Sesi4 Internal Audit Strategy and Risk Based Audit
taufikur@ugm.ac.id
Standard Related to Internal Audit Strategy (Auditee Selection)
Standard 520.01 states that the director of the
internal auditing department should establish audit
plans “consistent with the internal auditing
department’s charter and the goal of organization.”
Guideline 520.04 states that the audit work
schedules should include
(a) what activities are to be audited
(b) when they will be audited
(c) the estimated time required
Standard Related to Internal Audit Strategy (Auditee Selection)
Standard 520.04 adds that the auditor should consider
7 factors when setting audit priorities:
1. The date and results of the last audit
2. Financial exposure
3. Potential loss and risk focus on internal control
4. Requests by management
5. Major changes in operations, programs, systems and
control
6. Opportunities to achieve operating benefits
7. Changes to and capabilities of the auditing staff
3 Types of Internal Audit Strategy (Auditee Selection)
Systematic Approach
Ad Hoc
Audit requested by the board
Audit requested by auditees
Steps to Internal Audit Strategy (Auditee Selection)
Systematic Approach
1. Set strategy for selection of auditees
2. Identify potential auditees
3. Rank potential auditees by risk
4. Choose entities to be audited
Steps to Select Auditees
Step 1: Set strategy to identify potential auditees
Look at the organization relative to:
1. The location of plants, stores, assets, etc.
2. The total dollar amounts associated with each location or with types of
operations
3. The level of detail or complexity of the various activities, operations, or
processes
4. Available manpower in the audit department
5. The degree of management concern regarding the various activities,
operations, or processes
6. Functional organizational units
7. Transaction cycles
8. Decision centers
Steps to Select Auditees
Step 2: Identification of possible auditees
Based on the strategy, select possible auditees
(the organizational units to be audited)
Define potential auditees so that no more than a specified
number of hours is required for any one audit
Where a choice exists between selecting a larger organizational
unit or its several subunits separately,
define the auditee according to the relative independence (or
integration) of the subunits
Steps to Select Auditees
Step 3: Rank potential auditees by risk
7 factors that the auditor should consider when assessing the
comparative risk associated with different potential auditees:
1. The date and results of the last audit
2. Financial exposure
3. Potential loss and risk focus on internal control
4. Requests by management
5. Major changes in operations, programs, systems and control
6. Opportunities to achieve operating benefits
7. Changes to and capabilities of the auditing staff
Other factors could be considered, such as those in a study performed by
James M. Patton, John H. Evans, and Barry L. Lewis (A Framework
for Evaluating Internal Audit Risk, Research Report Number 25, the
IIA, 1982)
Steps to Select Auditees
A way to incorporate the various risk factors
into the needed ranking decision:
1. Select the 5 most important risk factors for units in
the organization
2. Score each auditable unit on each of the 5 selected
risk factors
3. Total the points for each auditable unit to compute
a ‘risk score’
4. Rank the units according to their risk scores
See Exhibit 6-7
Steps to Select Auditees
Step 4: Choose entities to be audited
(Selection of auditees for budget period)
Constraint: limited resources (audit hours)
Audit hours =
number of auditors ×
hours per week ×
weeks in a year the auditor is expected to perform audits
Total the hours required for the possible auditees, then compare
with the total audit hours available
See Exhibit 6-8
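Steps 3 and 4 carried through in code, as an added example that is not part of the original slides and does not reproduce Exhibits 6-7 or 6-8. The unit names, the 1-5 scoring scale, the hour estimates, the alphabetical tie-break and the rule of taking units in risk order while they still fit the budget are all assumptions made for illustration.

```python
# Added example: risk-score ranking (Step 3) and selection within the
# audit-hours budget (Step 4). All unit data below is constructed.

# Five risk factors chosen from the seven listed on the slides.
FACTORS = ("last_audit", "financial_exposure", "potential_loss",
           "management_request", "major_changes")

# Constructed sample: (unit, points per factor on an assumed 1-5 scale,
# estimated audit hours).
UNITS = [
    ("Payroll",       (2, 3, 2, 1, 1), 300),
    ("Treasury",      (4, 5, 4, 3, 2), 600),
    ("Inventory",     (3, 2, 3, 1, 2), 500),
    ("IT Operations", (5, 3, 5, 4, 5), 900),
    ("Purchasing",    (3, 4, 4, 2, 3), 500),
]

def available_hours(auditors, hours_per_week, weeks_per_year):
    """Audit hours = number of auditors x hours per week x audit weeks."""
    return auditors * hours_per_week * weeks_per_year

def rank_units(units):
    """Return (name, risk_score, hours) sorted from highest to lowest risk."""
    scored = []
    for name, points, hours in units:
        if len(points) != len(FACTORS):
            raise ValueError(f"{name}: expected {len(FACTORS)} factor scores")
        scored.append((name, sum(points), hours))
    # Assumed tie-break: alphabetical by name, so the ranking is reproducible.
    return sorted(scored, key=lambda u: (-u[1], u[0]))

def select_auditees(units, budget_hours):
    """Take units in risk order while their hours fit the remaining budget."""
    selected, deferred, remaining = [], [], budget_hours
    for name, _score, hours in rank_units(units):
        if hours <= remaining:
            selected.append(name)
            remaining -= hours
        else:
            deferred.append(name)  # carried to the next budget period
    return selected, deferred, remaining

if __name__ == "__main__":
    budget = available_hours(auditors=2, hours_per_week=30, weeks_per_year=40)
    needed = sum(hours for _n, _p, hours in UNITS)
    print(f"hours needed {needed}, available {budget}")
    for name, score, hours in rank_units(UNITS):
        print(f"{score:>3}  {hours:>4}h  {name}")
    print(select_auditees(UNITS, budget))
```

With this sample, Inventory is deferred even though it outranks Payroll, because its hours no longer fit the remaining budget; a stricter policy would stop at the first unit that does not fit.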
Audit Requested by Management or the Board
Arise from management concern over particular
aspects of the organization’s performance and
operations
Pose a higher risk to the organization
The auditor should honor management’s request
Audit Requested by Auditees
Auditors may assist auditees that have
specific concerns regarding their operations
Auditors must be careful to maintain their
independence
The decision depends on the perceived risk
Risk Based Audit
Understanding the Risk
The Concept of Risk
To expose to chance of injury or loss
Related with loss
Related with uncertainty
Related with choice
Risk taker
Risk averse
Risk in Internal Audit Context
Organization
Internal Auditor
Understanding the Risk
In risky situations, IA faces 3 levels of uncertainty
- Descriptive/Structural Uncertainty → audit evidence
- Measurement Uncertainty → audit result
- Event Outcome Uncertainty → audit recommendation
2. Estimation
- What is the size of the risk?
- What is exposed to risk?
- What is the risk’s likelihood of occurring?
3. Evaluation
- What is the acceptable level of risk?
- What is the exposure to risk?
- What choices exist to avert the risk?
Audit Evidence and Risk
Audit Risk When Relying on Internal Control
Low Risk of Internal Control
Depart from Low Risk of Internal Control
Defining Risk through Audit Standards
Inherent Risk
Control Risk
Detection Risk
Use of Risk Analysis
Distribute Audit Works (areas to be reviewed)
Plan Audit Project
Internal Audit Budget
Quantitative Approaches to Risk Analysis
Risk = Probability × Exposure (costs)
Assigning Risk Exposure Probabilities
expected annualized loss per year
Estimating Expected Exposure Losses
Use of Risk Analysis
Example Estimated Loss Probabilities