Summary: The document discusses developing a risk-based internal audit plan and updating the audit universe. It explains key concepts such as risk, inherent risk, residual risk, and the advantages of a risk-based internal audit approach. Developing an effective risk-based internal audit plan involves understanding the business environment, processes, and objectives, identifying the audit universe, and assessing risks to prioritise audit areas and allocate resources. The audit universe maps the entire scope of audit coverage and is shaped by the organisation's risk management process; it should be revalidated regularly as objectives, operations, and risks change.


Risk Based Internal Audit Plan

(Developing a Risk based IA Plan and updating the Audit Universe)

Module I, Part II
Table of Contents

• Backdrop
• What is Risk?
• Challenges faced by Internal Auditor
• What is RBIA?
• RBIA Plan
• Resources
Backdrop

• A strong and robust internal auditing and internal control system is needed because of the increasing trend of frauds in the corporate sector.
• Regulators have also become more vigilant about the requirement for a strong internal control system (viz., the Sarbanes-Oxley Act in the USA, Clause 49 of the Listing Agreement as per SEBI, and the Companies Act, 2013 and the rules thereunder).
• Risk-based Internal Auditing (RBIA) allows the internal auditor to provide assurance to the Board of Directors that risk management processes are managing risks effectively.
Changes in Definition of Internal Audit

1947: Independent appraisal activity within an organization for the review of accounting, financial and other operations as a basis for protective and constructive service to management.

1981: An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

1999: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What is Risk?

• Risk is defined by the IIA's International Standards for the Professional Practice of Internal Auditing as: "The uncertainty of an event occurring that could have an impact on the achievement of objectives."
• Risk is defined by ISO 31000 as: "the effect of uncertainty on objectives".
Relationship Between Inherent Risk & Residual Risk

Inherent risk is the exposure before any response. The risk management response (accept, reduce, transfer or avoid) reduces it to the residual risk that remains.
Key Focus Areas Based on Emerging Risk

• Cyber security
• Technology risk
• Regulatory risk
• Corruption
• Crisis management planning
• Corporate governance
• Vendor governance
• Culture / soft controls

Source: IIA & others

As per SIA 13, the risk assessment process should be of a continuous nature so as to identify not only residual or existing risks, but also emerging risks.
Challenges Faced by Internal Auditor

• Mismatch in expectations
• Audit risk
• Practical implementation of audit standards
• Size and complexity of data
• Uncertainties due to the changing environment
  o internal as well as external
Three Axioms of Auditor’s Dilemma

What is RBIA?

The IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework.

RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Traditional IA vs. RBIA

Traditional IA: control assurance based on routine audit.
RBIA: assurance on the effectiveness of risk management (in addition to control assurance).
Advantages of RBIA

RBIA lets internal audit give the board assurance that:

• Management has identified, assessed and responded to risks above and below the risk appetite.
• The responses to risks are effective but not excessive in managing inherent risks within the risk appetite.
• Where residual risks are not in line with the risk appetite, action is being taken to remedy that.
• Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively.
• Risks, responses and actions are being properly classified and reported.
Assurance Provided by RBIA

RBIA Plan [RBIAP]

• Responsibility of the chief internal auditor of the Company
• Reviewed on an annual basis
• Approved by the audit committee
• Needs to consider:
  o Major risks
  o Business objectives
  o Risk appetite
  o Inputs from key management
  o Business environment
Process of RBIAP

Define Objective, Criteria and Risk Appetite

Objective: size & nature; complexity; resource constraint.
Criteria: risk categorization; risk assessment; control environment; priority & frequency.
Risk appetite: discussion with management.

Risk rating depends on the criteria set by the organization to assess and prioritise its risks. Depending on the risk appetite of the organization, a financial loss of 100,000 could be 'minor' for a large company but major for an organization with an annual profit of 5 million.
Understanding the Business Environment and Processes

• Understand the business process
• Feedback from management & audit committee
• Engage with all stakeholders
• Comparison with the market leader
What is Audit Universe?

SIA 1 "Planning an Internal Audit" defines the audit universe as: "Audit universe comprises the activities, operations, units, etc., to be subjected to audit during the planning period. The audit universe is designed to reflect the overall business objectives and therefore includes components from the strategic plan of the entity. Thus, the audit universe is affected by the risk management process of the client. The audit universe and the related audit plan should also reflect changes in the management's course of action, corporate objectives, etc."
Key Factors for Audit Universe

• Organisation objective
• Expectation from internal audit
• Organisation structure and set-up
• Geographic location of the organisation
• Scalability of operation
• Organic linkage between business processes
• Sufficiency to justify the cost of control
Steps for Preparation of Audit Universe

1. Assess objectives
2. Sketch the audit universe
3. Discussion with management
4. Re-validate
Illustrative Audit Universe of a Manufacturing Company

Risk Register

The risk register contains the list of all the risks identified and the preliminary risk rating, one row per risk, with the columns:

Auditable Entity | Sub-Process | Risk Description | Risk Category | Risk Rating
Risk Assessment

Factors considered when rating a risk:

• Non-compliance
• Financial loss
• Health & safety
• Fraud / misappropriation
• Management's assertion
• Reputation
• IT system
• Complexity
• Impact on profitability
• Earlier audit observations
Risk Assessment (Continued...)

The cycle runs from risk identification through risk assessment to risk prioritization.

Risk rating scale: Insignificant (1), Minor (2), Moderate (3), Major (4), Critical (5).
What is Control Environment?

As per COSO, the control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation.

As per SIA 12, "control environment" means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity.
Control Environment Rating

Factors assessed for the business process, entity or location:

• Existence of preventive or detective controls to mitigate the risks associated with / mapped to the business process, entity or location
• Legal compliance framework
• Appropriate and established IT control environment
• Governance structure / monitoring mechanism
• Documented policy and procedures
• Past incidents / trend
• Organization's sensitivity towards Health, Safety & Environment
• Fraud detection
• Balance of centralized versus decentralized operations within the organization

Control Environment Rating Pyramid: Very strong (1), Strong (2), Moderate (3), Weak (4), Almost missing (5).
Preliminary Risk Assessment & Control Environment Rating Matrix

The residual risk score is read from a 5 x 5 matrix. The preliminary risk assessment (Insignificant (1), Minor (2), Moderate (3), Major (4), Critical (5)) runs along one axis and the control environment rating (Very strong (1), Strong (2), Moderate (3), Weak (4), Almost missing (5)) along the other; the preliminary risk assessment combined with the control environment rating gives the residual risk score for each auditable area.


Developing the RBIAP

1. Within the tolerance limit: no immediate focus required.
2. Inherent risk is maximum and the control score is also high (a high control environment rating means weak or almost missing controls): audited every year.
3. Inherent risk is moderate and the control score is also moderate: audited every 3 years.
4. Inherent risk is low and the control score is also low: audited every 3 years.
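The register, the 5 x 5 matrix and the frequency bands above, as an added worked example (this is not code from the slides, the ICAI guide or the IIA material): it builds a small constructed register for a manufacturing company, scores each row, assigns an audit cycle, checks the audit universe for entities with no recorded risk (the revalidation step), and levels the plan across years under an audit-day budget. The residual-score formula (risk rating x control rating), the tolerance limit of 3, the 2-year band for scores of 10 to 15 and the per-area effort days are assumptions the slides do not state.

```python
"""Risk register -> residual risk score -> audit frequency -> annual plan.

Added worked example; not code from the ICAI guide or the IIA material the slides
draw on. Assumptions not stated on the slides (marked ASSUMPTION below):
  * residual score = preliminary risk rating x control environment rating, where a
    control rating of 1 is very strong and 5 is almost missing;
  * the tolerance limit is a residual score of 3;
  * scores of 10-15 are audited every 2 years (the slide names only "every year"
    and "every 3 years").
The register rows, audit universe and audit-day budget are constructed sample data.
"""
from dataclasses import dataclass

RISK_SCALE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
CONTROL_SCALE = {1: "Very strong", 2: "Strong", 3: "Moderate", 4: "Weak", 5: "Almost missing"}

TOLERANCE_LIMIT = 3      # ASSUMPTION: at or below this, no immediate focus required
ANNUAL_THRESHOLD = 16    # ASSUMPTION: Major x Weak (4 x 4) and above is audited every year
BIENNIAL_THRESHOLD = 10  # ASSUMPTION: fills the gap between the slide's two bands


@dataclass(frozen=True)
class RiskRegisterEntry:
    """One register row in the column order of the Risk Register slide, plus the
    control environment rating and an effort estimate used for planning."""
    auditable_entity: str
    sub_process: str
    risk_description: str
    risk_category: str
    risk_rating: int      # preliminary risk assessment, 1..5
    control_rating: int   # control environment rating, 1..5
    effort_days: int      # ASSUMPTION: estimated audit days for this area

    def __post_init__(self) -> None:
        # Reject ratings that are off the 1..5 scales before they reach the matrix.
        if self.risk_rating not in RISK_SCALE:
            raise ValueError(f"risk rating off the 1..5 scale: {self.risk_rating}")
        if self.control_rating not in CONTROL_SCALE:
            raise ValueError(f"control rating off the 1..5 scale: {self.control_rating}")


def residual_score(entry: RiskRegisterEntry) -> int:
    """Cell of the 5 x 5 matrix: weaker controls leave more of the inherent risk in place."""
    return entry.risk_rating * entry.control_rating


def audit_cycle_years(entry: RiskRegisterEntry) -> int:
    """Frequency band: 0 = within tolerance (no immediate focus), else audit every N years."""
    score = residual_score(entry)
    if score <= TOLERANCE_LIMIT:
        return 0
    if score >= ANNUAL_THRESHOLD:
        return 1
    if score >= BIENNIAL_THRESHOLD:
        return 2
    return 3


def coverage_gaps(audit_universe, register):
    """Revalidation check: auditable entities in the universe with no risk recorded against them."""
    covered = {entry.auditable_entity for entry in register}
    return sorted(set(audit_universe) - covered)


def plan_for_year(register, base_year, year, audit_days):
    """Split the entries due in `year` into (scheduled, deferred) under the day budget.

    Entries are ranked by residual score; those on an N-year cycle are spread over the
    cycle by rank so the workload is levelled instead of bunched into the base year.
    """
    ranked = sorted(register, key=lambda e: (-residual_score(e), e.auditable_entity, e.sub_process))
    next_slot = {}
    scheduled, deferred, used = [], [], 0
    for entry in ranked:
        cycle = audit_cycle_years(entry)
        if cycle == 0:
            continue
        slot = next_slot.get(cycle, 0)
        next_slot[cycle] = slot + 1
        if (year - base_year - slot) % cycle != 0:
            continue
        if used + entry.effort_days <= audit_days:
            scheduled.append(entry)
            used += entry.effort_days
        else:
            deferred.append(entry)
    return scheduled, deferred


# Constructed sample data for a manufacturing company (not taken from the slides).
SAMPLE_UNIVERSE = ["Procurement", "IT", "Plant", "Finance", "Sales", "Admin", "Logistics"]
SAMPLE_REGISTER = [
    RiskRegisterEntry("Procurement", "Vendor onboarding", "Fictitious vendors created without due diligence", "Fraud / misappropriation", 5, 4, 10),
    RiskRegisterEntry("IT", "Access management", "Privileged ERP access not reviewed", "IT system", 4, 4, 8),
    RiskRegisterEntry("Finance", "Payroll", "Ghost employees on the payroll", "Fraud / misappropriation", 3, 3, 5),
    RiskRegisterEntry("Plant", "Health & safety", "Incident reporting not enforced", "Health & safety", 4, 3, 6),
    RiskRegisterEntry("Sales", "Credit control", "Credit limits overridden without approval", "Financial loss", 3, 2, 4),
    RiskRegisterEntry("Admin", "Travel claims", "Duplicate claims reimbursed", "Financial loss", 2, 1, 2),
]

if __name__ == "__main__":
    print("Universe entities with no risk recorded:", coverage_gaps(SAMPLE_UNIVERSE, SAMPLE_REGISTER))
    for year in (2024, 2025, 2026):
        scheduled, deferred = plan_for_year(SAMPLE_REGISTER, 2024, year, audit_days=30)
        print(year, "scheduled:", [e.auditable_entity for e in scheduled],
              "deferred:", [e.auditable_entity for e in deferred])
```

Running the script prints Logistics as a universe entity with no risk recorded, which is the kind of gap the re-validate step is meant to catch, and a three-year plan in which the two annual areas appear every year while the 2-year and 3-year areas rotate. Lowering the budget to 25 days pushes the lowest-scoring due area (Finance) into the deferred list, which is the resource-constraint decision the audit committee should see explicitly rather than have silently dropped.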
Illustrative RBIAP [For few department / activity]

Practical Tips on RBIA

• 80:20 principle
• Industry knowledge
• Judgement based on experience
• Audit tools (walk through, flow chart, etc.)
• Focus on new developments
• Keep in touch with management
• Refer to the RCM
Resources used for preparation of this presentation

• Guide on Risk Based Internal Audit and Risk Based Internal Audit Plan issued by ICAI
• Standards on Internal Audit issued by ICAI
• https://global.theiia.org/standards-guidance/topics/documents/201501guidetorbia.pdf
• www.theiia.org
• https://www.wirc-icai.org/images/material/Risk-Based-Internal-Audit-Plan.pdf
Q & A Session

A.Barcatan
