07 Ch.03 Risk Based and Process Based Approaches

Chapter 3 discusses two approaches to operations auditing: risk-based and process-based. The risk-based approach focuses on evaluating internal controls and adjusting audit scope based on identified risks, while the process-based approach emphasizes analyzing processes for efficiency and effectiveness. The chapter outlines steps for conducting audits, including planning, risk assessment, execution, and reporting.

Risk-Based and Process-Based Approaches to Operations Auditing

Chapter 3
Content
• Risk-based Operations Audit Approach
• Process-based Operations Audit Approach
• Samples, Short Quiz, Take Home Assignment
Risk-Based Operations Audit Approach
The Risk-based Audit Approach
- Designed to evaluate controls and modify the scope of an audit, risk-based auditing is paramount to an efficient and successful audit plan.
What does Risk-based auditing achieve?
AN IMPORTANT TOOL in the auditor's toolbox, risk-based auditing effectively serves the three primary roles of operations auditing by:
o providing feedback on the adequacy of internal control,
o providing a source of information for monitoring risk,
o and providing identification and communication of best practices among industries and operating lines of business.
The primary focus of the risk-based audit:
• to validate that the internal control environment is functioning as planned,
• that assets are adequately safeguarded,
• that the organization is operating in conformance with established policies,
• communicating the results of the control assessment to executive management and the audit committee.

The difference from traditional external audit is the focus on the scope of the audit procedures designed to achieve these goals, which is set through the risk assessment and audit planning processes.
The Stages in Risk-based Audit:
The process begins with formal annual planning, planning updates before audit segments begin, and periodic feedback from management and the audit committee regarding report content expectations.

The audit scope is adjusted based on all of these factors, and allows the auditor a keen ability to understand management and audit committee concerns regarding risk and audit coverage and to react quickly to these concerns.
Step 1: Understanding the Business Environment
The key to effective risk based auditing is for the auditor to begin
the planning process by gaining a thorough understanding of the
business process for the area under review.
In combination with feedback from management and the audit
committee, business objectives are developed, specific risks that
could cause management not to meet those business objectives
are identified, and controls established by management to
mitigate these risks are evaluated.
These business objectives, risks, and controls should also be
reviewed in relationship to the entity-wide business objectives,
risks, and controls to assist in developing comprehensive corporate
decisions.
Example: Financial Institutions
Step 2: Preliminary Risk Assessment
The purpose of the preliminary risk assessment is to determine the level of
risk and adequacy of controls in the various functional processes of a
business unit.
The assessment focuses on the business profile, management structure,
organizational changes, and specific concerns of management and the audit
committee to determine the areas of greatest risk.
It also serves to aid the auditor in evaluating the control design to determine
the desired audit scope.
Many corporations have incorporated an automated risk assessment
application into their risk based approach, which uses artificial intelligence to
link audit planning, risk assessment, analytical review, internal controls
review, and selection of audit procedures into one fully integrated,
automated process.
The risk assessment determines how well each function's control
design mitigates inherent risk.
At the conclusion of this assessment, the internal auditor evaluates the
Example: Financial Services Industry
(Financial, Business & Operational Risk)
Step 3: Develop a 3-year audit plan
Based on the preliminary risk assessment that places the auditable
business processes within a risk matrix based on low to high risk, a
three-year audit plan is established.
With certain adjustments based on management and audit
committee input or regulatory requirements, low risk areas would
be audited every three years, moderate risk areas audited every
other year, and high-risk areas audited every year.
The three-year audit plan should be revisited each year during the
update phase of the risk assessment process and adjustments
should be made based on new or changed risk factors. This
methodology allows the auditor flexibility in a changing risk
environment.
Example: 3-year audit plan for a Bank
The Defensive: Sample Questions to ask of auditors & management
during preliminary meeting
Step 4: Complete the Secondary Risk Assessment
In this stage, which is performed during the scheduled audit, the auditor determines the effectiveness of the control design.
Through in-depth interviews, walk-throughs and other
observations, the auditor determines if the controls established by
management in the control design are in fact operating as
designed.
The secondary risk assessment allows the auditor to more
accurately tailor the audit approach to current risks by providing
for alteration of the audit plan.
Example: Completing the Secondary Risk Assessment
For example, in the preliminary risk assessment the auditor may
have noted that there were adequate segregation of duties and
physical controls in place.
Based on these circumstances the preliminary risk assessment could
have placed the overall risk for the area at the moderate level.
If, during the secondary risk assessment, the auditor learns that
segregation of duties and physical controls were not actually in place,
the overall risk for the area could be elevated to the high level.
As such, the audit plan and scope would need to be revised to
include a higher level of substantive testing in response to the higher
overall risk in the area.
Step 5: Execution of the Audit Program
After making adjustments to the audit scope based on the results
of the secondary risk assessment, the audit plan is finalized and
audit fieldwork can begin.
A standard audit program guides the audit process, and
determines which audit procedures should be performed based on
the secondary risk assessment rating.
Naturally, the higher the risk assessment, the more detailed the
audit procedures to be performed.
Sample Audit Program
During audit fieldwork and prior to the exit meeting, all potential audit issues should be fully discussed with operating personnel and line management.
This “exiting as you go” process serves three valuable purposes:
First, it allows the auditor to ensure the facts are accurate, which
prevents unnecessary audit work and strengthens the internal
auditor’s credibility.
Secondly, operating personnel and line management can begin
correcting problems, which will positively demonstrate to senior
management their ability to address issues. This also allows no
surprises at the formal exit interview.
Lastly, if there are disagreements on items other than facts, such as the overall risk or the recommended solution, the auditor is aware before the formal exit and can react accordingly.
Step 6: Conduct a Formal Exit Meeting
A formal exit meeting should be conducted with both operating
and senior management prior to leaving the field to present issues
noted during the audit, as well as best practice suggestions for
improving controls, efficiency, and operational performance.
Minor exceptions or findings, which may not be included in the audit report, can be discussed verbally.
The formal exit meeting is also the opportunity for the auditor and
management to discuss recommendations for improvement and to
clear any factual issues that are still in question.
The auditor should be sure to give management credit for actions already taken and offer consultative advice on those issues that are unresolved.
How to do the Closing or Exit Meeting:
Step 7: Reporting and Communication
After the conclusion of the exit meeting, a report draft is issued to
operating management to solicit corrective action plans.
The draft report should include findings and recommendations ranked
as high, moderate, or low risk:
High risk indicates management should immediately remedy the situation to prevent significant risk of loss;
moderate risk indicates that timely remedy by management is suggested;
and low risk indicates that the finding does not appear to represent an immediate risk but improvements are still possible.
The report is issued in draft form to allow continued communication
between the auditor and operating management in the areas of
relative importance of the audit results and recommended solutions.
At this phase of the process, there should be no disagreements as to
the facts in the report as these should have been agreed to during the
fieldwork and exit meeting stages.
Sample Audit Reports
Management Action and Follow up
Management action plans (MAPs) should document specific actions to address the
findings and recommendations, with management assignments of who is responsible
for the plan and a date when the actions should be concluded.
In reviewing MAPs, the auditor should determine that the identified risk will be
adequately addressed and the completion timetable is reasonable.
A final report is issued to include the auditor’s findings and recommendations, as well
as management’s action plans. This report should be distributed to all applicable
operating, senior and executive management, as well as to members of the audit
committee.
The auditor should regularly meet with the audit committee in person to discuss the
audit reports and solicit any necessary feedback.
The auditor will periodically provide a monitoring report that management and the
audit committee can utilize to track critical audit findings, follow up on the results, and
review at a glance the effectiveness of risk management and the resolution of all
significant findings.
Follow up reporting should continue until the issue is satisfactorily resolved. This
communication is often the source of appropriate changes in audit scope to address
risk changes.
Sample Management Action Plan
End of Part 1
Process-Based Approach to Operations Audit, Part 2
Elements of a Process Approach to auditing:
Scope of a Process Approach to auditing:
Advantages of a Process Approach to auditing:
Process Approach to auditing, for effectiveness:
SIPOC Process Map
Turtle Diagram Process Map
Swim Lane Flowchart Process Map
Sample ISO Audit Program
Sample Audit Template
Sample Audit Reports
Short quiz… (20 pts)
1. DESIGNED TO EVALUATE CONTROLS AND _____?___ THE SCOPE OF AN AUDIT, RISK BASED AUDITING IS PARAMOUNT TO AN EFFICIENT AND SUCCESSFUL AUDIT PLAN.
A. FIX B. MODIFY C. FINALIZE D. LIMIT

2. RISK BASED AUDITING PROVIDES THE FOLLOWING, EXCEPT FOR:
A. FEEDBACK ON THE ADEQUACY OF INTERNAL CONTROL
B. SOURCE OF INFORMATION FOR MONITORING RISK
C. THE INPUT AND EXPECTED OUTPUT OF A CERTAIN PROCESS
D. IDENTIFICATION AND COMMUNICATION OF BEST PRACTICES AMONG INDUSTRIES AND OPERATING LINES OF BUSINESS.

3. THIS STEP IN THE RISK BASED APPROACH TO OPERATIONS AUDIT CALLS FOR THE REVIEW OF BUSINESS OBJECTIVES, RISKS, AND CONTROLS IN RELATION TO THE ENTITY-WIDE BUSINESS OBJECTIVES, RISKS, AND CONTROLS TO ASSIST IN DEVELOPING COMPREHENSIVE CORPORATE DECISIONS.
A. PRELIMINARY ASSESSMENT
B. UNDERSTANDING THE BUSINESS ENVIRONMENT
C. AUDIT PLANNING
D. AUDIT PROGRAM

4. GUIDES THE AUDIT PROCESS, AND DETERMINES WHICH AUDIT PROCEDURES SHOULD BE PERFORMED BASED ON THE SECONDARY RISK ASSESSMENT RATING.
A. BUSINESS ENVIRONMENT REVIEW
B. RISK ASSESSMENT CHECKLIST
C. AUDIT PLAN
D. AUDIT PROGRAM

5. A _____?_____ AUDIT FINDING INDICATES THAT MANAGEMENT SHOULD IMMEDIATELY REMEDY THE SITUATION TO
…Short quiz (20 pts)
6. IN THIS AUDITING APPROACH, THE AUDITOR GOES BY EACH STANDARD CLAUSE, USUALLY WITH A CHECKLIST, SEARCHING FOR EVIDENCE OF CONFORMANCE AND NONCONFORMANCE.
A. PROCESS B. CLAUSE C. DEPARTMENT D. TASK

7. A STEP IN THE PDCA CYCLE THAT CALLS FOR MODIFICATIONS AND UPGRADES FOR EFFICIENCY & EFFECTIVENESS:
A. PLAN B. DO C. CHECK D. ACT

8. A PROCESS MAP THAT IS USEFUL FOR ANALYZING NON-COMPLEX, LINEAR PROCESSES.
A. SIPOC B. TURTLE C. SWIM LANE D. DECISION TREE

9. THE MAIN ELEMENTS THAT A PROCESS APPROACH TO OPERATIONS AUDIT REVIEWS INCLUDE THE FOLLOWING, EXCEPT FOR:
A. PROCESS OWNERS
B. RESOURCES
C. INPUTS AND OUTPUTS
D. ECONOMY AND COST

10. A PROCESS BASED AUDIT SERVES AS A TOOL TO IDENTIFY WEAKNESSES AND OPPORTUNITIES TO IMPROVE CONNECTIONS BETWEEN THESE, EXCEPT FOR:
A. POLICY B. REGULATION C. PERFORMANCE D. OBJECTIVES & TARGETS
Thank you
