Risk-Based Internal Audit
About this ebook
Risk-based internal auditing is about aligning the annual audit plan, and corresponding audit projects and efforts, with the objectives of the organization. This book takes a unique approach to risk-based auditing by incorporating risk management and internal audit concepts to create a new Risk-Based Internal Audit Framework, while still being consistent with internal auditing standards.
The risk-based internal auditing framework includes seven related components: Understand, Identify, Assess, Plan, Perform, Report, and Monitor. The focus of this book is to explain how to approach the Understand, Identify and Assess components of the framework in an innovative way, improving the overall value internal audit can provide to its organization, instead of testing the same internal controls over and over again.
The principles outlined in this book are applicable to internal audit activities in any organization.
This book provides answers and practical how-to information to help internal audit activities take that next step in the evolution of the internal audit profession. It is a must read for any internal auditor.
Reviews for Risk-Based Internal Audit
20 ratings, 7 reviews
- Rating: 5 out of 5 stars. It gave me an overview of the three risk management frameworks.
- Rating: 4 out of 5 stars. Informative yet relatively simplistic. Explains terms used by auditors in general and more. Loved it!
- Rating: 1 out of 5 stars. Too much theory, less practical. Leads to understanding, not wisdom. Suitable for basic IA.
- Rating: 5 out of 5 stars. This book helped me to prepare an annual audit plan and understand risk based audit.
- Rating: 5 out of 5 stars. Simple and informative, with a welcome focus on alignment business objectives
- Rating: 5 out of 5 stars. Good book for internal auditors for planning and executing risk based audit.
- Rating: 4 out of 5 stars. EXCELLENT PRESENTATION, CLEARLY AND VERY EASY TO UNDERSTAND. THANK YOU!
Book preview
Risk-Based Internal Audit - Jason Lee Mefford
www.grc-certifications.com
PART I: INTRODUCTION
Chapter 1: Introduction
As internal auditors, we are told to use a risk-based approach in developing an annual audit plan. In fact, professional standards specifically require this (IPPF Standard 2010). Most internal audit departments I talk with are doing some form of a risk-based audit plan but struggle in knowing how to incorporate a risk-based approach into their activities. This book provides you with answers and how-to information to help you take that next step in the evolution of your audit department. It is intended to be a summary and overview of the topic.
The 2013 State of the Internal Audit Profession Study¹ by PricewaterhouseCoopers (PwC) showed a large disconnect between the value board members and internal auditors believe internal audit brings to an organization and the value perceived by management. In fact, only 44% of executive management surveyed believe internal audit contributes significant value to their organizations. I believe one of the reasons for this disconnect is that internal audit often focuses on auditing areas of the business that do not directly relate to helping the organization meet its objectives. They spend too much time on detailed internal controls (the trees) while forgetting to concentrate on the organization’s objectives (the forest).
What I am proposing is a way for internal auditors to provide assurance on the performance, risk, and compliance aspects of an organization while focusing on business objectives instead of internal controls. Only considering and auditing to see if internal controls are working does not provide assurance on whether the organization is meeting, or is on target to meet, its objectives.
Risk-based internal auditing is focused on objectives rather than controls. For many seasoned auditors, this will sound like blasphemy, seeming to ignore internal controls, but bear with me and you will see how this focus is much more in line with what our organizations want from internal auditors. It is not only more in line with what they want, it also helps us provide much better assurance on what the governance group and management are really concerned about - meeting the organization’s objectives.
Our insistence on making everything about internal controls has cheapened and diminished our effectiveness as internal auditors. As a quick illustration, there are four different ways to respond to risks, and only one of them includes creating internal controls. So why do so many internal auditors insist management must respond to every risk with an internal control? Likely because they do not really understand risk management.
The principles outlined in this book are applicable to all internal audit activities, regardless of geographic location, industry, or type of organization. They can be used in the private or public sector, for profit or non-profit, large or small organizations. The concepts you will learn in this book can be used to improve the audit quality in any organization and ensure the internal audit activity is adding value by focusing on helping the organization meet its objectives, not just adding and testing internal controls.
Why have I chosen to use the term Risk Based Internal Audit instead of something else? Risk based internal auditing is required by the IIA standards and is a term that auditors are talking about now. It is something that is getting attention. It is something I feel most internal auditors are only doing half-heartedly.
Internal auditors may consider risk when doing the annual audit plan, but then they tend to go right back to auditing internal controls where they are more comfortable. They audit internal controls instead of focusing on the biggest threats, and corresponding risks, to the organization meeting its objectives. Risk based internal auditing is also a lot shorter than: Internal Auditing of Business Objectives in the Areas of Performance, Risk and Compliance. At times during this book, risk based internal auditing will also be abbreviated to RBIA.
Before we get too far ahead of ourselves, though, it is important to remember the reason organizations exist. Understanding and reminding ourselves of the big picture of business will be a constant theme in this book and a tool to use in developing and implementing risk-based auditing. It is the reason why we are even concerned with risk management and providing independent, objective assurance.
¹http://www.pwc.com/us/en/risk-assurance-services/publications/pwc-2013-state-of-profession.jhtml
Chapter 2: The Big Picture of Business and Principled Performance
Organizations are created to meet specific objectives or meet identified needs. For many organizations, a major objective is to earn money and make a profit for their owners and investors. Even public sector and nonprofit entities are concerned about staying within financial budgets and providing a net contribution, after expenses, that the organization can use for providing those services. Other objectives often relate to strategy, operations, customers, or processes. We will discuss objectives in more detail later in the book.
Regardless of the type of organization, a group of concerned individuals came together seeing some opportunities or needs in the marketplace. They created a business model to meet those objectives. Business models include strategy, processes, technology and infrastructure that help organizations meet their objectives.
Along the road to meeting objectives, uncertainty happens; uncertainty that invariably has an impact on whether or not the organization will meet its objectives. This uncertainty comes in the form of opportunities and threats, which we will discuss in more detail later in the book. This uncertainty creates obstacles the organization must navigate around on the way to meeting its objectives.
In addition to navigating around the obstacles, an organization must also stay within certain mandatory and voluntary boundaries. Mandatory boundaries include those requirements imposed on an organization by an external party: for example, laws and regulations. Voluntary boundaries are values, policies, procedures, processes, contracts and promises the organization has voluntarily chosen to follow. Often these voluntary promises are made in public statements expressed to its stakeholders or are in the form of agreements with its business partners.
A stakeholder is a person, group, or organization that has a direct or indirect stake in an organization because it can affect or be affected by the organization's actions, objectives, and policies. This is a very broad definition, but in today’s interconnected world it means almost anyone can be a stakeholder of your organization.
To summarize, organizations are trying to achieve certain objectives, while navigating around obstacles and staying within boundaries. Principled Performance² is the reliable achievement of objectives while addressing uncertainty and acting with integrity. In order for an organization to reliably achieve its objectives, it must ensure it addresses opportunities, threats and requirements.
We can put all of these concepts together into a graphical representation like this: