The Institute of Internal Auditors – UK and Ireland

An approach to implementing
Risk Based Internal Auditing
Professional guidance for internal auditors
About the Institute The Institute of Internal Auditors – UK and Ireland (IIA) is the only professional body in
the UK and Ireland solely dedicated to the profession of internal auditing. We are part of
the global Institute of Internal Auditors, which sets the International Standards for the
Professional Practice of Internal Auditing (Standards), and the Code of Ethics, which all
members agree to follow.

The IIA represents, promotes and develops the professional practice of internal auditing.
We have more than 100,000 members in 160 countries worldwide, and 7,000 members in
the UK and Ireland.

We provide the only professional qualifications specifically designed for internal auditors
in the UK and Ireland. We are committed to the ongoing development of internal auditors,
and provide a range of training courses and seminars, professional guidance, networking
opportunities, publications and other services.

Professional guidance Professional guidance is designed to provide practical ideas on how internal auditors can
apply the professional practices framework, the Code of Ethics and Standards, in the
commercial and economic environment found in the UK and Ireland.

The Institute is grateful to members of the Technical Development Committee for their
contributions to this guidance.
 P R E F A C E

Preface
Over the last few years, the need to manage risks has become recognised as an essential
part of good corporate governance practice. This has put organisations under increasing
pressure to identify all the business risks they face and to explain how they manage them. In
fact, the activities involved in managing risks have been recognised as playing a central and
essential role in maintaining a sound system of internal control.1

While the responsibility for identifying and managing risks belongs to management2, one of
the key roles of internal audit is to provide assurance that those risks have been properly
managed. The Institute of Internal Auditors – UK and Ireland believes that a professional
internal audit activity can best achieve its mission as a cornerstone of governance by
positioning its work in the context of the organisation’s own risk management framework.
This approach is generally known as Risk Based Internal Auditing (RBIA). In 2003, the
Institute presented an overview of this approach in its position statement Risk Based Internal
Auditing. This guidance develops further the ideas outlined in the position statement and sets
out an approach that may be used to implement RBIA.

It explains:

• Why RBIA should be introduced;

• How RBIA can be implemented; and
• The advantages of RBIA.

The guidance is not intended as an internal audit manual giving a complete methodology on
how to run an internal audit activity. It focuses on those areas where RBIA requires different
actions from other internal audit methodologies and assumes an appropriate knowledge of
the International Standards for the Professional Practice of Internal Auditing.

Every organisation is different, with a different attitude to risk, different structure, different
processes and different language. This publication can provide advice and ideas only as a
starting point. Experienced internal auditors need to adapt these ideas to the structures,
processes and language of their organisation in order to implement RBIA.

The guidance also assumes that readers have an understanding of the regulations or
requirements regarding risks and internal controls which affect their organisation, such as,
for example, the Financial Reporting Council’s Code on Corporate Governance3 or the
Government Internal Audit Standards issued by HM Treasury in the UK. Publications listed
under ‘Further Reading’ should be consulted.

RBIA is at the cutting edge of internal audit practice. As a result it is an area that is evolving
rapidly and where there is still little consensus about the best way to implement it. The
authors have drawn up the guidance with reference to their own practical experience, and
the experience of other internal auditors in a wide-range of organisations. The Institute
hopes that its publication will stimulate further debate. If you have any comments, please
email them to technical@iia.org.uk.

1 See ‘Internal Control – Guidance for Directors on the Combined Code (Turnbull Guidance)’.
2 See ‘Guidance on Audit Committees (the Smith Guidance)’.
3 Such as the Financial Reporting Council’s Code on Corporate Governance including the Guidance on Internal Control
(Turnbull) and the Guidance on Audit Committees (Smith) and the International Standards for the Professional Practice of
Internal Auditing; and the Government Internal Audit Standards issued by HM Treasury in the UK.

An approach to implementing Risk Based Internal Auditing 03

 T A B L E O F C O N T E N T S

Table of contents
What is Risk Based Internal Auditing? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 05

Implementing RBIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 06

Stage 1 – Assessing the organisation’s risk maturity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 08

Stage 2 – Production of a periodic audit plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Stage 3 – Carrying out an individual assurance audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Benefits and drawbacks of RBIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Guidance on implementing key aspects of the RBIA methodology

A Assessing the organisation’s risk maturity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

B Guidance on assigning audit conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Illustrations of how you might document parts of the risk management framework and RBIA

C Risk register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

D Audit Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

E Risk and audit universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

F Audit Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

G Individual audit database for expense purchasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

04 An approach to implementing Risk Based Internal Auditing

 W H A T I S R I S K B A S E D I N T E R N A L A U D I T I N G ?

What is Risk Based

Internal Auditing?
The Institute defines Risk Based Internal Auditing (RBIA) as a methodology that links
internal auditing to an organisation’s overall risk management framework. RBIA allows
internal audit to provide assurance to the board that risk management processes are
managing risks effectively, in relation to the risk appetite.

RBIA is based on an organisation’s own risk management framework and seeks at every
stage to reinforce the responsibilities of management and the board for managing risk. If the
risk management framework is not very strong or does not exist, the organisation is not
ready for RBIA. More importantly, it means that the organisation’s system of internal control
is poor. Internal auditors in such an organisation should promote good risk management
practice to improve the system of internal control.

Where RBIA is new to an organisation, the head of internal audit will need to market the
concept to management and win their support, particularly since it may mean a change for
them in the way that they think about risk. The guidance includes a section on the benefits
of RBIA to help with that process. RBIA also provides challenges to the internal audit activity
itself because it is a dynamic process. It is more difficult to manage than traditional
methodologies and monitoring progress against an annual plan that is constantly changing
is a challenge. Setting targets and appraising staff may become more complex.

But the advantages are much greater. By following RBIA internal audit should be able to
conclude that:

• Management has identified, assessed and responded to risks above and below the
risk appetite;
• The responses to risks are effective but not excessive in managing inherent risks
within the risk appetite;
• Where residual risks are not in line with the risk appetite, action is being taken to
remedy that;
• Risk management processes, including the effectiveness of responses and the
completion of actions, are being monitored by management to ensure they continue
to operate effectively; and
• Risks, responses and actions are being properly classified and reported.

This enables internal audit to provide the board with assurance that it needs on three areas:

• Risk management processes, both their design and how well they are working;
• Management of those risks classified as ‘key’, including the effectiveness of the controls
and other responses to them; and
• Complete, accurate and appropriate reporting and classification of risks.

An approach to implementing Risk Based Internal Auditing 05

 I M P L E M E N T I N G R B I A

Implementing RBIA
The implementation and ongoing operation of RBIA has three stages:

1 Assessing risk maturity – obtaining an overview of the extent to which the board and
management determine, assess, manage and monitor risks. This provides an indication of
the reliability of the risk register for audit planning purposes.

2 Periodic audit planning – identifying the assurance and consulting assignments for a
specific period, usually annual, by identifying and prioritising all those areas on which the
board requires objective assurance, including the risk management processes, the
management of key risks, and the recording and reporting of risks.

3 Individual audit assignments – carrying out individual risk based assignments to

provide assurance on part of the risk management framework, including on the mitigation
of individual or groups of risks.

The relationship between these stages is shown in figure 1.

06 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

Figure 1
RBIA – Overview of Stages

Key 1
Flow of audit work Assess Risk
Source where possible maturity
Internal audit reports

Overall Audit
Strategy

2
Periodic
Assurance Audit
Management Risk register Audit
Requirements Committee
Planning

Audit Plan

3
Individual
Audit
Assignments

Audit Results

An approach to implementing Risk Based Internal Auditing 07

 I M P L E M E N T I N G R B I A

Stage 1 – Assessing the organisation’s risk maturity

Introduction The first stage of RBIA is to review the level of risk maturity. There are three objectives to
this stage, which are to:

• Assess the risk maturity of the organisation

• Report to management and to the audit committee on that assessment
• To agree an audit strategy

Actions to achieve 1 Discuss the understanding of risk maturity with the board and senior managers. Determine
the objectives what has already been done to improve the risk maturity of the organisation such as
training, risk workshops, questionnaires about risks and interviews with risk managers.
Determine whether managers feel that the risk register is comprehensive. Discuss whether
an understanding of risk management is embedded so that managers feel responsible not
only for identifying, assessing and mitigating risks but also for monitoring the framework
and the responses to risks.

2 Obtain documents, where they are available, which detail:

– The objectives of the organisation.
– How risks are analysed, for example by scoring their impact and likelihood.
– A definition, approved by the board, which defines its risk appetite in terms of the
scoring system used for inherent and residual risks.
– The processes followed to identify risks which threaten the organisation’s objectives.
– How management considers risks as part of their decision making. For example,
including risks and the response to them, in project approval documents.
– The processes followed to report risks at different levels of management.
– The sources of information used by management and the board to assure themselves
that the framework is working effectively to manage risks within the risk appetite.
– The risk register of the organisation, including the types of information described in the
previous section.
– Any existing assessment by management or the board of the risk maturity of
the organisation.
– Any other documents which indicate the commitment to risk management.

3 Conclude on the risk maturity.

Using the documents and information gathered assess the organisation’s risk maturity
using the stages defined in the Institute’s position statement on Risk Based Internal
Auditing, published in 2003: risk enabled, risk managed, risk defined, risk aware and risk
naïve. Appendix A provides these definitions and suggests the factors you can take into
account to do this assessment. It also suggests audit tests that you can undertake to
provide evidence to support your assessment.

08 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

4 Report your conclusion on risk maturity to management and to the audit committee. This
stage will provide a first, high level, assurance on the risk management processes, the
management of key risks and on the recording and reporting of risks.

In reporting your conclusions and their implications, you should note that a risk maturity of
risk naïve or risk aware implies that the organisation’s system of internal control and the
board’s ability to assess it may be ineffective. The Institute believes that risk naïve and risk
aware organisations are not complying with either the Turnbull Guidance or the Code of
Corporate Governance.

5 Work with management to identify any actions they propose to take as a result of this
assessment. Management may suggest consulting assignments for internal audit such as,
for example, facilitating management’s efforts to improve their risk management processes.

6 Decide on the audit strategy that follows from your assessment and obtain approval from
management and audit committee.

Range of audit strategies The audit strategy selected depends upon the organisation’s risk maturity.

Risk naïve or risk aware organisations will be unable to implement RBIA straight away.
However, such organisations can benefit from some aspects of the audit strategies described
below. For example, internal audit can help improve risk management and governance
processes by reporting its assessment of the risk maturity of the organisation to
management and to the audit committee, and by championing risk management throughout
the internal audit activity’s work. It may also conduct consulting assignments supporting
management in improving the organisation’s risk maturity.

There are three potential elements to an RBIA audit strategy: firstly, the type of assurances
that you expect to be able to give; secondly, the framework that will be used for your audit
planning; and, thirdly, the type of consulting services that you expect to provide.

An approach to implementing Risk Based Internal Auditing 09

 I M P L E M E N T I N G R B I A

Figure 2
RBIA Stage 1 – Range of audit strategies

Audit Strategy (N):

• Report that no formal risk
management
• Consulting to champion
risk management
• Audit plan driven by
alternate framework
• Assurance on control
processes
Risk Naive

Audit Strategy (E): Audit Strategy (A):

• Management view of risk • Report poor risk
drives audit plan management
• Assurance on risk • Consulting to champion
management processes risk management
& mitigation • Audit plan driven by
• Consulting as required Risk re alternate framework
Ena
bled Awa
Risk • Assurance on control
What is the processes
organisation’s
risk maturity?
d

Ri
e

sk
ag

D
an

ef
M

in
sk

ed
Ri

Audit Strategy (M): Audit Strategy (D):

• Management view of risk • Report risk management
drives audit plan deficiencies
• Assurance on risk • Consulting to embed risk
management processes management
& mitigation • Start with management view
• Consulting to improve of risk and supplement
risk management • Assurance on risk
management policies
& on control processes

10 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

Assurance strategies For risk enabled and risk managed organisations, the conclusion on risk maturity is the first
step in being able to provide assurance on risk management processes, management of key
risks and reporting of risks. The internal audit activity’s assurance strategy is therefore to
provide assurance on these areas.

For other organisations, the conclusion on risk maturity means that such assurances are not
available. Those in risk defined organisations may be able to identify risk management policies
or pockets of risk management excellence and be able to plan to provide assurance on these
elements. Otherwise, internal audit should plan to provide assurance that control processes
are working according to the objectives or standards that have previously been set.

Framework for audit planning In risk enabled and risk managed organisations, RBIA means that audit planning is driven
from the organisation’s risk register and its need for objective assurance. This is described in
greater detail in Stage 2.

For other organisations, there is no reliable risk register. Therefore, in these organisations, the
internal audit activity will need to plan its audit work using an alternative framework, for
example, key systems or business units.

In the past, internal auditors have performed their own assessments of the risks facing their
organisations. It is tempting to take these assessments and start considering them the
organisation’s risk register. However, this may be detrimental to the ultimate goal of
improving the organisation’s risk maturity since it is likely to reinforce the misconception that
internal audit are responsible for risk management. The RBIA methodology drives internal
auditors to facilitate the improvement of the risk management framework. Therefore, the use
of misleading names, such as audit needs or risk assessments or analyses, should be
discontinued in favour of the generic term ‘audit planning framework’.

An approach to implementing Risk Based Internal Auditing 11

 I M P L E M E N T I N G R B I A

Consulting strategies In less risk mature organisations, internal audit may wish to set aside time to champion
the introduction and improvement of risk management processes. The aim of this type of
consulting activity is to improve the risk maturity of the organisation. Internal audit should
approach the work in such a way that management retains a sense of ownership of the
processes that are being developed.

The Institute’s International Standards 4 define consulting activities as advisory services, the
nature and scope of which are agreed with the client and which do not involve the
internal auditor assuming any management responsibility. The Institute’s position
statement on The Role of Internal Audit in Enterprise-wide Risk Management provides
further guidance on the roles that you may undertake and those that you may not.5

In risk enabled and risk managed organisations, the need to improve risk management
processes is less pressing than in less risk mature organisations and may be part of the
framework itself. As a result, less resource may be needed for consulting work.

Mixed risk maturities It is possible that one part of an organisation may be risk managed and another risk aware.
Alternatively, an organisation may be risk managed when it comes to one type of risk, for
example, market risk in a bank, but risk aware for another type of risk.

In this case, internal audit should not conclude that the whole organisation is risk managed.
It should report the dangers of having a patchwork of risk maturities and devise audit
strategies separately for the different parts of the organisation.

4 International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors: ‘Consulting Services –
Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to
add value and improve an organisation’s governance, risk management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel, advice, facilitation and training.’
5 Position statement on The Role of Internal Audit in Enterprise-wide Risk Management, published by the Institute of Internal
auditors – UK and Ireland in 2004.

12 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

Stage 2 – Production of a periodic audit plan

Introduction RBIA is not about auditing risks but about auditing the management of risk. Its focus is on
the processes applied by the management team:

• The responses to individual risks and

• The processes used to assess risks, to decide on the responses to them, to monitor the
responses and to report to the board.

This is represented in figure 3.

Figure 3
Representation of assurance provided by RBIA

RBIA also provides assurance that

management’s risk management
processes to identify, evaluate,
monitor and report on risk are
operating effectively Inherent
Risk
Impact

Response

RBIA provides
assurance that
the response is
Residual operating
Risk effectively
Ris

k
app
eti
t
e

Likelihood

Objectives of this stage The objectives of this stage are:

• To agree all the risk management responses and risk management processes on which
objective assurance from internal audit is required.
• To produce an audit plan which lists all audits to be carried out over a specified period –
usually a year.

An approach to implementing Risk Based Internal Auditing 13

 I M P L E M E N T I N G R B I A

Information requirements Stage 1 should have provided the background needed to understand how management
identifies and evaluates risks and how and where the rest of the information needed is recorded.

The risk register, or attached documents, show responses, actions and monitoring controls:
i.e. the responses that management believe exist to manage key risks; the actions that are
being taken to add, delete or modify existing responses where they do not currently bring
risk within the risk appetite; and the monitoring controls used by management to ensure that
all these elements of the framework are working.

Internal audit should also obtain from the audit committee and the management team guidance
about the nature of the objective assurance they want from the internal audit activity. These are
called the assurance requirements. They may be explained in a separate document or as part of
the risk register; or they may be identified as a result of discussions with the people involved.

In RBIA the role of internal audit is not to create any of this information but to be able to
interpret it and to use it for planning purposes.

Actions to achieve The steps to complete Stage 2 are shown as follows.

the objectives
1 Identify the responses and risk management processes on which objective
assurance is required.

Internal audit should review the audit committee’s assurance requirements and the risk
register and list all the responses on which objective assurance is required, together with
information on the risks to which they are related.

Response to risk Processes to audit

Terminate activities if the risks they Action plans and projects to terminate the activity
pose are too high or too costly
Tolerate a risk Monitoring the risk
Transfer a risk Processes for transferring risks
Treat a risk These include the familiar accounting and
operational controls that have been the focus of
internal audit for many years

Other risk management processes on which assurance may be required include:

• Action plans to increase or reduce the amount of transfer or treat responses; and
• Monitoring controls to ensure that the processes and action plans are operating as expected.

Internal audit should provide assurance on parts of the risk management framework itself –
i.e. on the processes used to identify and assess risks and to decide on the appropriate
responses; processes for reporting risks throughout the organisation; and monitoring
controls over those processes.

14 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

The audit committee may not want objective assurance from internal audit on the
management of all the risks. Reasons not to want such assurance may include: the quantity
of assurance from other sources; the skills and competence of the internal audit activity in a
specialist area; and the availability of objective assurance from other sources.

The audit committee may prioritise the risks on the management of which it would like
objective assurance, favouring higher inherent risks. It may not, therefore, require objective
assurance on all risks every year.

Internal audit may wish to review thoroughly the audit committee’s assurance requirements to
ensure that they do not leave a gap in assurance. It is important to recognise that the
internal audit activity does not have to provide assurance on every aspect of the risk
management framework in order for it to be effective.

Figure 4
RBIA Stage 2 – Producing the audit plan

Key
Flow of audit work Overall Audit
Source where possible Strategy
Internal audit reports

Identify responses
Assurance
Risk register on which assurance
Requirements
is required

Prioritise and List of responses

categorise by category with
responses priority & risk data

Link responses List of audits

to audit showing responses,
assignments risks and priority data

Draw up the
Periodic Audit Plan
Audit plan

Audit
Management Report
Committee

An approach to implementing Risk Based Internal Auditing 15

 I M P L E M E N T I N G R B I A

2 Categorise and prioritise the risks.

a If there is a large number of risks, they should be categorised. This should result in
grouping the risks into a logical order, which will help in compiling the audit plan.
Useful categorisations include:

– By business unit. This is useful where the organisation has a number of physically
independent business units, the procedures and systems of which are self-contained.
It may be necessary to duplicate common responses, for example, those arising from
computers, across all units.
– By function or system, such as sales, purchases, or stock control. This is useful in a
large central organisation with integrated systems.
– By objectives. This is useful when assessing the audit plan for its relevance to the
organisation because it links audits directly to the objectives affected by the risks,
the management of which is being checked by the audit.

b Internal audit should also prioritise the responses which are to be audited. An
important characteristic of RBIA is that prioritisation is always by reference to the size
of the risks and to the contribution that the response makes to managing the risks.
Useful prioritisations include:

– The size of the inherent risks managed by the response: the bigger the risk, the
higher the priority.
– The contribution that the response makes in managing risks so that the more the
response reduces the risk, the higher the priority. For example, where a risk is
managed using a single response, say a treatment, the control score – (the difference
between the inherent risk and the residual risk) – is the contribution of that response.
However, the control score for some risks may be divided among different responses,
which needs to be taken into account.
– The number and nature of other available assurances that the response is operating
effectively. Where several groups provide assurance on a single response, it may
have a lower priority.
– Those categories of risks on which the audit committee requires objective assurance
each period.

3 Link risks to audit assignments.

Two methods can be used to link risks to audit assignments:

a Group the risks, for example by business unit, objective, function or system, and decide
the audits which will provide assurance on the related responses. This method has the
advantage that the management of all risks will be covered, but it may be difficult to
define audit units which satisfy the organisation’s preferences for audit “size”, such as
the number of staff hours on an audit.

16 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

b Set up an audit universe. This allocates each audit to a business unit or system and
assigns the risks, on which assurance is to be provided to these audits. This method
has the advantage of covering one physical location in one visit and of allowing the
definition of suitably sized audit units. It requires an additional check to ensure that the
management of all risks is being audited.

This step will produce a list of potential audit assignments. The priority of each audit is
derived from the size of the risk management process on which it provides assurance. This
information should link to the categorised listing of risks, which in turn links to the risks in
the organisation’s risk register.

The organisation also needs to collect and record information that links the risks, the
responses to them and the audit assignments which provide assurance on those
responses. An example can be found in Appendix E, the risk and audit universe, which may
either be a separate document or form part of the risk register.

4 Draw up the periodic audit plan.

Estimate the number of days required for each audit and identify which audits can be
completed with the available resources, while providing scope for consulting support.

RBIA generates a defined amount of work and, therefore, highlights whether resources
are sufficient to complete the planned work. Internal audit can propose an increase in
staff, or a reduction in the number of audits if there are insufficient resources.
Management and the audit committee should be informed of any risks on which
assurance will not be provided.

All the audits to be included in the plan should have now been determined. However,
many organisations add audits based on criteria other than risk. Such criteria might
include areas subject to change, mandatory audits or audits requested by management.
This is a reason to ‘sense check’ the RBIA work so far because any topic worthy of audit
should have surfaced through the risk management framework. For example, considerable
change happening in an area could result in increases in the likelihood of a risk event
materialising and this should be visible in the risk register. If an audit has to be included by
management request, then it is displacing an audit included on the basis of risk scores
and management should justify this substitution.

An approach to implementing Risk Based Internal Auditing 17

 I M P L E M E N T I N G R B I A

5 Reporting to management and the audit committee.

a The periodic audit plan should be discussed with management and be presented to the
audit committee for approval. It should provide:

– Details of those risks where assurance is provided by carrying out the audits of the
risk management processes and responses in the plan.
– Details of those risks where assurance is provided but based on audit work from
previous years, if applicable.
– Details of those risks where consultancy work is carried out to assist management in
reducing the risks to below the risk appetite, or, at least, an indication of the
resources available for consultancy work.
– The impact of any constraints on resources.
– Any risks not covered due to policy constraints.
– Confirmation that the plan is in accordance with the internal audit activity ‘s terms
of reference.

An example plan can be found at Appendix F.

b Internal audit should report to management any information that has come to light
about the quality of the risk register. If extra topics for audit have been identified at the
end of Stage 2 these should be discussed with management so that management can
revise the risk register.

Risk defined organisations If an organisation is risk defined it does not have a complete risk register. Internal audit
starting to use RBIA should use completed parts of the risk register to plan, or re-plan, audit work using the
method above.

For those parts of the organisation without a complete risk register, internal audit should use
an alternative framework as discussed under ‘Range of Audit Strategies’ above.

18 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

Stage 3 – Carrying out an individual assurance audit

Introduction Since RBIA is not about auditing risks but about auditing the management of risk, it focuses
on the actions taken by the management team to respond to risks. Internal auditors need to
spend time with managers, discussing and observing the monitoring controls they apply,
rather than re-performing controls or other responses, or analysing data for themselves.

Internal auditors should behave in a way that reinforces the fundamental principle that
management is responsible for managing risks. Procedures should exist to enable internal
auditors to report issues to management and agree with them the action they will take to
update the risk register.

Objectives of this stage To provide assurance that, in relation to the business, activity, or system under review and for
the processes identified in the audit plan:

• Management has identified, assessed and responded to risks above and below the
risk appetite.
• The responses to risks are effective but not excessive in managing inherent risks within
the risk appetite.
• Where residual risks are not in line with the risk appetite, action is being taken to
remedy that.
• Risk management processes, including the effectiveness of responses and the
completion of actions, are being monitored by management to ensure they continue to
operate effectively.
• Risks, responses and actions are being properly classified and reported.

Action to achieve The steps to complete Stage 3 are:

these objectives
1 Establishing the planned scope of the assignment. This involves the internal auditors
understanding the results of Stages 1 and 2 in order to draw up the draft scope. Relevant
information includes the conclusion on the risk maturity and the resulting audit strategy,
the title of the assignment and information that links the audit to the responses on which
it should provide assurance and then to the risks managed by the responses.

2 Assessing the risk maturity of the unit being audited. This allows internal audit to
take its assessment to a more detailed level than was possible at Stage 1. The criteria
used to assess risk maturity should be consistent with those used in Stage 1 and in other
assignments. The assignment may include scrutiny of the risks identified by management,
which may need additional or expert resources.

An approach to implementing Risk Based Internal Auditing 19

 I M P L E M E N T I N G R B I A

Figure 5
RBIA Stage 3

Key
Flow of audit work Audit Plan
Source where possible
Internal audit reports

List of audits Establish List of responses

showing responses, planned scope by category with
risks and priority data of audit priority & risk data

Assess risk
maturity of unit
being audited

Update audit
planning

rm Compare rm
> rm to rm <
rm rm
Report to
Management &
audit committee
rm
=
rm

Confirm
scope of
assignment

Discussion and
observation of
monitoring controls

Audit
Database

Verification of
evidence

Audit Assess evaluation

Management
Committee Of residual risk

Conclusions
Audit report
On responses

20 An approach to implementing Risk Based Internal Auditing

 I M P L E M E N T I N G R B I A

3 Assignment-level conclusions on risk maturity. Conclusions from individual audits

should either confirm or cast doubt on the original organisation-level assessment. This initial
assessment may need to be changed.

If the actual risk maturity ( rm) is better than or the same as the expected risk maturity
( rm), the current assignment will carry on as planned.

If rm is lower than rm, internal audit should report this to management, together with
the conclusion that responses included in the audit scope are not working effectively.

This may be the end of the audit assignment or, if the nature of the shortfall in risk
maturity means that some responses may still be effective, the scope of the audit may be
restricted to those responses only.

4 Confirming the scope of the assignment. Under RBIA, internal auditors need more of
management’s time than they would in other approaches to internal audit. Heads of
internal audit may wish to support the audit team by marketing the approach and gaining
buy-in from the management prior to conducting audit work.

5 Discussion and observation of monitoring controls. This is the first stage of the audit
testing. The aim is to determine that the controls used by management to ensure that the
risk management framework is working are designed to achieve this objective and to
show that they are working as designed.

6 Verification of evidence, walkthroughs, re-performance, etc. These activities may

also be required to provide extra evidence that responses to key risks are working
effectively and to support a conclusion that the monitoring controls are also working.

7 Documenting the results of the audit work. This differs in RBIA from standard
practices mainly in that the link between risks, responses to risks, assurances given and
work done to support those assurances has to be made clear.

8 Assessing management’s evaluation of residual risks. This produces a conclusion about

specific scores in the risk register and should lead to findings about how management
determine residual risks in general. If there is a systemic failing, internal audit should ensure
that it is reflected in the organisation-level conclusions on risk maturity.

9 Conclusions on responses and risk management processes covered by the

assignment. This covers both their design and how well they are working. The
conclusions need to be linked to the risks that are managed by the responses so that
the assignment can deliver the assurances that are the aims of this stage. One
suggested way to draw the conclusions is given in appendix B. This should be tailored
to individual needs.

An approach to implementing Risk Based Internal Auditing 21

 I M P L E M E N T I N G R B I A

10 Reporting and feedback. This should be in accordance with the organisation’s policies,
including whatever levels of review are required by audit management.

This step is critical to your aim of reinforcing management’s responsibility for managing
risks. Findings should be discussed with management in such a way that they take
responsibility for deciding on appropriate remedial actions, including all and any changes
to the risk register. If this is a big change in the style of the internal audit activity, the
effort required to implement it properly should not be underestimated. Internal audit may
need to play a bigger role in drafting and delivering reports for the first months of
implementing RBIA.

To complete the RBIA steps and stages the findings from individual assignments are fed
back into the overview of the organisation begun in Stage 1 because:

– The findings may change the conclusions on risk maturity and may need to be reflected
throughout the audit plan the next time it is updated.
– The findings need to be reflected in the reporting of risks so that management and the
audit committee understand where objective assurance has been provided.

11 Summarising the audit conclusions for the audit committee. This summary should:

– Support the requirement of any regulations6 which apply to the organisation.

– Fulfil the requirements of the audit charter.
– If not part of the charter, provide an opinion on whether risks are being managed
sufficiently to ensure the organisation’s objectives are being achieved and, within
reasonable limits, will be achieved in the future.

Repeating the cycle of RBIA The RBIA methodology is cyclical.

The interval between revisions in internal audit’s assessment of the risk maturity and its audit
planning depends on the nature of the organisation: how often its circumstances change
and how frequently it must report on risk management matters. The interval should be
agreed with the audit committee. Changes to the assessment of risk maturity may change the
audit strategy. Changes to the risk register, arising from changes to the assessment of risks
or from changes in the responses to risks, may change which responses require auditing, the
way they are allocated to audit assignments and the priority of the different audits.

Other sources of change include audit work, the risk management framework, the external
environment and the objectives of the organisation. Audit work gathers evidence on the risk
maturity of the organisation which is fed back into the assessment. The risk management
framework is a dynamic construction, dependent on people to operate effectively, and it
takes continuous effort to keep it working well. As the external environment and the
objectives of the organisation change, the circumstances and context of potential risk events
also change so that the risk register needs to evolve as time passes.

6 Such as the Financial Reporting Council’s Code on Corporate Governance including the Guidance on Internal Control (Turnbull)
and the Guidance on Audit Committees (Smith) and the International Standards for the Professional Practice of Internal Auditing

22 An approach to implementing Risk Based Internal Auditing


Benefits and
drawbacks of RBIA
Clear and unambiguous
conclusions on risk
management
Direct contribution to the
organisation’s objectives
Relationship with management
B E N E F I T S A N D D R A W B A C K S O F R B I A
RBIA is inextricably linked to the risk management framework. During Stage 1 it allows a
conclusion on the risk maturity of the organisation. If this is not high, it provides internal audit
with an opportunity to report that fact promptly to management and the audit committee so
that they can take immediate action.
While this allows the internal audit activity to provide value to its organisation, RBIA is a
challenging prospect. Organisations with a poor level of risk maturity may be that way
because the managers and directors do not accept that a good risk management framework
is an essential element of a sound system of internal control. Internal audit may need to
undertake a longer term programme of activity to champion risk management.
An effective risk management framework will improve an organisation’s governance and its
chances of achieving its objectives over the long term. The RBIA methodology makes a clear
and valuable contribution to the risk management framework by providing objective assurance
and by facilitating management’s efforts to improve the framework. It ensures that internal audit
resources are directed towards assessing the management of the most significant risks.
The RBIA approach requires increased management involvement.
Since the processes to be covered in audits exist in all parts of the organisation, audits may
involve managers in departments never before visited.
In order to discuss the responses deployed to manage risks and how management knows
these are working properly the internal auditor may need to involve a greater number of
more senior managers than might be involved in traditional audits.
RBIA emphasises management’s responsibility for managing risks. This must be stressed
during all meetings with managers.
The close-down meeting is less about management accepting internal audit’s recommendations
and more about management agreeing that an issue exists and determining what action it is
going to take and what reporting it needs to provide to the next level of management.
As a result, the head of internal audit may be required to market the benefits and the need
for internal audit. A much higher profile may be necessary in non-financial areas in order to
pave the way for audits that managers can understand and support. The implications for
staff expertise are discussed overleaf.
An approach to implementing Risk Based Internal Auditing 23
 B E N E F I T S A N D D R A W B A C K S O F R B I A

Management responsibility RBIA can be implemented fully only in risk enabled and risk managed organisations. One
for risk management characteristic of this level of risk maturity is that managers have to take responsibility for
managing risks. In taking responsibility for risks, managers understand that controls, like
other responses to risks, are not the responsibility of internal audit, imposed by internal audit,
but are their own responsibility.

Implementing RBIA means that the internal audit activity behaves in a way that reinforces
this management responsibility and thus contributes to a stronger risk management culture.

Achieving targets RBIA is an effective way to achieve targets set for the internal audit activity, such as:

• The compilation of an audit plan which ensures the internal audit activity fulfils its charter
• Gaining acceptance from management that it takes appropriate action to manage risks within
the risk appetite;
• Provision of objective assurance in the three areas of risk management normally required; and
• Keeping within the budget set for the activity.

Audit resources RBIA justifies the number of auditors required. The audit plan, including the resources
required, is driven by the proportion of processes and risks on which the audit committee
requires objective assurance. This differs from alternative approaches, where the resources
available determine the audits which can be carried out.

Staff expertise Internal auditors engaged in RBIA require more people and business skills, such as
interviewing, influencing, facilitating and problem solving.

The expansion of the audit universe to cover all risks threatening the organisation’s objectives
requires the internal auditor to conclude on the design and operation of responses to risks in
areas that may be new. This may require specialist knowledge that may be acquired as follows:

• Use specialist skills already available within the internal audit activity, e.g. computer auditors.
• Provide specialist training to auditors with general expertise, e.g. provide training on the
regulations and practices related to stress management to an auditor who already a holds
an Advanced Diploma in Internal Auditing and Management.
• Recruit temporary or permanent specialists from inside the organisation, e.g. a warehouse
manager from one overseas subsidiary could audit warehouse processes in another.
• Use specialists from outside the organisation, e.g. treasury specialists.

24 An approach to implementing Risk Based Internal Auditing

 B E N E F I T S A N D D R A W B A C K S O F R B I A

An audit trail for audits RBIA ties all aspects of internal auditing together; objectives, risks, processes for responses
and monitoring controls, tests and reports, see figure 6.

Figure 6
RBIA – An audit trail

Individual audit

Objectives

Risks

Responses Risk and audit

universe

Monitoring Controls

Testing

Conclusions on the Conclusions on the

effectiveness of risk management effectiveness of risk management
tested in the audit tested in other audits

Conclusions on the
effectiveness of risk management
in the organisation

Report to audit committee

on the effectiveness of the risk
management framework

The relevance of any test can be seen in relation to the opinion on the entire risk
management framework because of the relationships set up in the risk and audit universe.

RBIA provides an audit trail from an individual audit report back through tests, processes
and risks to objectives, and forward to the audit committee report on whether those
objectives are threatened.

An approach to implementing Risk Based Internal Auditing 25

 G L O S S A R Y O F T E R M S
Glossary of terms
Assurance: The delivery of an opinion or
conclusion regarding the credibility of disclosed
information and the process that delivers that
information or regarding the reliability of
processes according to their conformity with
certain criteria. The receiver of the opinion may or
may not be assured, depending on other
influences upon them.
Assurance Services: An objective examination of
evidence for the purpose of providing an
independent assessment on risk management,
control, or governance processes for the
organization. Examples may include financial,
performance, compliance, system security, and
due diligence engagements.
Audit universe: A list of audits showing the
processes that they cover and the importance or
priority of those processes.
Board: A board is an organisation’s governing
body, such as a board of directors, supervisory
board, head of an agency or legislative body,
board of governors or trustees of a non-profit
organisation.
Consulting Services: Advisory and related client
service activities, the nature and scope of which
are agreed with the client and which are intended
to add value and improve an organisation’s
governance, risk management, and control
processes without the internal auditor assuming
management responsibility. Examples include
counsel, advice, facilitation, and training.
Control: Any action taken by management, the
board, and other parties to manage risk and
increase the likelihood that established
objectives and goals will be achieved.
Management plans, organises and directs the
performance of sufficient actions to contain risk
to an acceptable level or to increase the
probability of a desired outcome.
Control Score: The difference between the
inherent risk score and residual risk score in a
quantitative system. The higher the value, the
more important the basket of responses that
create the difference. It can also be known as the
‘response score’.
Director: Member of a controlling board, such as a
company director, trustee, councillor or governor.
Enterprise: Any organisation established to
achieve a set of objectives.
26 An approach to implementing Risk Based Internal Auditing
Enterprise-wide Risk Management (ERM): A
structured, consistent and continuous process
across the whole organisation for identifying,
assessing, deciding on responses to and reporting
on opportunities and threats that affect the
achievement of its objectives.
Facilitating: Working with a group (or individual)
to make it easier for that group (or individual) to
achieve the objectives that the group has agreed
for the meeting or activity. This involves listening,
challenging, observing, questioning and
supporting the group and its members. It does not
involve doing the work or taking decisions.
Inherent (or Gross) Risk: The status of risk
(measured in terms of impact and likelihood)
without taking into account any risk response that
the organisation may already have in place.
Management of Risks: The implementation of
responses to risks, which reduce their threat to
below the level of the risk appetite or, where this
is not possible, reports the risk to the board.
Monitoring: Processes which report to
management, at appropriate intervals, the success,
or otherwise, of the responses to risks.
Periodic Audit Plan: A list of audits to be carried
out in a specified time frame.
Residual (Net) Risk: The status of risk
(measured in terms of impact and likelihood)
after taking into account any risk management
responses that the organisation may already
have in place.
Risk: The possibility of an event occurring that
will have an impact on the achievement of
objectives. Risk is measured in terms of
consequence and likelihood.
Risk Analysis: The systematic use of available
information to determine the likelihood of
specified events occurring and the magnitude of
their consequences, i.e. their impact.
Risk Appetite: The level of risk that is
acceptable to the board or management. This
may be set in relation to the organisation as a
whole, for different groups of risks or at an
individual risk level.
Risk Assessment: The overall process of risk
identification, risk analysis and risk evaluation.
Risk and Audit Universe: The part of the risk
register showing the audits which are intended to
provide assurance on the processes that manage
and monitor each risk.
Risk Evaluation: The process used to determine
risk management priorities by comparing the level
of risk against predetermined standards, target
risk levels or other criteria.
Risk Identification: The process of determining
what events might occur to affect the objectives of
the organisation and their root causes.
Risk Based Internal Auditing: A methodology
which provides assurance that the risk
management framework is operating as required
by the board.
Risk Management Framework: The totality of
the structures, methodology, procedures and
definitions that an organisation has chosen to use
to implement its risk management processes.
Risk Management Processes: Processes to
identify, assess, manage, and control potential
events or situations, to provide reasonable
assurance regarding the achievement of the
organisation’s objectives.
Risk Maturity: The extent to which a robust risk
management approach has been adopted and
applied, as planned, by management across the
organisation to identify, assess, decide on
responses to and report on opportunities and
threats that affect the achievement of the
organisation’s objectives.
Risk Register: A complete list of risks, identified
by management, which threaten the objectives of
the organisation.
Risk Responses: The means by which an
organisation elects to manage individual risks. The
main categories are to terminate the activity
creating the risk; to tolerate the risk; to transfer it
to another organisation; or to treat it by reducing
its impact or likelihood. Internal controls are one
way of treating a risk.
 F U R T H E R R E A D I N G

Further reading
The Institute of The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics.
Internal Auditors
Position statement on Risk Based Internal Auditing, 2003.

Position statement on The Role of Internal Audit in Enterprise-wide Risk Management, 2004.

All available on the website of the Institute of Internal Auditors – UK and Ireland
www.iia.org.uk

Standards and regulations The Financial Reporting Council’s Code on Corporate Governance including the Guidance on
Internal Control (Turnbull) and the Guidance on Audit Committees (Smith): Although these
documents are directly relevant to companies caught by the Listing Rules of the London
Stock Exchange and the Irish Stock Exchange, the principles they set out apply to any
organisation and are some of the most clear and concise available. The documents are
available from www.frc.org.uk.

A Risk Management Standard written by The Institute of Risk Management, The Association
of Insurance and Risk Managers (AIRMIC), and ALARM – The National Forum for Risk
Management in the Public Sector and supported by the Federation of European Risk
Management Associations (FERMA). This is available from www.theirm.org and gives a good
introduction to risk management.

ANZ Risk Management Standard, Standards Australia and Standards New Zealand (AS/NZS
4360:2004). This is the original standard, now revised. It can be obtained from
www.standards.co.nz or www.standards.org.au.

Enterprise Risk Management – integrated framework, Committee of Sponsoring

Organisations of the Treadway Commission (COSO). More details of this US standard are
available from www.coso.org.

Guidance It’s a risky business: a practical guide to risk based auditing, Chartered Institute of Public Finance
and Administration (CIPFA) Available from www.cipfa.org.uk. Aimed mainly at public service
organisations, this document provides considerable detail on risk management and risk maturity.

Management of risk – principles and concept (The Orange Book). HM Treasury. Available as a
download from www.hm-treasury.gov.uk, this is a useful introduction to risk management for any
organisation. The Orange Book contains a chapter on risk appetite. Also available is a Risk
Management Assessment Framework which can assist in defining the organisation’s risk maturity.

Implementing Turnbull – A Boardroom Briefing, Institute of Chartered Accountants in England

and Wales (ICAEW), can be downloaded from www.icaew.co.uk. It provides a good practical
approach to introducing risk to the boardroom.

Good practice checklist for assessing risk management in Higher Education Institutions
provides a checklist for assessing risk maturity. It can be downloaded from www.hefce.ac.uk/
finance/assurance/guide/checklist.doc.

An approach to implementing Risk Based Internal Auditing 27

 A P P E N D I C E S

Appendices
Guidance on implementing key aspects of the RBIA methodology

Appendix A – Assessing the organisation’s risk maturity

Risk naïve Risk aware Risk defined Risk managed Risk enabled Sample audit test
Key characteristics
No formal approach Scattered silo based Strategy and policies Enterprise approach Risk management
developed for risk approach to risk in place and to risk management and internal controls
management management communicated. developed and fully embedded into
Risk appetite defined communicated the operations
Process
The organisation's Possibly Yes – but may be no Yes Yes Yes Check the organisation's
objectives are consistent approach objectives are determined
defined by the board and have been
communicated to all staff.
Check other objectives and
targets are consistent with
the organisation's objectives
Management have No Some limited training Yes Yes Yes Interview managers to
been trained to confirm their understanding
understand what of risk and the extent to
risks are, and their which they manage it
responsibility for them
A scoring system for No Unlikely, with no Yes Yes Yes Check the scoring system
assessing risks has consistent approach has been approved,
been defined defined communicated and is used
The risk appetite of No No Yes Yes Yes Check the document on
the organisation has which the controlling body
been defined in terms has approved the risk
of the scoring system appetite. Ensure it is
consistent with the scoring
system and has been
communicated
Processes have been No Unlikely Yes, but may not Yes Yes Examine the processes to
defined to determine apply to the whole ensure they are sufficient to
risks, and these have organisation ensure identification of all
been followed risks. Check they are in use,
by examining the output
from any workshops
All risks have been No Some incomplete Yes, but may not Yes Yes Examine the Risk Register.
collected into one list. lists may exist apply to the whole Ensure it is complete,
Risks have been organisation regularly reviewed, assessed
allocated to specific and used to manage risks.
job titles. Risks are allocated to
managers
All risks have been No Some incomplete Yes, but may not Yes Yes Check the scoring applied
assessed in lists may exist apply to the whole to a selection of risks is
accordance with the organisation consistent with the policy.
defined scoring Look for consistency (that is,
system similar risks have similar
scores)
Responses to the No Some responses Yes, but may not Yes Yes Examine the Risk Register to
risks have been identified apply to the whole ensure appropriate
selected and organisation responses have been
implemented identified
Management have No Some monitoring Yes, but may not Yes Yes For a selection of responses,
set up methods to controls apply to the whole processes and actions,
monitor the proper organisation examine the monitoring
operation of key control(s) and ensure
processes, responses management would know if
and action plans the responses or processes
(‘monitoring controls’) were not working or if the
actions were not
implemented
Continued opposite

28 An approach to implementing Risk Based Internal Auditing

 A P P E N D I C E S

Appendix A – Assessing the organisation’s risk maturity (continued)

Risk naïve Risk aware Risk defined Risk managed Risk enabled Sample audit test
Process
Risks are regularly No Some risks are Regular reviews, Regular reviews, Regular reviews, Check for evidence that a
reviewed by the reviewed, but probably annually probably quarterly Probably quarterly thorough review process is
organisation infrequently regularly carried out
Management report No No Yes, but may be Yes Yes For risks above the risk
risks to directors no formal process appetite, check that the
where responses have board has been formally
not managed the risks informed of their existence
to a level acceptable
to the board.
All significant new No No Most projects All projects All projects Examine project proposals
projects are routinely for an analysis of the risks
assessed for risk which might threaten them
Responsibility for the No No Limited Most job descriptions Yes Examine job descriptions.
determination, Check the instructions for
assessment, and setting up job descriptions
management of risks
is included in job
descriptions
Managers provide No No No Some managers Yes Examine the assurance
assurance on the provided. For key risks,
effectiveness of their check that controls and the
risk management management system of
monitoring, are operating
Managers are No No No Some managers Yes Examine a sample of
assessed on their appraisals for evidence that
risk management risks management was
performance properly assessed for
performance
Internal Audit Promote risk Promote enterprise- Facilitate risk Audit risk Audit risk
approach management and rely wide approach to management/liaise management management
on alternative audit risk management with risk management processes and processes and use
planning method and rely on and use management use management management
alternative audit assessment of risk assessment of risk assessment of risk
planning method where appropriate as appropriate as appropriate

Appendix B – Guidance on assigning audit conclusions

Conclusion on:
Risks have been identified,
evaluated and managed
Responses manage risks to
acceptable levels (that is to within the
risk appetite of the organisation)
Criteria
Thorough processes have been used
and all significant risks should have
been identified.
The risk is being mitigated to an
acceptable level by the response(s)
Report as Supplementary issue, if cost
effective controls can reduce the risk
further, otherwise do not report
Processes have been used, but there
are some deficiencies
The risk is not being mitigated to an
acceptable level by the response(s),
although the consequence from the
risk occurring, or likelihood of the risk
occurring, is not considered
significant. There is the possibility that
some objectives will not be achieved
Inadequate, or no, processes have been used
The risk is not being mitigated to an acceptable
level by the response(s) and it is probable that
some objectives will not be achieved, with
significant (material) results (red) or The risk is
not being mitigated to an acceptable level by
the response(s) and objectives are not being
achieved, with significant results

Report as: Key issue Report as: Key issue

Action being taken to promptly The action being taken will result in The action being taken will result in No action is being taken, OR insufficient action
remedy significant failings or all risks being mitigated some reduction in risk but not to is being taken to mitigate risks
weaknesses acceptable levels
Current levels of monitoring No more monitoring is necessary Some additional monitoring is required Major improvements are required to the
are sufficient than is done at present monitoring of controls
Colour: Green Amber Red
Grading: Acceptable Issues Unacceptable

An approach to implementing Risk Based Internal Auditing 29

 A P P E N D I C E S

Illustrations of how you might document parts of the

risk management framework and RBIA
The following five appendices are provided to help illustrate some of the ideas in this guidance. They should not be interpreted as
recommendations or in any way indicating that these are the only way to document the related concepts:

Appendix C – Risk register (Part)

Business Process Process Key risk I L Inherent E O A Treatment Monitoring I L Residual Control
unit Description to process Score (examples) (examples) Score Score
Purchasing Define The objectives of The objectives will 5 5 25 The strategic The strategic 5 1 5 20
objectives the processes for not deliver the objectives of the objectives are
purchasing are organisation's purchasing approved by
defined objectives department are set the board
effectively and out in a document,
efficiently which is used in the
induction of new
staff and appears
on the company's
intranet site
Purchasing Purchase Purchase items The purchased 5 5 25 Raw materials are Quality Control 0 25
raw to manufacture items are specified exactly by check all
materials goods unsuitable, too formulation deliveries.
expensive or department. All cost The buyer is
delivered late changes over 5% informed of
must be authorised failed batches
by the Sales Director. and late
Late deliveries are deliveries and
highlighted by the the supplier is
supply system. warned. The
gross profit
report will
highlight
excessive cost
increases.
Purchasing Purchase Purchase items A major supplier 5 5 25 Vital raw materials The planning 5 3 15 10
raw to manufacture of a vital raw are always sourced department in
materials goods material, not through two manufacturing
obtainable suppliers. In the monitor all
elsewhere, is few cases where stock levels
not able to this is not possible,
deliver additional stocks
are held to cover
one month's
production
Purchasing Purchase Purchase fixed Assets are not 4 5 20 The purchase of all The fixed asset 4 2 8 12
assets assets required, not fixed assets must be system produces
suitable or too approved according a report which
expensive to a defined shows variances
authorisation list. of fixed asset
Assets purchased expenditure
over £1000 require against budgets.
additional cost
justification.
Key: I = impact, L = likelihood, E = Terminate, O = Tolerate, A = Transfer

30 An approach to implementing Risk Based Internal Auditing

 A P P E N D I C E S

Appendix D – Audit universe (Part)

Last audit details
Business Audit name Audit Last Last Last Last Last Final Last Next Next Next Status Next
unit Group audit audit audit timing final report result audit audit timing final
number Budget actual report achieved number Budget report
Target Target
Purchasing Purchasing Q 123 3 4 June 23/6/04 28/6/04 accept 3 March Not
strategy 2004 2006 planned
Purchasing Purchasing for R 124 20 20 Sept 25/10/04 10/11/04 unacc 253 18 Sept planned 25/10/05
manufacture 2004 2005
Purchasing Purchase of S
assets
Purchasing Purchase of T
goods for resale
Purchasing Purchase of U
expense goods
and services
Factory Manufacturing X
strategy
Factory Product Y
design
Factory Manufacturing Z
specification
Factory Scheduling AA
manufacture
Factory Production AB
accounting
Factory Environmental AC
audit

An approach to implementing Risk Based Internal Auditing 31

 A P P E N D I C E S

Appendix E – Risk & audit universe (Part)

Business Key risk Treatment Monitoring I L Residual Control Audit Audit Last Final Last result
unit to process (examples) (examples) Score score name Group audit report
number achieved
Purchasing The objectives The strategic The strategic 5 1 5 20 Purchasing Q 123 28/6/04 accept
will not deliver objectives of the objectives are strategy
the organisation’s purchasing approved by
objectives department are the board
effectively and set out in a
efficiently document,
which is used in
the induction of
new staff and
appears on the
company's
intranet site
Purchasing The purchased Raw materials Quality Control 0 25 Purchasing for Q 124 10/11/04 unacceptable
items are are specified check all manufacture
unsuitable, too exactly by deliveries. The
expensive or formulation buyer is
delivered late department. informed of
All cost changes failed batches
over 5% must and late
be authorised deliveries and
by the Sales the supplier is
Director. Late warned. The
deliveries are gross profit
highlighted by report will
the supply highlight
system. excessive cost
increases
Purchasing A major supplier Vital raw The planning 5 3 15 10 Purchasing for R
of a vital raw materials are department in manufacture
material, not always sourced manufacturing
obtainable through two monitor all
elsewhere, is suppliers. In the stock levels
nota ble to few cases
deliver where this is
not possible,
additional
stocks are held
to cover one
month's
production
Purchasing Assets are not The purchase The fixed asset 4 2 8 12 Purchase of S
required, not of all fixed system produces assets
suitable or too assets must be a report which
expensive approved shows variances
according to a of fixed asset
defined expenditure
authorisation against budgets
list. Assets
purchased over
£1000 require
additional cost
justification

32 An approach to implementing Risk Based Internal Auditing

 A P P E N D I C E S

Appendix F – Audit plan (April 2005 – March 2006)

Business unit Audit name Audit Group Next audit Next audit Next timing Next auditor Status Next final
number Budget report Target
Purchasing Purchasing Q 3 March 2006 Not planned
strategy
Purchasing Purchasing R 253 18 Sept 2005 Smith planned 25/10/05
for manufacture
Purchasing Purchase of S 254 20 April 2005 Shah In progress 3/5/05
assets
Purchasing Purchase of T
goods for resale
Purchasing Purchase of U
expense goods
and services
Factory Manufacturing X
strategy
Factory Product Y
design
Factory Manufacturing Z
specification
Factory Scheduling AA
manufacture
Factory Production AB
accounting
Factory Environmental AC
audit

An approach to implementing Risk Based Internal Auditing 33

 A P P E N D I C E S

Appendix G – Individual audit database for expense purchasing (Part)

Process Process Risk to process Example Example Tests Issue
Description treatment monitoring
Define the strategy Set down targets for The strategy does The strategy for Directors check the Examine the latest None – an approved
for expense the year(s) ahead, not maximise purchasing expense strategy for strategy document strategy exists
purchasing for example, efficiency and goods and services departments under
meeting the budget, effectiveness and is updated each their control. The
improving staff is not consistent with year, prior to setting overall budget is
efficiency, handling the organisation’s targets and budgets approved by the
more orders strategy for the areas board
concerned. These
targets and budgets
are approved by
management
finance.
Deliver the strategy Form an action plan, Any member of staff Rights to place The policy is checked Examine the policy. Issue – some new staff are
with the staff can authorise the requisitions and every year to ensure Check it is up-to- not aware of the strategy as
involved, to deliver purchase of any orders are in a it is correct date, appropriate it was omitted from their
the strategy goods or services written policy staff have a copy induction training
and know how to
use it. As part of
other tests, ensure
adherence to the
policy
Set up Suppliers Set up new Supplier details are Details of all Details of Suppliers Check individual Issue – no evidence of the
Suppliers on the not correctly input/ changes to the and the amount reports over the last check on the reports
computer system, modified Supplier master file spent with them are six months for
or modify existing are printed on a printed out every six evidence of
details. Includes report which is months for checking. Observe
addresses and checked to authorisation by the the process in action.
payment terms supporting Purchasing Director
documentation by
staff who are not
involved in changing
Supplier details
Set up Suppliers Set up new False Suppliers are Details of all Details of Suppliers Check individual Issue – no evidence of the
Suppliers on the set up and paid changes to the and the amount reports over the last check on the reports
computer system, or Supplier master file spent with them are six months for
modify existing are printed on a printed out every six evidence of
details. Includes report which is months for checking. Observe
addresses and checked to authorisation by the the process in action.
payment terms supporting Purchasing Director
documentation by
staff who are not
involved in changing
Supplier details

34 An approach to implementing Risk Based Internal Auditing

Disclaimer This material is not intended to provide definitive answers to specific individual
circumstances and as such is intended to be used only as a guide. The IIA recommends
that you always seek independent expert advice relating directly to any specific situation.
The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright © 2005 by The Institute of Internal Auditors – UK and Ireland Ltd, 13 Abbeville Mews,
88 Clapham Park Road, London SW4 7BX. All rights reserved. Printed in the United Kingdom.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form by any means – electronic, mechanical, photocopying, or otherwise – without the
prior written permission of the Institute.
www.iia.org.uk
Institute of Internal Auditors – UK and Ireland Ltd
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101 Fax 020 7978 2492 Email technical@iia.org.uk
Registered in England and Wales, no. 1474735
ISBN 0-906999-31-6
© December 2005. Information can be made available in other formats.