
Risk Based Internal Audit

What is RBIA?

The Institute of Internal Auditors (IIA) defines Risk Based Internal Auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

Under RBIA the internal auditor provides assurance on:

- Risk management processes: both their design and their effectiveness.
- Management of key risks: the effectiveness of the controls and other responses to them.
- Complete, accurate and appropriate reporting and classification of risks.

RBIA Requirements

In order for RBIA to be effective, directors need to ensure that the risk management framework includes the following:

1. Directors and managers have identified and assessed the risks threatening their organization's objectives and have developed a system of internal control to reduce this threat to below the risk appetite, or report to the board where this is not possible.

2. The inherent risks are recorded and assessed in some way that permits them to be ranked in order of threat.

3. The board has approved a risk appetite for the organization on such a basis that risks can be easily identified as being above, or below, the risk appetite.

4. The responsibility for providing assurance on the risk management framework is defined. This includes defining the responsibilities of management, external audit, internal audit and any other function that provides assurance.

Traditional Approach versus Risk Based Internal Audit Approach

1. Audit plan
   Traditional IA approach: the audit plan is based on the audit cycle (time duration).
   Risk based IA approach: the audit plan is based on the results of the business units' risk evaluation; risky areas are covered first and more frequently.

2. Coverage of important risks
   Traditional IA approach: important risks might not be covered in the audit program.
   Risk based IA approach: provides assurance that important risks are being managed properly.

3. Focus
   Traditional IA approach: focus on deficiencies in controls and cases of non-compliance with policies and procedures (P&P).
   Risk based IA approach: focus on risks that are not properly controlled and/or are overly controlled.

4. Understanding of the business unit
   Traditional IA approach: an understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P&P manuals.
   Risk based IA approach: an in-depth understanding of business unit operations is built through risk assessment workshops with the participation of business unit (BU) management.

5. Use of IA resources
   Traditional IA approach: IA resources are spread over all business units and activities.
   Risk based IA approach: more efficient use of IA resources by concentrating on risky units and areas.

6. Importance of findings
   Traditional IA approach: disagreement with BU management on the importance of the findings raised by IA.
   Risk based IA approach: the importance of risks is established during the risk assessment phase, in agreement between IA and BU management.

7. Action plans
   Traditional IA approach: disagreement with BU management over the action plans, leading to delays in implementation.
   Risk based IA approach: consensus with line management on the needed action plans is facilitated, improving timely and effective implementation of corrective measures.

RBIA Stages

RBIA has two stages: Annual Audit Planning and Audit Visits.

Annual Audit Planning ranks the business units using the following risk factors:

- Throughput
- Value of transactions
- Stability
- Complexity
- Management
- Control environment
- Time since last audit
Audit Visits

Each audit visit goes through four stages:

- First stage: Planning
- Second stage: Execution
- Third stage: Reporting
- Fourth stage: Monitoring Progress

Planning

The planning stage consists of:

- Preparing the audit program
- Preliminary desk review
- Pre-audit meeting
- Drafting and agreeing the planning / scope memorandum with the auditee

Execution

The execution stage is the executing of the audit program and the gathering of evidence, in three linked steps: compliance tests, updating the risk profile, and substantive tests.

Compliance tests (tests of controls) are conducted to check whether the existing internal controls are being applied as prescribed.

The compliance test results are reflected in the risk profile: where some of the mitigating controls are not working as intended, additional risks (weaknesses) are highlighted.

Substantive tests are then conducted, concentrating on the important weaknesses, to check whether the risks have actually occurred and to measure the resulting outcome.
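As an added example (not from the original slides), the following shows how compliance test results can be reflected in the risk profile and how the important weaknesses are then selected for substantive testing, with risks left above appetite by working controls flagged for board reporting instead. The scoring scale, the per-control "reduction" credit, the risk appetite threshold, and the sample risks and test results are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    key: bool       # key control for this risk
    reduction: int  # assumed: points removed from the inherent score when the control operates


@dataclass
class Risk:
    name: str
    inherent: int   # assumed 1..25 scale (likelihood x impact)
    controls: list


def residual_score(risk, test_results):
    """Residual risk after credit for controls the compliance tests showed to be operating.

    A control with no recorded test result is treated as not evidenced and earns
    no credit, so an untested control never lowers the risk profile by accident.
    """
    residual = risk.inherent
    for control in risk.controls:
        if test_results.get(control.name) is True:
            residual -= control.reduction
    return max(1, residual)


def update_risk_profile(risks, test_results, appetite):
    """Reflect the compliance test results on the risk profile."""
    profile = []
    for risk in risks:
        failed = [c.name for c in risk.controls if test_results.get(c.name) is not True]
        residual = residual_score(risk, test_results)
        above = residual > appetite
        profile.append({
            "risk": risk.name,
            "inherent": risk.inherent,
            "residual": residual,
            "failed_controls": failed,
            "key_control_failed": any(c.key and c.name in failed for c in risk.controls),
            "above_appetite": above,
            # Substantive tests concentrate on important weaknesses: a risk left
            # above appetite because a mitigating control is not working as intended.
            "substantive_test": above and bool(failed),
            # Above appetite with every control working: nothing to test
            # substantively, but the board must be told it cannot be brought
            # within appetite.
            "report_to_board": above and not failed,
        })
    return profile


def substantive_test_plan(profile):
    """Names of the risks selected for substantive testing, worst residual first."""
    selected = [p for p in profile if p["substantive_test"]]
    return [p["risk"] for p in sorted(selected, key=lambda p: p["residual"], reverse=True)]


# Constructed sample risks and compliance test results, not from a real audit.
SAMPLE_RISKS = [
    Risk("Unauthorised payments", 20, [
        Control("Dual authorisation of payments", key=True, reduction=8),
        Control("Daily bank reconciliation", key=True, reduction=6),
        Control("Quarterly user access review", key=False, reduction=3),
    ]),
    Risk("Data entry errors", 12, [
        Control("Input validation", key=True, reduction=6),
        Control("Supervisory review", key=False, reduction=3),
    ]),
    Risk("Vendor fraud", 16, [
        Control("Vendor vetting", key=True, reduction=5),
        Control("Three-way match", key=True, reduction=6),
    ]),
    Risk("Market volatility loss", 15, [
        Control("Hedging policy", key=True, reduction=5),
    ]),
]

SAMPLE_TEST_RESULTS = {
    "Dual authorisation of payments": False,  # sampled payments approved by a single user
    "Daily bank reconciliation": True,
    "Quarterly user access review": True,
    "Input validation": True,
    "Supervisory review": True,
    "Vendor vetting": False,                  # sampled new vendors had no vetting file
    "Three-way match": True,
    "Hedging policy": True,
}

RISK_APPETITE = 8  # assumed board-approved threshold on the residual scale

if __name__ == "__main__":
    profile = update_risk_profile(SAMPLE_RISKS, SAMPLE_TEST_RESULTS, RISK_APPETITE)
    for entry in profile:
        print(entry)
    print("Substantive tests:", substantive_test_plan(profile))
```

In the sample, "Unauthorised payments" and "Vendor fraud" each lose a key control and stay above appetite, so they go forward to substantive testing; "Data entry errors" is brought within appetite by its working controls; "Market volatility loss" remains above appetite although its only control works, which is the case the RBIA requirements say must be reported to the board.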

Reporting

The reporting stage has three aims:

- Communicate: communicating the audit findings.
- Convince: convincing management of the results and of the value of the recommendations, highlighting the risks and the related losses (if any).
- Gain the results: moving management to change and make the necessary improvements, by showing the impact of the recommendations on the mitigation of risks and on the control environment.

Monitoring Progress

In compliance with the IIA Standards, the chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action (Standard 2500.A1).

Internal Audit Rating Policy

Rating Matrix

The rating is read from a matrix with two dimensions:

Rows (proportion of key controls working): All; Up to 80%; 50%-80%; 20%-50%; <20%.

Columns (gap against the acceptable level): Within acceptable gap; 1%-20% above acceptable; 20%-40% above acceptable; >40% above acceptable.

Ratings shown in the matrix include B+ and C+.