RIAM:Overview: Risk Based Planning (RBP)

From RiskWiki

Introduction - The Result of the Internal Audit Planning Process

The planning process results in a 3 year Strategic Internal Audit Plan and a 1 year Rolling Tactical Internal Audit Plan and a Risk Model for the organisation. The Risk Model should integrate and utilise the corporate strategic risk plan.

The Strategic Audit Plan and Tactical Audit Plans

The Strategic Audit Plan details the:

  • Objectives of the Plan and the Period Covered
  • The Plan Scope and Boundary
  • Principal Acts Affecting Operations
  • The Total and Annual Man-Day Requirements
  • The Personnel and Skill Requirements (with estimated time requirements)
  • Plan Administration and Criteria for Plan Modification
  • The Activities to be Audited, Relevant Objectives and Procedures
  • The Schedules
    • 3 Year by activity
    • Annual by activity
    • Annual by chronology

The Tactical Audit Plan details the tasks, commencement dates and duration of each task and (in later years) summarises the status of the tasks undertaken to date.

Auditable activities are identified within their organisational units together with:

  • appropriate audit objectives and assertions,
  • specific issues of legislative compliance,
  • specific issues of management assistance to be addressed,
  • the general types of procedures required to meet the objectives and establish or refute the assertions.

The working papers contain additional information such as records of interviews and background data.

The Organisation Risk Model

The risk model is initially developed during the strategic audit planning stage and continuously updated with the results of audit reviews, and improvement effects of the implemented recommendations or other management strategies and action plans.

The Basis to Planning

There are two pillars to the planning process proposed:

  1. Administrative Infrastructure for the Plan;
  2. The Plan.

The basis to the Plan is:

  • Establishment of objectives
  • Prioritising objectives
  • Selection of appropriate goals
  • Determine Procedures to meet goals
  • Cost Procedures (in staff resources and time)
  • Review and select most efficient procedures

The basis to the Administrative Infrastructure for the Plan is the need for administration of the plan and for flexible planning. The performance of a plan must be monitored during execution to ensure adherence to it and to identify the need for additional or different audit resources. The detail of the plan must be regularly reviewed so that it can be modified for changing circumstances.

The administrative infrastructure supports these needs and provides the framework for change management. By separating it from the Plan, we highlight the importance of plan management in the Internal Audit function and allow separate budgeting, evaluation and control of the ongoing quality of the Plan.

The Approach to Planning

The primary objective of the approach is Management Assistance.

The Internal Audit section is ultimately a tool for management to use in controlling and tuning operations. The reports generated from the Internal Audit program must be seen by management to be relevant. We place a high emphasis on interviewing staff at all levels to help establish a comprehensive management assistance program.

The objective is met by work programs that are focussed on five goals:

Reliability and Integrity of Information

  • Accurate Information
  • Reliable Information
  • Timely Information
  • Complete Information
  • Useful Information
  • Correctly Accumulated Information
  • Fully and Correctly Disclosed


Compliance With

  • Policies
  • Plans
  • Procedures
  • Legislation
  • Regulations and Treaties


Assets are Safeguarded.


Efficient and Effective Use of Resources.


Accomplishment of Goals, Objectives for Programs, Policies and Management's Critical Success Factors.

The goals are seen to be achieved through management's successful implementation and maintenance of control systems. These control systems are examined within the following ten classes:

  1. Organisation of the section
  6. Budgeting and Planning
  9. Internal Review
  10. Physical Security

(These classes can be modified as necessary to a particular business entity's environment.)

Each control class will have a control risk associated with it determined by the quality of its:

  • Preventive Controls,
  • Detective Controls, and
  • Corrective Controls.

The types of audit activities planned will look to the 5 opinion goals by examining these ten control classes. The activities are thus directed to standard audit and management identified areas of concern. Activities to be planned might include:

  • Efficiency and Effectiveness Reviews
  • Operations Research
  • Control System Reviews and System Based Audits
  • Performance Measurement Strategy Reviews
  • Compliance Testing
  • Applications Reviews
  • ADP Reviews (Applications, Environment, Software development and change control, Data Integrity Reviews)
  • Quality Reviews

The Process of Planning

Planning and Familiarisation Phase

  • Determine the overall objectives of the plan
  • Determine Scope, Boundary and Timing of the plan
  • Establish Quality Assurance procedures relevant to the overall planning objectives
  • Establish how plan efficiency will be measured
  • Establish risk ranking criteria

Analysis Phase

Recursively categorise the organisation to be audited

For each level and category of the organisation:

  • Analyse and categorise the activities of the target level and component
  • Determine relevant background data
  • Determine projected changes during lifetime of plan
  • Determine requirements for legislative (etc.) compliance
  • Determine specific concerns and expectations of management
  • Determine the objectives and goals of each category
  • Determine assertions (performance standards) appropriate to achieving category goals and legislative compliance
  • Rate the activities for auditability and risk

Specification Phase

  • Direct the plan to meeting specific objectives through achieving specific goals in accordance with the risk rating and management directions
  • Estimate time requirements and tune the plan to maximise the efficiency rating
  • Identify skills required for each component of the plan

Scheduling Phase

  • Ensure plan is dynamic by establishing the process and conditions for plan execution, control, performance evaluation, modification and annual re-scheduling
  • Schedule activities

Measuring Plan Efficiency

Plan efficiency is measured by the coverage of Auditable Areas achieved, with the areas carrying the highest risk (or priority) ranking addressed first. The time allocated to each area will be a function of the complexity of the area, the nature of its existing control systems and the specific concerns of management.

Measuring Risk

The measurement of risk may follow any one of a number of methods. Our planning strategy is largely independent of the method of risk assessment adopted. We expect that the selected ranking criteria will be the result of discussions with the client's management.

The primary restriction to risk analysis reflected in the proposed approach is the assumption that risks may be separated into:

  1. Inherent Risks
  2. Control Risks
  3. Detection Risks

The familiarisation and planning phase attempts to determine the inherent risks while the analysis phase forms preliminary judgements on the control risks.

Detection risks are largely the responsibility of the planner and auditor. At the planning stage they are limited by a comprehensive planning methodology, project management and quality assurance program.

The starting point for discussions on ranking techniques might be the Weighted Average Scoring Technique. A common domain of variables is selected under which inherent and control risks may be analysed, and a ranking of 1 to 5 is determined. Variables might include:

  • Previous audit results
  • Employee Turnover
  • Assets controlled
  • Unit Revenue/Turnover
  • Confidentiality and Privacy
  • Legislative Compliance
  • Systems maturity
  • Management Concern
  • Change Control
  • Performance Indicators
  • Complexity of the Systems
  • Workload volumes
  • Administration
  • Public Relations

Techniques such as the Delphi technique are used to capture the key risk areas, or threats to the organisation, and to gain a weighting for each threat area. The Delphi Technique, as applied here, is a one-pass survey strategy in which management vote on the relative importance of threats presented in pairs. The technique is suggested by the Institute of Internal Auditors in its Risk Analysis course. After the risk variables are selected, the Weighted Scoring method calculates a score for each auditable activity based on percentage weights (totalling 100%) reflecting the relative importance of each variable. For example:

Weight | Audit Variable | Ranks | Weight * Rank

20 % | Maturity of System
  5. Less than one year
  4. Less than two years
  3. Less than three years
  2. Less than four years
  1. Greater than four years
  e.g. rank 2: 2 * 0.20 = 0.4

40 % | Yearly Expenditures
  5. $1,000,000 +
  4. $500,000 to $1,000,000
  3. $100,000 to $500,000
  2. $10,000 to $100,000
  1. Less than $10,000
  e.g. rank 4: 4 * 0.40 = 1.6

40 % | Privacy Exposure
  5. Most Exposure
  4. Significant
  3. Average
  2. Moderate
  1. Minimum Exposure
  e.g. rank 5: 5 * 0.40 = 2.0

The weighted score for the activity in this example is the sum of the contributions, 0.4 + 1.6 + 2.0 = 4.0, out of a maximum of 5.0 (every variable at rank 5 with weights totalling 100%). Auditable activities are then ranked by score, highest first.

The number of ranks (1 to 5 or 1 to 10) would be determined after preliminary surveys established the range of conditions relevant.
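As an added worked example (not RiskWiki's or the RIAM's own code), the following Python implements the Weighted Average Scoring technique above with the three variables and rank bands from the table, then applies the rule from "Measuring Plan Efficiency" by covering the highest-scored activities first within a fixed man-day budget. The activity names, their figures and the man-day estimates are constructed for illustration; the "Payroll system" entry reproduces the ranks 2, 4 and 5 of the worked example.

```python
"""Weighted Average Scoring of auditable activities (illustrative, not RIAM code).

Rank bands and weights follow the RiskWiki table; activities and estimates are
constructed sample data."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


def rank_maturity(age_years: float) -> int:
    """Maturity of System: newer systems carry more risk (5 = newest)."""
    if age_years < 1:
        return 5
    if age_years < 2:
        return 4
    if age_years < 3:
        return 3
    if age_years < 4:
        return 2
    return 1


def rank_expenditure(dollars: float) -> int:
    """Yearly Expenditures in dollars, banded as in the table."""
    if dollars >= 1_000_000:
        return 5
    if dollars >= 500_000:
        return 4
    if dollars >= 100_000:
        return 3
    if dollars >= 10_000:
        return 2
    return 1


def rank_privacy(exposure: int) -> int:
    """Privacy Exposure is a direct judgement on the 1..5 scale; reject anything else."""
    if not 1 <= exposure <= 5:
        raise ValueError(f"privacy exposure rank must be 1..5, got {exposure}")
    return exposure


@dataclass
class Variable:
    name: str
    weight_pct: float                 # percentage weight; all weights must total 100
    rank: Callable[[Any], int]        # maps the raw observation to a rank


VARIABLES: List[Variable] = [
    Variable("Maturity of System", 20, rank_maturity),
    Variable("Yearly Expenditures", 40, rank_expenditure),
    Variable("Privacy Exposure", 40, rank_privacy),
]


def check_weights(variables: List[Variable]) -> None:
    """The technique is only meaningful when the weights total 100%."""
    total = sum(v.weight_pct for v in variables)
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights must total 100%, got {total}")


def score_activity(raw: Dict[str, Any], variables: List[Variable] = VARIABLES) -> Tuple[float, Dict[str, float]]:
    """Return (total weighted score, contribution per variable) for one activity."""
    check_weights(variables)
    parts = {v.name: round(v.rank(raw[v.name]) * v.weight_pct / 100, 4) for v in variables}
    return round(sum(parts.values()), 4), parts


def rank_activities(activities: Dict[str, Dict[str, Any]]) -> List[Tuple[str, float]]:
    """Order activities by score, highest risk first; ties broken by name for stability."""
    scored = [(name, score_activity(raw)[0]) for name, raw in activities.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def schedule(ranked: List[Tuple[str, float]], estimates: Dict[str, int], man_days: int) -> List[str]:
    """Greedy coverage: take the highest-scored activities first until man-days run out.
    An activity that does not fit is skipped so that smaller, lower-ranked ones can still be covered."""
    chosen, remaining = [], man_days
    for name, _score in ranked:
        need = estimates[name]
        if need <= remaining:
            chosen.append(name)
            remaining -= need
    return chosen


# Constructed sample data (hypothetical activities and figures).
SAMPLE: Dict[str, Dict[str, Any]] = {
    "Payroll system": {"Maturity of System": 3.5, "Yearly Expenditures": 750_000, "Privacy Exposure": 5},
    "Fleet maintenance": {"Maturity of System": 0.5, "Yearly Expenditures": 50_000, "Privacy Exposure": 1},
    "Grants register": {"Maturity of System": 6, "Yearly Expenditures": 2_000_000, "Privacy Exposure": 3},
}
ESTIMATES: Dict[str, int] = {"Payroll system": 30, "Fleet maintenance": 10, "Grants register": 25}

if __name__ == "__main__":
    ranked = rank_activities(SAMPLE)
    for name, score in ranked:
        print(f"{score:4.1f}  {name}  {score_activity(SAMPLE[name])[1]}")
    print("Covered in 45 man-days:", schedule(ranked, ESTIMATES, 45))
```

With the sample data the payroll system scores 4.0 (0.4 + 1.6 + 2.0), the grants register 3.4 and fleet maintenance 2.2; a 45 man-day budget covers payroll (30 days), cannot fit the grants register (25 days) and so falls through to fleet maintenance (10 days). Changing the weights, the rank bands or the number of ranks (1 to 5 or 1 to 10) is a matter of editing VARIABLES and the rank functions, which is the tuning the text describes.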

The strategy requires the implementation plan and procedures to be prepared in accordance with each client's different circumstances.

Professional judgement and experience are applied to identify and evaluate risks and to determine the most appropriate response. A thorough understanding of the Organisation's business environment is therefore necessary to apply the approach.

