession to adopt new mindsets if it
not foreseen by economists, and relevant stakeholders, wants to retain a key role in the future.
organisations and governments were caught unprepared. Risk management and internal auditing have a
In May 2007 the Organisation for Economic Co-operation connection, as can be seen from the above discussion,
and Development made the following statement: ‘the and this has been substantiated by many recent studies
current economic situation is in many ways better than and surveys. However, most of these, although referring
what we have experienced in years. Our central forecast to risk-based internal auditing, reflect on the role
remains indeed quite benign’ (cited in Keen, 2008). Three that internal auditing should play with regard to the
months later this statement was contradicted as markets organisation’s overall risk management strategy; with
in the United States of America went into decline: house recommendations ranging from providing assurance on
prices fell and organisations went into serious financial the soundness of the strategy to taking responsibility
crisis. This was rapidly followed by the rest of the world’s for its implementation. Furthermore, although some
financial markets and other organisations that ran into literature refers to the concept of risk-based internal
financial difficulties (Keen, 2008). Many argued that the auditing (Pelletier, 2008: 73; IOD, 2009: 94; Koutoupis &
core of this crisis was the lack of an effective and efficient Tsamis, 2009: 106; Castanheira, Rodrigues & Craig, 2010:
risk management strategy (Lam, 2009: 23; Hull, 2009: 3), 83), this term focuses on the internal audit function’s
and the question was asked: Where were the auditors? – annual plan based on the strategic risks inherent in the
referring to both internal and external auditors (Mathker, plan. Both these scenarios ignore the potential benefits of
2008; Olah, 2009: 11; Lubbe, 2009). using risk methodologies as the basis when performing
The types of risks that initiated the global financial crisis internal audit engagements. Research papers supporting
are typically only discovered by a sound risk management this tendency include a study of the internal audit
strategy, something that the board are responsible for methodologies of Greek banks (Koutoupis & Tsamis,
(IOD, 2009: 73–76), but that internal auditors need to 2009: 102), which revealed that many internal audit
ensure is functioning efficiently and effectively (IOD, functions, although using the term ‘risk-based internal
2009: 80; IIA, 2012: 2120); and, if so, incorporate the auditing’, could not justify its use since any form of
investigation of the mitigation of the key risks threatening risk assessment or risk-based audit planning was
the organisation into their activities. At the same time, conspicuously absent, thus undermining the term
the evolution of corporate governance has forced manage- ‘risk-based internal auditing’ even further. This lack of
ment to revisit the roles and responsibilities of various risk-based internal audit engagement is also supported
in a study by Castanheira et al. (2010: 95) where most
Correspondence to: Philna Coetzee, Professor in Auditing, Department participants indicated that they do perform risk-based
of Auditing, University of Pretoria, South Africa. Email: philna. planning for their annual internal audit plan, but that
[email protected]

© 2013 John Wiley & Sons Ltd ISSN 1090-6738

116 P. Coetzee and D. Lubbe

only one third incorporate risk into their engagement risk-based. A further limitation was that the company
planning. Similarly, a study by Khanna (2011: 59) that was chosen to test the model was selected essentially
concluded that Indian banks have adopted a staggered for its willingness to participate. However, the authors
approach to implementing risk-based internal auditing. believe that as it is one of the top five risk-mature
From the above discussion it seems that there is still companies of the Top 40 companies listed on the JSE
a lack of understanding of what risk-based internal Limited, which may negate any negative connotations
auditing entails for the performance of an audit of self-selection, and probably enhances the quality of the
engagement. The objective of this article is to provide a data gathered. Also, only South African companies were
model that will improve the efficiency of internal audit included in the study and only five companies were
engagements by incorporating risk methodologies more chosen to be included in the empirical study, based on
effectively into the engagement process. The model could their risk-maturity levels as determined by using the Risk
be used by internal auditors to address all the key risks and Insurance Management Society risk maturity model
of the organisations, while simultaneously ensuring (RIMS, 2006). However, the fact that interviews were
efficient use of their scarce resources (Fasset, 2011). The performed using a structured questionnaire, and that
article will also assist in broadening the knowledge base participating companies were chosen based on their high
of risk-based internal audit engagements as information risk-maturity levels, enhances the quality of the data.
seems to be limited. The Institute of Internal Auditors
(IIA) would also benefit from this discussion, as it
provides insight into the relative adequacy of its guidance 3. LITERATURE REVIEW ON THE
to practitioners on performance of risk-based internal RISK-BASED INTERNAL AUDIT
audit engagement. ENGAGEMENT PROCESS
The layout of the rest of the article is as follows: firstly, The literature review is presented in two parts: firstly,
we present a short discussion of the various research a discussion on the evolution of internal audit
methodologies followed, including the scope and engagements and the inclusion of risks and risk
limitations. Section 3 presents a discussion of the methodologies, and secondly, a discussion of the
literature covering the risk-based internal audit literature covering the research and current practices
engagement process. This is followed in Section 4 with with regard to risk-based internal audit engagements.
a description of the model. A more comprehensive
discussion on the research methodology is given in 3.1 Evolution of the internal audit
Section 5, together with the empirical findings gathered engagement process
during the testing of the model. Conclusions are drawn
and recommendations are made in Section 6. The investigation into the evolution of the internal audit
engagement revealed that internal auditing has been
influenced over the last few decades by the changing
2. RESEARCH METHODOLOGY, SCOPE
business environment, and has undergone, and is still
AND LIMITATIONS
undergoing, a number of transformations. The literature
To address the research objective, various research (McNamee & Selim, 1998: 5; Spira & Page, 2003: 653–56;
methodologies were followed. Firstly, a comprehensive Hyde, 2007: 65–68) distinguishes between four
literature review was performed to get an understanding generations, namely pre-1980, the 1980s, the 1990s, and
of what a modern risk-based internal audit engagement 2000 and beyond, based on, inter alia, the types of
process should entail, and from that information, to activities performed, when activities are performed, what
develop a model. Secondly, the model was tested by factors influence the planning of an engagement and
means of a case study (see Section 5.1 for an explanation how it is executed. The word ‘risk’ makes its appearance
of the research methodology and findings) to ensure that from the second generation, referring to financial and
the model was effective (all significant audit findings compliance risk only. It is only from the third generation
captured and reported on in a timely manner) and (the 1990s) and onwards that ‘risk’ is more broadly
efficient (fewer audit procedures were performed, but incorporated into the engagement process. However,
with more intense focus on the areas of key risk). Thirdly, the question remains: How is the internal audit
the views of heads of internal audit functions (hereafter engagement process methodology linked to current risk
referred to as chief audit executives, CAEs) within methodologies and modern approaches to mitigate risks?
prominent risk-mature Top 40 private sector companies One of the most comprehensive frameworks on the
listed on the South African stock exchange (the JSE risk management process is documented in the COSO
Limited), were obtained and analysed to determine the Report (2004), providing guidance on what risk
use of such a model in practice (see Section 5.2 for an management entails, methodologies, terminologies,
explanation of the research methodology and findings). responsible parties, the steps in the risk management
A limitation of this article is that time and budget process, to name a few; thus focusing on risk
did not allow for all the available risk management management, and suggesting that internal control is one
frameworks to be used to exhaustively identify the of the risk mitigating activities (a risk-driven approach).
incorporation of risk methodologies in the internal audit At first glance it seems that this framework is the basis for
engagement process. However, the Committee of the fourth generation internal audit engagement process.
Sponsoring Organisations (COSO) has developed a The first COSO Report (1992), which is currently being
well-recognised framework on risk management (2004) updated (COSO, 2012), focuses on internal control with
which was used as the basis for the research for this risk assessment being a step in the development and
article. Also, the article only focuses on the planning stage implementation of appropriate controls (a control-driven
of the internal audit engagement. However, if the approach). It could thus be possible that the 1992
planning phase is based on risk methodologies, the framework reflects on the third generation internal audit
execution of the rest of the engagement will also be engagements. The third and fourth generation internal

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements 117

Table 1: Comparing the evolution of internal audit engagements with the COSO frameworks
Engagement planning COSO I (1992) COSO II (2004)
elements Third generation process* Fourth generation process*
Starting point Based on the risk assessment of all business Based on the outcome of the risk management
activities; process; understand all risks
understand all risks
Additional steps and/ Determine controls that should be in place to Determine the risk response that should be in
or information mitigate the risks place to effectively manage key risks
during planning
Engagement procedures No specific scope – determined by previous Audit the management of key risks within each
element risk management process component
Scope All business risks Target testing focusing on high risks
*Highlighted areas as discussed in the literature on third and fourth generation internal audit engagement process.

audit engagement planning elements are compared with engagement and no investigation into other mitigating
the frameworks provided in the two COSO reports (1992, activities (McNamee & Selim, 1998: 106; Deloitte, 2005: 7);
2004) in Table 1. Based on this comparison, it could be no integration of controls and risk assessment are
concluded that the third generation risk-based internal performed (Spencer Pickett, 2003; Sobel, 2008: 93);
audit engagement process is based on the COSO internal auditing performs their own risk assessment as
framework as documented in the 1992 report (or similar part of the audit engagement instead of relying on the
frameworks), whereas the fourth generation is based on formal risk assessment performed by, inter alia, the risk
the COSO framework as documented in the 2004 report department (Spencer Pickett, 2006: 143–61; Sobel, 2008:
(or similar frameworks). 93); and the focus is only on financial risks (Deloitte, 2005:
This conclusion was tested on what is occurring in 1–10).
practice or explained in guidance documents. After an Although there is documentation supporting the
Internet search and various research databases, only a few risk-driven approach (Griffiths, 2006a, 2006b; Pelletier,
studies and other documentation were unearthed. These 2008; Reding et al., 2009), these are either textbooks or
are discussed in the next section in the context of either guidance documents, or weaknesses that were identified
a control-driven (COSO, 1992) or a risk-driven (COSO, when compared to the processes mentioned in each
2004) approach to performing internal audit engagements. and the fourth generation risk-based internal audit
engagement methodology, namely:
3.2 Research and current practices • Internal auditors perform their own risk assessment
based on the objectives of the activity under review
As discussed in Section 1, when referring to risk-based (Pelletier, 2008: 73–76; Reding et al., 2009: 13–22). If the
internal auditing, most literature will mention either the formal risk management process’s risk assessment is
role that internal auditing should play in the overall risk used, duplications will be eliminated. However, this
management strategy of the organisation, or the internal will only be possible if the organisation is risk-mature
audit function’s annual plan based on the organisation’s and the risk management process has been audited by
strategic risks. The literature explains that a risk-based the internal audit function and is found to be reliable
internal audit engagement should consist of five steps, (De la Rosa, 2008; Baker, 2010: 32).
namely: setting the objectives of the audit engagement • Previously, the term risk referred mainly to hazards –
based on the objectives of the activity under review; the possibility that an action has a potentially negative
identify operational or strategic events within the scope of outcome or consequence on reaching the objectives
the audit engagement (including the risks threatening the (Prinsloo, 2008: 216–26). The modern approach to risk
achievement of the objectives); perform a risk assessment includes the loss of opportunity – the possibility that
where the risks are measured in terms of the likelihood an opportunity to achieve something positive could be
(the possibility that a given event will occur) and the lost (COSO, 2004: 16). It seems that this concept
impact (the result or effect of an event); the risk response is still not incorporated into the risk-based internal
(management developing a set of actions to align the risks audit engagement planning (Griffiths, 2006a: 41–42;
with the organisation’s risk appetite) that management Pelletier, 2008: 73–76; Reding et al., 2009: 13–22).
has or must implement; and control activities which • According to the risk management process, the
should form part of the risk response. However, difference between an inherent risk (the possibility
weaknesses were identified as discussed below. of an event occurring that could cause harm to an
According to much of the documentation referring to a organisation in the absence of any preventative,
risk-based approach, when performing an internal audit corrective or detective measures) and a residual risk
engagement, only the risk assessment step to identify (the remaining risk after mitigating activities have been
appropriate controls is incorporated. This indicates that a implemented) is the current responses that have been
control-driven approach, as discussed in Section 3.1, is put in place to mitigate the risk to an acceptable level
being used (McNamee & Selim, 1998; Bank of Canada, (COSO, 2004: 49–54). The movement between these
1998; Spencer Pickett, 2003, 2006; Deloitte, 2005; Sobel, two levels should thus provide the internal auditors
2008; Clayton, 2009). Other specific tendencies that with a starting-point when planning the engagement
should be mentioned include that risk analysis is not procedures. However, it seems that this is not currently
performed (McNamee & Selim, 1998: 103–5; Spencer the case, as most documents suggest focusing on all the
Pickett, 2003: 402; Clayton, 2009: 35–39); only the controls high inherent risks (Griffiths, 2006b: 37–40; Pelletier,
that mitigate the risks must be included in the audit 2008: 73–76; Reding et al., 2009: 13–22).

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
118 P. Coetzee and D. Lubbe

• As mentioned previously, risks cannot be viewed in practice advisories (see Table 2). The potential benefits of
isolation but must be viewed holistically (COSO, 2004: using this methodology are consistent with the guidance
15). With reference to an internal audit engagement, provided by the Institute of Internal Auditors (2012:
this could mean that a risk identified in a specific 2200-2) on the use of the risk management process in the
business unit or process might flow over to another. planning of the internal audit function’s annual plan.
The internal auditor should review the effect of these Table 2 reflects how the steps in the risk management
risks on the whole instead of the smaller unit only process can be incorporated into the planning phase of an
(Griffiths, 2006b: 26–30; Pelletier, 2008: 73–76; Reding internal audit engagement and explains how the risk
et al., 2009: 13–22). management process can be used to develop the internal
• It seems that controls are mostly investigated as a audit engagement work programme. The steps of the risk
means of reducing risks. Other risk-mitigating management process have been adapted to develop the
procedures or risk responses, such as sharing the model, which is also schematically presented in Figure 1
risk, avoiding the risk or accepting the risk (COSO, and explained below.
2004: 55–66), are not mentioned, but could be more Firstly (step 1), objectives are set for either the strategic
favourable or cost-effective (Griffiths, 2006a: 42; level or the operational levels of the organisation.
Pelletier, 2008: 73–76; Reding et al., 2009: 13–28). Assuming that this was performed during the risk
Apart from the above weaknesses in performing a management process, internal auditing may rely on the
risk-based approach, the internal audit engagement outcome of the process as documented in the risk register
process used in much of the literature still refers to the and use these objectives as the basis for the internal audit
control-driven process (COSO, 1992), even though it engagement objectives.
should be risk-driven (COSO, 2004) based on the internal Secondly (step 2), the inherent risks that have been
audit process generation as reflected in the literature identified during the risk management process that are
sources and their respective dates (Spencer Pickett, 2003, threatening the achievement of these objectives should be
2006; Deloitte, 2005; Sobel, 2008; Clayton, 2009). considered by the internal auditor. All inherent high risk
It seems that although some individuals and areas are considered to be included in the engagement
organisations are promoting the performance of risk- planning (refer to numbers 1, 2 and 3 in Figure 1). All
based internal audit engagements based on the risk hazards and opportunities should be included as
management process, and more specifically the process potential risks (see also Appendix B).
documented in the 2004 COSO Report, there are still a Thirdly (step 3), the internal auditor may use the
few gaps that prevent the utilisation of the process to its assessment of inherent risks as documented in the risk
fullest potential. From the above literature review, a register in terms of the likelihood as well as the impact.
risk-based internal audit engagement model was All inherent risks should also be considered in a holistic
developed, addressing these gaps. This model is context, thus how risk in areas outside the scope of
discussed in the next section. the engagement could affect this engagement and vice
versa. For all inherent risks that are not within the risk
appetite boundaries (refer to numbers 1, 2 and 3 in
4. DEVELOPMENT OF THE MODEL
Figure 1), the assessment of the residual risk should
While reflecting on the gaps and weaknesses identified also be obtained from the risk register. The investigation
above when referring to a risk-based internal audit of controls and other activities that are mitigating the
engagement, a model was developed to be used in this high inherent risks (refer to the list in Table 2) are
process. It should be noted that the use of the model is automatically included in the engagement work
based on certain assumptions, namely: programme, either for in-depth inspection to determine
• the organisation is risk-mature and thus has a the adequacy and the effectiveness (refer to number 2
comprehensive risk management process in place for in Figure 1), or for suggestions to facilitate improvement
both strategic and operational levels; (refer to numbers 1 and 3 in Figure 1). Low inherent risk
• the risk management process is being driven by the areas could be eliminated entirely (refer to number 4 in
board and senior management and implemented by a Figure 1), thus conserving the internal auditor’s time and
body independent of the internal audit function, such scarce resources and assisting management in reducing
as a risk department; costly over-controlling processes (see also Appendix B).
• the risk management process and its outcomes are Fourthly (step 4), the internal auditor should align the
properly documented, for example, in a risk register; recommendations of each internal audit finding to the
• the risk appetite (the amount of risk an organisation appropriate risk response as well as the residual risk level.
is willing to accept in pursuit of value; COSO, 2004: These could be made on a timely manner by issuing an
19) and risk tolerance (an acceptable variation or interim internal audit report (refer to numbers 1 and 3 in
deviation from the risk appetite to ensure that Figure 1). Recommendations could focus on either the
objectives are achieved; COSO, 2004: 124) levels lowering of the impact (refer to number 1 in Figure 1) or
have been set by senior management and the board of the likelihood (refer to number 3 in Figure 1) of a risk
or, where applicable, by line-management for when additional procedures are needed to mitigate that
operational activities; and risk. Internal auditing should keep track of management’s
• the risk management process has been audited by the action plans to mitigate the risk as well as the impact of the
internal audit function and the outcome of the process organisation and ensure that management is aware of it
can be relied upon. (see also Appendix B).
In the development of the model, the steps in the The above explanation of how the risk management
risk management process (COSO, 2004) are linked to process can be used to perform a fourth generation
the planning phase of an internal audit engagement internal audit engagement based on risk could be an
according to the guidance provided by the Institute of appropriate aid to not only reduce the internal auditor’s
Internal Auditors (2012: 2200–1) formal standards and workload, but also to provide a sharper focus. Especially

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements 119

Table 2: Incorporating the risk management process into the internal audit engagement process
Step Risk management process (performed by Use in internal audit engagement planning (for a specific activity
management, e.g. risk department) under review, e.g. business unit or business process)
1 • Objective setting • The activity’s objectives and related criteria form the foundation of the
• Outcome (a list of): audit engagement objectives and scope:
○ strategic objectives ○ Review the objective-setting process and outcome and, if needed,
○ operational objectives identify further objectives or only focus on priority objectives
(based on audit resources available)
○ Set the engagement objectives and scope
2 • Identification of inherent risks • The risks threatening the activity’s objectives form the foundation of
• Outcome (a list of significant): the engagement planning:
○ hazards ○ Consider the risk identification process and all relevant exposures
○ opportunities that threaten identified according to the process
the reach of objectives ○ While obtaining knowledge of the activity, consider other
exposures and risks for both hazards and opportunities
threatening the reach of the activity’s objectives
3 • Assessment of risks • The assessment (likelihood and impact) of both the inherent and
• Outcome (for each risk the residual risks are determined:
measure of): ○ Consider the risk assessment process and use outcome or perform
○ likelihood own assessment
○ impact for both: ○ Review inherent risk level, current risk responses in place, and
– inherent risk level residual risk level for each risk
– residual risk level ○ Measure inherent and residual risk level in the context of the risk
appetite
○ Focus more on high level risks (inherent risk exceeding the risk
appetite)
○ For the engagement programme, include current existing
responses where the inherent risk is high but the residual risk is
within the risk appetite levels (adequacy)
○ Investigate whether these responses are functioning as planned
(effectiveness)
○ Consider low inherent risk for inclusion in the engagement
programme by using professional judgement
○ Consider high inherent risk where the residual risk remains high
for inclusion in the engagement programme by using professional
judgement
4 • Risk response • The assessment of each risk is measured in terms of the risk appetite
• Outcome (for each risk decide to): • Residual risk exceeds the risk appetite and must be further treated by
○ avoid means of an appropriate risk response:
○ reduce ○ Consider engagement recommendation in terms of the appropriate
○ share risk response
○ accept ○ Include in the follow-up phase of the engagement
○ exploit
○ terminate activity
○ integrate above

High 1

= inherent risks

2 = residual risks
I
M = risks within
P tolerance
A levels
C
T
4
3

Low High
LIKELIHOOD

Figure 1: Schematic presentation of risk-based internal audit engagement.

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
120 P. Coetzee and D. Lubbe

in the light of the global scarcity of competent internal • A clear understanding of the system description was
auditors, the effect of the global economic meltdown on obtained.
business viability, and the growing complexity of the • The audit procedures performed during the
business environment, to name only a few factors engagement were listed.
currently affecting the internal audit profession, this • The audit findings were examined and summarised.
could be a tool to ensure more effective and efficient • The current risk register for the operational area was
engagements. It is important to note that the professional obtained. The risks identified in the risk register were
judgement of the internal auditor should never be classified as high/moderate inherent risk areas that
compromised and due professional care must be had lower residual risk levels after controls were
exercised at all times (IIA, 2012: 1200). For example, if the implemented (refer to number 2 in Figure 1); low
internal auditor suspects a possibility of fraud or if inherent risk areas (refer to number 4 in Figure 1);
controls seem unnecessary but are also performing a and high/moderate inherent risk areas that remained
preventative control function for possible collusion, the at high residual risk after controls were implemented
controls should remain and continue to be included in (refer to numbers 1 and 3 in Figure 1). The risk
the engagement work programme. register was used as the basis on which to decide
whether or not engagement procedures should be
included in the engagement programme.
5. TEST THE MODEL • The risks and controls in the risk register were used as
In this section, the testing of the model in a practical the basis to re-perform the engagement.
situation is described to determine whether the model The following criteria were used to determine how the
improves the efficiency and effectiveness of internal audit inherent risks and the controls recorded in the risk
engagements, as well as obtaining input from chief audit register should be included in the audit engagement’s
executives on the functionality of the model. list of engagement procedures (movement of inherent
risks to residual risks):
5.1 Methodology and findings to test the model • controls for high/moderate inherent risk areas that
had lower risk levels after controls were implemented
The efficiency and effectiveness of the model was tested should be included in the audit engagement
by means of a case study provided by a risk-mature programme (refer to number 2 in Figure 1);
company, selected on the basis of its willingness to • controls for low inherent risk areas should not be
participate. Before finalising the selection of the company, included in the audit engagement programme (refer
the assumptions contained in Section 4 had to be to number 4 in Figure 1);
applicable. • controls for high/moderate inherent risk areas that
According to Yin (2003: 2–4), a case study approach remained at a high risk level should not be included
allows the researcher to gain an understanding of the in the audit programme but be reported to
holistic and unique characteristics of a given real-life management, for example an audit finding in the
event. The planning phase of an internal audit audit report (refer to numbers 1 and 3 in Figure 1);
engagement that had previously been performed by the • the above list of engagement procedures was
company’s internal audit function was re-evaluated using compared to the original list of engagement
the risk-based internal audit model. The criteria used procedures to determine whether fewer tests would
when choosing the engagement ranged from the have been performed if the risk-based model had
engagement being performed on a high strategic risk been used; and
area, to being an assurance engagement (as opposed to • the list of engagement findings was compared to the
being a consulting engagement). The engagement had original engagement findings, as listed in the audit
to have been performed previously by the organisation report, to determine whether all the relevant audit
without having the input of the operational risk findings would have been discovered had fewer tests
management process. Finally, the engagement still had to been performed.
be relevant and had to have been performed recently, The results of the case study are summarised in Table 3
preferably in the current or the immediately previous (see also Appendix B). In the first column the processes of
financial year. the activity that was audited are numbered as per the audit
Yin (2003: 39–46) demonstrates that a single case study programme. In the second column the number of risks, as
can be used when a theory is being tested. In this case the listed in the risk register, applicable to each process area is
existing theory was tested against our risk-based internal listed. The word ‘General’ in the first column refers to a
audit engagement model. The internal audit engagement risk that is applicable to all the areas. In the third column
planning, more specifically the engagement work the difference between the inherent risk and the residual
programme, with its detailed engagement procedures, risk indicates whether the movement warrants an
was re-performed; thus a new engagement plan was inclusion in the audit programme proposed by the model.
developed based on the model. The original engagement In the fourth column, ‘Influence on audit procedures
work programme and detailed engagement procedures performed’, the table differentiates between the various
were compared with the ones drawn up using procedures currently included (walk-through tests were
the risk-based internal audit model. Possible mainly used and these are excluded from the analysis), the
differences, advantages, disadvantages, improvements procedures included if the risk-based audit model had
and weaknesses were identified. been used, and the net effect on the audit programme.
After all of the above criteria had been addressed and In the fifth column, on audit findings, the results as to
the relevant information and documentation which were whether findings would have been identified when
gathered and documented during the execution of the performing only the audit procedures as proposed in the
engagement (e.g., the working paper file) had been risk-based audit model are investigated. The sixth column
obtained, the execution of the case study was planned: addresses the possible inclusion of further audit findings

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements 121

Table 3: Summary of results of the case study

Process Number of Risks with Influence on audit Audit findings Additional finding
area risks as per movement procedures performed or discussion
risk register that indicates
inclusion Currently After use Nett Currently Use of Over Weak Other
included of model effect included model control controls findings†
1 4 2 4 2 Fewer None N/A 2
2 6 3 5 3 Fewer Finding 1 Yes 2
3 4 2 4 2 Fewer None N/A 2
4 5 1 4 1 Fewer None N/A 4
5 6 3 3 3 Same None N/A 1 1
6 2 2 2 2 Same None N/A
7 4 2 4 2 Fewer 1 2
Finding 2 Yes
Finding 3* Yes
Finding 4 Yes
General 10 4 0 4 More 1 1 4
Finding 5 Yes
Finding 5 Yes
*Finding 3 was not accepted by management as it is too difficult to implement a solution.
†
‘Other findings’ refers to risks that are high and should be brought to management’s attention in order that they may be
addressed accordingly.

and/or the need for discussions with management. The Advantages linked to this type of data gathering include
overall results of the case study indicate that if the model (Saunders et al., 2007: 354–60) a high level of confidence
had been used, fewer audit procedures would have been that the right person has responded; the likelihood of
performed (more efficient) but that all the audit findings contamination of the respondent’s answers is low;
would still have been included in the audit report open and closed questions can be included; and the
(effective). respondent’s participation is enhanced by this face-to-face
The process area ‘General’ refers mainly to strategic- interaction.
type risks that reflect on all the other process areas and Input was obtained from the chief audit executives on
were not included in the initial audit scope. However, if the current practices performed, the overall benefits of
these had been included, the value that internal auditing using the model during the performance of an internal
could add rises even further. Furthermore, for this specific audit engagement, as well as on specifics, such as
case study, additional audit findings could have been whether low inherent risk areas should be included in the
made, including areas where weak controls exist, areas engagement planning, how risks should be treated
subject to over-controlling, and other more strategic where both the inherent and residual risks are above the
weaknesses or problems that need to be brought to risk appetite, and other general comments (see also
management’s attention. Appendix B).
Results indicated that although the respondents were
5.2 Methodology and findings from interviews under the impression that they were following the COSO
2004 methodology, the fear of not covering all the
Formal interviews were conducted with five chief audit required aspects of the engagement, and of being ‘caught
executives employed by Top 40 private sector companies out’ by management should they not identify all the
that were listed on the JSE Limited on 8 April 2009. The relevant weaknesses, as well as other unique problems,
companies were chosen based on their level of risk was the motivation for still following the more
maturity as well as the risk maturity level of the internal comprehensive, but resource-hungry COSO 1992 audit
audit functions. The risk maturity levels of the 40 methodology.
companies were determined using the Risk and Insurance The second significant result was that internal auditors
Management Society (RIMS, 2006) maturity model. The still tend to perform their own risk assessment instead
five companies with the highest levels of overall risk of relying on the risk management process. If internal
maturity were chosen, considering that the internal audit auditing has provided assurance on the risk management
function’s maturity level also had to be high. The process, then there should be no reason not to trust the
reasoning behind this decision was that risk management risk management process’s outcome for the identification,
is a relatively new concept, and if the internal audit assessment and mitigating activities as documented in
function is addressing this concept in all or most of their the risk register. If the engagement reveals otherwise, this
activities (referring to risk maturity), there is a greater information should be used to update the risk register.
than even probability that internal auditors will follow The third significant result was that some organisations
a risk-based approach when performing internal audit have not fully developed their integrated risk
engagements. Although a structured questionnaire (see management processes. This then makes it difficult for the
Appendix A) was developed, the method that was used to internal auditor to bring risk that is technically outside the
gather the desired information was a ‘descriptive method audit scope into the engagement, or to bring into the audit
survey research’, from which the quantitative primary engagement risks identified during the engagement that
data was obtained. This data was collected by means have an effect on another area. This widened risk-
of personal interviews and the data consists of facts, incorporation process can only be fully implemented by
opinions, beliefs, attitudes and behaviours (Mouton, the internal audit function when the risk department
2001: 152–53; Saunders, Lewis & Thornhill, 2007: 310). is focused on the integration of organisation-wide risk

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
122 P. Coetzee and D. Lubbe

management. Until such time, the internal auditor should incorporated into the process since the 1990s. However, it
be aware of the weakness in the methodology and, where is only since the beginning of the new millennium (2000s)
applicable, refer to risks outside the scope of the audit, or that the risk management process has been used as a
to incorporate risks identified in this engagement into a foundation for the planning phase. Even then, all the
later engagement. elements of the risk management process have not yet
The fourth significant finding confirmed that internal been fully implemented and further improvements to
auditors are justifiably known as control experts and streamline the internal audit engagement process are
are used to providing recommendations on controls. needed.
However, sometimes it is more effective and efficient to During the testing of the risk-based internal audit
suggest another form of risk mitigation, such as sharing engagement model, the planning phase of an internal
the risk between business sections or entities, or audit engagement that had been performed previously
eliminating the activity that gives rise to a specific risk. was re-performed using the model’s methodology. The
Internal auditors therefore should also consider the results indicate that if the model had been used in
negative effects of over-controlling, as unnecessary executing the engagement, fewer audit procedures
controls are costly to any organisation. Results indicated would have been performed, but at the same time more
that this was still far from their default position. audit findings would have been uncovered, thus
The fifth result of the empirical study indicated that demonstrating that the risk-based internal audit model
low risks should not be included in the internal audit for assurance engagements will ensure that audits are
engagement, not even on a surprise basis. Thus, if the risk performed more effectively and efficiently.
management process can be relied upon, low inherent The chief audit executives interviewed all agreed that
risks should be eliminated from the engagement scope. implementing the model would certainly benefit the
However, it is suggested that the internal auditor should internal audit function overall, but more specifically
always use professional judgement when making this the internal audit assurance engagement, especially as
decision, as some low-risk areas could lead to other risks internal auditors tend to protect themselves by over-
arising, such as fraudulent activities. auditing. Valuable internal audit resources should not be
The sixth key result indicated that high inherent risks wasted on areas that are not effectively controlled by
should only be included in the engagement planning management: these should rather be speedily brought to
once control adequacy has been investigated, that is, once management’s attention. Thus, audit engagements can
the extent to which the control reduces the risk has been and should be more focused. However, respondents
established. Only those controls that do add to the risk were concerned that risk management systems are not
mitigation should be investigated for the effectiveness yet mature enough to accommodate the model. A
of the control – the extent to which the control is summary of the model, input obtained from chief audit
implemented and properly carried out. executives and the results of the case study are
The final result showed that if the risk-based internal summarised in Appendix B.
audit model is used correctly for the performance of an Areas for further research include the expansion of the
internal audit engagement, more audit findings are likely input obtained from chief audit executives to other
to be revealed than with conventional audits. These could stakeholders, such as the audit committee, management
include formal findings that should be reported in the and the risk identification and control bodies, on the
audit report, aspects of the business that should be performance of risk-based internal auditing. Also, the
brought to management’s attention for a decision on investigation of the state of maturity of the risk
whether each should be addressed or not, and finally, management process for operational areas, to ensure that
preparing and presenting an informal finding that is not risks are holistically addressed, are clustered according
included in the final audit report, for discussion and ad to a business unit and/or a business process, and that
hoc attention. the process outcome is properly documented. The latter
should enable internal auditing to implement an effective
and efficient risk-based approach to their activities,
6. CONCLUSION AND
including the performance of a fully risk-based internal
RECOMMENDATIONS
audit engagement.
The objective of the study was to provide a model that
will improve the efficiency and effectiveness of internal
audit engagements by optimally implementing a REFERENCES
risk-based approach. To reach this objective, the internal Baker, N. (2010), ‘Equipped for governance’, Internal Auditor,
audit engagement process was investigated to determine Vol. 67, No. 1, pp. 29–32.
how risk methodologies can be included. A model was Bank of Canada (1998), Risk-based internal auditing and
developed by using the risk management process as dynamic control assessment: revolutionising internal audit
documented in the 2004 COSO Report. Thereafter it was services, Altamonte Springs, FL: Institute of Internal
tested in a practical situation as well as by obtaining the Auditors.
Castanheira, N., Rodrigues, L. L. & Craig, R. (2010), ‘Factors
input from chief audit executives of prominent South associated with the adoption of risk-based internal
African companies. auditing’, Managerial Auditing Journal, Vol. 25, No. 1, pp.
As the term ‘risk-based internal auditing’ is relatively 79–98.
new, it seems that the terminology is not used consistently: Clayton, D. (2009), ‘A risk-centric approach that works’,
it is used interchangeably to describe the audit of the Internal Auditor, Vol. 66, No. 1, pp. 35–39.
risk management process, planning the internal audit Committee of Sponsoring Organisations of the Treadway
Commission (COSO) (1992), Internal control – integrated
function’s annual activities based on risk, or performing framework: framework, Jersey City, NJ: Sponsoring
an internal audit engagement based on risks. When Organisations of the Treadway Commission.
considering the overall evolution of the internal audit Committee of Sponsoring Organisations of the Treadway
engagement process, it seems that ‘risk’ has only been Commission (COSO) (2004), Enterprise risk management

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements 123

integrated framework: executive summary, Jersey City, NJ: argief / berigte / volksblad / 2009 / 06 / 27 / VB / 17 /
Sponsoring Organisations of the Treadway Commission. artikeldavelubbe.html (accessed 16 September 2013).
Committee of Sponsoring Organisations of the Treadway Mathker, V. (2008), ‘Sub-prime bomb: where were the auditors?’
Commission (COSO) (2012), COSO develops draft update to Available at: http://www.rediff.com/money/2008/oct/
internal control – integrated framework and related supporting 15bcrisis.htm (accessed 24 March 2009).
documents. Available at: http://www.coso.org (accessed 21 McNamee, D. & Selim, G. M. (1998), Risk management:
August 2012). changing the internal auditor’s paradigm, Altamonte Springs,
De la Rosa, S. 2008. How to effectively review your organisation’s FL: Institute of Internal Auditors.
risk management process. Institute of Internal Auditors – Mouton, J. (2001), How to Succeed in your Master’s & Doctoral
South Africa Training Programme, Johannesburg. Studies: a South African Guide and Resource Book, Pretoria:
Deloitte (2005), Lean and balanced: how to cut costs without Van Schaik.
compromising compliance. Available at: http://www Olah, A. J. (2009), ‘Where was ERM?’, Internal Auditor, Vol.
. deloitte . com / assets / Dcom - China / Local % 20Assets / 66, No. 1, p. 11.
Documents / Lean _ balanced _ us _ Sarbanes _ Control Pelletier, J. (2008), ‘Adding risk back into the audit process’,
Rationalization%281%29.pdf (accessed 16 September Internal Auditor, Vol. 65, No. 4, pp. 73–76.
2013). PricewaterhouseCoopers (2008), Internal audit 2012: a study
Finance, Accounting, Management Consulting and other examining the future of internal auditing and the potential
Financial Services (Fasset) Sector Education & Training decline of a controls-centric approach. Available at: http://
Authority (SETA) (2011), Fasset Scarce Skills ‘Guideline: www.pwc.com/images/gx/eng/about/svcs/grms/PwC
February 2011’. Available at: http://www.fasset.org.za/ _IAS_2012.pdf (accessed 3 May 2008).
down-loads-/research/SS_Guide-_2011_V4.pdf (accessed Prinsloo, J. (2008), ‘The development and evaluation of
26 July 2011). risk-based approaches’. Unpublished MCom (Accounting)
Gendron, Y., Cooper, D. J. & Townley, B. (2007), ‘The dissertation, University of the Free State.
construction of auditing expertise in measuring Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J.,
government performance’, Accounting, Organisations and Ramamoorti, S., Salamasick, M. & Riddel, C. (2009),
Society, Vol. 32, No. 1–2, pp. 105–33. Internal Auditing: Assurance and Consulting Services, 2nd
Gramling, A. A., Maletta, M. J., Schneider, A. & Church, B. K. edn, Altamonte Springs, FL: Institute of Internal Auditors
(2004), ‘The role of the internal audit function in corporate Research Foundation.
governance: a synthesis of the extant internal auditing Risk and Insurance Management Society (RIMS) Inc. (2006),
literature and directions for future research’, Journal of RIMS risk maturity model for enterprise risk management.
Accounting Literature, Vol. 23, pp. 192–244. Available at: http://www.rims.org/rmm (accessed 12
Griffiths, D. (2006a), ‘Risk-based internal auditing: an introduct- March 2008).
ion’, 15/03/2006, Version 2.0.3. Available at: http:// Saunders, M., Lewis, P. & Thornhill, A. (2007), Research
www.internalaudit.biz/supporting-pages/resources.htm Methods for Business Students, 4th edn, Harlow: Prentice
(accessed 20 February 2008). Hall.
Griffiths, D. (2006b), ‘Risk-based internal auditing: three views Sobel, P. (2008), ‘Risk management-based auditing’, Internal
on implementation’, 15/03/2006, Version 1.0.1. Available Auditor, Vol. 65, No. 4, pp. 92–93.
at: http://www.internalaudit.biz/supporting-pages/ Spencer Pickett, K.H. (2003), The Internal Auditing Handbook,
resources.htm (accessed 20 February 2008). 2nd edn, Hoboken, NJ: John Wiley & Sons.
Hull, J. C. (2009), ‘The credit crunch of 2007: what went Spencer Pickett, K.H. (2006), Audit Planning: A Risk-Based
wrong? Why? What lessons can be learned?’, The Journal of Approach, Hoboken, NJ: John Wiley & Sons.
Credit Risk, Vol. 5, No. 2, pp. 3–18. Spira, L. F. & Page, M. (2003), ‘Risk management: the
Hyde, G. (2007), ‘Enhanced audit testing’, Internal Auditor, reinvention of internal control and the changing role of
Vol. 64, No. 4, pp. 65–68. internal audit’, Accounting, Auditing & Accountability
Institute of Directors (IOD) (2009), King report on governance Journal, Vol. 16, No. 4, pp. 640–61.
for South Africa, King Committee on Corporate Yin, R. K. (2003), Case Study Research: Design and Methods, 3rd
Governance, Johannesburg. edn, London: Sage Publications.
Institute of Internal Auditors (IIA) (2012), International
Professional Practices Framework. Available at: https://na.
theiia.org/standards-guidance/recommended-guidance/ AUTHOR PROFILES
pages/newly released (accessed 11 April 2012).
Keen, S. (2008), Economics 101 – what the global meltdown Philna Coetzee is a Professor in internal auditing at
means. Available at: http://www.theage.com.au?action/ the Department of Auditing, University of Pretoria. She
printArtile?id=226496 (accessed 12 February 2009). is also the Coordinator of the Centre of Internal Audit
Khanna, V. K. (2011), ‘A survey-based assessment of
progress in the implementation of risk-based internal Excellence programme of the Institute of Internal
audit in Indian banks’, The IUP Journal of Accounting Auditors Inc. She has published widely on the topic of
Research & Audit Practices, Vol. 10, No. 4, pp. 53–96. auditing and internal auditing.
Koutoupis, A. G. & Tsamis, A. (2009), ‘Risk-based internal Dave Lubbe is a Professor at the Centre for Accounting
auditing within Greek banks: a case study approach’, at the University of the Free State. He has guided many
Journal of Management and Governance, Vol. 13, No. 1–2, students to their PhD and Master’s degrees in the fields
pp. 101–30.
Lam, J. (2009), ‘Key requirements for enterprise-wide risk
of auditing and governance. He also holds a law degree,
management: lessons learned from the global financial has written and published poems and lyrics, and
crisis’, RMA Journal, Vol. 91, No. 8, pp. 22–27. regularly writes for newspapers and magazines on a
Lubbe, D. (2009), ‘ “Politieke bedrog” dalk ’n rede vir ekonomiese variety of pertinent topics.
krisis”, Volksblad. Available at: http : / / 152 . 111 . 11 . 6 /

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
124 P. Coetzee and D. Lubbe

APPENDIX A
Structured interview schedule: Private sector
1 Organisational background*
2 IIA Standards*
3 The changing internal audit environment*
4 The risk management framework*
5 Risk management process*
6 Annual planning of the internal audit function’s activities*
7 Risk-based internal audit assurance engagements
7.1 When conducting the engagement planning, do you incorporate risk into the internal audit process by using the following?
(Explain if necessary):
COSO I model terminology Yes No Not sure
COSO II model terminology Yes No Not sure
If another methodology is used, indicate:
7.2 If using the COSO II model, how is the following information obtained?
Information Use auditee input Use risk management No/limited information Other
process results (internal auditor (provide
(risk register) has to obtain) details)
Operational (auditee)
objective setting
Risk identification for
inherent risks
Risk assessment (measure)
for inherent risks
Current risk mitigation
activities
Risk assessment (measure)
for residual risks
7.3 When planning the internal audit engagement, which one (or more) of the following strategies is used as a starting point?
Previous year’s working Inherent risks as per Difference between the inherent Other
paper file the risk register and residual risk as
per the risk register
7.4 When planning the internal audit engagement, which of the following are included?
Both threats and loss of The effect that a risk(s) may The effect that a risk(s) in another Recommending activities other
opportunities are have on another area area (outside the scope of the than controls to mitigate risk
investigated as (outside the scope of the engagement) may have on this to an acceptable level is
possible risks engagement) is considered engagement is considered considered
7.5 Please describe any further aspect relevant to your organisation’s internal audit engagement planning methodologies based
on risk that was not covered in this questionnaire:
8 Risk-based internal audit assurance engagement model
(Explain the model – see Figure 1 – to the interviewee)
8.1 Do you think the model can be used when performing your internal audit assurance engagement?
Yes No Reasons:
8.2 Do you think the model will reduce the extent of engagement procedures to be performed?
Yes No Reasons:
8.3 Do you think the model will be effective in focusing on the crucial aspects?
Yes No Reasons:
8.4 Do you think the model will be efficient (e.g., save time) whilst still being effective?
Yes No Reasons:
8.5 Do you think the model will assist in the following:
Eliminating ineffective controls Yes No Reason:
Eliminating unnecessary controls Yes No Reason:
Eliminating redundant controls Yes No Reason:
Eliminating excessive controls Yes No Reason:
Simplifying complex controls Yes No Reason:
8.6 Do you think low inherent risks should be included in the audit planning?
Full inclusion Only partial (judgement) Only on surprise basis No inclusion
Provide reasons:
8.7 Do you think a high inherent risk with a residual risk above the risk appetite should be included in the planning of
audit procedures?
Must be included in full Only focus on adequacy Only focus on effectiveness Only an audit finding
(audit all controls) of controls of controls
Provide reasons:
8.8 Please provide any further comments that may be used to refine the model:
8.9 May the model be tested at your organisation against a prior engagement? Yes No

* Detailed questions not included as it does not form part of the scope of this article.

© 2013 John Wiley & Sons Ltd Int. J. Audit. 18: 115–125 (2014)
 APPENDIX B
Comparing the model, input received from CAEs and the results of the case study
Step Internal audit engagement planning Input from chief audit executives (CAEs) Result of case study Influence on model
based on literature (see Table 2) (see Figure 1)
1 • The activity’s objectives and related criteria • Use auditee input • Not applicable • Ensure that COSO II methodology is
form the foundation of the audit engagement • Use the risk management processes’ followed
objectives and scope: results
○ Review the objective setting process and • If no or limited information exists, the
outcome and, if needed, identify further internal auditor should obtain further
objectives, or only focus on priority information

© 2013 John Wiley & Sons Ltd

objectives (based on the audit resources • Methodology followed is mainly COSO I
available) methodology, although respondents
○ Set the engagement objectives and scope initially thought it was COSO II-based
2 • The risks threatening the activity’s objectives • Use the previous year’s working papers as • For operational level: • Audit the effectiveness and outcome of
form the foundation of the engagement a starting point ○ Only threats are considered the operational risk management process
planning: • Internal auditing should perform an audit • For strategic level: and rely on the outcome to plan the audit
○ Consider the risk identification process and to verify the effectiveness and results of ○ Both threats and loss of engagement
all relevant exposures identified according the risk management process, including opportunities are considered • Both threats and loss of opportunities
to the process operational risks must be considered as risks during the
○ While obtaining knowledge of the activity, • Both threat and loss of opportunity are planning phase of the audit engagement
consider other exposures and risks for both considered
hazards and opportunities threatening the
achievement of the activity’s objectives
3 • Both the inherent and residual risks are • Use risk management process results for: • Use risk management process results • Use preliminary model
assessed (likelihood and impact): ○ inherent risks; as a basis for engagement planning • Perform own risk assessment only if no
○ Consider the risk assessment process and ○ difference between inherent and • Focus on the high/moderate inherent risk management process exists or if it is
use outcome or perform own assessment residual risk; and risk levels not reliable
○ Review inherent risk level, current risk ○ measurement or assessment of • Focus on areas where the movement • Consider integration of risks with other
responses in place, and residual risk level inherent and residual risks between inherent and residual risk areas
for each risk • Perform own risk assessment (additional) is material • Include risk mitigation activities, e.g.
Improving the Efficiency and Effectiveness of Risk-Based Internal Audit Engagements

○ Measure inherent and residual risk levels in • Consider enterprise risk management • Focus on the areas where the outsourcing
the context of the risk appetite integration: residual risk is within the risk • Ignore low inherent risk areas
○ Focus more on high level risks (inherent ○ Effect of risk on another area appetite (moderate to low) • For high residual risk, investigate control
risk exceeds the risk appetite) ○ Effect of another risk on this • Focus only on the risk mitigation adequacy, and if applicable, the
○ For the engagement programme, include engagement activities of the risk management effectiveness of controls
current existing responses where the • Internal auditor does not rely on current process
inherent risk is high but the residual risk is risk mitigation activities as per the risk • No inclusion of low inherent risks
within the risk appetite levels register, and, as such, focuses only on • Residual risk that remains high is
○ Investigate whether these responses are controls not included in the audit
functioning as planned • No inclusion of low inherent risks engagement
○ Consider low inherent risk for inclusion in • When the residual risk is still too high, ○ Fewer audit procedures are
the engagement programme by using evaluate control adequacy and, if performed
professional judgement applicable, the effectiveness ○ All findings as per the audit
○ Consider high inherent risk where the report are identified
residual risk remains high for inclusion in ○ Additional findings and/or areas
the engagement programme by using that need to be discussed with
professional judgement management are identified
4 • The assessment of each risk is measured in • Perform an investigation of the control • Residual risk that remains high is • Additional findings and/or areas that
terms of the risk appetite adequacy for residual risks above the risk not included in the audit need to be discussed with management
• Residual risk exceeding the risk appetite must appetite engagement: are identified
be further treated by means of an appropriate • Consider management signing a ○ All relevant findings are
risk response: document where they acknowledge that identified
○ Consider engagement recommendation in they are aware of the high residual risk ○ Additional findings that should
terms of the appropriate risk response • Internal auditing keep track of be brought to management’s
○ Include in the follow-up phase of the management’s action plans and the attention are identified
engagement impact on the organisation

Int. J. Audit. 18: 115–125 (2014)

125