RIAM:Overview: Risk Based Planning (RBP)
Introduction - The Result of the Internal Audit Planning Process
The planning process results in a 3-year Strategic Internal Audit Plan, a 1-year Rolling Tactical Internal Audit Plan and a Risk Model for the organisation. The Risk Model should integrate and utilise the corporate strategic risk plan.
The Strategic Audit Plan and Tactical Audit Plans
The Strategic Audit Plan details the:
- Objectives of the Plan and the Period Covered
- The Plan Scope and Boundary
- Principal Acts Affecting Operations
- The Total and Annual Man Day Requirements
- The Personnel and Skill Requirements (with estimated time requirements)
- Plan Administration and Criteria for Plan Modification
- The Activities to be Audited, Relevant Objectives and Procedures
- The Schedules:
  - 3 Year by activity
  - Annual by activity
  - Annual by chronology
The Tactical Audit Plan details the tasks, commencement dates and duration and (in later years) summarises the status of the tasks undertaken to date.
Auditable activities are identified within their organisational units together with:
- appropriate audit objectives and assertions,
- specific issues of legislative compliance,
- specific issues of management assistance to be addressed,
- the general types of procedures required to meet the objectives and establish or refute the assertions.
The working papers contain additional information such as records of interviews and background data.
The Organisation Risk Model
The risk model is initially developed during the strategic audit planning stage and continuously updated with the results of audit reviews, and improvement effects of the implemented recommendations or other management strategies and action plans.
The Basis to Planning
There are two pillars to the planning process proposed:
- Administrative Infrastructure for the Plan;
- The Plan.
The basis to the Plan is:
- Establishment of objectives
- Prioritising objectives
- Selection of appropriate goals
- Determine Procedures to meet goals
- Cost Procedures (in staff resources and time)
- Review and select most efficient procedures
The basis to the Administrative Infrastructure for the Plan is the need for administration of the plan and for flexible planning. The performance of a plan must be monitored during execution to ensure adherence and to identify the need for additional or different audit resources. The detail of the plan must be regularly reviewed so that it can be modified for changing circumstances.
The administrative infrastructure supports these needs and provides the framework for change management. By separating it from the Plan, we highlight the importance of plan management in the Internal Audit function and allow separate budgeting, evaluation and control of the ongoing quality of the Plan.
The Approach to Planning
The primary objective of the approach is Management Assistance.
The Internal Audit section is ultimately a tool for management to use in controlling and tuning operations. The reports generated from the Internal Audit program must be seen by management to be relevant. We place a high emphasis on interviewing staff at all levels to help establish a comprehensive management assistance program.
The objective is met by work programs focussed on five goals (opinion focus):
- Reliability and Integrity of Information
- Assets are Safeguarded
- Efficient and Effective Use of Resources
- Accomplishment of Goals, Objectives for Programs, Policies and Management's Critical Success Factors
The goals are seen to be achieved through management's successful implementation and maintenance of control systems. These control systems are examined within the following ten classes:
1. Organisation of the section
6. Budgeting and Planning
(These classes can be modified as necessary to a particular business entity's environment.)
Each control class will have a control risk associated with it determined by the quality of its:
- Preventive Controls,
- Detective Controls, and
- Corrective Controls.
The types of audit activities planned address the five opinion goals by examining these ten control classes. The activities are thus directed both to standard audit areas and to areas of concern identified by management. Activities to be planned might include:
- Efficiency and Effectiveness Reviews
- Operations Research
- Control System Reviews and System Based Audits
- Performance Measurement Strategy Reviews
- Compliance Testing
- Applications Reviews
- ADP Reviews (Applications, Environment, Software development and change control, Data Integrity Reviews)
- Quality Reviews
The Process of Planning
Planning and Familiarisation Phase
Recursively categorise the organisation to be audited
Measuring Plan Efficiency
Plan efficiency is measured by maximising the coverage of Auditable Areas, addressing those with the highest risk (or priority) ranking first. The time allocated to each area is a function of the complexity of the area, the nature of existing control systems and the specific concerns of management.
The measurement of risk may follow any one of a number of methods. Our planning strategy is largely independent of the method of risk assessment adopted. We expect that the selected ranking criteria will be the result of discussions with the client's management.
The primary restriction to risk analysis reflected in the proposed approach is the assumption that risks may be separated into:
- Inherent Risks
- Control Risks
- Detection Risks
The familiarisation and planning phase attempts to determine the inherent risks while the analysis phase forms preliminary judgements on the control risks.
Detection risks are largely the responsibility of the planner and auditor. At the planning stage they are limited by a comprehensive planning methodology, project management and quality assurance program.
The starting point for discussions on ranking techniques might be the Weighted Average Scoring Technique. A common domain of variables is selected under which inherent and control risks may be analysed, and a ranking of 1 to 5 is determined. Variables might include:
- Previous audit results
- Employee Turnover
- Assets controlled
- Unit Revenue/Turnover
- Confidentiality and Privacy
- Legislative Compliance
- Systems maturity
- Management Concern
- Change Control
- Performance Indicators
- Complexity of the Systems
- Workload volumes
Techniques such as the Delphi technique are used to capture the key risk areas, or threats to the organisation, and to gain a weighting for each threat area. The Delphi Technique is a one-pass survey strategy in which management votes on the relative importance of threats in pairs. The technique is suggested by the Institute of Internal Auditors in the Risk Analysis course. After the risk variables are selected, the Weighted Scoring method calculates a score for each auditable activity based on percentage weights (totalling 100%) reflecting the relative importance of each variable. For example:
|Weight||Audit Variable||Ranks (rank 5 shown)||Weight * Rank|
|20 %||Maturity of System||5. Less than one year||e.g. 2 * 0.20 = 0.4|
|40 %||Yearly Expenditures||5. $1,000,000 +||e.g. 4 * 0.40 = 1.6|
|40 %||Privacy Exposure||5. Most Exposure||e.g. 5 * 0.40 = 2.0|
The number of ranks (1 to 5 or 1 to 10) would be determined after preliminary surveys established the range of conditions relevant.
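As an added worked example of the Delphi weighting and Weighted Scoring steps above (not code from the RIAM page or from any audit tool), the following Python derives the 20/40/40 % weights from constructed pairwise votes, scores two constructed activities on the 1 to 5 scale, and orders them highest risk first for plan coverage. The Delphi step is simplified here to counting the votes each variable wins; that simplification, the activity names and their ranks are assumptions, while the three variables and the 2/4/5 computation come from the page's table.

```python
"""Weighted Average Scoring Technique for ranking auditable activities.

Added example, not code from the RIAM page or from any audit product. The
three risk variables and their 20/40/40 % weights follow the page's table; the
activities, their ranks and the pairwise votes are constructed for
illustration.
"""

RANK_MIN, RANK_MAX = 1, 5  # rank scale fixed after the preliminary survey


def validate_weights(weights, tolerance=1e-9):
    """Percentage weights must be non-negative and total 100 %."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 100) > tolerance:
        raise ValueError(f"weights total {total} %, expected 100 %")


def weighted_score(ranks, weights):
    """Score one auditable activity: sum over variables of (weight/100) * rank.

    `ranks` maps every weighted variable to its rank for this activity.
    """
    validate_weights(weights)
    missing = set(weights) - set(ranks)
    if missing:
        raise ValueError(f"no rank supplied for: {sorted(missing)}")
    score = 0.0
    for variable, weight in weights.items():
        rank = ranks[variable]
        if not RANK_MIN <= rank <= RANK_MAX:
            raise ValueError(f"{variable}: rank {rank} outside {RANK_MIN}..{RANK_MAX}")
        score += (weight / 100) * rank
    return round(score, 4)


def rank_activities(activities, weights):
    """Return [(activity, score), ...] with the highest-risk activity first.

    Plan efficiency on the page means covering the top of this list first;
    sorted() is stable, so tied activities keep their input order.
    """
    scored = [(name, weighted_score(ranks, weights)) for name, ranks in activities.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def delphi_weights(pairwise_votes):
    """Assumed simplification of the Delphi pairing step: for every pair of
    variables each manager votes which one matters more, and a variable's
    weight is its share of all votes won. Not the IIA course procedure itself."""
    wins = {}
    for (a, b), (votes_a, votes_b) in pairwise_votes.items():
        wins[a] = wins.get(a, 0) + votes_a
        wins[b] = wins.get(b, 0) + votes_b
    total = sum(wins.values())
    if total == 0:
        raise ValueError("no votes cast")
    return {variable: 100 * won / total for variable, won in wins.items()}


# Constructed votes from ten managers over the page's three variables.
VOTES = {
    ("Maturity of System", "Yearly Expenditures"): (3, 7),
    ("Maturity of System", "Privacy Exposure"): (3, 7),
    ("Yearly Expenditures", "Privacy Exposure"): (5, 5),
}
WEIGHTS = delphi_weights(VOTES)  # 20 / 40 / 40 %, as in the page's table

# Constructed ranks; "Payroll" reproduces the page's 2, 4, 5 computation.
ACTIVITIES = {
    "Payroll": {"Maturity of System": 2, "Yearly Expenditures": 4, "Privacy Exposure": 5},
    "Reception desk": {"Maturity of System": 5, "Yearly Expenditures": 1, "Privacy Exposure": 2},
}

if __name__ == "__main__":
    for name, score in rank_activities(ACTIVITIES, WEIGHTS):
        print(f"{name:15s} {score:.2f}")
```

Running the block lists Payroll (score 4.0, the page's 0.4 + 1.6 + 2.0) ahead of the constructed Reception desk activity (2.2); the weight and rank checks reject a scheme whose weights do not total 100 % or a rank outside the agreed scale, which is where hand-maintained scoring sheets most often drift.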
The strategy requires the implementation plan and procedures to be prepared in accordance with each client's different circumstances.
Professional judgement and experience are applied to identify and evaluate risks and to determine the most appropriate response. It is clear that a thorough understanding of the Organisation's business environment is necessary with the approach.