by Abdul R. Koromah
Ministry of Finance & Economic Development

Outline of Presentation
• Learning Objectives
• IIA Planning Standards
• Strategic Planning Process
• Audit Universe
• Strategic Risk Assessment Process
• Risk Prioritization
• Resource Model
• Staff Estimated Audit Hours
• Selection of Risk-Based Auditable Units

Learning Objectives
• Introduce the IIA Planning Standards
• Concept of Strategic Risk-Based Planning
• Strategic Risk-Based planning process
• Identify Audit Universe
• Understand and apply risk factors
• Rating and Ranking of audit universe
• Prioritizing risky audit universe
• Resource model
• Selection of Risk-Based auditable units
• Provide the techniques for developing a challenging & realistic plan that conforms to International Standards.

Strategic Internal Audit Planning Process
[Diagram: Audit Universe -> Risk Assessment -> Prioritisation and Sizing -> Selection -> Audit Plan Approval, with Risk Parameters, Coverage Parameters and Required Audits as inputs]
...with refinements to meet specific needs and improve sustainability and flexibility.

Approach to Risk Assessment
Base your risk assessment and Audit Plan around the Auditable Units or Audit Universe.

Audit Universe
• The audit universe is the set of auditable areas / units in the entity.
• This is defined as the business processes within the institution where the risks originate or are managed.
• IA must conduct an entity-wide risk assessment that identifies broad risks that are pervasive throughout the entity, as well as process-level risk assessments that evaluate the inherent risks at the line-of-business or function level.
• IA should continually re-evaluate the audit universe for changes in new lines of business or products, business strategy, and external factors, and determine the effect on IA coverage.

Risk Assessment
A process used to identify and evaluate risk and its potential effects. It includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Purpose of Risk Assessment
Allocate limited resources to areas of the organization that are most critical to the success of the organization in reaching its goals. Internal audit efficiency & effectiveness are increased when audit effort is matched to risk in the various auditable units of the organization.

Stages of the Risk Assessment Process
A well-developed risk assessment model will provide an efficient and systematic procedure to:
1. Determine the auditable areas of an entity
2. Measure the risk of each unit and identify activities exposed to high risk
3. Rank the units by risk
4. Determine the time necessary to complete audits
5. Distribute available resources in the most efficient manner, and
6. Develop annual and long-term audit plans

Universal Risk Factors
These are factors which are indicative of risks. They can be either inherent or control related. They are as follows:
• Number of full time employees
• Budgeted expenditures
• Budgeted revenue
• Liquidity and negotiability of assets (Level of cash and assets easily converted to cash handled by the department)

Examples of Risk Factors
• Complexity of transactions
• Compliance with laws and regulations (Level of potential loss due to regulatory sanctions or penalties)
• Public exposure and interest
• Quality of internal controls

Other Risk Factors
1. Management stability
2. Degree of automation
3. Confidence in mgt
4. Extent of major change
5. Employee Turnover
6. Environmental factors
7. Competitive pressures
8. Control environment
9. Time since last audit
10. Prior audit results
11. Economic conditions (fraud increases in bad economy).
12. Recent accounting system changes

Measuring Risk of Audit Universe
The goal of risk assessment is to determine units exposed to high risk and allocate limited audit resources appropriate to that level of risk. Steps to accomplish this purpose, which ultimately results in audit selection and inclusion in the annual audit plan, include the following:
1. Identify and catalogue auditable activities (the "audit universe") of the organization.
2. Select the criteria (risk factors) used to identify the significance of and likelihood that conditions and/or events may occur that would adversely affect the organization.
3. Weight the selection (risk) factors in terms of importance to management, external influences, and the auditor.
4. Prepare an audit selection schedule that includes the factors for each audit universe item.
5. Compute the weighted score for each universe item and the cumulative factor score.
6. Select and prioritize the audits to be conducted
7. Examine available resources

Risk Rating Process
A management questionnaire is used to determine the risk score for each "risk factor" in the audit universe. The risk factors are then rated for all auditable units. Two ways of doing this are:
1. A risk score of 0 (low), 3 (medium low), 5 (medium), 7 (medium high), or 9 (high) for each of the risk factors.
2. A basic model of rating the program using (High, Medium, and Low) which essentially translates to a one-three scale with one representing the lowest level of risk and three the highest.

Risk Rating (Continued)
The weighted factors are added to obtain the representative total impact and probability score for each auditable unit. Weights are assigned to each risk factor based on relative importance as determined by input from Audit staff. Once the total scores have been calculated, the list of auditable units can be sorted from highest to lowest by their respective total risk.

Risk Prioritization
This involves the ranking of the audit universe based on the result of the risk assessment. Each unit in the universe is separately evaluated and assigned a point value known as the total risk score.

Which Animal Poses the Greater Risk?
A Tiger / A Lion

Resource Model
Due to the size of auditable units, all audits are rated from highest to lowest risk, and those that can be completed by available staff during the fiscal year are then selected. This approach is the Resource Model of risk assessment, based on available resources of the audit function.

Risk-Based Planning Questions?
• What percent of your audits are risk-based assurance audits?
• Consulting engagements?
• Management requests?
• Board / Audit Committee requests?
• Do you perform the same audit(s) each year no matter the results during the prior audit?

Calculation of Estimated Audit Hours
The annual audit plan will be based on the full utilization of available audit staff resources. The standard hours for each auditor are 2,080 (5dys x 8hrs x 52 wks).
The estimated working hours are arrived at after adjusting for the following: holidays, leave, sick time, training and professional development, service on committees, and attendance at various staff and other meetings.

Sample of Staff Budgeted Hrs

Details                                                        Hours
Standard hours per staff per annum (5dys x 8hrs x 52wks)       2,080
Less adjustments:
  Leave (4wks x 40hrs)                                         (160)
  Sick leave (5dys x 8hrs)                                      (40)
  Holidays (10dys x 8hrs)                                       (80)
  Professional development, training & meetings                (250)
Total estimated hrs per audit staff                            1,550

Total Estimated Hrs for IA

Ser  Designation           No. of staff  Estimated hours  Total hrs
1.   Head Internal Audit              1            1,550      1,550
2.   Principal Auditor                1            1,550      1,550
3.   Senior Auditors                  3            1,550      4,650
4.   Auditors                         5            1,550      7,750
5.   Assistants                      10            1,550     15,500
Total estimated hours available for internal audit work     31,000

THANK YOU
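
The rating, weighting, ranking and resource-model steps described in this presentation can be worked through in code. The following is an added example, not part of the original presentation: the unit names, factor weights, ratings and per-audit hour estimates are constructed, while the 0/3/5/7/9 scale and the 1,550 hours per staff member come from the slides.

```python
# Added example: names, weights, ratings and audit-hour estimates are constructed.
RATING_SCALE = {0, 3, 5, 7, 9}                   # low .. high, per the rating slide
HOURS_PER_AUDITOR = 2080 - 160 - 40 - 80 - 250   # 1,550 estimated hours per staff

# Assumed factor weights in percent (relative importance); must total 100.
WEIGHTS = {"budget": 30, "liquidity": 25, "controls": 25, "last_audit": 20}

def _r(budget, liquidity, controls, last_audit):
    return {"budget": budget, "liquidity": liquidity,
            "controls": controls, "last_audit": last_audit}

# Constructed audit universe: (unit, estimated audit hours, rating per factor).
UNIVERSE = [
    ("Payroll",            7000, _r(7, 3, 5, 9)),
    ("Treasury",           9000, _r(9, 9, 7, 5)),
    ("Records Management", 2000, _r(0, 0, 3, 7)),
    ("Procurement",        8000, _r(7, 5, 9, 7)),
    ("Fixed Assets",       4000, _r(3, 3, 5, 5)),
    ("Revenue Collection", 6500, _r(9, 7, 5, 3)),
]

def total_risk(ratings, weights=WEIGHTS):
    """Weighted total risk score for one auditable unit (0.0 to 9.0)."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must total 100")
    if set(ratings) != set(weights):
        raise ValueError("every risk factor must be rated exactly once")
    if not set(ratings.values()) <= RATING_SCALE:
        raise ValueError("ratings must be one of 0, 3, 5, 7, 9")
    return sum(weights[f] * ratings[f] for f in weights) / 100

def rank(universe):
    """Sort units from highest to lowest total risk (name breaks ties)."""
    scored = [(total_risk(r), name, hours) for name, hours, r in universe]
    return sorted(scored, key=lambda s: (-s[0], s[1]))

def build_plan(universe, staff):
    """Resource model: take units in risk order until staff hours run out."""
    remaining = staff * HOURS_PER_AUDITOR
    plan, deferred = [], []
    for _score, name, hours in rank(universe):
        # Assumption: strict cut-off, so a lower-risk unit never displaces
        # a higher-risk unit that did not fit.
        if not deferred and hours <= remaining:
            plan.append(name)
            remaining -= hours
        else:
            deferred.append(name)
    return plan, deferred, remaining
```

Calling `build_plan(UNIVERSE, staff=20)` uses the 31,000 hours from the staffing table; the deferred list is what a long-term plan would carry forward.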