From risk to planning
Making the bridge from risks to audit plans
Richard Maggs
Astana, September 2014
Risk

Audit plans must be risk based.

"The chief audit executive must establish risk-based plans to determine the priorities of the internal audit." (IIA Standard 2010)

"The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually." (IIA Standard 2010.A1)

The last RAWG meeting considered risk assessment. This meeting will focus on preparing strategic and annual plans.
Key definitions for risk-based planning

The objective of risk-based planning is to ensure that the auditor examines the subjects of highest risk to the achievement of the organisation's objectives.
Audit plans must be developed through a process that identifies and prioritizes potential audit topics.
The audit universe is the entire population of potential audit topics.
The risks or opportunities have to be assessed, and decisions taken on other risk factors that may influence the priority to be given to each element of the audit universe (audit objects).
Recap on the five steps in the guide

1. Determining and categorising the audit universe (see chapter 2 of RAAP).
2. Identifying individual events that may give rise to risks and opportunities across the audit universe (see chapter 3 of RAAP).
3. Scoring events in terms of probability and impact (taking into account management actions to mitigate risk) to identify the level of residual risk (see chapter 3 of RAAP).
4. Building risk-based audit plans by using generic risk factors and scoring criteria for each factor to determine the audit priority of all audit objects within the audit universe (see chapter 4 of RAAP).
5. Presenting the results of risk-based planning by writing and updating strategic and annual work plans (see chapter 5 of RAAP).
Audit risk assessment

Audit risk assessment is part of planning. It is a process in which auditors consider (i) individual events and the risks and opportunities these represent to the achievement of the objectives of elements of the audit universe, and (ii) generic risk factors that help prioritize work towards the areas of highest risk.
The purpose of audit risk assessment is to ensure that audit resources are directed to the audit of the areas of highest risk to the organisation.
Audit risk assessment is different from the risk management undertaken by managers. See Table 1 in the RAAP guide.
Why do we need a bridge from risks to plans?

There may be hundreds of individual risks.
Risk is not the only factor that influences the decision to carry out an audit. Others include:
- Materiality
- Complexity of transactions
- Controls
The auditor is interested in residual risk, which must take into account the effectiveness of controls:
Inherent risk minus controls = residual risk
Recap on the audit universe (1)

The phrase "audit universe" is a simple way of referring to the totality of all things that an internal auditor could separately examine.
The universe consists of the totality of "auditable objects". An auditable object is a way of identifying and describing a discrete part of the business, system or process which can be separately audited.
Auditable objects need to be large enough to justify an audit and small enough to be manageable.
Recap on the audit universe (2)

Traditionally, auditable objects were categorised by organisational structure, a "vertical" analysis, in which an auditable object equated with one or a number of organisational units.
But it is also important to design audit coverage from a horizontal or cross-functional view of the entity, that is, "horizontal" audits based on entire business processes.
The top five categorisations used by internal audit are:
- Organisational structure (departments, divisions, units, stand-alone projects)
- Common processes (payments, receipts, asset management, procurement, contracting, inventory, human resource management)
- Location (headquarters, regional offices, local offices)
- Operational programmes
- Service lines
Selecting audits from the audit universe

The objective of this stage of the process is to determine what needs to be audited from within the audit universe.
We build risk-based audit plans by applying risk factors to each element of the audit universe. It may help to think of "risk factors" as "selection factors".
Keep the number of risk factors to between 4 and 8. Too few risk factors will limit the effectiveness of the exercise; too many will increase the time the exercise takes without producing substantially better results.
Choose the risk factors that make the most sense for the organisation you are auditing.
Common risk (selection) factors

- Financial materiality
- Complexity of activities
- Control environment
- Reputational sensitivity
- Inherent risk
- Extent of change
- Confidence in management
- Fraud potential
- Political sensitivity
- Time since last audit
Process

Develop a set of criteria to score, and therefore rank, the relative need to audit each of the possible audit objects within the audit universe.
Consider adding a weighting factor, as not all risk (selection) factors are equally important.
Make sure that the risk index scores and priorities are reasonable: (a) calculate the theoretical maximum score before setting the index priorities, and (b) be prepared to change the index priorities if the results are obviously unrealistic (for example, if every audit is shown as high priority).
Example – scoring factors
Example – weighting factors
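The scoring and weighting process described in the Process slide, carried through as a worked example. This is an added illustration, not material from the presentation or the RAAP guide: the six factors are taken from the "Common risk (selection) factors" list, but the weights, the 1-to-5 scale, the priority bands and the sample audit objects with their scores are all constructed here. It also performs the two sanity checks the slide asks for: the theoretical maximum is computed before priorities are assigned, and the result is flagged as unrealistic when most of the universe comes out as high priority.

```python
"""Risk-based audit prioritisation: weighted factor scoring over an audit universe.

Constructed example. Factor names come from the presentation; weights, scale,
bands, audit objects and scores are illustrative assumptions.
"""
from typing import Dict, List, Tuple

# Weights are assumptions for this example. A higher weight means the factor
# counts for more in the risk index (the slide suggests weighting because not
# all selection factors are equally important).
WEIGHTS: Dict[str, int] = {
    "Financial materiality": 3,
    "Control environment": 3,
    "Complexity of activities": 2,
    "Extent of change": 2,
    "Fraud potential": 2,
    "Time since last audit": 1,
}

# Every factor is scored 1 (low) to 5 (high) per audit object. The scale is
# oriented so that 5 always means "greatest need to audit": a weak control
# environment or a long time since the last audit scores high.
SCORE_MIN, SCORE_MAX = 1, 5

# Constructed sample audit universe (names from the "common processes" and
# "location" categorisations on the slides; scores are invented).
UNIVERSE: Dict[str, Dict[str, int]] = {
    "Procurement":               {"Financial materiality": 5, "Control environment": 4,
                                  "Complexity of activities": 5, "Extent of change": 3,
                                  "Fraud potential": 5, "Time since last audit": 4},
    "Payments":                  {"Financial materiality": 5, "Control environment": 2,
                                  "Complexity of activities": 3, "Extent of change": 2,
                                  "Fraud potential": 4, "Time since last audit": 2},
    "Inventory":                 {"Financial materiality": 3, "Control environment": 3,
                                  "Complexity of activities": 2, "Extent of change": 4,
                                  "Fraud potential": 3, "Time since last audit": 3},
    "Human Resource Management": {"Financial materiality": 2, "Control environment": 2,
                                  "Complexity of activities": 2, "Extent of change": 1,
                                  "Fraud potential": 2, "Time since last audit": 1},
    "Regional offices":          {"Financial materiality": 3, "Control environment": 4,
                                  "Complexity of activities": 2, "Extent of change": 5,
                                  "Fraud potential": 3, "Time since last audit": 5},
}


def validate_weights(weights: Dict[str, int] = WEIGHTS) -> None:
    """Enforce the slide's guidance of 4 to 8 selection factors, all positively weighted."""
    if not 4 <= len(weights) <= 8:
        raise ValueError("use between 4 and 8 risk (selection) factors")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")


def theoretical_maximum(weights: Dict[str, int] = WEIGHTS) -> int:
    """Step (a) on the slide: the highest index any object could reach."""
    validate_weights(weights)
    return SCORE_MAX * sum(weights.values())


def risk_index(scores: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> int:
    """Weighted sum of factor scores for one audit object; rejects missing or out-of-range scores."""
    total = 0
    for factor, weight in weights.items():
        if factor not in scores:
            raise KeyError(f"missing score for factor {factor!r}")
        score = scores[factor]
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"score for {factor!r} must be {SCORE_MIN}-{SCORE_MAX}, got {score}")
        total += weight * score
    return total


def priority(index: int, weights: Dict[str, int] = WEIGHTS,
             bands: Tuple[float, float] = (0.75, 0.50)) -> str:
    """Map an index to High/Medium/Low by its share of the theoretical maximum.

    The cut-offs (75% and 50% by default) are an assumption; step (b) on the
    slide says to revise them if the resulting distribution is unrealistic.
    """
    share = index / theoretical_maximum(weights)
    if share >= bands[0]:
        return "High"
    if share >= bands[1]:
        return "Medium"
    return "Low"


def rank_audit_universe(universe: Dict[str, Dict[str, int]],
                        weights: Dict[str, int] = WEIGHTS,
                        bands: Tuple[float, float] = (0.75, 0.50)) -> List[Tuple[str, int, str]]:
    """Return (object, index, priority) for every audit object, highest index first."""
    ranked = [(name, risk_index(scores, weights), priority(risk_index(scores, weights), weights, bands))
              for name, scores in universe.items()]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def priority_distribution_is_reasonable(ranked: List[Tuple[str, int, str]],
                                        max_high_share: float = 0.5) -> bool:
    """Step (b) check: if more than max_high_share of objects are High, the bands need revising."""
    highs = sum(1 for _, _, p in ranked if p == "High")
    return highs / len(ranked) <= max_high_share


if __name__ == "__main__":
    print(f"theoretical maximum index: {theoretical_maximum()}")
    table = rank_audit_universe(UNIVERSE)
    for name, index, prio in table:
        print(f"{name:<28}{index:>4}  {prio}")
    print("distribution reasonable:", priority_distribution_is_reasonable(table))
```

With these constructed weights the theoretical maximum is 65, procurement alone comes out High (57), and the distribution check passes. Lowering the High band to 30% of the maximum would make every object High, which is exactly the "obviously unrealistic" outcome the slide warns about, and the check reports it so the index priorities can be revised before the plan is written.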
Final comment

The process of moving from individual risk assessment to selecting subjects for audit can be confusing, as there is no direct link between assessing individual risks
This is a transition issue that arises because of the lack of good risk management in government ministries and agencies.
Consider carrying out internal audits that encourage management to put more effective risk management processes in place.