
IIA Forum Disccusion: Risk Based Internal Audit Plan

Written By YCS on Sunday, June 21, 2015 | 11:14 PM

In this posting, I would like to share my thoughts from a discussion in the LinkedIn forum of The Institute of Internal Auditors (Official Global Group), 75,410 members. The topic of discussion is Risk Based Audit Annual Plan, proposed by Laura Rea. From this discussion, I hope we can learn something, and I believe that some readers may agree with, disagree with, or have opinions other than the opinions presented below. I have posted a simple practical guide to risk based internal audit - for auditing application control. In the next posting I would like to share more about what RBIA is, and what to do if there is no risk management process performed by management.

Laura Rea, CIA Senior Manager

Assurance Services at University Federal Credit Union, Top Contributor
I have a couple of questions regarding annual risk assessments:
1. Who conducts the annual risk assessment used for establishing a risk-based plan to determine priorities of the internal audit activity?
2. Is this a risk assessment the Internal Audit Department develops, or do you use a risk assessment developed by Risk Management or Enterprise Risk Management or another business unit in your organization?
3. Does it impair independence or violate auditing standards to use a risk assessment developed by another party to determine your risk-based audit work plan? Why or why not?

Rudzani Thagwana CIA

Audit Specialist(Likelihood Change Agent)
My comment is based entirely on my experience.
1. Risk Assessment is conducted by the Enterprise Risk Department annually, involving representatives from all business units.
2. The risk register is used to develop the audit plan. Furthermore, internal audit considers previous years' audit assessments, knowledge of the business as well as emerging risks which may have been omitted during the assessment.
3. I would advise that you still evaluate what is contained in the risk assessment to ensure that all relevant risks were considered. I hope I have assisted.

Venkata S. Akella, MMS; CFE

Certified Fraud Examiner
I fully agree with Mr. Rudzani.


Head, Internal Audit at China Yuchai International Ltd
Hi Laura, pertaining to the questions on risk assessment, please see below:
1. The Head of Internal Audit (or Audit Director) will conduct the annual risk assessment for the preparation of the risk based audit plan. The annual audit plan will then be submitted to the Audit Committee Chairman for his/her comment and review and eventually to the Board of Directors for approval.
2. The risk assessment will be developed by Internal Audit ("IA"). If an organisation has an ERM department which has a risk register, IA may use it as a reference for its preparation of the annual audit plan. While IA conducts the risk analysis and assessment, IA should take the following areas into consideration prior to grading the risks in the risk scoring system developed by IA:
a) assessment of the internal and external environment (using PEST and SWOT analysis)
b) annual group business strategy and objectives
c) past and present (or recurring) major audit issues highlighted by external audit, internal audit and the SOX team (if any)
d) financial data (balance sheet and P&L)
e) understanding of the controls of individual core business processes as well as analysing the risk of each individual process
3. If you refer to statements 1 and 2, the answer is there. IA reports functionally to the Audit Committee. Hence IA should perform the risk assessment independently.

Arnold Schanfield, CIA, CPA

Principal, Schanfield Risk Management Advisors LLC
Top Contributor
Risk assessment is the responsibility of management to do, and it is not a static thing done yearly. It should be done on an ongoing basis. Risk assessment is a critical piece of the entire risk management system.
Internal audit is responsible for providing assurance to the company on the risks and, after making sure that the risk assessment is "sound", should identify the critical risks which will form the basis for the annual audit plan.

Kaya Kwinana, CIA

Certified Internal Auditor
Top Contributor
An organisation which implements adequate governance, risk management and control processes will have:
1. Risk assessments conducted by management throughout the organisation and consolidated for the organisation.
2. Risk assessments which are always up to date (changes in elements of the risk assessment - objectives, criteria, risks, risk appetite, risk significance, risk strategy, controls etc - are made immediately)
3. Risk assessments never to be conducted by internal auditing for any reason - who only provide advice on and assess how they are done.
4. The utility of risk assessments for development of the internal audit plan is in the information provided by the monitoring component, which should conclude whether the governance, risk management and control processes are adequate and effective.  If the answer is negative, a consulting engagement is indicated, if positive, an assurance engagement. The final decision on type of engagement is to be made during engagement planning.
5. An appropriate internal audit plan is one which seeks firstly to extend advice on the implementation of governance, risk management and control processes to as much of the organisation as soon as possible, secondly to provide independent assessments of the same where appropriate and, increasingly rarely, to provide the appropriate consulting or assurance services regarding particular organisational objectives senior management is concerned with.
In time there should be no need for management to want to be assured by internal auditing that the processes are in place to provide reasonable assurance that particular organisational objectives will be achieved. Such assurance should be available directly from the organisation on an ongoing basis. Such management requests are an indication of gaps still to be filled in the service provided by internal auditing.

Sharafuddin Modhawi

Head of Internal Audit at Raysut Cement Company
Risk assessment is conducted by a steering committee representing all processes within the organization. Whilst risk management is the responsibility of senior management, the role of internal audit is to assure that the established controls are adequate to mitigate such risks. However, the risk assessment or risk register will help the development of the internal audit plan, which shall consider strategic and operational risks, governance, management concerns and the results of previous audits.
Therefore, I think independence is not impaired by using such documents and others, as long as the audit function is performed by independent auditors based on records and reports made by management.

Rob Jones

Hi Laura,
Interesting questions and some equally interesting responses.
Firstly, I would suggest that an Annual Risk Assessment is no longer good enough, as we have to be conscious of 'emerging risk' and therefore an Annual Audit Plan should not be cast in stone. I tend to build 'ad hoc' (uncommitted) time into the Plan to cater for 'emerging risk' without affecting the Planned Assignments if possible, but should priorities change, we need to be in a position to identify the emerging requirements and go back to our stakeholders (principally the Audit Committee but Executive Management as well) and advise of the need to change the plan due to a higher risk becoming apparent.
Secondly, if you consider the 'three lines of defence' model put forward by the Basel Committee, then Risk Management is clearly a 'second line' with IAD being the 'third line' (and independent); therefore, why would I rely on the 'second line' of defence to perform my risk assessment? After all, they themselves will be subject to audit. I would be foolish to ignore their risk assessment, but I would still prefer to perform my own. I'm not sure about your Audit Department, but in most I've worked for, the annual hours required for coverage of the whole Audit Universe exceed the hours available, and whilst there is the option of insourcing resources, this can only really be applied to High Risk areas, or areas where specialist skills are required which are not immediately available within the department. So we need to determine our own priorities, i.e. High, Medium and Low Risks.
Lastly, does reliance on a third party risk assessment impair objectivity? I would say yes, as we have a responsibility to be Objective and 'Independent'.
So I suggest meeting with Stakeholders (Audit Committee / Executive and Senior Business Managers), getting an understanding of their concerns (Audit Committee / Executive Mgt) and, for the business managers, the direction in which they are heading (i.e. new products, new business lines, new processes, new or changed systems, organisational / staffing changes, regulatory changes etc.); reviewing the Risk Assessment performed by Risk Management; considering past audit ratings / findings and the knowledge of the Audit Team; and using the information gathered to conduct our own Risk Assessment and prepare the Audit Plan for Audit Committee approval.
These are purely my personal thoughts based on my previous experience - hope they provide food for thought.

Yulias Sihombing, Ak, MAk, CIA, CPA

Senior Auditor at Badan Pengawasan Keuangan dan Pembangunan
I would like to share my understanding regarding the risk assessment approach used in establishing a risk based annual audit plan.
First, the term used in Standard No. 2010 or the Practice Advisories is "risk assessment approach/technique". In my understanding, IA does not perform risk management processes, but rather uses a similar risk assessment technique or approach, like the technique used in risk management processes.
So, IA is the one who conducts the risk assessment techniques when establishing the risk based audit plan.
Second, as required by Standard No. 2010, IA must "consider (not must use)" the input from Senior Management and the Board in the process of the Risk Based Audit Plan. Further, the Practice Advisories state that "IA make 'An Assessment of the Organization's RM Process' and determine what parts can be used in developing the internal audit activity's plan and what parts can be used for planning individual internal audit assignments." It means that IA considers using the risks identified by management in their risk register/risk map as one of the risk factors when we develop our risk based audit plan. Other risk factors would be, for example, monetary exposure, internal control assessment from previous audits, management integrity, current change in the environment, initial or repeated audit, etc.
Before we use the management risk register/map as an input, we first should assess the adequacy and the effectiveness of the organization's RM process. If appropriate, we can use the risk register/map; otherwise, the CAE should use his own judgment of risk, after considering the input from SM / Board.
So, considering those steps when IA performs the risk assessment approach for establishing the risk based audit plan, I believe that IA complies with the standards and the independence of IA would not be impaired, because IA is "just considering the input from Mgt/Board, and after assessing the appropriateness of the input".
Please correct me if I am wrong.
I hope it answers your questions.

Venkata S. Akella, MMS; CFE

Certified Fraud Examiner
I sincerely appreciate the comment made by Mr. Rob Jones. This is almost in line with the practice prevalent in the internal audit practices of the Indian banking industry. Internal audit cannot plan for audits based only on the risks mapped by the Risk Management dept. on merely a historical perspective. We need invariably to take into account the emerging risks, not only in the same enterprise but also those emerging in the total environment, to review the adequacy and/or efficacy of the existing controls and suggest measures to strengthen them further or even introduce new checks and controls.
Further, internal audit cannot and should not ignore its responsibility of providing adequate assurance to all stakeholders. In my experience of over three decades, the Audit Committee as well as the regulator questioned the bank's adequacy and ability in identifying and assessing the internal controls as well as checks whenever a major fraud surfaced in the organization. They (the audit committee and regulator) always tend to question internal audit and not the risk management dept or the executive management.
Thanks and regards.

Juan Carlos Corrales Corrales
Consultant in risk, finance, economics and public accounting.
I agree with Mr. Rudzani Thagwana. Why? In order to make better use of the resources in the company, it is best practice to be aligned with the organization and deliver more added value, and there exist organizations that have very robust processes for the identification and analysis of risks, which the IA work could never replicate by itself, so you should always consider the information generated by these processes.

Darrell Lee

Vice President - Internal Audit at American Century Investments
Hi Laura,
In our organization, Internal Audit performs an annual risk assessment used for establishing our risk based internal audit plan. The risk assessment model that we use is one provided by the Institute of Internal Auditors decades ago (maybe in the 1980s) that we have modified over the years. Actually, we evaluate our risk assessment questionnaire each year and may modify or add questions, or change the weightings as needed. Our risk assessment includes a section that addresses the risk assessments performed by management. In this way we do consider management's own risk assessment. The internal audit risk assessment consists of both a scored section and a section of open ended questions. From the internal audit risk assessment, a quantitative score to determine relative risk rankings for each audit area is achieved, and the open ended questions provide subjective information that can be considered beyond the relative risk ranking when developing the risk based internal audit plan. The philosophy on how we develop our risk based plan is a discussion for another day.
I agree with Rob Jones that internal audit's objectivity could be impaired if internal audit relied on a risk assessment performed by management or any other third party, and thus it would compromise the internal audit function's conformance with professional standards.
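As an added worked example, not from the original post or from any participant in the thread: a weighted risk-factor scoring model of the kind Darrell Lee describes (a scored questionnaire whose weightings are revisited each year), using risk factors like those Yulias Sihombing lists above (monetary exposure, prior control assessment, management integrity, change in the environment, first or repeated audit) and treating management's own risk register rating as one considered factor rather than the sole input, to rank an audit universe and fit it into a fixed hour budget while holding back the uncommitted reserve for emerging risk that Rob Jones suggests. The factor names, weights, band thresholds, hour figures and the five-area audit universe are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Risk factors and weights (assumed values; a department would revisit them
# each year). Each factor is scored by the auditor from 1 (low) to 5 (high).
WEIGHTS = {
    "monetary_exposure": 0.25,          # balance sheet / P&L size of the area
    "prior_control_weakness": 0.20,     # severity of findings from earlier audits
    "management_risk_register": 0.15,   # management's own rating: considered, not relied on
    "change_in_environment": 0.15,      # new systems, products, staff, regulation
    "management_integrity_concern": 0.15,
    "time_since_last_audit": 0.10,      # 1 = audited this year, 5 = five+ years or never
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9  # weights form a weighted average

# Band thresholds on the weighted score (assumed).
HIGH, MEDIUM = 3.5, 2.5


@dataclass(frozen=True)
class AuditArea:
    name: str
    factors: dict     # factor name -> score 1..5
    base_hours: int   # hours a full-scope engagement of this area would need


def validate_scores(factors: dict) -> None:
    """Reject a questionnaire with missing, unknown or out-of-range factors."""
    missing = set(WEIGHTS) - set(factors)
    unknown = set(factors) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, score in factors.items():
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{name}: score {score!r} not in 1..5")


def is_valid(factors: dict) -> bool:
    try:
        validate_scores(factors)
        return True
    except ValueError:
        return False


def risk_score(area: AuditArea) -> float:
    """Weighted sum of the factor scores, on the same 1..5 scale as the inputs."""
    validate_scores(area.factors)
    return round(sum(WEIGHTS[f] * area.factors[f] for f in WEIGHTS), 3)


def band(score: float) -> str:
    return "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"


def rank_universe(areas) -> list:
    """(name, score, band) tuples, highest risk first; ties broken by name."""
    scored = []
    for a in areas:
        s = risk_score(a)
        scored.append((a.name, s, band(s)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def build_plan(areas, available_hours: int, reserve_fraction: float = 0.15) -> dict:
    """Schedule the highest-scoring areas into the hours available, after holding
    back an uncommitted reserve for emerging risk. Areas that do not fit are
    deferred and stay in the universe for the next assessment."""
    reserve = int(available_hours * reserve_fraction)
    remaining = available_hours - reserve
    by_name = {a.name: a for a in areas}
    scheduled, deferred = [], []
    for name, _score, b in rank_universe(areas):
        hours = by_name[name].base_hours
        if hours <= remaining:
            scheduled.append((name, b, hours))
            remaining -= hours
        else:
            deferred.append((name, b, hours))
    return {"scheduled": scheduled, "deferred": deferred,
            "reserve_hours": reserve, "unallocated_hours": remaining}


# Constructed audit universe (sample data, not from any real organisation).
UNIVERSE = [
    AuditArea("Treasury and cash management", dict(monetary_exposure=5, prior_control_weakness=3,
              management_risk_register=4, change_in_environment=3, management_integrity_concern=2,
              time_since_last_audit=3), 300),
    AuditArea("Payroll", dict(monetary_exposure=3, prior_control_weakness=4, management_risk_register=2,
              change_in_environment=2, management_integrity_concern=2, time_since_last_audit=4), 200),
    AuditArea("Vendor master data", dict(monetary_exposure=3, prior_control_weakness=5,
              management_risk_register=3, change_in_environment=4, management_integrity_concern=4,
              time_since_last_audit=5), 250),
    AuditArea("Facilities maintenance", dict(monetary_exposure=1, prior_control_weakness=2,
              management_risk_register=1, change_in_environment=1, management_integrity_concern=1,
              time_since_last_audit=2), 120),
    AuditArea("IT change management", dict(monetary_exposure=4, prior_control_weakness=3,
              management_risk_register=3, change_in_environment=5, management_integrity_concern=2,
              time_since_last_audit=1), 220),
]

if __name__ == "__main__":
    for name, score, b in rank_universe(UNIVERSE):
        print(f"{score:4.2f} {b:6} {name}")
    print(build_plan(UNIVERSE, available_hours=1000))
```

With 1,000 hours and a 15% reserve, the three highest-scoring areas fit and Payroll and Facilities are deferred; the open-ended questionnaire section Darrell Lee mentions would be where an auditor overrides that ordering, and the model makes the override visible because the numeric ranking is recorded separately from the final plan.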

Robert Cochrane

Principal Consultant at Pt UNICO NUSANTARA
Top Contributor
Bapak Yulias Sihombing, Ak, MAk, CIA makes the key point here, I believe, i.e. the IIA International Standards highlight the need for IA to be independent, and given that Risk Management / Assurance / Insurance are line management functions, IA cannot rely on the adequacy of a line function but must exercise its independence in evaluating management's ability to protect the entity from risks and threats.

Kaya Kwinana, CIA

Certified Internal Auditor
Top Contributor
I find the suggestion that internal auditing should be conducting risk assessments very interesting but misguided, in my opinion.
Let us say new risks (not identified by the engagement clients) have been identified, what then?
Let us further say that an engagement is scheduled for six months hence, to "address" that risk. What engagement type will that be, an assurance or consulting engagement? If it is an assurance engagement, what alternative opinions are anticipated? If a consulting engagement, on what will it be said consulting was provided?
Will internal auditing share the risk with the engagement clients? When? If not immediately, why not? If not at all, why?
What happens should the risk be “addressed” before the scheduled engagement?
It is a mistake to look at internal auditing, or whoever, to provide this assurance.
For reasons articulated in the “Internal Audit Plan” discussion, I consider the 2010 group of standards to be populist and contrary to the rest of the mandatory IPPF guidance, for example, standard 2100, 2110, 2120 (interpretation), 2201, the definitions of internal auditing, added value, assurance and consulting services, all of which focus internal auditing on governance, risk management and control PROCESSES as opposed to the risks espoused by the 2010 group of standards.
Risk assessments are not an internal audit plan development tool.
I suggest that one should rather look at the periodical assessments of engagement clients as a basis for developing an internal audit plan which aims firstly, to get the whole organisation to understand how to implement adequate and effective governance, risk management and control processes and, secondly, as reliable engagement client periodic assessments return positive results, to provide independent assessments thereof.
So, how much of your organisation knows how to implement adequate and effective governance, risk management and control processes?
How much of your organisation currently has 2 or more quarters of reliable periodic assessments affirming the implementation of adequate and effective governance, risk management and control processes?
How much of the organisation, with 2 or more quarters of reliable periodic assessments affirming the implementation of adequate and effective governance, risk management and control processes, have you provided independent assessments on?
How much of the organisation on which you have provided independent assessments on, has not had an independent assessment in the last 12 months?
Your internal audit plan should be focused on improving your answers to the above. I bet you’ll know intuitively in which direction the improvements are to be found for each of the questions!

Dom Tallerico

Financial Services
Going back to Laura's specific questions:
For 1, typically Internal Audit.
For 2, again, Internal Audit, though in most organizations I have been in or know of there is another dept. (usually some sort of risk management area) that also does it.
For 3, independence impairment if done by another party should not occur because, after all, there should logically be only one risk assessment for any organization.
Now the reality is that many risk management areas in an organization do not have, or fail to maintain, a risk assessment suitable for internal audit purposes, such as scheduling audits and related activities. I always strive to move toward one organizational risk assessment. Ways of achieving this include sharing an internal audit prepared risk assessment with management, particularly risk management areas; fostering management involvement in the risk assessment process (e.g., solicit feedback, interviews, attend meetings, review minutes of meetings not attended, etc.); conforming internal audit risk assessments with others in the organization (e.g., use same risk categories, match big picture items, etc.); and continuously updating the risk assessment during the year.

Robert Cochrane

Principal Consultant at Pt UNICO NUSANTARA
Top Contributor
Kaya's comments support my statement of yesterday that the IIA International Standards require IA not to be the provider of risk analysis services for an entity, but to audit that management process. Yes, to do an audit properly IA should review risks and risk management, and part of that process is to review line management's risk management functionality etc.
Kaya, some of the worst examples of IA hopelessness I have seen or read about have been where corporations and other entities use contractors to carry out IAs. I am new to this LinkedIn group, but I am sure other truly internal, FT employed IA execs would support my view. If you know IA as I do (after ten years of senior executive roles in IA), contract IA is a contradiction in terms, as the contractors invariably do not get the inside oil about issues and people in the audit client.

Yulias Sihombing, Ak, MAk, CIA, CPA

Senior Auditor at Badan Pengawasan Keuangan dan Pembangunan
I would like to clarify my previous comments.
First, I am not saying that IA does the risk management function, but in establishing a "risk-based annual audit plan", IA should apply a risk assessment approach (steps similar to the risk management process). That is why it is called "a risk based annual audit plan", so IA would allocate its limited resources to focus its audits on areas which have significant risks. The IIA has issued GTAG 8 Auditing Application Controls and GTAG 11 Developing the IT Audit Plan, which use a risk assessment approach. Perhaps GTAG 8 and 11 would be good material for us, as guidance on how to establish a risk-based annual audit plan.
Second, our discussion topic is about the risk-based annual audit plan. Regarding what type of engagement IA should perform, the IPPF (specifically in the Position Paper: The Role of Internal Auditing in ERM) suggests that if there is no or a weak risk management process, then IA should plan and perform a consulting engagement, and may conduct an assurance engagement if applying safeguarding criteria. If there is a sound risk management process, then IA should plan and perform an assurance engagement.

Arnold Schanfield, CIA, CPA

Principal, Schanfield Risk Management Advisors LLC
Top Contributor
I agree with your first paragraph above, and this is quite a sore subject in the internal audit world, as most internal audit departments do not specifically comply with what you are stating because they truly do not grasp the essence of the specifics of the risk management framework and the risk management process. It is unacceptable in any situation for internal audit to be performing the risk assessment, or modifying or tweaking it or doing a million different things to it. Yet most of the internal audit departments you speak to, especially in the United States, are actually doing bits and pieces of the risk assessment. That is management's job, and if management has not done their job, they need to be told about it. Unfortunately, internal audit is missing some of the training needed to describe the kinds of things needed to improve the end product.
On your second paragraph, I too have seen awful things from contractors. On the other hand, I have also seen awful things from internal auditors. There is a rationale on whether something should be outsourced, and I am not saying this because I in fact am a contractor. I spend most of my professional time advising clients whether they should outsource internal audit or not. I use many materials to help clients through this process. In some cases, after reviewing the materials, I come to the conclusion that it should be management that is outsourced and internal audit kept.

Robert Cochrane

Principal Consultant at Pt UNICO NUSANTARA
Top Contributor
Well said Arnold !
I agree with you, and clearly you have great experience.
Perhaps if CFOs who signed the accounts had to sign a declaration that their entities' IA function met the IIA's international standards, things might improve on the independence front.
I guess my outsourcing conceptual problem is due to seeing the Big 6 firms carry out "IAs" by sending out junior staff in short bursts to do the task, and in many years of seeing them do that I have never been asked about systems soundness from a risk assessment perspective - the best I have seen is for these junior staff to look at internal controls on expenditure transactions / order generation. I am sure that in the US there are specialist, highly skilled firms like yours that do not fit this mould, but I have yet to see this in Australia.
I guess the main argument for outsourcing IA is that it avoids the sycophant syndrome - where chief executives often hire older finance staff who are very sensitive to being fired, or very junior staff who may be very easily intimidated, to the role, and they rarely stand up and be counted when the CEO perpetrates a massively risky strategy.

Kaya Kwinana, CIA

Certified Internal Auditor
Top Contributor
Yulias, I welcome these comments you make: "Regarding what type of engagement IA should perform, the IPPF (specifically in the Position Paper: The Role of Internal Auditing in ERM) suggests that if there is no or a weak risk management process, then IA should plan and perform a consulting engagement, and may conduct an assurance engagement if applying safeguarding criteria. If there is a sound risk management process, then IA should plan and perform an assurance engagement".
My point is that one obtains knowledge of whether or not organisational units are implementing adequate and effective governance, risk management and control processes from the respective units' periodic assessments, rather than from risk assessments.
One then schedules engagements to respond to the reliability and results of those periodic assessments. If reliability and/or results are negative, consulting engagements are provisionally scheduled. If both reliability and results are positive, assurance engagements are provisionally scheduled.
I say "provisionally scheduled" because the situation may have changed by the time internal auditing is ready to conduct the engagement. At that time, internal auditing should reconfirm the previous information. Standard 2201 and the 2210 group of standards, are there to specifically help in this regard - of deciding which of assurance or consulting engagement must be conducted.
It is irresponsible of any internal auditor in charge of an engagement to blindly follow instructions from whoever as to what engagement type to conduct, be it management, audit committee or CAE. That decision is made on the basis of specific information obtainable from the engagement planning stages mentioned above.
Back to the internal audit plan. As internal auditors we need to respect the hierarchy of the authoritative guidance. In other words, strongly recommended guidance may support mandatory guidance but may not be contrary to it. By the same token, strongly recommended guidance needs to be internally consistent, that is, any mandatory guidance must be consistent with the mandatory guidance taken as a whole. This is important!
Any guidance, (strongly recommended or mandatory or neither), supporting risk based internal audit plans or risk based internal auditing is not consistent with the mandatory IPPF guidance taken as a whole.
This is because standard 2100, the definitions of internal auditing, added value, assurance and consulting services, all require internal auditing to provide advice or independent assessments on governance, risk management and control PROCESSES, not risks or controls.
It is these PROCESSES, when adequate and effective, rather than internal auditing or the process owners or whoever, that provides the organisation with TIMELY reasonable assurance that organisational objectives will be achieved.
Internal auditing is grossly unequipped to provide this reasonable assurance, which is the life blood of organisations. Even less likely will it do so with a risk based approach, which is in reality a populist approach which only provides a feel good factor to organisations - that something is done to address the PROBLEMS.

  1. Sir, if you could, please post discussion results like this more often; I was truly helped by the discussion, and thank you very much for the knowledge, sir.

  2. Sure, thanks for visiting...

Copyright © 2015. Internal Auditor's Corner - All Rights Reserved