An Introduction To Risk Based Auditing PDF
Internal auditing
An introduction
David Griffiths PhD FCA
www.internalaudit.biz
Version 4.4
RBIA - An introduction - contents
Contents
Contents
David M Griffiths
Introduction
1 The basics
  1.1 What is a risk?
  1.2 How do we manage risks?
  1.3 How do we assess internal controls?
  1.4 Who is responsible for implementing internal controls?
  1.5 What is the role of internal audit?
  1.6 Where does risk management fit in?
  1.7 Summary
2 The internal audit opinion
  2.1 What is the opinion?
  2.2 Declarations about the state of internal control
    2.2.1 Committee of Sponsoring Organizations of the Treadway Commission (COSO) (US)
    2.2.2 The UK Corporate Governance Code
    2.2.3 King (South Africa)
  2.3 The opinions
  2.4 When is the opinion presented?
  2.5 How is the opinion reached?
3 Establishing the internal control framework
  3.1 The stages
  3.2 Measuring risks
    3.2.1 Scoring
    3.2.2 Measuring the effect of controls
  3.3 What risks is the board prepared to accept?
  3.4 Specifying objectives
  3.5 Identifying risks
    3.5.1 The role of management
    3.5.2 The role of internal audit
  3.6 Finding the significant risks
    3.6.1 Start at the top
    3.6.2 Interviewing
    3.6.3 Risk workshops
    3.6.4 The accounts
  3.7 Identifying controls
  3.8 Organizing objectives, risks and controls
    3.8.1 What we have
    3.8.2 Level 1 objectives and risks
    3.8.3 Level 2 objectives and risks
    3.8.4 Level 3 objectives and risks
    3.8.5 A hierarchy of objectives, risks and internal controls
    3.8.6 An alternative method
  3.9 Recording the risks
    3.9.1 What we've got so far
    3.9.2 The Objectives, Risks and Controls Register
    3.9.3 Updating the register
    3.9.4 The next steps
4 The Risk Based Internal Audit
  4.1 What is risk based internal auditing?
  4.2 The RBIA stages
5 Risk maturity
  5.1 Assessing the organization's risk maturity
  5.2 Levels of risk maturity
  5.3 The impact of risk maturity
  5.4 Reliability of the risk register
    5.4.1 Objective of this step
    5.4.2 Internal audit work
    5.4.3 The risk maturity checklist
    5.4.4 Opinion
6 Compiling the risk and audit universe
  6.1 Objective of this step
  6.2 Which risks?
  6.3 Allocate risks to audits
    6.3.1 Categorize the risks
    6.3.2 Group the risks
    6.3.3 Small organizations
    6.3.4 Systems audits?
  6.4 The RBIA Documentation
    6.4.1 The risk and audit universe (RAU)
    6.4.2 The audit database
    6.4.3 Summary
7 The annual audit plan
  7.1 Objective of this step
  7.2 Why an annual plan?
  7.3 Which audits to select?
  7.4 How often to audit?
    7.4.1 Use a 'Heat map'
    7.4.2 Reduce the inherent risk score
  7.5 Resources
  7.6 The ongoing risk and audit universe
  7.7 Publishing the annual plan
  7.8 Quarterly plan
8 The audit
  8.1 Objective of the audit
  8.2 What is an audit?
    8.2.1 The aim of an audit
    8.2.2 The basic structure of an audit
  8.3 A - Planning
  8.4 B - Background information
  8.5 C - The audit scope
  8.6 D - Meetings
  8.7 E - Evaluate risk maturity
  8.8 F - The audit database (ORCR)
    8.8.1 Set-up
    8.8.2 Determine risks and controls
  8.9 G - Testing controls
  8.10 H - Deficiencies
    8.10.1 Update reports
    8.10.2 Identifying deficiencies
    8.10.3 The close down meeting
  8.11 I & J - Reporting to management
    8.11.1 The report
  8.12 Projects
  8.13 Summary report to the audit committee
9 Pushing out the boundaries
  9.1 How the boundaries of internal auditing are changed
  9.2 Perception of internal audit
  9.3 Relationship with management
  9.4 Staff expertise
  9.5 Management responsibility for risk management
  9.6 Management of the internal audit department
  9.7 The benefits
  9.8 Disadvantages
  9.9 Some questions
    9.9.1 What happened to the consultancy responsibilities of internal auditing?
    9.9.2 Do I have to throw away my work programs and questionnaires?
    9.9.3 Do financial audits disappear?
    9.9.4 Where does Control Self-assessment (CSA) fit in?
    9.9.5 What's Enterprise Risk Management (ERM)?
    9.9.6 What about the IIA standards?
    9.9.7 What about the COSO framework?
    9.9.8 Where do fraud investigations fit in?
10 Glossary
11 Further reading
  11.1 Links
  11.2 You want to manage information or teach computing??
12 Appendices
  A Internal auditing objectives
  B Interviewing
  C Running a risk workshop
  D Objectives and risks
  E The ORCR inherent scores (part only)
  F Assessing the organization's risk maturity
  G Risk and audit universe for the year 20X1 (part)
  H Risk and audit universe annual plan (part)
  I Quarterly plan (part)
  J Audit database (146 Transport of food to camps) (part)
  K Risks to be considered
  L Transport of food - objectives, risks and controls report (part)
Risk based internal auditing by David Griffiths is licensed under a Creative Commons
Attribution-NonCommercial 3.0 Unported License.
David M Griffiths
Biography
In 1972, I finished my chemistry Ph.D. at the University of Nottingham (UK) and
joined Price Waterhouse as a trainee accountant.
I qualified in 1976 and moved to the internal audit department of the Boots Company
PLC, a retail chemists and healthcare company (5bn turnover), before assisting in
the introduction of inflation accounting.
I returned to be Head of the internal audit department (Chief Audit Executive) a year
later, in charge of 12 staff. Promotion to Head of Pharmaceutical Accounting
Services followed, where I was responsible for 100 staff in payroll, fixed assets,
accounts payable and accounts receivable departments.
Following the reorganization of Accounting Services, I returned to internal audit, as
Internal Audit Manager. I introduced risk based auditing into the department, using a
database at its core similar to the Excel spreadsheet used on the website. This
methodology was used for most audits, including computer and systems
development audits.
I have now retired and am spending my spare time trying to keep my web site
maintained! I was a member of the Institute of Internal Auditors (U.K.) Technical
Development Committee and was involved in the writing of the Guidance Note on
implementing RBIA. I also served as a trustee for an almshouse charity, where I
compiled the risk database in Microsoft Access, which is available on the website.
The views expressed in this book and on the web site, are my own and are not
endorsed by the IIA or Boots.
I have written websites on managing information (http://www.managing-information.org.uk/) and teaching the basics of computing (www.learncomputing.org.uk).
Introduction
Welcome to risk based internal auditing (RBIA). The aim of this website, and the
books and spreadsheets available from it, is to push out the boundaries of internal
auditing by providing practical ideas on implementing (risk based) internal auditing.
These ideas are not meant to represent best practice but to be thought provoking.
There are four books with associated spreadsheets:
1. Book 1: Risk based internal auditing - an introduction. (This book). This
introduces risk-based principles and details the implementation of risk based
auditing for a small charity providing famine relief, as an example. It includes
example working papers.
2. Book 2: Compilation of a risk and audit universe. This book aims to show you how to assemble a Risk and Audit Universe (RAU) for a typical company and extract audit programs from it. The audit program in Book 4 is based on the accounts payable audit from the RAU in Book 2.
3. Book 3: Three views on implementation. Looks at the implementation of risk
based internal auditing from three points-of-view: the board; Chief Audit
Executive (CAE); internal audit staff.
4. Book 4: Audit Manual. The manual provides ideas about how to carry out a risk
based internal audit of accounts payable. It is based around the actual working
papers, similar to those in the audit from Book 1.
I won't claim that my ideas in this book are shockingly original; indeed, most are built on accepted thinking and practices. This book is not intended to be a lengthy, well-researched academic treatise, but a simple introduction. I've therefore used an informal, as opposed to an academic, style. I'll leave you to judge whether this works.
I would also advise you to look for further information from the links on the website.
This introduction is aimed at anyone interested in internal auditing, from audit
committee members to students. It is split into chapters. The first deals with the
principles of internal auditing and should be of interest to all readers. The remaining
chapters show how to introduce risk based internal auditing into an organization and
are more suited to readers who have some experience of internal auditing.
Internal auditing is related to both corporate governance and risk management.
Corporate governance includes internal auditing and I have not covered other
aspects of it in this book. I have covered risk management, but only as it affects
internal auditing.
Please remember when reading the book and the spreadsheets that they are only
presenting simplified examples. In practice there would be many more objectives,
risks and controls than I have listed. It is your responsibility to take the ideas you like
and adapt them for your organization. Please don't blindly copy them.
I should mention that this book discusses the objectives of internal auditing as a 'tool' within an organization, and not the objectives of an internal audit department.
Hopefully, the primary objective of an internal audit department will be to achieve the
objectives of internal auditing, but other aims may also involve documenting controls,
stock counting, providing staff on secondment, routine branch audits and efficiency
audits.
1 The basics
1.1 What is a risk?
Risk based internal auditing involves risks. So why are we bothered about risks?
Because they threaten our objectives.
They may threaten our personal objectives - the risk of a delayed train threatens a
visit to our family; or our organization's objectives - the risk of a competitor's new
product threatens our profits.
So what is a risk? My definition:
A risk is a set of circumstances that hinder the
achievement of objectives.
This definition requires the existence of objectives. If we don't have any objectives, we don't have any risks. It also results in an interesting observation: the same set of circumstances can be an opportunity, or a risk, depending on our objectives.
For example, take a farmer with land near the River Nile and a curator managing a nearby museum. One objective of the farmer is to work fertile land, helped by the annual flood, which deposits river silt. One objective of the curator is to keep the exhibits in his museum safe. The flooding of the Nile is therefore a risk to the curator, but an opportunity for the farmer. So if you don't know your objectives, you aren't going to get far in managing your risks.
It's often said that risks are not always unwanted. For example, launching a new product is considered a risk, although not an unwanted one. I don't agree; launching a new product is a process with risks threatening its success. That doesn't mean we don't launch the product; it does mean we aim to reduce the risks to levels we can accept, which would at least be a level where we can reasonably expect the product to make a profit! So we should aim at managing all risks. Ideally, we should try to quantify risks threatening projects, for example by using financial risk modeling. In this way the risks can be compared with the potential benefits.
Risks are also a fact of life. Some managers would like to remove them completely,
but this is impossible without closing down the entire organization (which also
presents risks). So they need to be mitigated (managed).
1.7 Summary
So my current definitions may be summarized:
- Risks threaten objectives.
- Internal controls manage risks.
- Internal auditing provides opinions about whether internal controls are managing risks to acceptable levels.
Although my definitions are not the same as those from official bodies, I prefer them because:
- They are simple.
- They provide a clear trail from an organization's objectives to all the internal controls it requires, and to the purpose of internal auditing.
Opinion on assessment

Question 1 - Has management established a proper control framework? That is, has management: specified their objectives, identified the risks threatening these objectives and established controls which should reduce the risks to acceptable levels?
  YES: Thorough processes have been used, with the result that necessary controls to risks have been established. The objective will be achieved if the controls are operating.
  YES WITH EXCEPTIONS: Processes have been used, but there are some deficiencies which are not judged sufficient to prevent the achievement of the objective.
  NO: Inadequate, or no, processes have been used and it is probable that the objective will not be, OR is not being, achieved.

Question 2 - Are these controls sufficient and operating to bring the risks to below the risk appetite and ensure the achievement of the related objective?
  YES: Controls are sufficient and are operating to bring risks to below the risk appetite (although some action may be required; note in Supplementary issues). No more monitoring is necessary than is done at present. The objective is being achieved.
  YES WITH EXCEPTIONS: Controls are sufficient and are operating to bring most risks to below the risk appetite. However, some risks are not below the risk appetite but are not judged sufficient to prevent the achievement of the objective. Some additional monitoring may be required (see the report for details).
  NO: Controls are not sufficient and/or are not operating to bring risks to below the risk appetite. It is probable that the objective will not be, OR is not being, achieved. Major improvements are required to the monitoring of controls.

Question 3 - Is action being taken which will bring the risks to below the risk appetite and ensure the achievement of the objective?
  YES: The action being taken will result in all risks being mitigated to below the risk appetite.
  YES WITH EXCEPTIONS: The action being taken will still leave some risks above the risk appetite, but these are not judged sufficient to prevent the achievement of the objective.
  NO: No action is being taken, OR insufficient action is being taken to mitigate risks to below the risk appetite.

Opinion: YES / YES WITH EXCEPTIONS / NO
Report as: No deficiency / Deficiency / Major deficiency
The measure is defined by the consequence when the risk occurs OR by the likelihood of the risk occurring:

Score 5, Very high: consequence - to close down the organization, or a significant part, for a very long period; likelihood - almost certain.
Score 4, High: consequence - to prevent the organization achieving a major part of its objectives for a long time; likelihood - probable.
Score 3, Medium: consequence - to stop the organization achieving some of its objectives for a limited period; likelihood - possible.
Score 2, Low: consequence - to cause inconvenience but not affecting the achievement of significant objectives; likelihood - unlikely.
Score 1, Very low: consequence - to cause very minor inconvenience, not affecting the achievement of objectives; likelihood - rare.
If possible, it is useful to put values to the consequence score; for example, a cash loss over $1m might be considered very high if it threatened the existence of the organization. However, don't get carried away with a need for accuracy; remember we only need an approximate value to determine where we audit.
Since we need to sort risks, it helps to attach numbers to the risk measure (for
example 4 for High). Consequence and likelihood can be multiplied together to give
a single measure of the significance of a risk, or a different combination can be used.
For example, take the risk that one of our lorries used to deliver famine relief may
break down. Assuming we have only three, old lorries, the consequence could be
medium (scores 3) but the likelihood could be high (scores 4), giving a significance of
12.
Heat map (each cell shows the score and the board's classification of that combination):

Likelihood of risk   Insignificant (1)   Minor (2)               Moderate (3)            Major (4)               Catastrophic (5)
Almost certain (5)   (row not recoverable from the extracted figure)
Probable (4)         4  Acceptable       8  Supplementary issue  12 Issue                16 Unacceptable         20 Unacceptable
Possible (3)         3  Acceptable       6  Supplementary issue  9  Issue                12 Issue                15 Unacceptable
Unlikely (2)         2  Acceptable       4  Acceptable           6  Supplementary issue  8  Supplementary issue  10 Issue
Rare (1)             1  Acceptable       2  Acceptable           3  Acceptable           4  Acceptable           5  Issue
                     Consequence of risk

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
Note that the board has determined that a risk with catastrophic consequences and
rare likelihood requires action to manage it, even if it only has a score of five. Of
course that action may be to tolerate the risk if it cannot be cost-effectively reduced.
If we have a residual risk in an 'unacceptable' or 'issue' combination then this:
- Gives a 'NO' opinion against our control question.
- Is a 'major deficiency' in COSO terminology.
The risk appetite could be set higher for different parts of the organization, or for
development projects aimed at increasing the value of the organization.
3.6.2 Interviewing
The output from an interview is an individual's view of the risks hindering their objectives within the organization. The advantages of an interview are:
- It's easier to arrange than trying to get a group of people together.
- People may be prepared to express their concerns, which they may not wish to do in a meeting. This should give rise to a wider range of risks than from a meeting.
The disadvantages are:
- The wide range of risks will be more difficult to categorize.
- You will still have to run a risk workshop to get consensus on the consequence and likelihood of risks.
Some practical tips for interviews are given in appendix B.
5 Risk maturity
5.1 Assessing the organization's risk maturity
We've seen:
- How risks can be measured.
- How this measure can be used to decide whether risks are acceptable.
- That managers own risks and it is their responsibility to control them.
- That internal auditing provides an opinion, to management, as to whether these risks are properly controlled to within the board's risk appetite.
So internal audit can only provide an opinion where managers have determined their
risks.
In an ideal world, internal audit will have assisted managers to build a risk register
(ORCR) which can be the basis of a risk and audit universe (RAU).
In the real world we may not get the opportunity to influence the compilation of the ORCR. If we are lucky, it may be a collection of risks put together by managers who have been properly trained. If we are unlucky, we may get a collection of risks thrown together by untrained managers who want to get on with their real jobs. The degree to which the organization understands risks and has implemented risk management is known as its risk maturity.
The tasks involved in using the ORCR to derive the Risk and Audit Universe (RAU)
are shown below.
Audit frequency heat map (each cell shows the inherent score and how often a risk with that score is audited):

Likelihood of inherent risk   Insignificant (1)     Minor (2)             Moderate (3)          Major (4)             Catastrophic (5)
Almost certain (5)            5  Every three years   10 Every two years    15 Every year         20 Every year         25 Every year
Probable (4)                  4  Never               8  Every three years  12 Every two years    16 Every year         20 Every year
Possible (3)                  3  Never               6  Every three years  9  Every two years    12 Every two years    15 Every year
Unlikely (2)                  2  Never               4  Never              6  Every three years  8  Every three years  10 Every two years
Rare (1)                      1  Never               2  Never              3  Never              4  Never              5  Every three years

Factor applied to the inherent score, by time since the last audit and the audit result opinion (green = risk is controlled, amber = risk is partially controlled, red = risk is not controlled):

Time since last audit   Green   Amber   Red
1 year                  0.5     0.75    1
2 years                 0.75    1       1
So, if the risk has a score of 12, was audited one year ago and found not to be
controlled (red), it would be scored with a significance of 12*0.75 = 8 when drawing
up the audit plan.
So, we take the risk and audit universe (RAU) (appendix G) we have so far, add
details of previous audits to it, and apply the factor to give us the adjusted score for
the year (appendix H - full version in spreadsheet). This is a more sophisticated
system than the cyclical method and does have the important advantage of taking
into account the results of the last audit. At this point we now have a means of sorting
the RAU by the adjusted inherent risk score to give us risks in order of priority for an
opinion on the effectiveness of their management.
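The scoring rule of section 3.2.1, the board's heat map of section 3.3, the audit-frequency heat map of section 7.4.1 and the score adjustment of section 7.4.2, carried through on a small risk and audit universe as an added worked example in Python; this is not code from the book or from its spreadsheet. The "Almost certain (5)" row of the section 3.3 heat map is not recoverable from this copy, so that row, the green/amber/red column order of the adjustment factor table and a factor of 1 for risks never audited or last audited more than two years ago are assumptions, marked as such in the code. The sample RAU entries are constructed; only the lorry breakdown (consequence 3, likelihood 4) comes from the text.

```python
# Added example, not code from the book or its spreadsheet: sections 3.2.1, 3.3,
# 7.4.1 and 7.4.2 applied to a small constructed risk and audit universe (RAU).

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}

ACCEPTABLE, SUPPLEMENTARY, ISSUE, UNACCEPTABLE = (
    "Acceptable", "Supplementary issue", "Issue", "Unacceptable")

# Board's risk appetite: HEAT_MAP[likelihood][consequence - 1].  Rows 1-4 are as
# printed in the book; the "Almost certain" row did not survive extraction, so
# row 5 is an ASSUMPTION that simply continues the printed pattern.
HEAT_MAP = {
    5: [SUPPLEMENTARY, ISSUE, UNACCEPTABLE, UNACCEPTABLE, UNACCEPTABLE],  # ASSUMED row
    4: [ACCEPTABLE, SUPPLEMENTARY, ISSUE, UNACCEPTABLE, UNACCEPTABLE],
    3: [ACCEPTABLE, SUPPLEMENTARY, ISSUE, ISSUE, UNACCEPTABLE],
    2: [ACCEPTABLE, ACCEPTABLE, SUPPLEMENTARY, SUPPLEMENTARY, ISSUE],
    1: [ACCEPTABLE, ACCEPTABLE, ACCEPTABLE, ACCEPTABLE, ISSUE],
}

# Years between audits from the section 7.4.1 figure (0 = never on the cycle).
AUDIT_CYCLE_YEARS = {
    5: [3, 2, 1, 1, 1],
    4: [0, 3, 2, 1, 1],
    3: [0, 3, 2, 2, 1],
    2: [0, 0, 3, 3, 2],
    1: [0, 0, 0, 0, 3],
}

# Weight applied to the inherent score after a previous audit (section 7.4.2).
# The figure has rows for 1 and 2 years; the green/amber/red column order follows
# its legend (ASSUMED), and a risk never audited or last audited 3+ years ago
# keeps its full score (ASSUMED).
ADJUSTMENT_FACTOR = {
    1: {"green": 0.5, "amber": 0.75, "red": 1.0},
    2: {"green": 0.75, "amber": 1.0, "red": 1.0},
}


def inherent_score(consequence, likelihood):
    """Significance = consequence x likelihood, both on the 1-5 scale."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must both be 1..5")
    return consequence * likelihood


def appetite_classification(consequence, likelihood):
    """The board's verdict on the combination, which is not a pure function of
    the product: Rare/Catastrophic scores only 5 yet is still an Issue."""
    inherent_score(consequence, likelihood)  # validates the inputs
    return HEAT_MAP[likelihood][consequence - 1]


def residual_risk_opinion(consequence, likelihood):
    """Opinion and report wording for a residual risk (section 3.3 rule)."""
    if appetite_classification(consequence, likelihood) in (UNACCEPTABLE, ISSUE):
        return ("NO", "Major deficiency")
    return ("YES", "No deficiency")


def audit_cycle_years(consequence, likelihood):
    """How often the 7.4.1 figure says a risk of this inherent score is audited."""
    inherent_score(consequence, likelihood)
    return AUDIT_CYCLE_YEARS[likelihood][consequence - 1]


def adjusted_score(consequence, likelihood, years_since_audit=None, last_result=None):
    """Inherent score weighted by the age and result of the last audit."""
    score = inherent_score(consequence, likelihood)
    factors = ADJUSTMENT_FACTOR.get(years_since_audit)
    if factors is None:  # never audited, or 3+ years ago (ASSUMED: full weight)
        return float(score)
    if last_result not in factors:
        raise ValueError("last_result must be green, amber or red")
    return score * factors[last_result]


def prioritise(universe):
    """Annotate each RAU entry and sort by adjusted score, highest first."""
    ranked = []
    for risk in universe:
        cons, like = risk["consequence"], risk["likelihood"]
        ranked.append(dict(
            risk,
            inherent=inherent_score(cons, like),
            classification=appetite_classification(cons, like),
            cycle_years=audit_cycle_years(cons, like),
            adjusted=adjusted_score(cons, like, risk.get("years_since_audit"),
                                    risk.get("last_result")),
        ))
    return sorted(ranked, key=lambda r: r["adjusted"], reverse=True)


# Constructed sample RAU for the book's famine-relief charity.  Only the lorry
# breakdown (consequence 3, likelihood 4) comes from the text; the rest is invented.
SAMPLE_RAU = [
    {"ref": "R1", "risk": "Lorry breaks down during a food delivery",
     "consequence": 3, "likelihood": 4, "years_since_audit": 1, "last_result": "green"},
    {"ref": "R2", "risk": "Warehouse fire destroys the food stock",
     "consequence": 5, "likelihood": 1},
    {"ref": "R3", "risk": "Donor records corrupted",
     "consequence": 4, "likelihood": 3, "years_since_audit": 2, "last_result": "amber"},
    {"ref": "R4", "risk": "Volunteer rota published a day late",
     "consequence": 1, "likelihood": 4},
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RAU):
        print(f"{r['ref']} inherent {r['inherent']:>2} adjusted {r['adjusted']:>5} "
              f"{r['classification']:<20} audit every {r['cycle_years']} yr: {r['risk']}")
```

Running the module prints the constructed RAU in plan order. Two points it makes that the text states but a product alone hides: the classification is looked up on the combination, so Rare/Catastrophic (score 5) is an Issue while Unlikely/Moderate (score 6) is only a Supplementary issue; and it is the adjusted score, not the inherent one, that sorts the plan, so the lorry risk (inherent 12, found controlled a year ago) drops below the donor-records risk with the same inherent score.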
8 The audit
8.1 Objective of the audit
To provide an opinion as to whether the risks covered by the audit are being
managed to within the risk appetite. The processes involved are shown below.
8.3 A - Planning
Planning is important for any audit but more important if we are involving managers
and staff who have never seen an auditor. Meetings will have to be arranged months
before the audit to brief managers about the audit process, while at the same time
learning about the state of risk maturity in their department. If this needs improving,
now is the time for management to get it done.
The better everyone is prepared, the easier the audit process.
8.6 D - Meetings
This section of the working papers includes notes of all meetings up to the writing of
the draft report. Detailed minutes of meetings are usually unnecessary but notes of
meetings which record important issues raised and decisions made should be typed
up and sent to all concerned. This, hopefully, will avoid any misunderstandings about
what was decided!
8.10 H - Deficiencies
8.10.1 Update reports
We should have kept the managers (of the objectives being audited) informed of
progress throughout the audit, particularly if major deficiencies were found. This
gives them the opportunity to implement additional controls as soon as possible and
avoids nasty surprises at the close down meeting. Circulate notes from these
meetings (section D).
BUT
Don't place too much reliance on the scoring! It's a guide not an absolute.
Before you finalize the list of deficiencies, for each risk, ask yourself:
- Am I convinced the control, as specified by management, is working?
- Am I able to inform the board/audit committee that the control is sufficient to bring the risk to below their risk appetite?
- Will management know if the control fails in the future?
If the answer to any of these questions is not a clear 'YES', you must report a
deficiency, whatever the risk score (which needs to be changed to reflect your
concern).
We are now able to form preliminary opinions on the management of each of the
risks:
Has management: specified this objective, identified the risk threatening this
objective and established control(s) which should reduce the risk to acceptable
levels?
Is the control(s) sufficient and operating to bring the risk to below the risk appetite
and ensure the achievement of the related objective?
Where residual risks are above the risk appetite (opinion = No or Exception), these
will be listed for discussion with management (section H). The opinion on each risk
will determine the overall conclusions.
8.12 Projects
The audit of projects, for example the implementation of a new computer system, is
different from the risk-based audit of an ongoing system for two reasons:
1. The timescales are much longer. An audit of a major project would last over its
life, possibly several years.
2. An opinion is required as to whether the following risks are being managed:
Risks hindering the project from delivering the objectives on time and within
budget.
Risks which will be present from day one of the project implementation (for
example when the system goes live).
The identification of risks hindering the project should be relatively straightforward;
for example, we can hold risk workshops with the project team. These should help us
identify most risks, but we will have to update the risk database every month, to take
account of risks changing as the project progresses. For the same reason, we will
issue a brief report every month, providing an opinion to management as to whether
risks are being managed, reporting those that are not and indicating the action being
taken.
The risks that will be present when the project is implemented are more difficult to
assess. For a start, we are unlikely to know the controls which will be in place; in fact
we'll probably have to advise on them. It's difficult to maintain objectivity here, but we
can hardly refuse since we're meant to be the experts! However, in a large project,
the team should have their own control experts, leaving us to assure management
that they are operating properly. In practice, the least we should expect in the early
stages of a project is an ORCR with possible controls. As the project progresses this
should become more detailed, until it resembles the standard ORCR. As with the
project risks, we should issue regular monthly reports.
9.8 Disadvantages
With every advantage there are always some disadvantages:
The closer relationship with the rest of the organization may reduce the
independence of the internal audit function. We should prevent this by making the
responsibility of internal auditing clear and by adopting the 'iron fist in a velvet
glove' approach.
It's hard work! We have to sell the risk-based process to the organization, get it to
tell us its risks, score them and then have to carry out some difficult audits which
we have never done before! Stakeholder management is vital, and takes time.
While the principles are simple, the delivery can be complex, as we can see from
the spreadsheets.
10 Glossary
Beware: these are not official definitions!
Audit Plan: A list of audits to be carried out in a specified time frame.
Board: An organization's governing body, such as a board of directors, supervisory
board, head of an agency or legislative body, board of governors or trustees of a
non-profit organization.
Control: a process which manages a risk.
Control Score (gap): The difference between the inherent and residual risk scores.
The higher the value, the more important the control.
Deficiency: A risk which is not below the residual risk appetite and which, if it
occurred, would hinder, but not prevent, the achievement of the objective it is
threatening.
Director: Member of a controlling board, such as a company director, trustee,
councilor or governor.
Enterprise-wide Risk Management (ERM): A structured, consistent and continuous
process across the whole organization for identifying, assessing, deciding on
responses to and reporting on opportunities and threats that affect the achievement
of its objectives.
Facilitating: Working with a group (or individual) to make it easier for that group (or
individual) to achieve the objectives that the group has agreed for the meeting or
activity. This involves listening, challenging, observing, questioning and supporting
the group and its members. It does not involve doing the work or taking decisions.
Inherent (gross) Risk: a risk evaluated without any responses being taken into
consideration.
Internal auditing: provides an independent and objective opinion to an
organization's management as to whether its risks are being managed to acceptable
levels.
Internal audit activity: the function (department) which delivers internal auditing to
the organization. It may also be responsible for other activities such as providing
accounting staff to cover vacancies and facilitating risk management. It will usually
consist of internal audit staff, managed by a Head of Audit (HIA), governed by a
charter established by the organization's audit committee.
Internal control: a term usually used to indicate the response to a risk, the options
being: terminate, transfer, tolerate or treat.
Management of Risks: The implementation of responses to risks, which reduce
their threat to below the level of the risk appetite or, where this is not possible,
reports the risk to the board.
Major deficiency: A risk which is not below the residual risk appetite and which, if it
occurred, would prevent the achievement of the objective it is threatening.
Monitoring: Processes which report to management, at appropriate intervals, the
success, or otherwise, of the responses to risks.
ORCR (Objectives, Risks and Controls Register): The complete list of objectives
of the organization, with the risks threatening their achievement and the controls
intended to bring the risks to below the risk appetite.
Process: a task which assists in delivering an organization's objectives (for example,
dispatch of goods), or controls risks (authorization of invoices), or provides a risk
framework (identifies risks).
David M Griffiths www.internalaudit.biz
Residual (net) Risk: a risk evaluated with any responses being taken into
consideration.
Risk: a set of circumstances that hinder the achievement of objectives.
Risk Appetite: The level of risk that is acceptable to the board or management. This
may be set in relation to the organization as a whole, for different groups of risks or at
an individual risk level. Risks above the risk appetite are considered a threat to the
reasonable assurance that an organization will achieve its objectives.
Risk and Audit Universe: The ORCR showing the audits which are intended to
provide assurance that each risk is properly managed.
Risk based internal auditing: see Internal auditing!
Risk Management Framework: all the processes which aim to identify, assess and
manage risks.
Risk Maturity: An assessment of how well an organization understands its risks and
is managing them.
Significant Risk: A risk, inherent or residual, above the risk appetite.
11 Further reading
11.1 Links
As it is difficult to keep links up-to-date and add new information as it becomes
available, I am making this available on www.internalaudit.biz.
12 Appendices
Topic | Appendix | Original*
Internal auditing objectives | A | Excel
*Excel appendices are in the 'RAU' spreadsheet which may be downloaded from
http://www.internalaudit.biz
RBIA appendix A
RBIA appendix B
B Interviewing
Tips are:
Find a champion for risk assessment among the group of people you are to
interview. This is typically the finance director (chief financial officer). Discuss the
best approach with them and get them to sell risk assessment to any doubters.
Do your homework. Ensure you know the organization's objectives and any
specific targets the director (or equivalent) may have. Think about the risks
yourself; you may have to provide examples. Talk to other parts of the business
that have regular contact with the directors, to get their advice.
Have someone to take notes while you question. This doesn't inhibit the
conversation, provided you tell the person being interviewed what is happening.
You can then classify these notes and discuss them at the later risk workshop.
The advantage of this approach is that it limits the possible wide-ranging
discussion about risks at the workshop and enables you to concentrate on the
necessary action to take on the major risks. However, limiting the discussion
could be a disadvantage.
At the start of the interview explain what a risk is, and why it's important to
determine them. Focus on the output of the exercise (it will help deliver the
objectives), so people can see, at the start, that their time in the meeting will have
benefits.
Interview people individually, with an agenda circulated before.
Allow an open discussion; don't try to direct it.
Bear in mind that one of the biggest risks to any organization is the directors, and
the decisions they make. There are plenty of examples over the past few years to
illustrate this point! You should therefore expect to have 'Make poor decisions' as
at least one risk.
When you have determined the risks from the interviews, these should be
documented and circulated. They can be used as the basis for a risk workshop to
decide on the significance of the risks, who is to ensure they are mitigated, and
when by.
RBIA Running a risk workshop appendix C
Preparation:
Identify the people who can best identify the risks. In the case of high-level risks
this will be the board (or equivalent). Avoid groups of more than 10 people.
Have two meetings if necessary.
Invite them to the workshop. Send an agenda, explaining why the output from the
workshop is important.
Experience has shown the workshop will last two hours to identify risks and their
consequence and likelihood. After two hours everyone will be too tired to carry
on. If you want a meeting to assign actions to risks, set up another meeting.
If you have difficulty in getting everyone together try:
Adding the workshop onto a meeting that most of your people attend (for
example, board meetings).
Having a long lunchtime workshop with a working buffet.
Prepare an introduction, which will define a risk and illustrate the output from the
meeting, and how it will be used.
Make sure you understand the objectives that are threatened by the risks you are
hoping to find.
The workshop
You will need a chairman, to ensure that everyone gets a chance to say
something, and a scribe, to write down the risks. The role of the scribe is very
important; it is not a silent role: they will ask for clarification before writing down a
risk.
Don't use complex technology as it may slow down the meeting and hence stifle
lively debate. When people are shouting out risks you need a good supply of
pens and flipchart paper (or chalk/white board).
Start by giving a short (no longer than 10 minutes) presentation that you prepared
earlier. This is when you can use technology.
Ascertain, from people at the meeting, the objectives of the organization, project
or area being audited. I believe this stage to be essential, as without objectives,
how can you begin to talk about risks? If people don't know their objectives, you
have just found a significant risk!
You should have no more than 6 objectives. Any more will result in people being
uncertain as to priorities (another risk). These objectives should be those of the
organization, project, or area being audited, not your objectives!
Write each objective on the top of a flip chart page, or whatever you are using to
record the risks. They must be visible to the entire meeting.
Scoring grid: likelihood of risk (rows) against consequence of risk (columns). Each
cell shows the score (likelihood x consequence) and its category. The labels for
likelihood levels 4 and 5, the categories in the Rare (1) row and the positions of the
'Supplementary' markings are not legible in this copy.

Likelihood of risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
(5) | 5 Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
(4) | 4 Acceptable | 8 Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3) | 3 Acceptable | 6 Issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Issue | 8 Issue | 10 Issue
Rare (1) | 1 | 2 | 3 | 4 | 5
Consequence of risk
For each risk, ask the meeting where it fits on the graph. This can be done by
writing the number on a Post-it note and sticking it on the paper. The advantage of
this method is that you can change your mind easily. Whatever you do, write the
agreed numbers directly on the paper after the meeting, as the Post-it notes fall
off when you take it down!
Don't be surprised if many of the absolute (inherent) risks are scored as 25. We are
looking at significant risks, with no controls. External risks, such as 'Information
predicting next year's harvest is not available', may have likelihoods less than
high.
For some risks there is a link between consequence and likelihood. For example,
take the risk 'lorries may break down'. If we have many lorries, we could score
this risk as the possibility of all lorries breaking down at once (consequence =
very high, likelihood = low) or the possibility of one lorry breaking down
(consequence = low, likelihood = very high). Either way the risk score is the same
(10). In these circumstances, the risk should be clearly stated.
We have defined likelihood and consequence measures for a 5x5 grid, but you
may wish to make up your own, particularly assigning monetary values to
consequence.
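As an added worked example (not the book's own code, and not a spreadsheet from www.internalaudit.biz), the following Python puts together the scoring grid above, the 'control score (gap)' from the glossary and the three-question deficiency test of section 8.10.1. The category bands (Acceptable up to 4, Issue 5 to 12, Unacceptable 15 and above) are read off the labelled grid cells; the risk appetite value, the convention that a residual score equal to the appetite is still within it, and the sample risks are assumptions constructed for illustration.

```python
"""Risk scoring on the 5x5 grid and the section 8.10.1 deficiency test.

Added example, not code from the book. Category bands are inferred from the
labelled cells of the appendix C grid; appetite and sample risks are
constructed for illustration.
"""
from dataclasses import dataclass

# Consequence labels are the grid's own. Likelihood labels for 4 and 5 are
# not legible on the page, so they are shown by number only (assumption).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "(4)", 5: "(5)"}


def score(likelihood: int, consequence: int) -> int:
    """Cell value of the grid: likelihood x consequence, each scored 1..5."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


def grid_category(cell: int) -> str:
    """Acceptable / Issue / Unacceptable banding inferred from the grid."""
    if cell <= 4:
        return "Acceptable"
    if cell <= 12:
        return "Issue"
    return "Unacceptable"


@dataclass
class Risk:
    name: str
    inherent: tuple[int, int]       # (likelihood, consequence) with no controls
    residual: tuple[int, int]       # (likelihood, consequence) with controls
    would_prevent_objective: bool   # True -> 'Major deficiency' if deficient
    # The three questions of section 8.10.1; any False forces a deficiency.
    control_working: bool
    control_sufficient: bool
    failure_would_be_noticed: bool


@dataclass
class Assessment:
    name: str
    inherent_score: int
    residual_score: int
    control_gap: int          # glossary 'Control Score (gap)': inherent - residual
    significant: bool         # inherent or residual above the appetite
    opinion: str              # 'Yes' (managed) or 'No'
    finding: str              # '', 'Deficiency' or 'Major deficiency'
    score_needs_review: bool  # score says 'within appetite' but auditor disagrees


def assess(risk: Risk, appetite: int) -> Assessment:
    """Apply the score test and the three-question override to one risk."""
    inh = score(*risk.inherent)
    res = score(*risk.residual)
    questions_ok = all((risk.control_working, risk.control_sufficient,
                        risk.failure_would_be_noticed))
    within_appetite = res <= appetite  # equality convention is an assumption
    # Report a deficiency when residual risk is outside appetite OR any of the
    # three questions lacks a clear YES, whatever the score says.
    deficient = (not within_appetite) or (not questions_ok)
    finding = ""
    if deficient:
        finding = "Major deficiency" if risk.would_prevent_objective else "Deficiency"
    return Assessment(
        name=risk.name,
        inherent_score=inh,
        residual_score=res,
        control_gap=inh - res,
        significant=inh > appetite or res > appetite,
        opinion="No" if deficient else "Yes",
        finding=finding,
        score_needs_review=deficient and within_appetite,
    )


def properly_controlled_percentage(results: list[Assessment]) -> float:
    """Share of risks with a 'Yes' opinion, the figure that heads the report."""
    if not results:
        return 0.0
    return 100.0 * sum(a.opinion == "Yes" for a in results) / len(results)


# Constructed sample register, loosely following the strategy and lorry examples.
SAMPLE_RISKS = [
    Risk("People unaware of the strategy", (5, 5), (2, 3), False, True, True, True),
    Risk("Lorries may break down", (2, 5), (2, 2), False, True, True, False),
    Risk("Strategy becomes out of date", (4, 5), (3, 5), True, True, False, True),
]
RISK_APPETITE = 6  # constructed: residual scores up to 6 are tolerated

if __name__ == "__main__":
    results = [assess(r, RISK_APPETITE) for r in SAMPLE_RISKS]
    for a in results:
        print(f"{a.name:30} inherent={a.inherent_score:2} ({grid_category(a.inherent_score)})"
              f" residual={a.residual_score:2} gap={a.control_gap:2} opinion={a.opinion:3}"
              f" {a.finding}{' [score needs review]' if a.score_needs_review else ''}")
    print(f"Properly controlled: {properly_controlled_percentage(results):.0f}%")
```

The second sample risk shows the 8.10.1 override: its residual score of 4 is within appetite, yet it is reported as a deficiency because management would not know if the control failed.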
So you now know what risks are threatening your objectives, and which ones are
considered significant. Experience shows that you also have a group of people
who now understand, if they didn't before, the importance of understanding risks.
You will have taken about two hours to reach this point and everyone is
exhausted. STOP NOW!
Assigning risks
The next stage is to consider how each risk is being, or should be, mitigated by
internal controls, who should be accountable and when they should have
completed their task.
This can be done using another meeting of all the people involved, an individual
meeting, for example with the project sponsor, or several meetings, for example if
you want to determine the internal controls present as part of an audit.
Objective | Sub-objective | Risk | Risk group | Scores (two factors and product)
Devise a strategy for the next five years to deliver our objectives | The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Strategy not put into action | 5 | 5 | 25
Devise a strategy for the next five years to deliver our objectives | The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | Strategy not put into action | 5 | 5 | 25
Devise a strategy for the next five years to deliver our objectives | The strategy is converted into targets and action for all staff | New projects do not add value | Strategy not put into action | 5 | 5 | 25
Devise a strategy for the next five years to deliver our objectives | Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Strategy becomes out-of-date | 4 | 5 | 20
Key characteristics by risk maturity level:
Risk naive: No formal approach developed for risk management.
Risk aware: Scattered silo-based approach to risk management.
Risk defined: Strategy and policies in place and communicated. Risk appetite defined.
Risk managed: Enterprise approach to risk management developed and communicated.
Risk enabled: Risk management and internal controls fully embedded into the operations.

Process questions and audit tests (core IA roles in brackets). In the original grid
each question is answered No, In part or Yes for each maturity level from Risk naive
to Risk enabled; those cell entries are not recoverable from this copy.

Process | Audit test (core IA roles in brackets)
Are the organization's objectives defined? | Check the organization's objectives are determined by the board and have been communicated to all staff. Check other objectives and targets are consistent with the organization's objectives. (1)
Have management been trained to understand what risks are, and their responsibility for them? | Interview managers to confirm their understanding of risk and the extent to which they manage it. (1)
Has a scoring system for assessing risks been defined? | (audit test not legible in this copy)
Have all risks been collected into one list? Have risks been allocated to specific job titles? | Examine the Risk Universe. Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers. (1)
Have all risks been assessed in accordance with the defined scoring system? | Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores). (2)
Have responses to the risks (e.g. controls) been selected and implemented? | Examine the risk register to ensure proper controls should be in place. (3)
Have management set up controls to monitor the proper operation of key controls? | For significant risks, examine the control(s) treating it and ensure management would know if the control failed. (5)
Are risks regularly reviewed by the organization? | Check for evidence that a thorough review process is regularly carried out. (1)
Has the risk appetite of the organization been defined in terms of the scoring system? | Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated. (1)
Have management reported risks to directors where responses are not managing the risks to a level acceptable to the board? | For risks above the risk appetite, check that the board has been formally informed of their existence. (4)
Are all significant new projects routinely assessed for risk? | Examine project proposals for an analysis of the risks which might threaten them. (1)
Is responsibility for the determination, assessment, and management of risks included in job descriptions? | Examine job descriptions. Check the instructions for setting up job descriptions. (1)
Do managers provide assurance on the effectiveness of their risk management? | Examine the assurance provided. For key risks, check that controls and the system of monitoring are operating. (4)
Are managers assessed on their risk management performance? | Examine a sample of appraisals for evidence that risk management was properly assessed for performance. (1)

Internal audit approach by risk maturity level:
Risk naive: Promote risk management and rely on audit risk assessment.
Risk aware: Promote enterprise-wide approach to risk management and rely on audit risk assessment.
Risk defined: Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate.
Risk managed: Audit risk management processes and use management assessment of risk as appropriate.
Risk enabled: Audit risk management processes and use management assessment of risk as appropriate.
Objective | Risk | Controls | Owner | Audit | Scores | (remaining columns as extracted)
The strategy is converted into targets and action for all staff | People in the organization are unaware of the strategy | Managers brief all staff yearly. The strategy is on the intranet. New staff have an induction course. | HR Director | B Strategy Communication | 5 5 25 | red, 20X0, 131, 1, 0.75, 18.75
The strategy is converted into targets and action for all staff | Charity's aims not achieved effectively and efficiently. Possible loss of funds | HR director meets with all management prior to the setting of targets to discuss the targets which will achieve the objectives | HR Director | C Staff Targets | 5 5 25 | never done, never done, n/a, n/a, 1, 25
The strategy is converted into targets and action for all staff | New projects do not add value | All new projects must have a clear purpose, a risk analysis, financial justification using @RISK | Managing Director | D Project Approval | 5 5 25 | never done, never done, n/a, n/a, 1, 25
Aims and plans to be regularly updated as circumstances change | Charity does not achieve its objectives because strategy not updated | Board discuss and update strategy at their October meeting | Managing Director | A Strategy setting and update | 4 5 20 | green, 20X0, 130, n/a, 0.75, 18.75
Total days 65 5 5 5 5 5 5 5 5 5 5
Objective | Risk | Control | Test | (remaining columns as extracted)
Hire drivers | Drivers not available | List of drivers available for hire is kept by the compound office | Checked list. It is not regularly updated | Drivers may not be available; Insufficient drivers available; no; yes; 1
This is only part of the audit database. It should be downloaded from www.internalaudit.biz (Book 1 spreadsheet 146workingpapers)
K Risks to be considered
The following key risks should be considered in any audit although, in practice, they
may be more specific, and extensive, depending on the audit area.
Competencies
Risk | Control
Staff competencies required have not been identified | Job descriptions for all staff, showing competencies required
Actual competencies of the staff have not been matched with required competencies | Regular appraisals. Linked to training
Training is not provided | Appropriate training courses available
Staff not allowed to attend training | Monitoring attendance at courses and follow up by a senior manager committed to training
Contingency
Risk | Control
Major incident destroys important company resources | A Business Contingency Plan exists, has been tested and kept up to date
Computer
There are many risks connected with computers. The controls over some of these,
such as viruses and access to change programs, can be checked as part of audits
to look specifically at the risks. Controls over other risks, such as access to change
data, can be considered in the audit which involves testing this data.
RBIA Objectives, risks and controls report appendix L
(from audit)
Objective | Risk | Control
Receive instructions from country office | Instructions not received | Country office confirms receipt.
Receive instructions from country office | Instructions are late | No controls at HQ to ensure instructions are sent on time
Hire drivers | Drivers not available | List of drivers available for hire is kept by the compound office
Hire drivers | Drivers not properly qualified | Drivers' documents are checked and copies made
Plan route | Route is blocked | Work with other agencies and the military to plan routes
Arrange to collect food | No food available! | HQ arrange for food to be available in the warehouses
Load fuel | Fuel not available for lorries | Fuel is stored in the compound
RBIA Comparison with IIA standards appendix M
2050 - Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
Comment: The CAE will need to liaise with any 'Risk Management' function. (Reference: Book 2 1.2) The board will need to define the responsibilities of functions responsible for risk, such as Health and Safety and Quality Control. (Reference: Book 3 2.3)
2060 - Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Comment: A summary report will be sent to the audit committee. (Reference: Book 1 8.13)
2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
Comment: The first three bullet points are included within the Objectives, Risk and Controls Register (ORCR) and individual audits. The first bullet point is included in Book 2's ORCR: Level 2 strategic objective, 'Establish clear codes of conduct to be followed by all staff (includes the board)'. The second and third bullet points are included in all audits. The fourth bullet point is not addressed in the website. (Reference: Book 2 ORCR)
2110.A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
Comment: Included in the ORCR Strategic Objectives. (Reference: Book 2 ORCR)
2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
Comment: Included in the ORCR and each audit. (Reference: Book 2 ORCR; Book 4 ORCR)
2120 - Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Comment: The risk maturity of the organization is assessed before audit planning and as part of each audit. (Reference: Book 1 5, 8.7; Book 4 E)
2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.
Comment: Covered by each audit. (Reference: Book 4 ORCR)
2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Comment: Covered by each audit. (Reference: Book 4 ORCR)
2130 - Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Comment: Covered by each audit. (Reference: Book 4 ORCR)
2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.
Comment: Covered by each audit. (Reference: Book 4 ORCR)
2200 - Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.
Comment: Included in the scope for an individual audit. (Reference: Book 4 A, C)
2210.A3 - Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.
Comment: The risk maturity of the organization is assessed before audit planning and as part of each audit. (Reference: Book 1 5, 8.7; Book 4 E)
2220 - Engagement Scope
The established scope must be sufficient to achieve the objectives of the engagement.
Comment: The scope is approved by the CAE and agreed with management. (Reference: Book 4 C)
2220.A1 - The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
Comment: The scope will consider these where the risk is above the risk appetite. (Reference: Book 4 C)
2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
Comment: Not included.
2230 - Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
Comment: Resources are decided as part of the annual planning process. (Reference: Book 1 7.5) Resources are allocated in the quarterly plan. (Reference: Book 1 7.8)
2300 - Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.
Comment: The manual details these procedures to be used during an audit. (Reference: Book 4 B, E, F, G, H)
2310 - Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
Comment: The manual details these procedures to be used during an audit. (Reference: Book 4 B, E, F, G, H)
2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors' opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
Comment: Report is headed by opinions, supported by proper evidence. (Reference: Book 1 Chapter 2; Book 4 J)
2410.A2 - Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.
Comment: Report shows a percentage for risks which are properly controlled, which demonstrates the performance of management and staff. (Reference: Book 4 J)
2410.A3 - When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results.
Comment: Not included.
2420 - Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Comment: The manual is based on these qualities. (Reference: Book 4)
2421 - Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.
Comment: Not included.
2430 - Use of 'Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing'
Internal auditors may report that their engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing", only if the results of the quality assurance and improvement program support the statement.
Comment: Not included.
2440.A1 - The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
Comment: The CAE approves the final report and signs the 'Milestones' document as evidence. (Reference: Book 4 A1)
2440.A2 - If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the chief audit executive must:
Assess the potential risk to the organization;
Consult with senior management and/or legal counsel as appropriate; and
Control dissemination by restricting the use of the results.
Comment: Not included.
2450 - Overall Opinions
When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
Comment: The overall opinion in the report is supported by further details which can be easily traced back to supporting documentation. (Reference: Book 4 J)
RBIA - Version control
Version | Date | Changes
4 | 4-May-2015 | Added section on audit opinion and rearranged chapters to emphasize two parts to the audit process
4.1 | 12-May-2015 | Working papers added as spreadsheet and documents. Book 1 updated to include more details of audit work to correspond to the working papers. Heat maps changed to reflect opinion. (This version not issued)
End of Book 1