Emphasis on Risk Based Approach (RBA)
Internal audit supports an organization by providing a structured approach to evaluate and improve the effectiveness of its risk management and governance processes.
The primary objective is to protect and increase organizational value through risk-based and objective assurance, insight, and advice to management. As per the Institute of Internal Auditors, the core principles of internal auditing are to provide risk-based assurance and to align audit activities with the strategies, objectives, and risks of the organization.
Risk Assessment and Audit Planning
Internal Audit evaluates the organization’s governance, risk management and control processes through a systematic and risk-based approach.
While designing the risk-based approach, the internal auditor should determine whether:
- The audit program is aligned with the organization’s objectives.
- Significant risks have been identified and assessed.
- Appropriate responses are provided to the identified risks based on the organization's risk appetite.
The internal auditor also evaluates the organization’s efforts to manage its mitigation plans against potential fraud risk. An audit plan is prepared based on the results of the risk assessment.
Evaluation of Controls
Proper planning of field work is necessary for an internal audit to be conducted in accordance with the overall audit plan. During the field work the auditor is expected to establish whether the controls are designed adequately (Control Design Effectiveness, or CDE). To do so, a general process walk-through with one or two samples will be sufficient. If the controls are designed effectively, the auditor then collects a set of samples to assess whether the controls are applied consistently across those samples. By doing so, Control Operation Effectiveness (COE) can be established.
Reporting and Follow-Up
By the end of the audit work, an audit report is submitted to management. The report highlights key findings, along with evidence of exceptions in the samples, the risk arising from each finding, the root cause of such exceptions, and the impact of the risk.
It is management’s responsibility to clearly stipulate the necessary actions to address the risk exposure. The report should capture the person(s) within the organization responsible for implementing the actions, along with a target date.
The action points are reviewed during the follow-up audit. Unimplemented actions or recommendations mean that the risk remains unmitigated, thereby exposing the organization to risks pertaining to its strategy, finances, legal obligations, etc.