STUDY UNIT TWO
ESTABLISH RISK-BASED INTERNAL AUDIT PLAN
(12 pages of outline)

2.1 Risk-Based Audit Plan
2.2 Identify Internal Audit Resource Requirements
2.3 Reporting to Senior Management and the Board

This study unit is the second of four covering Section I: Managing the Internal Audit Function from The IIA's CIA Exam Syllabus. This section makes up 40% to 50% of [...] of the CIA exam and is tested at the proficiency level. The relevant portion of the syllabus is [...] complete syllabus is in Appendix B.)

I. MANAGING THE INTERNAL AUDIT FUNCTION (40%-50%)
   A. Strategic Role of Internal Audit
   B. Operational Role of [...]
   C. Establish Risk-Based [...] Plan
      1. Use market, product, and industry knowledge to identify new internal audit engagement opportunities
      2. Use a risk framework to identify sources of potential engagements (e.g., audit universe, audit cycle requirements, management requests, regulatory mandates)
      3. Establish a framework for assessing risk
      4. Rank and validate risk priorities [...]
      5. Identify internal audit resource requirements [...]
      6. Communicate areas of significant [...] approval from the board for the annual engagement plan
      7. Types of engagements

a. Internal auditors should use market, product, and industry knowledge to identify new internal audit engagement opportunities.

b. The large, complex, interconnected organizations in the modern economy require sophisticated assessment of many diverse risks. Thus, the work plan of any internal audit activity must reflect the organization's assessment of these risks.

   1) The knowledge, skills, and other competencies of the internal auditors affect [...] engagements can be performed without using external service providers.

      a) However, the knowledge, skills, and other competencies of the internal auditors do not affect the risk assessment.

c. The audit plan must be logically related to identified risks of the organization. These are in turn related to its strategic and operational goals.

Making this connection between identified risks and how they relate to strategic and operational goals is the primary advantage of risk-based audit planning.

This requirement is codified in the following standard:

Performance Standard 2010, Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.

[...] executive takes into account the organization's risk [...] appetite levels set by management for the different [...] framework does not exist, the chief audit executive [...] consideration of input from senior management and the [...] review and adjust the plan, as necessary, in response to [...] risks, operations, programs, systems, and controls.

[...] on a documented risk assessment, undertaken at least annually. The input of senior management and the [...]

[...] considering what services stakeholders want.

Implementation Standard 2010.A2
[...] must identify and consider the expectations of senior [...] and [...] stakeholders for internal audit opinions and other [...]

[...] services involves considering what benefits these offer.

Implementation Standard 2010.C1
The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.

2. Specific Guidance

a. Practice Advisory 2010-1, Linking the Audit Plan to Risk and Exposures, provides specific guidance regarding planning and risk.

   1) Developing the internal audit activity's audit plan often follows developing or updating the audit universe.

      a) The audit universe (all possible audits) may include the organization's strategic plan. Thus, it may reflect

         i) Overall business objectives,
         ii) The attitude toward risk,
         iii) The difficulty of reaching objectives,
         iv) The results of risk management, and
         v) The operating environment.

      b) The audit universe should be assessed [...] most current strategies and direct[...]

         i) But more frequent updating [...] may [...] to respond [...]

      NOTE: The audit universe includes [...] that can be evaluated and defined. They include [...], procedures, products, systems, and many other [...] audit plan includes audits [...] as a condition of receiving government contracts. [...] many entity [...] or functions are audited cyclically. Accordingly, the priority of an [...] depend on how recently a specific operation or function [...]

   2) The internal aud[...] an assessment of risk management activities. [...] based on an assessment of risk priority and exposure. [...] used to prioritize engagements are based on risk [...] (e.g., [...] quality of and adherence to controls, degree of change, [...] and results of last engagement, impact, likelihood, materiality, [...] liquidity, management competence, complexity, and employee and [...] government relations). An unexpected, significant change in an account that cannot be explained [...] the assessed risk for that account.
