
Internal Audit Strategy (Auditee Selection) and Risk Based Audit

taufikur@ugm.ac.id
Standard Related to
Internal Audit Strategy (Auditee
Selection)
Standard 520.01 states that the director of the
internal auditing department should establish audit
plans “consistent with the internal auditing
department’s charter and the goal of organization.”
Guideline 520.04 states that the audit work
schedules should include
(a) what activities are to be audited
(b) when they will be audited
(c) the estimated time required
Standard Related to
Internal Audit Strategy (Auditee
Selection)
Standard 520.04 adds that the auditor should consider
7 factors when setting audit priorities:
1. The date and results of the last audit
2. Financial exposure
3. Potential loss and risk → focus on internal control
4. Requests by management
5. Major changes in operations, programs, systems and
control
6. Opportunities to achieve operating benefits
7. Changes to and capabilities of the auditing staff
3 Types of Internal Audit Strategy
(Auditee Selection)
Systematic Approach
Ad Hoc
Audit requested by the board
Audit requested by auditees
Steps to Internal Audit Strategy
(Auditee Selection)
Systematic Approach
Set strategy for selection of auditees → Identify potential auditees → Rank potential auditees by risk → Choose entities to be audited
Steps to Select Auditees
Step 1: Set strategy to identify potential auditees
Look at organization relative to:
1. The location of plants, stores, assets, etc
2. The total dollar amounts associated with each location or with types of
operations
3. The level of detail or complexity of the various activities, operations, or
processes
4. Available manpower in the audit department
5. The degree of management concern regarding the various activities,
operations, or process
6. Functional organizational units
7. Transaction cycles
8. Decision centers
Steps to Select Auditees
Step 2: Identification of possible auditees
Based on the strategy, select the possible auditees
(the organizational units to be audited)
Define potential auditees so that no more than a specific
number of hours is required for any one audit
Where a choice exists between selecting a larger organizational
unit or its several subunits separately,
define the auditee according to the relative independence (or
integration) of the subunits
Steps to Select Auditees
Step 3: Rank potential auditees by risk
7 factors that the auditor should consider when assessing the
comparative risk associated with different potential auditees:
1. The date and results of the last audit
2. Financial exposure
3. Potential loss and risk → focus on internal control
4. Requests by management
5. Major changes in operations, programs, systems and control
6. Opportunities to achieve operating benefits
7. Changes to and capabilities of the auditing staff
Other factors could be considered, such as those in the study performed by
James M. Patton, John H. Evans, and Barry L. Lewis (A Framework
for Evaluating Internal Audit Risk, Research Report Number 25, the
IIA, 1982)
Steps to Select Auditees
Ways to incorporate the various risk factors
into the needed ranking decision
Select the 5 most important risk factors for units in
the organization
Score each auditable unit on each of the 5 selected
risk factors
Total the points for each auditable unit to compute
a ‘risk score’
Rank the units according to their risk scores
Look at exhibit 6-7
Steps to Select Auditees
Step 4: Choose entities to be audited
(Selection of auditees for budget period)
Constraint: limited resources → audit hours
Audit hours:
number of auditors x
hours per week x
weeks in a year the auditor is expected to perform audits
Total the hours required by the possible auditees, then compare
with the total audit hours available
Look at exhibit 6-8
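Steps 3 and 4 worked through in code, as an added example that is not part of the original slides: each unit is scored on five risk factors, the totals give the ranking, and units are chosen against the available audit hours. The unit names, scores, the 1 to 5 scale, the choice of five factors and the skip-if-it-does-not-fit policy are all assumptions.

```python
from dataclasses import dataclass

# Five factors picked from the page's list of seven (which five is an assumption).
FACTORS = ("last_audit", "financial_exposure", "potential_loss",
           "management_request", "major_changes")

@dataclass(frozen=True)
class Unit:
    name: str
    scores: tuple   # one score per entry in FACTORS, 1 (low) to 5 (high); scale is assumed
    est_hours: int  # estimated hours needed to audit this unit

    def risk_score(self) -> int:
        if len(self.scores) != len(FACTORS):
            raise ValueError(f"{self.name}: need {len(FACTORS)} factor scores")
        return sum(self.scores)

def available_hours(auditors: int, hours_per_week: int, weeks_per_year: int) -> int:
    """Audit hours = number of auditors x hours per week x weeks per year."""
    return auditors * hours_per_week * weeks_per_year

def rank_units(units):
    """Highest total risk score first; ties broken by name for a stable order."""
    return sorted(units, key=lambda u: (-u.risk_score(), u.name))

def select_auditees(units, budget_hours):
    """Walk the ranking and take each unit that still fits the remaining hours.
    Skipping a unit that does not fit (rather than stopping) is an assumed policy;
    the deferred list is returned so a skipped high-risk unit stays visible."""
    selected, deferred, remaining = [], [], budget_hours
    for u in rank_units(units):
        if u.est_hours <= remaining:
            selected.append(u.name)
            remaining -= u.est_hours
        else:
            deferred.append(u.name)
    return selected, deferred, remaining

# Constructed sample data, not taken from the page's exhibits.
UNITS = [
    Unit("Treasury", (4, 5, 5, 3, 2), 400),
    Unit("Procurement", (3, 4, 4, 2, 4), 600),
    Unit("IT access management", (5, 3, 4, 4, 5), 500),
    Unit("Payroll", (2, 3, 3, 1, 1), 300),
    Unit("Warehouse", (3, 2, 3, 1, 2), 350),
]

if __name__ == "__main__":
    budget = available_hours(auditors=2, hours_per_week=20, weeks_per_year=35)
    for u in rank_units(UNITS):
        print(f"{u.risk_score():>3}  {u.est_hours:>4}h  {u.name}")
    print(select_auditees(UNITS, budget))
```

With the sample budget, the third-ranked unit does not fit in the remaining hours and lands in the deferred list while a lower-ranked, smaller unit is selected, which is the trade-off the hours constraint forces.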
Audit Requested by Management or the Board
Arise from management concern over particular
aspects of the organization’s performance and
operations
→ Pose a higher risk to the organization
The auditor should honor management's request
Audit Requested by Auditees
Auditors may assist auditees that have
specific concerns regarding their operations
Auditors must be careful to maintain their
independence
The decision depends on the perceived risk
Risk Based Audit
Understanding the Risk
The Concept of Risk
To expose to chance of injury or loss
Related with loss
Related with uncertainty
Related with choice
Risk taker
Risk averse
Risk in Internal Audit Context
Organization
Internal Auditor
Understanding the Risk
In risky situations, IA faces 3 levels of uncertainty
- Descriptive/Structural Uncertainty → audit evidence
- Measurement Uncertainty → audit result
- Event Outcome Uncertainty → audit recommendation

Uncertainty (start of the audit) ----------------------------------------- Certainty (completion of the audit)
Risk Analysis and the Internal Auditor
1. Identification
-What is the risk?
-How can the risk be categorized?
2. Estimation
-What is the size of the risk?
-What is exposed to the risk?
-What is the risk’s likelihood of occurring?
3. Evaluation
-What is the acceptable level of risk?
-What is the exposure to the risk?
-What choices exist to avert the risk?
Audit Evidence and Risk
Audit Risk When Relying on Internal Control
Low Risk of Internal Control
Depart from Low Risk of Internal Control
Defining Risk through Audit Standards
Inherent Risk
Control Risk
Detection Risk
Using Risk Analysis
Distribute Audit Works (areas to be reviewed)
Plan Audit Project Internal Audit Budget
Quantitative Approaches to Risk Analysis
→ Risk = Probability × Exposure (costs)
Assigning Risk Exposure Probabilities
→ expected annualized loss per year
Estimating Expected Exposure Losses
Using Risk Analysis
Example Estimated Loss Probabilities

Likelihood of Error    Prob per year    Prob per day
Every Week             5200%            14.24%
2 every week           2400%            6.58%
1 Every month          1200%            3.295
1 Every 6 months       200%             0.55%
1 Every year           100%             0.27%
1 Every 10 years       10%              0.14%
1 Every 100 years      1%               0.0027%
