
Audit Program for Creating a Risk Based Audit Plan

AUDIT PROCEDURES Ref.

Evaluate risks existing within the organization

1. Likelihood of risk occurring
2. Significance of the risk related to the organization

Risk-based auditing begins by reviewing the organizational objectives, then
considers the risks that impact on the achievement of those objectives, and
examines the methodologies in place to mitigate those risks.

Risks can be avoided, shared, or transferred rather than controlled. Risk-based
auditing also explicitly accepts that there will always be some risk that must be
accepted; but the acceptable amount must be kept within the limits established by
the Board and management.

Audit Services identifies risk factors and evaluates them. The evaluation of risk
factors includes, but is not limited to, discussions with management, observations
made during previous audits, and the past history of the unit. Some examples of risk
factors are:

Example 1 of Risk Factors

Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale

Example 2 of Risk Factors

the date and results of the last audit
financial exposure
potential loss and risk
requests by management
major changes in operations, programs, systems and controls
opportunities to achieve operating benefits
changes to and capabilities of audit staff.

Example 3 of Risk Factors

A. Financial Impact

1. Proposed revenues and expenses for fiscal year
2. Expenditures and revenue trend over last three years
3. Fund type
4. Negative fund balances
5. Value of fixed assets
6. Capital expenditures
7. Proposed budget cuts

B. Results of Prior Years Audit

1. Occurrence of fraud
2. Information obtained from external reviewers
3. Date of last audit

C. Changes in Organization and/or Management

1. Management and staff capabilities
2. High employee turnover or new management
3. Management accountability

D. Systems

1. Stability and reliability of information technology
2. Disaster recovery

E. Political and/or Economic Environment

1. Regulations of a specific program’s activities
2. Adverse criticism or public embarrassment

F. Impact of Not Providing Service

1. Central control responsibility
2. Complexity of operations
3. Dependency on centralized processing

Based on the evaluation, assign a “Risk Rating” (low, medium or high) and a
“Priority Level” of 1, 2 or 3 (with 1 being the highest priority).

Select audits based on the identification and evaluation of significant risk exposures
as mentioned above. By focusing on the risk, internal auditors are able to identify
controls that are absent or ineffective, as well as those that are no longer relevant.

Consider requests originating from other sources including the Board, the Audit
Committee, Administration or departmental management.

Done By | Time Spent | Date Expected | Date Finished | Remarks | Checked By

Audit Program

Audit Procedure | Control Objective | Risk if Objective Not Met | Control Technique | Workpaper Reference | Performed By | Date Expected | Date Completed | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments

AREA:

Process | Control Objective | Risk | Control Considerations | Assertion (E,A,C,V,P) | Description of control | Documentation W/P Ref.

Testing: Test | W/P Ref | Do controls meet objective? (Yes/No) | Exceptions noted? (Yes/No) | W/P Ref | Resolution / remediation / comments

Potential Risk Factors

Business strategic risks
IT strategic operations risk
Financial return
Competitive impact
Regulatory impact

Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale

Audit Program Area

Audit Procedure

Global Ref No. | Control Objective | Risks | Control Activity Number | Control Description | Key Control? | Frequency | Owner | Exceptions | Type | Document Reference | Mapping to Standards

AREA
DATE COMPLETED:
COMPLETED BY:

Question | Yes | No | Comment

Finding Ref # | Control Testing Finding | Management Response & Treatment