The IIA standards require us to develop a risk-based internal audit plan. There is, however, little material available on how organisations actually do this. Organisations with good risk management systems can feed information from those approaches or systems to internal audit. If no risk management system is available, you will need to do much of the work yourself. And even when such systems are present, that does not necessarily mean their output can easily be repurposed for internal audit planning.
We have developed a two-phase approach. In the first phase we execute the analysis at the level of the entire organisation. In the second phase we prepare the specific audit at the level of the auditable entity or activity (process, subprocess).
Today, I will cover phase 1, the organisation-wide analysis. A next post will cover the analysis at the level of the auditable entity. Let’s kick off phase 1.
Phase 1 – Organisation-wide analysis
Analysis coverage
Any activity within the audit universe needs to be subject to the risk analysis. If your organisation includes decentralised entities, these need to be included as well. We query every person accountable for an activity, where "accountable" is meant as in the RACI matrix. For us, this is middle management, including all local representatives of our organisation. Each accountable person may, however, ask as many collaborators as they want to fill in the questionnaire: at the least the middle manager needs to answer, at the most everyone involved in the activity can answer. Our systems give us enough flexibility to handle that volume.
Analysis frequency
The analysis is to be executed at least once during the term of the management agreement which covers our activities, and it should take place at the start of the agreement. If the agreement runs for longer than five years, a new risk analysis needs to be executed; it remains valid until the signing of the new agreement or for a period of five years, whichever comes first.
Additional analyses need to be executed on part of the audit universe if there are significant changes in that part of the audit universe. For example, were we to take on new responsibilities which are not explicitly covered in our current responsibilities but were foreseen in the management agreement, we need to execute an additional risk exercise on this responsibility. In the case of significant adaptations or alterations to activities or processes, a new risk exercise needs to be executed on that activity and all downstream activities depending on that specific activity or process. Finally, in case an adaptation in the management agreement would lead to a significant adaptation in roles or responsibilities, our function or our structure, we need to execute a new risk exercise on the activities impacted.
Analysis execution
The analysis is executed by means of an online survey. Participants are asked to judge about 80 statements on risks to their current responsibilities. If someone is accountable for more than one area of responsibility as defined in the audit universe, they need to answer for each of these areas through a separate survey.
Participants are asked to judge the relevance of each statement for their area of responsibility. In addition, they are asked to judge their risk exposure over a period of five years in terms of the impact of the risk, its likelihood of occurrence and the current level of risk management.
The people accountable for a process or a function are asked to execute this analysis within three months after signature of the new management agreement.
Translating the results of the risk analysis into a long-term audit plan
The information gathered in the survey is translated into a risk control matrix, which is proposed for validation to the management committee. The purpose of the risk control matrix is not to develop a detailed and nuanced view on the relative proportions of the risks. Rather, we want to create a clustering of risk exposure levels to develop a prioritisation in the auditable activities (hence, the audit universe).
However, internal audit retains its independence with respect to the results of the risk analysis, which is a subjective perception of risk exposure by the people accountable for the processes. We combine the information gathered in the risk analysis with other information, such as total budgetary spend over a period (historical and forward-looking) and prior audit experience. In order to remain fully transparent, any change internal audit proposes to the priorities derived from the risk analysis needs to be justified in writing by internal audit.
A theoretical example: let's imagine for a moment that risks related to certain types of cash transactions are considered high exposure, based on the experience of the accountable people. However, internal audit knows, and has confirmed, that the number of cash transactions in the organisation is being significantly reduced because of initiatives taken to cover this risk. Internal audit may then, with a documented justification, lower the risk exposure level.
Since the accountable collaborators fill out the survey for each of their areas of accountability, the risks are already linked to auditable areas (the audit universe), and we can prioritise directly from the risk control matrix. For each area of accountability, be it an activity, a process or a subprocess, we can now calculate an overall risk exposure level. This prioritisation across the areas of responsibility (the audit universe) determines how often within the five-year audit cycle an audit of that area needs to be executed.
Audit coverage
Areas of responsibility with a high risk exposure level are covered twice each audit cycle. In practice this may be two full audits, an audit and an elaborate follow-up audit, or even an audit by internal audit followed by coverage by the Court of Auditors. Areas of responsibility with an average risk exposure level are covered once every audit cycle, while areas with a low risk exposure level are covered if adequate resources are available.
Audit coverage includes audits executed by our external auditors or the Court of Auditors. In order to ensure an adequate level of execution we will, at least once over the term of the management agreement, execute an "audit on audit": a peer review of the work of the external auditors and the Court of Auditors. This peer review allows us to assess whether the quality of the work executed by these external parties is adequate to give us reasonable assurance on the adequacy of governance, controls and risk management in the activities their audits cover. We will use the IIA's peer review approach. These reviews do not affect the independence of the external auditors or the Court of Auditors.
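The chain described above, from survey answers to an exposure score per area, a clustered risk control matrix, a justified override by internal audit, and finally the number of audits per five-year cycle, is small enough to show end to end. The following is an added example and not the author's tooling: the survey responses are constructed sample data, the 1-to-5 scales, the exposure formula (impact times likelihood, scaled down by the current control level) and the clustering thresholds are assumptions, since the post only says that exposure levels are clustered, not how. The coverage rule (high twice per cycle, average once, low if resources allow) and the requirement that any override be justified come from the text.

```python
from statistics import mean

# Constructed sample survey responses, one row per (area, statement).
# Scales are assumed 1-5; relevance 0 means the statement does not apply to
# the area; control_level 5 means the risk is currently well managed.
SAMPLE_RESPONSES = [
    # area,            statement, relevance, impact, likelihood, control_level
    ("cash-handling",  "S01",     5,         5,      4,          2),
    ("cash-handling",  "S02",     4,         4,      4,          2),
    ("payroll",        "S01",     5,         4,      2,          3),
    ("payroll",        "S03",     3,         3,      2,          3),
    ("archiving",      "S05",     2,         2,      1,          3),
    ("archiving",      "S06",     0,         5,      5,          1),  # not relevant: ignored
]

SCALE_MAX = 5
# Assumed clustering cuts on the 0..25 exposure range (post gives no values).
THRESHOLDS = (("high", 10.0), ("average", 4.0), ("low", 0.0))
# Coverage rule from the post: high twice per five-year cycle, average once,
# low only when resources allow (planned as 0 here).
COVERAGE_PER_CYCLE = {"high": 2, "average": 1, "low": 0}


def statement_exposure(impact, likelihood, control_level):
    """Residual exposure of one statement: impact x likelihood, scaled down by
    how well the risk is currently managed (assumed formula, not the post's)."""
    control_gap = (SCALE_MAX + 1 - control_level) / SCALE_MAX  # 1.0 unmanaged .. 0.2 well managed
    return impact * likelihood * control_gap


def area_exposure(responses):
    """Mean residual exposure per area over the statements judged relevant."""
    per_area = {}
    for area, _stmt, relevance, impact, likelihood, control in responses:
        if relevance == 0:
            continue
        per_area.setdefault(area, []).append(statement_exposure(impact, likelihood, control))
    return {area: mean(scores) for area, scores in per_area.items()}


def cluster(score):
    """Map a numeric score to a coarse exposure level; the post wants clusters, not fine ranking."""
    for level, floor in THRESHOLDS:
        if score >= floor:
            return level
    return "low"


def risk_control_matrix(responses):
    """Area -> (exposure score, exposure level): the clustering proposed to the management committee."""
    return {area: (round(score, 2), cluster(score)) for area, score in area_exposure(responses).items()}


def apply_adjustment(matrix, area, new_level, justification):
    """Internal audit may override a level, but only with a recorded justification."""
    if not justification or not justification.strip():
        raise ValueError(f"override of {area} requires a written justification")
    score, old_level = matrix[area]
    matrix[area] = (score, new_level)
    return {"area": area, "from": old_level, "to": new_level, "justification": justification}


def audit_plan(matrix):
    """Number of audits per five-year cycle for each area, from its exposure level."""
    return {area: COVERAGE_PER_CYCLE[level] for area, (_score, level) in matrix.items()}


if __name__ == "__main__":
    rcm = risk_control_matrix(SAMPLE_RESPONSES)
    print("risk control matrix:", rcm)
    log = [apply_adjustment(rcm, "cash-handling", "average",
                            "cash volumes confirmed to be falling due to the cashless initiative")]
    print("adjustments:", log)
    print("audits per five-year cycle:", audit_plan(rcm))
```

Keeping the override in a separate function that refuses an empty justification is what makes the transparency requirement enforceable: the adjustment log, not the final matrix, is what the audit committee sees when it asks why a high-exposure area is planned only once.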
Planning frequency
The long-term internal audit plan is based on the risk analysis executed once over the term of the management agreement or every five years, whichever is shorter. The continued relevance of the risk analysis is questioned each year by re-submitting the assessment to the management team for validation. If the management team adapts the risk analysis, the internal audit plan is reassessed and, if necessary, re-submitted to the audit committee for validation.
Other adaptations to the audit plan are only possible in case of changes within our organisation or in its operating environment which require a full or partial re-execution of the risk analysis.
You can find part II of this article here.