Chapter 07. Internal Audit Planning and Strategy
07.03. Risk-based Long- and Short-term Audit Planning
Key Questions
Briefly reflect on the following before we begin:
- What is risk-based audit planning, and how does it differ from traditional audit planning?
- How are risks identified and assessed to inform the audit plan?
- What are the benefits of integrating risk-based planning into the audit cycle?
- How can the audit plan be updated to reflect emerging risks and changing organizational priorities?
Adopting a risk-based approach in internal audit planning and strategy is paramount for effectively allocating audit resources and addressing vital organizational risks. This section delves into the principles and practices of risk-based auditing, highlighting its significance in optimizing audit planning and enhancing the value of audit activities. At the core of risk-based auditing are the principles of identifying, assessing, and prioritizing risks to inform audit planning. Internal auditors can gain valuable insights into areas of vulnerability and significance by systematically evaluating potential risks across various organizational functions and activities. This proactive approach allows auditors to focus on areas with the highest risk exposure, thereby maximizing the impact of audit activities and providing stakeholders with assurance on critical risk management processes.
Prioritizing audits based on risk assessment outcomes ensures that audit resources are allocated judiciously, addressing the organization’s most significant risks. By aligning audit plans with the organization’s risk profile, internal auditors can tailor their audit programs to target areas with the most potential for adverse impact. Integrating risk-based planning with the overall audit cycle facilitates a comprehensive and systematic approach to audit activities, ensuring that audits are conducted to address critical risks while also providing insights into the effectiveness of existing controls. Additionally, employing tools and techniques for effective risk-based planning enhances audit efficiency and effectiveness, enabling auditors to adapt to changing risk landscapes and emerging threats. Finally, updating the audit plan based on emerging risks ensures that audit activities remain relevant and responsive to evolving organizational dynamics, safeguarding the organization against emerging threats and vulnerabilities.
Internal Audit in Action
Background
Rochdale Bank, a leading financial institution, faces various risks, from credit and market risks to cybersecurity threats. The internal audit function realized that its traditional, cyclical approach to audit planning needed to be more effective in prioritizing audits based on the bank’s evolving risk landscape.
Challenge
The primary challenge was transitioning to a risk-based audit planning approach that could more dynamically allocate audit resources to the highest-risk areas, ensuring that critical issues were addressed promptly and effectively.
Action Taken
- Comprehensive Risk Assessment: In collaboration with the bank’s risk management function, the internal audit team conducted a comprehensive risk assessment to identify and prioritize risks across the organization.
- Development of Risk-based Audit Plan: Using the risk assessment outcomes, the CAE developed a risk-based audit plan that allocated resources to audits based on the severity and likelihood of identified risks, ensuring that higher-risk areas received more immediate and thorough attention.
- Flexibility and Adaptability: The CAE introduced mechanisms for revising the audit plan in response to emerging risks or significant business changes, maintaining the plan’s relevance and responsiveness throughout the audit cycle.
- Stakeholder Engagement: The risk-based audit plan was communicated to the board and senior management, securing their buy-in by demonstrating how it aligned with the bank’s overall risk management strategy and business objectives.
- Continuous Monitoring: The internal audit function implemented continuous monitoring techniques to keep abreast of changes in the risk environment, feeding into regular risk assessment and audit plan updates.
Outcome
Rochdale Bank’s adoption of a risk-based audit planning approach significantly improved the efficiency and effectiveness of its internal audit function. The bank managed and mitigated critical risks better by focusing audit efforts on the highest-risk areas, contributing to its overall resilience and regulatory compliance. The flexible, adaptive nature of the plan ensured that the internal audit function remained agile in the face of a rapidly changing risk landscape.
Reflection
This scenario emphasizes the importance of a risk-based approach to audit planning in managing the complex risk environment faced by financial institutions like Rochdale Bank. By systematically assessing and prioritizing risks and adopting a flexible planning approach, internal audit functions can ensure that their activities are both strategic and responsive, providing maximum value to the organization.
Principles of Risk-Based Auditing
Risk-based auditing is a strategic approach that focuses audit efforts on areas of most significant risk and potential impact on the organization. This methodology ensures that internal audit activities are aligned with the organization’s risk management framework, contributing effectively to identifying, assessing, and managing risks.
Below are the fundamental principles that underpin risk-based auditing.
- Alignment with Organizational Objectives
- Risk-based auditing starts with an understanding of the organization’s objectives and the risks that could hinder the achievement of these goals.
- By aligning audit activities with organizational priorities, auditors can focus on areas that matter most, ensuring that their work directly supports the organization’s strategic direction.
- Dynamic Risk Assessment
- A cornerstone of risk-based auditing is the continuous assessment of risks. This dynamic process involves regularly updating the risk profile to reflect changes in the business environment, emerging trends, and new information.
- It ensures that audit plans remain relevant and focused on current and potential future risks.
- Prioritization of Audit Efforts
- Activities are prioritized based on the severity and likelihood of identified risks.
- This prioritization ensures that resources are allocated efficiently, focusing on areas where the audit can have the most significant impact regarding risk mitigation and enhancement of control systems.
- Proactive Identification of Risks
- Risks are proactively identified before they materialize into significant issues.
- This approach involves looking beyond past and present risks to forecast future risks, enabling the organization to implement preventive measures and strengthen its resilience.
- Comprehensive Risk Coverage
- Providing comprehensive coverage of the organization’s risk landscape includes looking out for not only financial risks but also operational, strategic, compliance, and reputational risks.
- A holistic view of risk ensures that no critical area is overlooked.
- Stakeholder Engagement
- Engaging with organizational stakeholders to gain insights into risks from various perspectives.
- This engagement enhances the understanding of risks, fosters collaboration, and ensures audit efforts align with stakeholder expectations and concerns.
- Flexibility and Adaptability
- Risk-based auditing principles advocate flexibility and adaptability in audit planning and execution.
- Auditors must be prepared to adjust their plans in response to emerging risks or unexpected findings, ensuring that audit efforts always focus on the most significant risks.
- Integration with the Risk Management Framework
- By integrating risk-based auditing into the organization’s overall risk management framework, auditors can leverage existing risk assessments, control evaluations, and risk management strategies.
- The integration enhances the efficiency and effectiveness of the audit process.
- Continuous Improvement
- Risk-based auditing is committed to continuous improvement.
- By regularly reviewing and refining audit processes, methodologies, and outcomes, auditors can enhance their ability to identify and assess risks, improving the value they deliver to the organization.
Identifying and Assessing Risks to Inform Audit Planning
Identifying and assessing risks is a foundational step in risk-based audit planning, ensuring that the focus aligns with the areas posing the highest risk to the organization. This process enables auditors to allocate resources effectively and target their efforts where they can have the most significant impact on risk management and control processes.
Gaining an Understanding of the Operations
The process begins by understanding the organization’s operations, objectives, and the environment in which it operates. This includes reviewing strategic plans, business models, and external factors such as economic, regulatory, or technological changes that could affect the organization. Such a thorough understanding lays the groundwork for identifying areas where risks could arise. Engaging with a broad range of stakeholders is another critical step. This includes management, employees, and sometimes, external parties. Such consultations are invaluable as they provide insights into perceived risks and areas of concern that might not be evident from documentation alone. Stakeholder input can reveal unique perspectives on potential vulnerabilities and emerging threats, offering a more nuanced view of the organization’s risk landscape. Analyzing findings from previous audits, risk assessments, and reports is also essential. This review helps auditors identify recurring issues, areas of non-compliance, and previously recognized risks. This historical perspective highlights areas that require ongoing attention and helps auditors anticipate future challenges.
Evaluation of Risk Responses
Once risks are identified, they must be thoroughly evaluated. This evaluation involves assessing the likelihood of each risk occurring and the potential impact of the risk on the organization’s ability to achieve its objectives. This step is crucial for prioritizing risks based on their significance. To aid in this evaluation, auditors often employ risk matrices or models. These tools help categorize and prioritize risks by visually representing them based on their likelihood and impact. Such tools facilitate informed decision-making, allowing auditors to focus on ‘high-impact, high-likelihood’ risks in the risk matrix’s critical ‘red’ zone. It is also essential to align the risk assessment with the organization’s risk appetite, which defines the level of risk the organization is willing to accept in pursuit of its strategic objectives. This alignment ensures that the audit planning focuses on risks surpassing the organization’s tolerance levels, safeguarding critical organizational goals.
Audit Planning
The risk assessment outcomes are crucial for informing the subsequent audit planning. Auditors use the results from the risk assessment to prioritize audit activities, ensuring that resources are allocated to areas with the highest risk ratings. This prioritization is integral to developing a risk-based audit plan that effectively utilizes available resources. Specific, measurable audit objectives should be defined based on the identified high-risk areas. These objectives should focus on assessing the adequacy of controls to manage identified risks and evaluating the effectiveness of risk management practices. The scope of audit activities also needs to be determined. This involves specifying which processes, departments, or functions will be audited. The scope should be broad enough to cover significant risks but focused enough to allow for an in-depth assessment of those risks.
Benefits of Risk Assessment
internal auditors must recognize that risk assessments are not static. They should adopt a dynamic approach to risk assessment by continuously monitoring for new risks or changes in the existing risk landscape. This ongoing vigilance is necessary to ensure the audit plan remains relevant and responsive to the organization’s evolving risk profile.
Establishing a feedback loop where insights from audit activities inform future risk assessments and audit planning is also essential. This loop enhances the accuracy of risk assessments over time, continually refining the focus of audit efforts and ensuring the function adapts to the organization’s changing needs.
Prioritizing Audits Based on Risk Assessment Outcomes
Prioritizing audits based on risk assessment outcomes is a fundamental aspect of risk-based audit planning, which focuses the internal audit function’s resources on areas posing the highest risk to the organization’s objectives. The process starts with a thorough analysis of risk assessment results to identify risks with the highest likelihood and impact on the organization, categorizing them as high, medium, or low. Subsequently, these risks are mapped against the organization’s audit universe—a comprehensive list of all potential audit areas, processes, or entities. This mapping helps pinpoint the most vulnerable regions needing priority in auditing.
In addition to risk assessment, prioritizing areas of audit requires consideration of the organization’s strategic priorities and objectives, ensuring that critical areas essential for achieving strategic goals are audited, regardless of their risk category. The availability of resources, including staff expertise, time, and technology, also plays a crucial role in determining which areas are audited first. In some instances, external expertise may be required for highly specialized audits. With these considerations, a flexible, risk-based audit plan is developed, detailing the audits’ scope, timing, and resources. This plan is subject to adjustments as risks evolve or new risks emerge.
Communication with stakeholders such as senior management and the audit committee ensures alignment with the current risk profile and secures support before finalizing the audit plan. Given the dynamic nature of the risk environment, it is vital to regularly review and adjust audit priorities to align with the current risk profile, focusing on emerging risks or areas where new information suggests more significant risks than initially assessed. Documenting the rationale for audit prioritization enhances transparency and accountability, clearly justifying why certain areas are prioritized over others based on risk assessment outcomes and organizational priorities. By methodically prioritizing audits, the internal audit function can maximize its impact on managing risks and strengthening the organization’s governance, risk management, and control processes.
Integrating Risk-Based Planning with the Overall Audit Cycle
Integrating risk-based planning with the overall audit cycle is crucial for ensuring that internal audit activities are aligned with the organization’s strategic objectives and risk management framework. This process involves the following steps to incorporate risk considerations throughout the audit cycle effectively:
- Risk Assessment and Planning
- The first step in integrating risk-based planning is to conduct a comprehensive risk assessment.
- This involves identifying and assessing risks across various business processes, functions, and activities.
- Auditors analyze internal and external factors impacting the organization’s objectives and operations.
- Based on this assessment, audit plans are developed to address the most significant risks identified.
- Audit Planning and Scoping
- Once the risks are identified and assessed, auditors prioritize audit activities based on the level of risk exposure.
- High-risk areas are given priority in the audit plan, ensuring that resources are allocated to address the most critical risks.
- The audit scope focuses on areas where the most significant impact on organizational objectives is expected.
- Audit Execution
- During the audit execution phase, auditors conduct fieldwork and gather evidence to evaluate the effectiveness of controls in mitigating identified risks.
- They assess the adequacy of existing controls and identify any control deficiencies or weaknesses that may expose the organization to risk.
- Risk-Based Testing
- Auditors tailor their testing procedures to focus on the areas with the highest risk of exposure.
- Controls for high-risk areas are extensively tested to ensure they operate effectively.
- Lower-risk areas may receive less testing scrutiny to optimize resource utilization.
- Reporting and Communication
- The findings from the audit are communicated to management and key stakeholders through audit reports.
- These reports highlight the results of the risk-based audit procedures, including any identified control deficiencies and recommendations for improvement.
- By clearly articulating the risks and their potential impact on the organization, audit reports facilitate informed decision-making by management.
- Continuous Monitoring and Feedback
- The integration of risk-based planning is an iterative process that requires continuous monitoring and feedback.
- Auditors remain vigilant for emerging risks or changes in the business environment that may impact the organization’s risk profile.
- Auditors update the audit plan to address new risks and ensure that activities remain relevant and responsive to evolving threats.
Integrating risk-based planning with the overall audit cycle involves aligning audit activities with the organization’s risk management framework, prioritizing audit efforts based on risk assessment outcomes, tailoring testing procedures to focus on high-risk areas, and continuously monitoring and updating the audit plan to address emerging risks. This approach helps internal auditors provide valuable insights and assurance to management regarding the effectiveness of risk management processes and controls.
Tools and Techniques for Effective Risk-Based Planning
Effective risk-based planning in an internal audit involves utilizing various tools and techniques that enable auditors to systematically identify, assess, and prioritize risks. These tools and techniques support the development of an audit plan that focuses on risks that would have the highest impact on the organization. Below are some tools and techniques used in effective risk-based planning:
- Risk Assessment Workshops: Risk assessment workshops involve gathering key stakeholders from various parts of the organization to discuss and evaluate risks. These sessions facilitate a comprehensive understanding of risks from multiple perspectives and encourage collaboration in assessing the likelihood and impact of risks on organizational objectives.
- SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats): SWOT analysis is used to identify internal and external factors that could affect the organization. By understanding strengths, weaknesses, opportunities, and threats, auditors can better assess where risks may arise and how they might impact the organization, prioritizing audit areas.
- Risk Heat Maps: Risk heat maps visually represent the risks identified in terms of their likelihood and impact, allowing auditors to prioritize risks easily. High-impact, high-likelihood risks are typically placed in the “red” zone, indicating they are a high priority for audit attention.
- PESTLE Analysis (Political, Economic, Social, Technological, Legal, Environmental): PESTLE analysis helps auditors consider external factors that could influence the organization. By analyzing these six factors, auditors can identify external risks that might not have been apparent from an internal perspective alone.
- Data Analytics and Continuous Monitoring Tools: Data analytics and continuous monitoring tools allow the analysis of large volumes of data to identify trends, anomalies, and patterns that indicate risks. These tools can be particularly effective in identifying financial, operational, and compliance risks and are helpful in the planning phase and during audit execution.
- Questionnaires and Surveys: Distributing questionnaires and surveys to employees across the organization can help gather insights into perceived risks, control weaknesses, and areas of concern. This information can be invaluable in identifying risks that may not be immediately visible to the audit team or senior management.
- Industry and Regulatory Updates: Staying informed about industry and regulatory environment changes helps in identifying new risks. Auditors should regularly review industry publications, regulatory announcements, and other relevant sources to understand how external changes might impact the organization.
- Audit Software: Audit software can streamline the risk assessment and audit planning processes by providing a centralized platform for documenting risks, planning audits, and tracking audit findings. Many audit software packages include features for risk assessment, audit scheduling, and reporting, making it easier to manage the entire audit cycle.
- Benchmarking: Comparing the organization’s risk management practices and performance against industry standards or peers can highlight areas of relative strength or weakness. Benchmarking can help identify areas where the organization may be at higher risk due to deviations from industry norms.
By leveraging these tools and techniques, internal auditors can enhance the effectiveness of their risk-based planning. This strategic approach ensures that audit resources are focused on the areas most critical to the organization’s success and resilience, thereby maximizing the value of the internal audit function.
Updating the Audit Plan Based on Emerging Risks
Progressive internal audit functions must adapt swiftly to emerging risks to ensure their plans remain relevant to the organization’s current risk environment. Effective management of these risks is essential to maintain the impact and relevance of the internal audit function. The process begins with continuous risk monitoring. Implementing a system for ongoing risk observation is crucial; this might involve using technology for real-time data analysis, keeping abreast of industry and regulatory developments, and maintaining open communication with various organizational departments. Engaging regularly with key stakeholders, such as senior management and the board, is also vital. These interactions can provide insights into new strategic challenges or external events affecting the organization’s risk profile, offering early warnings of potential risks.
The audit plan should be flexible to accommodate modifications as the risk landscape evolves. This might include reserving some audit resources specifically for emerging risks not previously identified. Periodic re-evaluations of the risk assessment are necessary to integrate new information about emerging risks. Ideally, such re-evaluation should occur more frequently than the annual planning cycle to ensure prompt identification and prioritization of emerging risks. When updating the audit plan, it’s essential to prioritize the impact and likelihood of emerging risks, focusing efforts on those posing the greatest threat to organizational objectives or those that could significantly impact the control environment. The audit plan should be formally updated to include specific audits that address these risks, with clear documentation and communication to stakeholders about the updates. This communication should explain the rationale for changes and the expected outcomes. Lastly, establishing a review and feedback loop to evaluate the approach’s effectiveness in managing emerging risks is crucial. This involves assessing whether the updated audit plan has adequately addressed the risks and contributed to the organization’s risk management and control processes. Feedback from this process should be used to refine risk monitoring and audit planning continuously. This proactive approach enhances organizational resilience by promptly identifying and managing emerging risks.
Internal Audit in Action
Background
Yochem Health, a healthcare provider, was significantly impacted by the COVID-19 pandemic, which introduced unprecedented operational and financial challenges and heightened health and safety risks.
Challenge
The internal audit function needed to rapidly adjust its audit plans to address the new and urgent risks presented by the pandemic, balancing the need for immediate action with the longer-term strategic audit objectives.
Action Taken
- Emergency Risk Assessment: Conducting an emergency risk assessment focused on the pandemic’s impact, identifying areas such as supply chain vulnerabilities, telehealth implementation risks, and employee health and safety.
- Short-term Audit Focus: Prioritizing short-term audits on critical risk areas identified in the emergency assessment, including procurement processes for personal protective equipment (PPE) and the security of patient data in telehealth services.
- Long-term Strategic Adjustments: Integrating the lessons learned from the pandemic into the long-term audit strategy, focusing on building resilience in critical operational areas and enhancing preparedness for future crises.
- Stakeholder Collaboration: Working closely with management and the board to ensure audit plans align with organizational priorities and are responsive to the changing environment.
- Dynamic Planning Process: Implementing a dynamic audit planning process that allowed for ongoing adjustments based on evolving risks and organizational needs, supported by regular risk reassessments.
Outcome
Through proactive and flexible audit planning, Yochem Health’s internal audit function addressed the immediate risks posed by the pandemic, providing critical insights and recommendations that supported the organization’s response efforts. Incorporating pandemic-related risks into the long-term audit strategy also positioned Yochem Health to manage future crises better, enhancing its overall risk management and resilience.
Reflection
Yochem Health’s experience highlights the critical role of internal audit in times of crisis and the value of a risk-based, dynamic approach to audit planning. By swiftly adjusting audit priorities to focus on the most pressing risks and incorporating strategic learnings into plans, internal audit functions can provide essential guidance and support to their organizations in navigating current and future challenges.
Key Takeaways
Let’s recap the concepts discussed in this section by reviewing these key takeaways:
- Risk-based auditing aligns audit efforts with organizational objectives and prioritizes areas by risk severity, ensuring resources focus on areas with the most significant impact.
- Risk identification and assessment involve analyzing organizational operations and the external environment, using techniques like SWOT analysis to align audit plans with risk profiles.
- Prioritizing audits based on risk assessment outcomes focuses resources on high-risk areas, influenced by the impact on organizational objectives and audit resource availability.
- Risk-based planning integrates with the overall audit cycle, requiring continuous risk management interaction and strategic alignment, with tools like PESTLE analysis and data analytics supporting effective planning.
Knowledge Check
Review Questions
- What is the primary purpose of aligning audit efforts with organizational objectives in risk-based auditing?
- How does a dynamic risk assessment process benefit risk-based audit planning?
- In risk-based auditing, why is it crucial to prioritize audits based on risk assessment outcomes?
- Describe one tool or technique used in effective risk-based planning and how it contributes to the process.
- How should the internal audit function respond to emerging risks not identified in the initial audit plan?
Essay Questions
- Explain the significance of stakeholder engagement in updating the audit plan to address emerging risks. In your answer, include how stakeholders can contribute to identifying these risks and the steps that the internal audit function should take to incorporate stakeholder insights into the audit planning process.
- Discuss the role of continuous monitoring and dynamic risk assessment in maintaining the relevance of the audit plan throughout the audit cycle. Describe how these processes interact and their impact on the agility and effectiveness of the internal audit function.
Mini Case Study
Imagine you are an internal auditor at a manufacturing company tasked with updating the audit plan based on emerging risks identified during the quarterly risk assessment. One of the emerging risks identified is the potential disruption in the supply chain due to geopolitical tensions affecting critical raw material suppliers.
Required: How would you incorporate this emerging risk into the audit plan, considering the principles of risk-based auditing and the tools and techniques for effective risk-based planning?
The phase of the audit where auditors collect evidence, perform tests, and conduct interviews at the client's location to gather information for their audit conclusions.