RIAM:Overview: The Five Arms of RIAM - At a Glance
The five arms of RIAM are:
- The Client Service Plan (CSP)
- Risk Based Planning (RBP)
- Control Implementation Services (CIS)
- The Assertion Linked Systems Based Audit (ALSBA)
- Tactical Quality Assurance Strategy (TQAS)
Driving these five arms is the motive of Management Assurance, which comes from the need to equip management with the information necessary for making the risk decision (transfer, control or ignore). This means providing comfort that the Internal Audit process results in the continuous and measurable improvement in the quality of the systems it uses.
When implementing and operating the audit function and conducting reviews the auditor must keep in mind the following key principles:
- Comfort stems from ownership of the outputs, ownership stems from receiving what our client wants in the way they want it.
The Client Service Plan (CSP) aims to involve our client in defining the "shape" of the service they receive from planning through performance standards and reporting. The CSP must result in us understanding their needs and the organisation we are auditing.
- Assurance is a about management knowing their risks and making informed Cost / Benefit decisions for risk control, transfer or assumption.
The Risk Based Planning (RBP) uses an agreed basis for measuring risk and feeds both annual planning data and ongoing review results into a risk model for the organisation. This model forms the basis not only for prioritising activities and allocating resources but also for measuring the significance of audit findings. Our work should see a measurable reduction in the total risk of the organisation.
- Prevention is cheaper than detection and subsequent correction.
The Control Implementation Services (CIS) product provides advisory assistance in the design and construction of Control Systems in a structured, reproducible and verifiable format.
- A favourable or unfavourable opinion about a system must have a clear and logical basis. A report user must clearly understand exactly what issues are included in the review when relying on its findings.
The Assertion Linked System Based Audit (ALSBA) is a significant advance on conventional Systems Based Audits because it uses an agreed set of "hypotheses" against which systems are tested. We call these hypotheses "Assertions" because we assert the truth or falsity of the system's ability to sustain them. At the beginning of each review appropriate Assertions are identified and agreed with management.
The ALSBA is a remarkably versatile structure for analysis and forms the core of both the review process and the reporting structures. It is critical that assertions are agreed with management before a review commences, and that all findings are precisely tied back to assertions when reported. You must be able to back up your opinion by precise identification of which assertions are effected, and how they are effected.
- The reliability of Internal Audit's work is directly related to the standard of Tactical Quality Control imposed.
The Tactical Quality Assurance Strategy (TQAS) addresses issues ranging from Assignment Management through training, interim Reporting, timeliness and usefulness of reports and advisory services. It includes such things as the planning, methods, reporting, training, use of technology, review, client feedback, and control of variances in standards of our processes and outputs.
Juran & Blakemore describe 6 principles of quality. Adapted to the Internal Audit function, these can be summarised as:
- Satisfying the client's/auditee's needs;
- Building quality as the intent of all processes;
- No waste;
- Employee & auditee involvement;
- Reduce variation;