ESTABLISHING

RISK-BASED
AUDIT PLAN
INTAUD - H004
(For In ternal Use Onl y)
RISK-BASED AUDIT PLAN

Determining the Internal Audit Activity’s Priorities

a) Internal auditors should use market, product, and industry knowledge to
identify new internal audit engagement opportunities.

b) The large, complex, interconnected organizations in the modern

economy require sophisticated assessment of many diverse risks. Thus,
the work plan of any internal audit activity must reflect the
organization’s assessment of these risks.

 The knowledge, skills, and other competencies of the internal

auditors affect what engagements can be performed without
using external service providers.

 However, the knowledge, skills, and other competencies of the

internal auditors do not affect the risk assessment.

c) The audit plan must be logically related to identified risks of the

organization. These are in turn related to its strategic and operational
goals. Making this connection between identified risks and how they
relate to strategic and operational goals is the primary advantage of
risk-based audit planning. This requirement is codified in the following
standard:

The chief audit executive must establish a risk-based plan to determine

the priorities of the internal audit activity, consistent with the
organization’s goals.

The chief audit executive is responsible for developing a risk-based

plan. The chief audit executive takes into account the organization’s
risk management framework, including using risk appetite levels set by
management for the different activities or parts of the organization. If a
framework does not exist, the chief audit executive uses his/her own
judgment of risks after consideration of input from senior management
and the board. The chief audit executive must review and adjust the
plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.

Page | 1
 The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of
senior management and the board must be considered in this process.

d) Planning also involves considering what services stakeholders want.

The chief audit executive must identify and consider the expectations
of senior management, the board, and other stakeholders for internal
audit opinions and other conclusions.

e) Planning for consulting services involves considering what benefits

these engagements may offer. The chief audit executive should
consider accepting proposed consulting engagements based on the
engagement’s potential to improve management of risks, add value, and
improve the organization’s operations. Accepted engagements must be
included in the plan.

Linking the Audit Plan to Risk and Exposures

1. Developing the internal audit activity’s audit plan often follows developing
or updating the audit universe.

a) The audit universe (all possible audits) may include the organization’s
strategic plan. Thus, it may reflect
 Overall business objectives,
 The attitude toward risk,
 The difficulty of reaching objectives,
 The results of risk management, and
 The operating environment.

b) The audit universe should be assessed at least annually to reflect the

most current strategies and direction of the organization. But more
frequent updating of audit plans may be needed to respond to changes
in circumstances.

NOTE: The audit universe includes all units, processes, or operations

that can be evaluated and defined. They include accounts, divisions,
functions, procedures, products, systems, and many other possibilities.

Page | 2
 Thus, the audit plan includes audits requested by management or
required by regulators, e.g., as a condition of receiving government
contracts. Moreover, many entity operations or functions are audited
cyclically. Accordingly, the priority of an audit may depend on how
recently a specific operation or function has been audited.

2. The internal audit activity’s audit plan is based on:

a) The audit universe,
b) Input from senior management and the board, and
c) Assessed risk and exposures.

3. Key audit objectives are to provide assurance and information to senior

management and the board. Assurance includes an assessment of risk
management activities.

4. Work schedules are based on an assessment of risk priority and exposure.

Most risk models used to prioritize engagements are based on risk factors,
e.g., quality of and adherence to controls, degree of change, timing and
results of last engagement, impact, likelihood, materiality, asset liquidity,
management competence, complexity, and employee and government
relations.

NOTE: An unexpected, significant change in an account that cannot be

explained raises the assessed risk for that account.

Using the Risk Management Process in Internal Audit Planning

1. Risk management (RM) is critical to sound governance of all

organizational activities. Consistent RM should be fully integrated into
management at all levels. Management typically uses a framework to
conduct the assessment and document the results.

2. Effective RM assists in identifying key controls related to significant

inherent risks. Enterprise risk management (ERM) is a common term. It
has been defined as a process, effected by the board, management, and
others, applied in setting strategy across the entity. It identifies events that
may affect the entity and manages risks within the risk appetite.

Page | 3
 Its ultimate purpose is to provide reasonable assurance of achieving entity
objectives. Control is often used to manage risk within the risk appetite.
Internal auditors audit key controls and provide assurance on the
management of significant risks.

3. Inherent risk and residual risk (also known as current risk) are basic
concepts.
 Financial (external) auditors define inherent risk as the
susceptibility of information or data to a material misstatement
given no related mitigating controls.

 Current risk is the risk managed within existing controls or

control systems.

4. Key controls reduce an otherwise unacceptable risk to a tolerable level.

Controls are processes that address risks. Effective RM identifies key
controls based on the difference between inherent and residual risk across
all affected systems. Key controls are relied upon to reduce the rating of
significant risks.

When identifying key controls (and if RM is mature and reliable), the

internal auditor looks for individual risk factors when the reduction from
inherent to residual risk is significant (particularly if inherent risk was very
high) and controls that mitigate a large number of risks.

5. Audit planning uses the organizational RM process if one exists. The

internal auditor considers the significant risks of the activity and the means
by which management mitigates the risks. Risk assessment methods are
used to develop the audit plan and to determine priorities for allocating
audit resources. It examines auditable units and selects areas for review that
have the greatest risk exposure.

6. The following factors affect the internal audit plan:

a) Inherent and residual risks should be identified and assessed.

b) Mitigating controls, contingency plans, and monitoring activities

should be linked to events or risks.

Page | 4
 c) Risk registers should be systematic, complete, and accurate. A risk
register (risk log) is used to identify and analyze risks. The register
describes each risk, its impact and likelihood, and the risk score (impact
× likelihood). The register also records planned responses if the event
occurs, preventive measures, and a risk ranking.

d) Risks and activities should be documented.

7. The internal auditor also coordinates with other assurance providers and
considers planned reliance on their work.

8. The internal audit activity needs to identify high inherent and residual risks
and key control systems, and management needs to be notified about
unacceptable residual risk.

a) Strategic audit planning identifies the following activities to include in

the plan:
 Control reviews to provide assurance
 Inquiry activities to gain a better understanding of the residual
risk
 Consulting activities to give advice on controls to mitigate
unacceptable risks

b) Internal auditors also identify controls with costs exceeding benefits.

9. Risk registers may document risks below the strategic level. They address
(a) significant risks, (b) inherent and residual risk ratings, (c) key controls,
and (d) mitigating factors.

The auditors then can identify more direct links between risk categories and
aspects described in the risk registers and, if applicable, the items already in
the audit universe.

10. Lower-risk audits need to be included in the audit plan to give them
coverage and confirm that their risks have not changed. Also, priorities
should be set for outstanding risks not yet subject to audit.

Page | 5
11. An internal audit plan normally focuses on the following:
a) Unacceptable current risks requiring management action

b) Control systems on which the organization is most reliant

c) Areas where the difference between inherent risk and residual risk is
great Areas where inherent risk is very high

12. When planning individual audits, the internal auditor identifies and assesses
risks relevant to the area under review.

IDENTIFY INTERNAL AUDIT RESOURCE REQUIREMENTS

The chief audit executive must ensure that internal audit resources are
appropriate, sufficient, and effectively deployed to achieve the approved plan.
Appropriate refers to the mix of knowledge, skills, and other competencies
needed to perform the plan.

Sufficient refers to the quantity of resources needed to accomplish the

plan. Resources are effectively deployed when they are used in a way that
optimizes the achievement of the approved plan.

Managing Internal Audit Resources

1. The CAE is primarily responsible for the sufficiency and management of

resources, including communication of needs and status to senior
management and the board. These parties ultimately must ensure the
adequacy of resources. Resources may include employees, service
providers, financial support, and IT-based audit methods.

NOTE: To determine the sufficiency of resource allocation, the CAE must

consider all relevant factors, including:

a) Communications received from management and the board;

b) Information about ongoing and new engagements;
c) Consequences of not completing an engagement on time; and
d) Knowledge, skills, and competencies of the internal audit staff.

Page | 6
2. The skills, capabilities, and technical knowledge of the internal audit
staff should be appropriate for the planned activities. The CAE conducts a
periodic skills assessment based on the needs identified in the risk
assessment and audit plan.

NOTE: A job description summarizes the duties and qualifications required

for a job. Properly formulated job descriptions provide a basis for
identifying job qualifications such as training and experience. They also
facilitate recruiting the appropriate internal audit staff with the necessary
attributes for the planned activities.

3. Resources need to be sufficient for audit activities to be performed in

accordance with the expectations of senior management and the board.
Resource planning considers
a) The audit universe,
b) Relevant risk levels,
c) The internal audit plan,
d) Coverage expectations, and
e) An estimate of unanticipated activities.

4. Resources must be effectively deployed by assigning qualified auditors and

developing an appropriate resourcing approach and organizational
structure.

5. The CAE considers succession planning, staff evaluation and development,

and other human resource disciplines.

a) The CAE also addresses resourcing needs, including whether those

skills are present.

b) Other ways to meet needs include external service providers,

specialized consultants, or other employees of the organization.

6. The CAE’s ongoing communications with senior management and the

board include periodic summaries of resource status and adequacy, e.g., the
effect of temporary vacancies and comparison of resources with the audit
plan.

Page | 7
 When selecting the appropriate audit staff, the CAE must consider these
factors:
a) Complexity of the engagement
b) Experience levels of the auditors
c) Training needs of the auditors
d) Available resources

Outsourcing the Internal Audit Activity

An organization’s governing body may decide that an external service
provider is the most effective means of obtaining internal audit services. In such
cases, the following Performance Standard requires those performing internal
audit services to remind the organization of where ultimate responsibility for
maintaining an effective internal audit activity lies.

External Service Provider and Organizational Responsibility for Internal

Auditing
When an external service provider serves as the internal audit activity,
the provider must make the organization aware that the organization has the
responsibility for maintaining an effective internal audit activity.

Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior
management and the board on the internal audit activity’s purpose, authority,
responsibility, and performance relative to its plan. Reporting must also include
significant risk exposures and control issues, including fraud risks, governance
issues, and other matters needed or requested by senior management and the
board.

1. The CAE’s Duty to Report

According to Practice Advisory 2060-1, Reporting to Senior Management
and the Board, reporting provides assurance to senior management and the
board about governance, risk management, and control. The CAE must
communicate and interact directly with the board.

a) The CAE should agree with the board about (a) the frequency and
nature of reporting, (b) the internal audit activity’s charter, and (c)
performance.

Page | 8
  Performance reporting should relate to the most recently
approved plan to report (1) significant deviations from the
approved audit plan, staffing plans, and financial budgets; (2)
reasons for the deviations; and (3) action needed or taken.

 The CAE also must communicate the results of the quality

assurance and improvement program.

b) Significant risk exposures and control issues may result in unacceptable

exposure to internal and external risks, including control weaknesses,
fraud, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts
of interest, and financial viability.

c) Senior management and the board determine the responses to

significant issues.

 They may assume the risk of not correcting the reported

condition because of cost or other considerations.
 Senior management should inform the board of decisions about
all significant issues raised by internal auditing.

d) When the CAE believes that senior management has accepted an

unacceptable risk, the CAE must discuss the matter with senior
management. The CAE should:
 Understand management’s basis for the decision,
 Identify the cause of any disagreement,
 Determine whether management has the authority to accept the
risk, and
 Preferably resolve the disagreement.

e) If the CAE and senior management cannot agree, the CAE must inform
the board.
 If possible, the CAE and management should jointly present
their positions.
 CAEs should consider timely discussion of financial reporting
issues with the external auditors.

Page | 9
The CAE may share and discuss the contents of the report with senior
management before presenting it to the board. The frequency and content of
reporting are determined in discussion with senior management and the board
and depend on the importance of the information to be communicated and the
urgency of the related actions to be taken by senior management or the board.

2. Communication and Approval

The chief audit executive must communicate the internal audit activity’s
plans and resource requirements, including significant interim changes, to
senior management and the board for review and approval. The chief audit
executive must also communicate the impact of resource limitations.

a) The CAE annually submits a summary of the (a) internal audit plan, (b)
work schedule, (c) staffing plan, and (d) financial budget.
 The CAE also submits all significant interim changes.
 The scope of work and any limitations on it should be
disclosed.

b) These communications should suffice to allow senior management and

the board to determine whether internal audit’s objectives and plans are
consistent with (a) those of the organization and (b) the internal audit
charter.

********** Nothing Follows **********

Page | 10