4. Internal Audit Plan

Uploaded by

abdiweli

1. Risk Based Audit Plan

Risk is the possibility of an event’s occurrence that affects the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Internal Audit Plan
The internal audit plan sets priorities for the internal audit activity’s engagements performed
based on an understanding of the organization’s strategies, objectives, risks, and risk
management procedures.
It is established by the chief audit executive after consultation with senior management and
the board. The choices and priorities of engagements are based on the:
- needs,
- risks, and
- potential effects on the organization.
Priorities Based on the Risk Assessment

The audit plan of any internal audit activity must reflect the organization’s assessment of
risks found in large, complex, and interconnected organizations in the modern economy.

- The knowledge, skills, and other competencies of the internal auditors determine
what engagements can be performed without using external service providers.

Performance Standard 2010 Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization’s goals.
To comply with the standard above, the audit plan must be logically related to identified
risks of the organization and its strategic and operational goals. This connection of risks and
goals is a requirement of risk-based audit planning.
The purpose of establishing an internal audit plan is to ensure adequate coverage of areas
with the greatest adverse exposures to the organization. However, lower-risk audits may be
included to confirm that their risks have not changed. Thus, results of prior engagements are
relevant.
Accordingly, the priorities of the internal audit activity are based on the results of risk
assessments. The chief audit executive (CAE) generally should assign engagement priorities
to activities with higher risks.
- Setting priorities helps ensure the allocation of available resources that best meets
goals.
- Internal audit should be able to meet its objectives within given operating plans and
budgets, including measurement criteria and targeted dates of completion.
The CAE should have ongoing consultations with management and the board. The result
may be a revision of the risk assessment and audit priorities as a result of organizational
change.
Interpretation of Standard 2010
To develop the risk-based plan, the chief audit executive consults with senior management
and the board and obtains an understanding of the organization’s strategies, key business
objectives, associated risks, and risk management processes. The chief audit executive must
review and adjust the plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.
Implementation Standard 2010.A1
The internal audit activity’s plan of engagements must be based on a documented risk
assessment, undertaken at least annually. The input of senior management and the board
must be considered in this process.
In developing the risk-based plan, the internal audit activity ordinarily reviews and
corroborates the results of risk assessments performed by senior management.
The key input in the evaluation of risk is the internal auditor’s professional judgment about
exposures and likelihoods.
Planning also involves considering what services stakeholders want and where operating
benefits are most likely to be available.
Implementation Standard 2010.A2
The chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other
conclusions.
Planning for consulting services involves considering what benefits these engagements may
offer.
Implementation Standard 2010.C1
The chief audit executive should consider accepting proposed consulting engagements
based on the engagement’s potential to improve management of risks, add value, and
improve the organization’s operations. Accepted engagements must be included in the plan.
Consulting engagements use internal audit resources. The benefits of a consulting
engagement therefore must exceed its costs, including the opportunity cost of potentially
not conducting an assurance engagement.
The goals of the internal audit activity should be capable of accomplishment within given
operating plans and budgets and should be measurable to the extent possible.
- They should be accompanied by measurement criteria and targeted dates of
accomplishment.
The Risk-Based Audit Plan
Developing the plan often follows developing or updating the audit universe. It is “a
compilation of the subsidiaries, business units, departments, groups, processes, or other
established subdivisions of an organization that exist to manage one or more business risks.”
The audit universe (all auditable risk areas) may include the organization’s strategic plan. It
may reflect the
- Overall business objectives,
- Attitude toward risk,
- Difficulty of reaching objectives,
- Results of risk management, and
- Operating environment.

A documented risk assessment defines the audit universe and its assessed risks and
potential effects after input from senior management.
The audit universe includes all business units, processes, or operations that can be
evaluated and defined. They include accounts, divisions, functions, procedures, products,
services, programs, systems, controls, and many other possibilities.
- The audit plan includes audits requested by management and the board (audit
committee) or required by regulators, e.g., as a condition of receiving government
contracts.
- Many entity operations or functions are audited cyclically. Accordingly, the priority of
an audit may depend on how recently a specific operation or function has been
audited.
The audit universe should be assessed at least annually to reflect the most current
strategies and direction of the organization.
- More frequent updating of audit plans may be needed to respond to changes in
circumstances.

The internal audit activity’s audit plan is based on
- The audit universe,
- Input from senior management and the board, and
- Assessed risks.

An internal audit plan usually is prepared for an annual period. But it might be for a rolling
12-month cycle or two or more years with annual evaluations. The plan most often includes
- A set of proposed assurance and consulting engagements.
- The basis for inclusion of each engagement (e.g., risk or time elapsed from the most
recent audit).
- The objective and scope of each proposed engagement.
- Projects derived from the internal audit activity’s strategy.
Key audit objectives are to provide assurance and information to senior management and
the board.
Assurance includes an assessment of risk management activities.
Work schedules are based on, among other factors, an assessment of risk and exposure.
Most risk models (risk analysis) address internal and external risks using risk factors to set
priorities.
Internal risk factors include
- quality of and adherence to controls;
- degree of change (e.g., increased expenditures or decreased revenues);
- timing and results of last engagement;
- impact;
- likelihood;
- materiality;
- asset liquidity, accessibility, and value;
- management competence;
- potential for fraud; and
- regulatory penalties.
External risk factors include
- competitor actions,
- supplier prices and quality (e.g., because of lack of competing bids),
- industry issues, and
- employee and government relations.
An unexpected, significant change in an account that cannot be explained increases its
assessed risk.
Risk Management Process
Each engagement plan must consider the organization’s understanding of the risk
management process, a vital component of the planning process.
Risk management identifies, assesses, manages, and controls potential events or situations
to provide reasonable assurance regarding the achievement of the organization’s objectives
(The IIA Glossary).
Risk management is critical to sound governance of all organizational activities. Consistent
risk management should be fully integrated into management at all levels.
Management typically uses a framework (e.g., COSO, ERM, or ISO 31000) to perform the risk
assessment and document the results.
The chief audit executive considers the organization’s risk management framework. If a
framework does not exist, the chief audit executive assesses risks after consultation with
senior management and the board.
Effective risk management assists in identifying key controls related to significant inherent
risks. An inherent risk is the combination of internal and external risk factors in their
uncontrolled state, or the existing gross risk, assuming no internal controls are in place
(The IIA Glossary). For example, cash and assets easily converted to cash, such as precious
metals, have high inherent risk.
Control often is used to manage risk within the risk appetite, the “level of risk that an
organization is willing to accept.”
Risk tolerance is the acceptable variation in performance relative to achieving objectives.
Current risk is the risk managed within existing controls or control systems.
Key controls “must operate effectively to reduce a significant risk to an acceptable level.”
Controls are processes that address risks.
Effective risk management identifies key controls based on the difference between inherent
and residual risk across all affected systems.
Residual risk is “the portion of inherent risk that remains after management executes its
risk response (sometimes referred to as net risk).”
When identifying key controls (and if risk management is mature and reliable), the internal
auditor looks for
- Individual risk factors when the reduction from inherent to residual risk is significant
(particularly if inherent risk was very high)
- Controls that mitigate a large number of risks
Internal auditors audit key controls and provide assurance on the management of significant
risks.
When planning individual audits, the internal auditors identify and assess risks relevant to
the specific engagement. They consider
- risks of current and future events,
- effects on the organization’s objectives, and
- causes.
An internal audit plan normally focuses on the following:
- Unacceptable current risks requiring management action
- Control systems on which the organization is most reliant
- Large differences between inherent risk and residual risk
- Very high inherent risks
Due professional care requires
- work assignments to be proportional to the complexities of the engagement and
- the assigned internal auditors to have the knowledge, skills, and other competencies
to perform their responsibilities.
N.B.: Inherent risk is the risk that an organization could encounter when no controls are in
place. Inherent risk is what a company might face without any preventative measures in
place.
On the other hand, residual risk is the risk that exists with controls in place. This type of
risk can be thought of as the risk that still remains even after an organization has taken
preventative measures to minimize the likelihood and/or impact of the risk event.
2. Risk Modeling
Rank and Validate Risk Priorities
Risk modeling ranks and validates risk priorities for engagements in the audit plan.
Risk factors (e.g., impact and likelihood) may be weighted based on professional
judgments to determine their relative significance, but the weights need not be quantified.
Risk modeling in a consulting service can be accomplished by ranking the engagement’s
potential to improve management of risks, add value, and improve the organization’s
operations.
Senior management assigns different weights to each of these items based on
organizational objectives. The engagements with the appropriate weighted value are
included in the annual audit plan.
RM techniques
- Accept
- Transfer
- Reduce
- Avoid

                      Likelihood
                      High        Low
Impact   High         Avoid       Transfer
         Low          Reduce      Accept
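As an added worked example (not from these notes), the following Python scores a constructed audit universe with weighted risk factors named in the notes, ranks the engagements, records the basis for inclusion (risk or time elapsed since the last audit), and maps each unit onto the likelihood/impact treatment matrix; the weights, the 1..5 rating scale, the "High" cut-off, the audit cycle length and the sample units are all assumptions.

```python
"""Risk-model ranking of an audit universe (added example, not from the notes).
Each auditable unit is scored on impact, likelihood, time since the last audit
and degree of change. Weights are a judgment call (the notes say they need not
be quantified); the values here are constructed. Treatment follows the 2x2
likelihood/impact matrix: Avoid / Transfer / Reduce / Accept.
"""
from dataclasses import dataclass

# Constructed weights; a real CAE sets these by professional judgment.
WEIGHTS = {"impact": 0.4, "likelihood": 0.3, "years_since_audit": 0.2, "change": 0.1}
SCALE = 5               # factors are rated 1 (low) .. 5 (high)
HIGH = 4                # rating at or above this counts as "High" in the matrix
AUDIT_CYCLE_YEARS = 3   # cyclical coverage: units unaudited this long are due


@dataclass
class AuditableUnit:
    name: str
    impact: int
    likelihood: int
    years_since_audit: int
    change: int  # degree of change, e.g. increased expenditures


def risk_score(u: AuditableUnit) -> float:
    """Weighted sum of the factors, each normalised to 0..1."""
    normalised = {
        "impact": u.impact / SCALE,
        "likelihood": u.likelihood / SCALE,
        "years_since_audit": min(u.years_since_audit, SCALE) / SCALE,
        "change": u.change / SCALE,
    }
    return round(sum(WEIGHTS[k] * v for k, v in normalised.items()), 3)


def treatment(u: AuditableUnit) -> str:
    """Map the unit onto the notes' likelihood/impact matrix."""
    high_impact, high_likelihood = u.impact >= HIGH, u.likelihood >= HIGH
    if high_impact:
        return "Avoid" if high_likelihood else "Transfer"
    return "Reduce" if high_likelihood else "Accept"


def build_plan(units: list, capacity: int) -> list:
    """Rank the universe, keep the top `capacity` engagements and record the
    basis for inclusion (risk, or time elapsed since the last audit)."""
    ranked = sorted(units, key=lambda u: (-risk_score(u), u.name))
    plan = []
    for u in ranked[:capacity]:
        basis = ("time elapsed since last audit"
                 if u.years_since_audit >= AUDIT_CYCLE_YEARS else "risk")
        plan.append({"name": u.name, "score": risk_score(u),
                     "treatment": treatment(u), "basis": basis})
    return plan


# Constructed sample audit universe: name, impact, likelihood, years, change.
SAMPLE_UNIVERSE = [
    AuditableUnit("Treasury and cash", 5, 4, 1, 2),
    AuditableUnit("Payroll", 4, 2, 4, 1),
    AuditableUnit("Facilities", 2, 2, 1, 1),
    AuditableUnit("IT change management", 3, 4, 2, 5),
]
```

Calling `build_plan(SAMPLE_UNIVERSE, capacity=3)` drops Facilities (Accept, score 0.34) and keeps Payroll on the basis of elapsed time even though its risk score is the lowest of the three retained.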

Audit Risk and Its Components


Audit risk is the risk of reaching invalid audit conclusions or providing faulty advice
based on the audit work (The IIA Glossary).
- In an internal audit context, audit risk is the risk of providing senior management and
the board with flawed or incomplete information about governance, risk
management, and control.
- The components of audit risk are (1) inherent risk, (2) control risk, and (3)
detection risk.
Inherent risk is the combination of internal and external risk factors in their uncontrolled
state, or the existing gross risk, assuming no internal controls are in place (The IIA
Glossary).
- In an internal audit context, inherent risk is the risk arising from the nature of the
account or activity under review. For example, accounting estimates are inherently
riskier when estimation uncertainty increases significantly. Another example is the
risk that advances in technology may render inventory obsolete.
Control risk is “the potential that controls will fail to reduce controllable risk to an
acceptable level” (The IIA Glossary).
- In an internal audit context, control risk is the risk that the system of internal control
designed and implemented by management will not achieve management’s
objectives for the account or activity under review.
Detection risk is the risk that the audit procedures intended to reduce audit risk to an
acceptably low level will not detect a material misstatement.
- In an internal audit context, detection risk is the risk that the auditor will fail to
discover conditions relevant to the established audit objectives for the account or
activity under review.
The components of inherent, control, and detection risk may be assessed in quantitative
(e.g., scale of 1% to 100%, with 100% being maximum risk) or nonquantitative (e.g., high,
medium, low) terms.
Audit Risk Model
Audit risk = Risk of Material Misstatement (Inherent risk × Control risk) × Detection risk
Auditor Response to Assessed Risk
Of the three components, only detection risk is under the auditor’s direct control.
The internal auditor must first determine the levels of inherent and control risk for the
account or activity under review. Detection risk is then adjusted to achieve an overall
acceptable level of audit risk.
If inherent risk, control risk, or both are determined to be high, detection risk must be set at
a low level to compensate. The internal auditor then must increase the nature, timing, and
extent of engagement procedures to decrease audit risk to an acceptable level.
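As an added worked example (not from these notes), this Python applies the audit risk model above: it computes AR from the three components and solves for the largest detection risk the auditor can tolerate once inherent and control risk have been assessed, then states the direction for engagement procedures; the 5% target audit risk and the high/medium/low bands are constructed assumptions.

```python
"""Audit risk model worked through (added example, not from the notes).
AR = IR x CR x DR, each component on the 1%..100% scale the notes mention
(here as proportions 0..1). Only detection risk is under the auditor's
control, so the model is solved for the largest DR that still meets the
accepted overall AR. The band cut-offs and 5% target are assumptions.
"""

BANDS = ((0.2, "low"), (0.5, "medium"), (1.0, "high"))  # constructed cut-offs


def _check(*values):
    for v in values:
        if not 0 < v <= 1:
            raise ValueError("risk components are proportions in (0, 1]")


def audit_risk(inherent: float, control: float, detection: float) -> float:
    """AR = RMM x DR, where RMM (risk of material misstatement) = IR x CR."""
    _check(inherent, control, detection)
    return round(inherent * control * detection, 4)


def max_detection_risk(inherent: float, control: float,
                       target_audit_risk: float = 0.05) -> float:
    """Largest DR that keeps AR at or below the target; capped at 100%."""
    _check(inherent, control, target_audit_risk)
    rmm = inherent * control
    return round(min(1.0, target_audit_risk / rmm), 4)


def band(level: float) -> str:
    """Translate a proportion into the notes' nonquantitative terms."""
    return next(label for limit, label in BANDS if level <= limit)


def plan_response(inherent: float, control: float,
                  target_audit_risk: float = 0.05) -> dict:
    """Auditor's response: high IR and/or CR forces DR low, which means
    increasing the nature, timing and extent of engagement procedures."""
    dr = max_detection_risk(inherent, control, target_audit_risk)
    procedures = {
        "low": "increase nature, timing and extent of procedures",
        "medium": "standard procedures",
        "high": "procedures may be reduced",
    }[band(dr)]
    return {"rmm": round(inherent * control, 4), "max_detection_risk": dr,
            "detection_band": band(dr), "procedures": procedures}
```

With IR = 80% and CR = 60%, RMM is 48% and DR must be held at about 10.4% to keep AR at 5%; with IR = 30% and CR = 20%, DR may rise to about 83% for the same AR.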
3. Communicating and Reporting to Senior Management and the Board

Communication and Approval

Performance Standard 2020 Communication and Approval
The chief audit executive must communicate the internal audit activity’s plans and resource
requirements, including significant interim changes, to senior management and the board
for review and approval. The chief audit executive must also communicate the impact of
resource limitations.
The proposed internal audit plan and the risk assessment are discussed with the board to
communicate
- the risks addressed by the plan and
- those risks that cannot be addressed because of resource limits.
The proposed internal audit plan includes the following:
- Assurance and consulting engagements
- The reason for selecting each engagement (e.g., risk or time elapsed since the last
audit)
- Objectives and scope of each engagement
- Projects indicated by the internal audit strategy but not necessarily related to audit
engagements
The plan should be flexible enough to respond to changes in circumstances.
- Significant changes in the plan, its basis, or its effects must be approved by the board
and senior management.
- Review of, and changes in, the plan may occur at quarterly or semiannual board
meetings.
Performance Standard 2060 Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on
the internal audit activity’s purpose, authority, responsibility, and performance relative to its
plan and on its conformance with the Code of Ethics and the Standards. Reporting must also
include significant risk and control issues, including fraud risks, governance issues, and
other matters that require the attention of senior management and/or the board.
Frequency and Content of Reporting to Senior Management and the Board
The frequency and content of reporting are determined collaboratively by the chief audit
executive, senior management, and the board. The frequency and content of reporting
depends on the importance of the information to be communicated and the urgency of the
related actions to be taken by senior management and/or the board.
The CAE’s Duty to Report
The CAE should communicate information to senior management and the board about the
following:
- The internal audit charter
  - The CAE periodically reviews the charter and presents it for approval.
- Organizational independence of the internal audit activity
  - The CAE annually confirms organizational independence to the board.
  - Impairments of independence must be disclosed to the board.
- Internal audit plans, resource requirements, and performance using key indicators
- Results of audit engagements
  - But the CAE’s supervisory and reporting roles are unlikely to include drafting
    final communications for engagements.
- Engagements completed compared with those planned
- Gaps in audit coverage
- Results of the quality assurance and improvement program
  - Included is a conclusion on whether the internal audit activity conforms with
    the Code of Ethics and Standards.
- Significant risk and control issues and management’s acceptance of risk
  - The CAE may believe that significant risk exposures and control issues will
    result in unacceptable internal and external risks. These risks may include (1)
    control weaknesses, (2) fraud, (3) illegal acts, (4) errors, (5) inefficiency, (6)
    waste, (7) ineffectiveness, (8) conflicts of interest, and (9) financial loss. The
    CAE should present such concerns to senior management.
  - Senior management and the board determine the responses to significant
    issues.
    - They may assume the risk of not correcting the reported condition
      because of cost or other considerations.
    - Senior management should inform the board of decisions about all
      significant issues raised by internal auditing.
  - When the CAE believes that senior management has accepted an
    unacceptable risk, the CAE must discuss the matter with senior management
    first. The CAE should
    - Understand management’s basis for the decision,
    - Identify the cause of any disagreement,
    - Determine whether management has the authority to accept the risk,
      and
    - Preferably resolve the disagreement.
  - If the CAE and senior management cannot agree, the CAE must inform the
    board.
    - If possible, the CAE and management should jointly present their
      positions.
    - The CAE should consider timely discussion of financial reporting issues
      with the external auditors.
The CAE may share and discuss the contents of the report with senior management before
presenting it to the board.
The CAE reports on the overall effectiveness of the organization’s internal control and risk
management processes to senior management and the board.
