RIAM:VLA:The Four Phases of the RALSBA

From RiskWiki


The keys to the Rational Internal Audit Method (RIAM) are structure and focus. RIAM is a Risk, Systems and Assertion Based approach. Many systems based approaches merely measure the compliance of an organisation's staff with a particular system. RIAM is a substantial enhancement to this commonly used approach. RIAM attempts to analyse both compliance with policy & procedure, and the potential risks in the systems themselves.

What is a Risk, Systems and Assertions Based Approach?

The Objectives

The objectives of Internal Audit's reviews are summarised as:

  • Document the procedures in operation within the section so far as they relate to the target activities;
  • Collect sufficient data and analyse that data to support assertions that address management's critical success factors:
    • In the case of a transaction system review typical assertions are:
      1. Data recorded is bona fide;
      2. Data reported/processed is:
        • Attributed to the proper period,
        • Accurately calculated,
        • Correctly accumulated,
        • Accurately recorded,
        • Correctly disclosed,
        • Properly authorised with respect to transactions,
        • Providing benefits to which the recipients are eligible,
        • Complete,
        • Compliant with external requirements (e.g. the Auditor-General's requirements for the financial statements);
      3. The relevant management directions and legislation are observed;
      4. The assets of the organisation are efficiently, effectively and otherwise appropriately protected and applied.
    • In the case of other reviews such as ADP, Management and Performance other assertions are adopted;
  • Identify risk and efficiency exposures to the organisation and the critical success factors of management;
  • Recommend relevant and practicable changes in the systems and procedures to management where these exposures are present; and
  • Form an opinion as to the overall reliability of the systems in place and as modified.


Meeting the Objectives

The structure of the approach that meets the above objectives has ten stages in four phases. Here, we introduce those stages and phases and provide links to more detailed discussions of the issues involved.

Some skills are relevant to all phases and these are covered in the following sections:

The Four Phases are:


  1. Identify the objectives and purposes of the section being reviewed, and the review being conducted; document critical success factors. Entrance interviews are held with senior management during which management's concerns and directions are communicated as well as the Critical Success Factors of the audit and the section being audited. Certain objectives, such as legislative compliance, are always assumed to be present;

  2. Identify the functions in place to realise the objectives, critical success factors and purposes. A series of initial interviews is conducted with relevant middle and line management and staff to:
    • Introduce the review and reassure staff as to the assisting rather than policing nature of the review,
    • Identify the operations and organisation structure adopted to meet the objectives, purposes and critical success factors.



  1. Investigate the control systems in place to implement the functions in the Ten Means of Achieving Control (refer section ?? ). Tasks include:
    • Document the procedures in operation so far as they relate to the scope and boundary of the Audit task,
    • Compare actual procedures to legislation, policies, guidelines and documented procedures noting exceptions;

  2. Establish the assertions to be made, the satisfaction of which will represent a "pass" result. The assertions represent the criteria for evaluation;

  3. Examine management information and reporting systems in place to monitor the operations;

  4. Evaluate the systems against the assertions to be supported, noting key controls in the systems, and which assertions they affect, to determine:
    • Potential strengths and weaknesses of the designed systems;
    • Preliminary ranking of risk and exposures including efficiency exposures.



  1. Design a testing program and test the system and its transactions and/or data for:
    • Compliance of operations with specified system;
    • Occurrence of the identified weaknesses, risks or exposures;

  2. Analyse the results of systems analysis and compliance testing stages to accept or refute the established assertions and operating compliance.


  1. Conclude and report, in which we:
    • Identify risk and efficiency exposures to the Institute;
    • Recommend changes in the systems and procedures to the Institute's management where these exposures are present;
    • Form an opinion as to the overall reliability of the systems in place and as modified;
    • Report to both management and the Audit Committee after and during each task;

  2. Conduct exit interviews, produce the final report and review action plans as required.

Establishing the framework

The framework on which these phases are based has four stays:

  • Interviews to scope and focus the review.
  • Assertions as criteria for evaluation.
  • Analysis of control systems performance in meeting objectives.
  • Clear discussion and specific recommendations to provide improvements.