Risk-Based IA Planning - Important Considerations


RISK-BASED INTERNAL AUDIT PLANNING
Important Considerations
BY PRABATH JAYAKODY
RISK-BASED AUDIT PLAN

➢ Organizations/businesses exist to achieve diverse strategic and operational goals and objectives set by the key stakeholders.
They formulate and implement strategies to achieve these goals and objectives. Such strategies and the environment within
which such strategies are implemented expose them to diverse risks (and opportunities), which may affect their ability to
achieve their goals and objectives. Thus, businesses/organizations would need assurance and advice that adequate systems,
processes and controls are in place to ensure that such risks are managed effectively. One of the leading functions that provide
this assurance and advice is the Internal Audit Activity.
➢ In order to meet this expectation, the Internal Audit Activity’s Plan should establish a logical relationship/link with the identified
risks of the Organization and its strategic and operational goals and objectives. This link can be established by performing a
comprehensive assessment of risks prior to preparation of the IA Plan. The priorities of the IA Activity should be determined
based on the outcome of the risk assessment. This approach is generally identified as a Risk-based IA Plan.
➢ With a risk-based approach, the scarce resources of the IA Activity will be utilized based on a plan, which determines its
priorities consistent with the Organization’s goals and objectives. A risk-based audit plan helps the IA activity ensure sufficient
assurance coverage of the auditable units and areas of greatest exposure to risk and hence, the scarce resources will be
allocated in an effective manner.
IMPORTANT CONSIDERATIONS

➢ While the primary responsibility for the risk-based IA plan rests with the Chief Audit Executive (CAE), the effectiveness of this approach
heavily depends on the level of co-ordination and communication with the key stakeholders and their timely input and feedback.
➢ A comprehensive risk assessment should be performed and reviewed with adequate frequency. While an annual risk assessment is a must,
the frequency in practice should be determined based on the Organization’s own circumstances including the level of volatility and
sophistication in the environment and operations. This makes the risk-based IA plan more dynamic, realistic, responsive and proactive.
➢ Effective and timely two-way communication should be maintained with key stakeholders including Those Charged With Governance
(TCWG) and the senior management at all stages of the process. This level of engagement ensures that the IA Activity’s plan and efforts
eventually meet the reasonable expectations of and add value to the stakeholders throughout. Timely review, feedback and approval by
the TCWG and the senior management will be an integral part of this engagement process.
➢ The CAE should keep the risk assessment and the IA Plan up-to-date with frequent review and should respond to changes in the internal
and external environment, i.e., risks, on a timely basis by way of required changes to the risk assessment, re-evaluation of priorities and
the necessary adjustments to the IA Plan.
PROCESS FOR DEVELOPING RISK-BASED PLAN
The process for the development of the Risk-based IA Plan can broadly be organized into
the following phases.
➢ Understand the Organization and its environment
➢ Perform a comprehensive risk assessment
➢ Evaluate the resources of IA Activity
➢ Prepare and finalize the IA Plan
UNDERSTANDING THE ORGANIZATION AND ENVIRONMENT
Important matters to consider:
➢ Effectiveness of the 1st and 2nd line of defense, i.e., risk management, compliance and other assurance activities in place
➢ Roles and responsibilities in relation to governance, risk management and controls
➢ Goals and objectives, strategies and major projects of the Organization
➢ Main business processes and operations, systems, programs and any significant changes therein
➢ Key risks and relevant controls in processes including emerging risks and any changes therein
➢ Relevant changes in the macro-economic, political and competitive environment including any emerging risks (e.g., ESG
developments)
➢ Key regulatory and legal requirements and changes therein
➢ Updates on fraud risk and how it’s managed
UNDERSTANDING THE ORGANIZATION AND ENVIRONMENT (CONT.)
Key documents to peruse:

➢ Latest organizational/corporate strategy documents

➢ Latest organizational chart

➢ Relevant Board and committee meeting minutes including governance committees

➢ Relevant minutes of key senior management meetings

➢ Regulatory filings and correspondence

➢ Annual report and relevant interim financials

➢ Corporate risk assessments and updated risk registers

➢ Important press releases

➢ Reports compiled/submitted by other assurance providers (e.g., compliance reports, review and consultancy reports, external auditor’s management letter, periodic risk reports
and updates)

➢ Available process documents, process maps, walkthrough documents and Control Self-Assessment (CSA) reports

➢ Important incident reports and continuous risk monitoring reports


ENSURE TWO-WAY COMMUNICATION

➢ The CAE should maintain frequent communication with TCWG and the senior management throughout the planning process in order to
ensure that there is a common understanding and agreement on the organizational priorities, key risks facing the organization and the
expectations from the internal audit function.
➢ The CAE should establish a process and channels for the key stakeholders including the TCWG and the senior management to provide
timely feedback regarding the risk assessment and the audit plan and this feedback should be factored in the review process and
accommodated appropriately to reflect the organizational priorities and expectations and to obtain the necessary stakeholder support
during approval and implementation process.
➢ The audit plan, along with the supporting documentation including the underlying risk assessment, should be discussed with the senior
management and presented to the audit committee and the Board on a timely basis. While the process and frequency of reporting to the
audit committee and senior management depend on the specific requirements of the Organization, it would be good practice to
report on the progress of implementation of the audit plan (and an update on the risk assessment if significant changes are deemed to
have occurred in the risk profile) at least quarterly and at each standard audit committee meeting. Further, more
frequent communication (e.g., via circulation) regarding critical audit matters and developments with the audit committee members and
senior management may also be considered. Timely and enhanced two-way communication strengthens the oversight of the audit
process by the TCWG, while improvements to the process (e.g., new engagements) can be implemented in a timely manner.
RISK ASSESSMENT – IMPORTANT CONSIDERATIONS
➢ A comprehensive and effective Risk Assessment (RA) is of prime consequence as determining internal audit priorities and
aligning the same with the management’s expectations/priorities are mainly dependent on the results of this RA.
➢ If the Organization has a corporate- or individual SBU-level risk assessment, the CAE should review this to gain insights as
input to their own risk assessment. However, this information should be validated prior to being accepted as input.
➢ When adopting risk categories, the IA team should ensure that all important risk types are considered (e.g., strategic,
operational, compliance, financial, etc.) and consistent with any RM framework already in place, any applicable regulatory
requirements and the practices and requirements across the Organization. This should cover risks from internal and external
sources, emerging risks (e.g., ESG developments, potential international and macro-economic issues, which could have an impact
on the Organization and its supply chains and reputation), IT risks, third party risks and fraud risk too.
➢ In practice, it is more appropriate to combine the two common approaches, i.e., assessment against specific identified risks and
assessment against generic risk factors, as this enhances the efficiency of the planning process while making the RA and planning
process more comprehensive and dynamic.
RISK ASSESSMENT – IMPORTANT CONSIDERATIONS (CONT.)
➢ The IA team should consult management to determine the risk factors, which could most affect the Organization’s ability to achieve its objectives. This will assist
the planning process to be aligned with the corporate priorities. But remember to remain objective in final selection!

➢ While the range of risk factors and the assignment of weights to the individual risk factors should be sufficiently comprehensive to make the outcome an
approximation to reality, an appropriate grouping can be considered to avoid complicating the process in its practical application. Also remember that the
application should be customized to the specific circumstances.

➢ While all material risk factors relevant to both “Impact” and “Likelihood” should be identified and appropriately rated, the effectiveness of controls should also
be considered under the likelihood category to ensure that the residual risk is factored into the prioritization. Among a number of factors to be considered, the
results of previous reviews, the results of other assurance engagements and, more importantly, the implementation status of previously agreed action plans
(recommendations) should be regarded as important considerations in this process.

➢ The risk factors identified, the weights proposed to be assigned to individual risk factors, and ratings and definitions to be assigned should be discussed with the
TCWG and the senior management to ensure that there is a common understanding and that all important prioritization considerations are factored in.

➢ The IA team should use quantifiable, measurable or specific criteria in determining ratings and weights to be assigned so as to reduce the extent of subjectivity to
an acceptable level. However, any decisions in this regard should be consistent with the priorities, risk appetite and exposure limits established by the Board. For
example, when determining the financial thresholds for impact-related ratings, exposure limits and risk appetite levels established by the senior management
should be considered.
RISK ASSESSMENT – IMPORTANT CONSIDERATIONS (CONT.)
➢ The IA team should maintain adequately detailed documentation in relation to the movement of overall
risk rating of each auditable unit reflecting both the inherent (gross) risk and the residual (net) risk of
each unit after considering the effectiveness of the controls. In order to reduce the level of subjectivity in
determining the effectiveness of controls (that is to provide a reasonable basis), the IA team should
maintain adequate up to date records relating to specific individual risks and controls pertaining to each
auditable unit along with ratings relating to such individual key risks. For this purpose, an up to date Risk
Control Matrix (RCM), CSA results and risk heat maps would be highly useful.
➢ While in a small organization with less complexity the audit universe would be relatively straightforward,
in a more complex organizational context the IA team should pay special attention to ensuring that the
records relating to the audit universe are kept up to date with relevant details, as the risk assessment will
be performed and the audit plan will be formulated based on this.
EVALUATE RESOURCES

➢ Audit plans frequently fall short for lack of adequate resources. Thus, the CAE needs to assess the currently available resources and estimate
the resources required to meet the audit plan. An important matter to consider is that the CAE should reflect the assurance coverage in the draft
audit plan documentation in accordance with the results of the risk assessment when it is presented for discussion with the TCWG and the senior
management. Any additional resources required to provide adequate assurance based on the risk assessment results (e.g., high risk rated auditable
units) should be clearly highlighted in the audit plan documentation in support of the budget approval. Any exclusions (e.g., auditable
units/engagements) from the audit plan should be approved by the TCWG and senior management with adequate justification and alternative
strategies to address the associated risk.

➢ Evaluation of resources should include human resources (quantity as well as the skills), financial resources/funds (e.g., meeting audit related
expenses) and technology (e.g., audit tools and software and hardware equipment). Further, this assessment should be proactive and future-oriented
with a planning horizon consistent with that of the Organization but at least 3 to 5 years would be appropriate. For this purpose, the CAE should be
able to determine the resource requirements including the skills and competencies of its team to meet the strategic objectives of the internal audit
activity consistent with the strategic plan of the Organization and the forecast requirements of the industry, regulatory environment and the
profession.

➢ The CAE should maintain a comprehensive skills inventory for the internal audit function covering all staff positions in the desired/approved cadre
plan and the current employees, incorporating their existing skills, required/desired skills, identified skill gaps and planned strategies to bridge these
gaps according to the planned timelines.
EVALUATE RESOURCES (CONT.)

➢ In order to ensure optimal use of scarce resources, the CAE should take the necessary steps to avoid duplication of assurance work to the maximum
extent possible by way of an integrated planning process with other internal and external assurance providers (e.g., risk department, compliance
department, external auditor, etc.), and the internal auditors should consider relying on the work of other assurance providers where
appropriate. Further, the CAE should consider the possibility of using continuous monitoring techniques supported by technology (e.g., monitoring
through data analytics software) to enhance the effectiveness and efficiency of the audit process and focus the resources on the higher risk areas.

➢ If the existing resources of the IA activity are deemed to be insufficient to provide adequate assurance coverage or other important advisory services,
the CAE should consider the possibility of obtaining the services of external or other internal assurance service providers to fill such gaps in
assurance in the form of either outsourcing or co-sourcing arrangements. These options should all be incorporated in the draft audit plan for
discussion, evaluation and approval. Lack of resources should not be a constraint on the risk-based audit plan. Instead, it should be communicated to
the TCWG and senior management as a sound and logical basis to consider and evaluate viable alternatives/options to bridge assurance gaps.

➢ The CAE should take several factors into consideration when the decisions are made on allocation of time and audit staff to individual engagements.
These factors may include the size and complexity of the operation/process under review, assessed fraud risk associated, residual risk assigned in risk
assessment, the experience and skills of the staff available to be assigned, staff training requirements, nature and complexity of audit procedures
involved (e.g., analytical procedures, tests of control, substantive procedures), level of regulatory supervision/review expected and specific
expectations of the senior management.
INTERNAL AUDIT PLAN – IMPORTANT CONSIDERATIONS
➢ All engagements and activities including non-audit activities identified based on the risk assessment should be included in the audit plan
along with their budgeted/estimated man hours, which should be a realistic estimate.
➢ The audit plan should reserve a sufficient amount of man hours for special management requests and any ad hoc assignments, which
should be discussed and agreed with the management. Inadequate allocations may lead to significant disruptions to the planned core
activities.
➢ The residual risk rating and the frequency of the planned engagements should be clearly indicated, which should be reviewed and revised
periodically or when the circumstances demand to do so subject to necessary approvals.
➢ Higher risk rated auditable units should be audited at least annually, while it would be prudent to cover all auditable units irrespective of
the risk rating at least every two to three years in order to preserve the deterrent effect of audit engagements. In respect of lower risk
rated auditable units, limited scope reviews can be planned along with selected continuous monitoring techniques covering at least the
most significant risks associated with such auditable units in terms of their impact on the ability to achieve the organizational
objectives.
➢ Provided the estimates are realistic and achievable, the budgeted time (man hours) indicated in the audit plan should be strictly enforced
and monitored at the execution level as this will provide assurance to the management that the audit plan will eventually be achieved.
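The following is an added worked example, not code from the original page or its author: a small Python model of the rating and planning steps described above, i.e., weighted impact and likelihood factors per auditable unit, inherent versus residual risk where control effectiveness discounts likelihood but unimplemented prior action plans withdraw that credit, rating-driven audit frequency and scope (high at least annually, everything within three years, limited scope for low), and the annual hours the cycle needs compared with capacity so that a shortfall is surfaced for the TCWG rather than resolved by silently dropping units. The factor names, weights, 1-5 scale, multiplier, rating thresholds, hours and the three sample auditable units are all assumptions constructed for illustration.

```python
"""Risk scoring and audit-frequency derivation for an audit universe.

Added illustration, not part of the original page. Factor names, weights,
the 1-5 scale, the control-effectiveness multiplier, the rating thresholds
and the hours per engagement are assumed values, not prescribed ones.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)  # every factor is rated 1 (lowest) to 5 (highest); assumed scale

# Impact and likelihood factors with weights; each set sums to 1.0 (assumed).
IMPACT_WEIGHTS = {"financial": 0.40, "regulatory": 0.35, "reputational": 0.25}
LIKELIHOOD_WEIGHTS = {"complexity": 0.30, "change": 0.30, "fraud_risk": 0.20, "prior_findings": 0.20}

# Residual rating bands on the 1..25 impact x likelihood product: label,
# minimum score, audit frequency in months. Thresholds are assumed; the
# frequencies follow the page (high annually, all units within 2-3 years).
BANDS = (("High", 12.0, 12), ("Medium", 6.0, 24), ("Low", 0.0, 36))


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    impact: dict[str, int]
    likelihood: dict[str, int]
    control_effectiveness: int  # 1 = ineffective .. 5 = fully effective
    open_actions: int           # previously agreed action plans still not implemented
    budget_hours: int           # estimated man hours for a full-scope engagement


def weighted_score(ratings: dict[str, int], weights: dict[str, float]) -> float:
    """Weighted average of 1-5 ratings; rejects missing factors and off-scale values."""
    if set(ratings) != set(weights):
        raise ValueError(f"factors {sorted(weights)} required, got {sorted(ratings)}")
    for factor, value in ratings.items():
        if value not in SCALE:
            raise ValueError(f"{factor}: rating {value} outside 1..5")
    return sum(ratings[f] * w for f, w in weights.items())


def inherent_risk(unit: AuditableUnit) -> float:
    """Gross risk before controls: weighted impact x weighted likelihood, range 1..25."""
    return weighted_score(unit.impact, IMPACT_WEIGHTS) * weighted_score(unit.likelihood, LIKELIHOOD_WEIGHTS)


def residual_risk(unit: AuditableUnit) -> float:
    """Net risk: control effectiveness discounts likelihood, but each open prior
    action plan removes one point of control credit, so a unit that ignores
    agreed recommendations does not keep the benefit of its controls."""
    if unit.control_effectiveness not in SCALE:
        raise ValueError(f"{unit.name}: control effectiveness outside 1..5")
    credit = max(1, unit.control_effectiveness - unit.open_actions)
    multiplier = 1.0 - 0.15 * (credit - 1)  # 1.0 (no credit) down to 0.4 (full credit); assumed
    return round(inherent_risk(unit) * multiplier, 2)


def rating_and_frequency(score: float) -> tuple[str, int]:
    for label, threshold, months in BANDS:
        if score >= threshold:
            return label, months
    raise ValueError(f"score {score} below every band")  # unreachable: Low starts at 0.0


def build_plan(units: list[AuditableUnit], capacity_hours: float) -> dict:
    """Rank units by residual risk, assign frequency and scope, and compare the
    average annual hours the cycle needs with capacity. A shortfall is reported,
    not hidden by dropping units from the plan."""
    rows = []
    for u in sorted(units, key=residual_risk, reverse=True):
        score = residual_risk(u)
        label, months = rating_and_frequency(score)
        scope = "limited" if label == "Low" else "full"
        hours = u.budget_hours // 2 if scope == "limited" else u.budget_hours  # assumed 50% for limited scope
        rows.append({"unit": u.name, "inherent": round(inherent_risk(u), 2), "residual": score,
                     "rating": label, "frequency_months": months, "scope": scope, "hours": hours})
    annual_load = sum(r["hours"] * 12 / r["frequency_months"] for r in rows)
    return {"rows": rows, "annual_load_hours": round(annual_load, 1),
            "shortfall_hours": round(max(0.0, annual_load - capacity_hours), 1)}


# Constructed sample audit universe (hypothetical units and ratings).
SAMPLE_UNITS = [
    AuditableUnit("Treasury", {"financial": 5, "regulatory": 4, "reputational": 4},
                  {"complexity": 4, "change": 3, "fraud_risk": 5, "prior_findings": 2},
                  control_effectiveness=4, open_actions=2, budget_hours=400),
    AuditableUnit("Payroll", {"financial": 3, "regulatory": 3, "reputational": 2},
                  {"complexity": 2, "change": 1, "fraud_risk": 3, "prior_findings": 1},
                  control_effectiveness=5, open_actions=0, budget_hours=200),
    AuditableUnit("Customer onboarding", {"financial": 3, "regulatory": 5, "reputational": 4},
                  {"complexity": 3, "change": 5, "fraud_risk": 3, "prior_findings": 3},
                  control_effectiveness=3, open_actions=0, budget_hours=300),
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_UNITS, capacity_hours=500)
    for row in plan["rows"]:
        print(row)
    print("annual load:", plan["annual_load_hours"], "shortfall:", plan["shortfall_hours"])
```

With the sample data, Treasury keeps a high rating despite reasonably effective controls because two agreed actions remain open, and the cycle needs more hours than the assumed 500-hour capacity; that gap is what the plan documentation should present to the TCWG in support of additional resources or co-sourcing.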
INTERNAL AUDIT PLAN – IMPORTANT CONSIDERATIONS (CONT.)
➢ The CAE should take necessary steps to document the policies and procedures relating
to the risk-based audit planning process with relevant approvals. Further, the audit plan,
other documents developed, minutes of the meetings and relevant correspondence
should all be maintained along with adequate version control.
➢ It would be a good practice to include a high level scope of audit/review engagements
included in the audit plan when this is presented to the senior management for review
and approval.