Audit Program for Creating a Risk Based Audit Plan

AUDIT PROCEDURES Ref.

Evaluate risks existing within the organization
1. Likelihood of risk occurring
2. Significance of the risk related to the organization

Risk-based auditing begins by reviewing the organizational objectives, then considers the risks that impact the achievement of those objectives, and examines the methodologies in place to mitigate those risks. Risks can be avoided, shared, or transferred rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted, but the acceptable amount must be kept within the limits established by the Board and management.

Audit Services identifies risk factors and evaluates them. The evaluation of risk factors includes, but is not limited to, discussions with management, observations made during previous audits, and the past history of the unit. Some examples of risk factors are:

Example 1 of Risk Factors
Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale

Example 2 of Risk Factors
The date and results of the last audit
Financial exposure
Potential loss and risk
Requests by management
Major changes in operations, programs, systems and controls
Opportunities to achieve operating benefits
Changes to and capabilities of audit staff

Example 3 of Risk Factors
A. Financial Impact
1. Proposed revenues and expenses for fiscal year
2. Expenditures and revenue trend over last three years
3. Fund type
4. Negative fund balances
5. Value of fixed assets
6. Capital expenditures
7. Proposed budget cuts
B. Results of Prior Years Audit
1. Occurrence of fraud
2. Information obtained from external reviewers
3. Date of last audit
C. Changes in Organization and/or Management
1. Management and staff capabilities
2. High employee turnover or new management
3. Management accountability
D. Systems
1. Stability and reliability of information technology
2. Disaster recovery
E. Political and/or Economic Environment
1. Regulations of a specific program’s activities
2. Adverse criticism or public embarrassment
F. Impact of Not Providing Service
1. Central control responsibility
2. Complexity of operations
3. Dependency on centralized processing

Based on the evaluation, assign a “Risk Rating” (low, medium or high) and a “Priority Level” of 1, 2 or 3 (with 1 being the highest priority).

Select audits based on the identification and evaluation of significant risk exposures as mentioned above. By focusing on the risk, internal auditors are able to identify controls that are absent or ineffective, as well as those that are no longer relevant. Consider requests originating from other sources, including the Board, the Audit Committee, Administration or departmental management.

Done By

Time Spent

Date Expected

Date Finished

Remarks

Checked By:

Audit Program

Audit Procedure

Control Objective

Risk if Objective Not Met

Control Technique

Workpaper Reference

Performed By

Date Expected

Date Completed

Budget Hours

Actual Hours

Document Reference

Source

Reviewed By

Remarks/Comments

AREA:

Process

Control Objective

Risk

Control Considerations

Assertion E,A,C,V,P

Description of control

Documentation W/P Ref.

Do controls meet objective? Yes/No

Test W/P Ref

Testing exceptions noted? Yes/No

Resolution / remediation/ comments W/P Ref

Potential Risk Factors
Business strategic risks
IT strategic operations risk
Financial return
Competitive impact
Regulatory impact

Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale

Audit Program Area
Global Ref No, Audit Procedure

Control Objective

Risks

Control Activity Number

Control Key Control? Frequency Description

Owner

Exceptions

Type

Document Reference

Mapping to Standards

AREA DATE COMPLETED: COMPLETED BY: Question

Yes No

Comment

Finding Ref #

Control Testing

Finding

Management Response & Treatment
