
Developing a Risk-Based Strategic & Annual Internal Audit Plan – Part I

by Abdul R. Koromah
Ministry of Finance & Economic Development
Outline of Presentation
• Learning Objectives
• IIA Planning Standards
• Strategic Planning Process
• Audit Universe
• Strategic Risk Assessment Process
• Risk Prioritization
• Resource Model
• Staff Estimated Audit Hours
• Selection of Risk-Based Auditable Units
Learning Objectives
• Introduce the IIA Planning Standards
• Concept of Strategic Risk-Based Planning
• Strategic Risk-Based planning process
• Identify Audit Universe
• Understand and apply risk factors
• Rating and Ranking of audit universe
• Prioritizing risky audit universe
• Resource model
• Selection of Risk-Based auditable units
• Provide the techniques for developing a challenging & realistic plan that conforms to International Standards.
Strategic Internal Audit Planning Process

[Process diagram: Audit Universe, Risk Assessment, Prioritisation and Sizing, Selection, Audit Plan Approval; supporting elements: Risk Parameters, Coverage Parameters, Required Audits]
...with refinements to meet specific needs and improve sustainability and
flexibility.
Approach to Risk Assessment
Base your risk assessment and Audit Plan
around the Auditable Units or Audit Universe.
Audit Universe
• The auditable areas / units in the entity.
• This is defined as the business processes within the
institution where the risks originate or are
managed.
• IA must conduct an entity-wide risk assessment
that identifies broad risks that are pervasive
throughout the entity, as well as process-level risk
assessments that evaluate the inherent risks at the
line-of-business or function level.
• IA should continually re-evaluate the audit
universe for changes in new lines of business or
products, business strategy, and external factors
and determine the effect on IA coverage.
Risk Assessment
A process used to identify and evaluate risk
and its potential effects.
It includes assessing the critical functions
necessary for an enterprise to continue
business operations, defining the controls in
place to reduce enterprise exposure and
evaluating the cost for such controls. Risk
analysis often involves an evaluation of the
probabilities of a particular event.
Purpose of Risk Assessment
 Allocate limited resources to areas of the
organization that are most critical to the
success of the organization in reaching its
goals.
 Internal audit efficiency & effectiveness is
increased when audit effort is matched to risk
in the various auditable units of the
organization.
Stages of the Risk Assessment Process
A well-developed risk assessment model will
provide an efficient and systematic procedure
to:
1. Determine the auditable areas of an entity
2. Measure the risk of each unit and identify
activities exposed to high risk
3. Rank the units by risk
4. Determine the time necessary to complete
audits
5. Distribute available resources in the most
efficient manner, and
6. Develop annual and long-term audit plans
Universal Risk Factors
These are factors which are indicative of risks.
They can be either inherent or control related.
They are as follows:
• Number of full time employees
• Budgeted expenditures
• Budgeted revenue
• Liquidity and negotiability of assets (Level of
cash and assets easily converted to cash
handled by the department)
Examples of Risk Factors
• Complexity of transactions
• Compliance with laws and regulations (Level
of potential loss due to regulatory sanctions or
penalties)
• Public exposure and interest
• Quality of internal controls
Other Risk Factors
1. Management stability
2. Degree of automation
3. Confidence in mgt
4. Extent of major change
5. Employee Turnover
6. Environmental factors
7. Competitive pressures
8. Control environment
9. Time since last audit
10. Prior audit results
11. Economic conditions (fraud increases in bad economy).
12. Recent accounting system changes
Measuring Risk of Audit Universe
The goal of risk assessment is to determine
units exposed to high risk and allocate limited
audit resources appropriate to that level of
risk. Steps to accomplish this purpose, which
ultimately result in audit selection and
inclusion in the annual audit plan, include the
following:
1. Identify and catalogue auditable activities
(the “audit universe”) of the organization.
2. Select the criteria (risk factors) used to
identify the significance of and likelihood
that conditions and/or events may occur that
would adversely affect the organization.
3. Weight the selection (risk) factors in terms of
importance to management, external
influences, and the auditor.
4. Prepare an audit selection schedule that
includes the factors for each audit universe
item.
5. Compute the weighted score for each
universe item and the cumulative factor score.
6. Select and prioritize the audits to be
conducted
7. Examine available resources
Risk Rating Process
A management questionnaire is used to
determine the risk score for each “risk factor” in
the audit universe. The risk factors are then rated
for all auditable units. Two ways of doing this are:
1. A risk score of 0 (low), 3 (medium low), 5
(medium), 7 (medium high), or 9 (high) for each
of the risk factors.
2. A basic model of rating the program using (High,
Medium, and Low) which essentially translates
to a one-three scale with one representing the
lowest level of risk and three the highest.
Risk Rating (Continued)
The weighted factors are added to obtain the
representative total impact and probability
score for each auditable unit. Weights are
assigned to each risk factor based on relative
importance as determined by input from
Audit staff.
Once the total scores have been calculated
the list of auditable units can be sorted from
highest to lowest by their respective total risk.
Risk Prioritization
This involves the ranking of the audit universe
based on the result of the risk assessment.
Each unit in the universe is separately
evaluated and assigned a point value known
as the total risk score.
Which Animal Poses the Greater Risk?
A Tiger A Lion
Resource Model
Due to the size of auditable units, all audits
are rated from highest to lowest risk, and those
that can be completed by available staff during
the fiscal year are then selected. This
approach is the Resource Model of risk
assessment, based on the available resources of
the audit function.
Risk-Based Planning Questions?
• What percent of your audits are risk-based
assurance audits?
• Consulting engagements?
• Management requests?
• Board / Audit Committee requests?
• Do you perform the same audit(s) each year
no matter the results during the prior audit?
Calculation of Estimated Audit Hours
The annual audit plan will be based on the full
utilization of available audit staff resources.
The standard hours for each auditor are 2,080
(5dys x 8hrs x 52wks). The estimated working
hours are arrived at after adjusting for the
following:
Holidays, leave, sick time, training and
professional development, service on
committees, attendance at various staff and
other meetings.
Sample of Staff Budgeted Hrs

Details                                                      Hours
Standard hours per staff per annum (5dys x 8hrs x 52wks)     2,080
Less adjustments:
  Leave (4wks x 40hrs)                                       (160)
  Sick leave (5dys x 8hrs)                                    (40)
  Holidays (10dys x 8hrs)                                     (80)
  Professional development, training & meetings              (250)
Total estimated hrs per audit staff                          1,550


Total Estimated Hrs for IA

Ser   Designation            No. of staff   Estimated hours   Total hrs
1.    Head Internal Audit    1              1,550             1,550
2.    Principal Auditor      1              1,550             1,550
3.    Senior Auditors        3              1,550             4,650
4.    Auditors               5              1,550             7,750
5.    Assistants             10             1,550             15,500
Total estimated hours available for internal audit work       31,000
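
The rating, ranking and resource-model steps described above, worked through as an added example that is not part of the original presentation. The unit names, factor weights, ratings and per-audit hours are constructed sample values; the hour adjustments and staff counts are the ones in the tables above. Skipping an audit that does not fit and continuing down the ranking is an assumption about how the resource model is applied.

```python
FACTORS = ("budgeted_expenditure", "internal_controls",
           "transaction_complexity", "time_since_last_audit")
WEIGHTS = (3, 3, 2, 2)            # assumed relative importance per factor
VALID_RATINGS = {0, 3, 5, 7, 9}   # low .. high, the 0/3/5/7/9 scale

# Constructed audit universe: unit -> (ratings per factor, estimated hours)
UNIVERSE = {
    "Procurement":          ((9, 7, 7, 5), 12000),
    "Payroll":              ((7, 5, 3, 9), 8000),
    "Revenue collection":   ((9, 9, 5, 0), 14000),
    "Stores and inventory": ((5, 3, 3, 7), 6000),
    "Fleet management":     ((3, 3, 0, 5), 4000),
}

# Values taken from the two tables above
ADJUSTMENTS = {"leave": 160, "sick": 40, "holidays": 80, "training_meetings": 250}
STAFF = {"Head Internal Audit": 1, "Principal Auditor": 1,
         "Senior Auditors": 3, "Auditors": 5, "Assistants": 10}


def available_hours(standard=5 * 8 * 52):
    """Staff count times standard hours net of the listed adjustments."""
    per_staff = standard - sum(ADJUSTMENTS.values())
    return per_staff * sum(STAFF.values())


def weighted_score(ratings):
    """Sum of weight x rating; rejects ratings outside the 0/3/5/7/9 scale."""
    if len(ratings) != len(FACTORS) or not set(ratings) <= VALID_RATINGS:
        raise ValueError(f"invalid ratings: {ratings}")
    return sum(w * r for w, r in zip(WEIGHTS, ratings))


def rank_universe(universe):
    """Units sorted from highest to lowest total risk score."""
    scored = [(weighted_score(r), name, hrs) for name, (r, hrs) in universe.items()]
    return sorted(scored, key=lambda x: (-x[0], x[1]))


def build_plan(universe, budget):
    """Resource model: walk the ranking, keep each audit that still fits."""
    selected, deferred = [], []
    for _score, name, hrs in rank_universe(universe):
        if hrs <= budget:
            selected.append(name)
            budget -= hrs
        else:
            deferred.append(name)
    return selected, deferred, budget


if __name__ == "__main__":
    plan, deferred, spare = build_plan(UNIVERSE, available_hours())
    print("Plan:", plan, "| deferred:", deferred, "| unallocated hours:", spare)
```

The deferred list is worth reviewing before approval: here a higher-scoring unit is left out only because its estimated hours exceed what remains.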
THANK YOU

QUESTION TIME
