RBIA ties all aspects of internal auditing together: objectives, processes, risks, controls, tests and reports (see diagram below). The relevance of any test can be seen in relation to the opinion on the entire risk management framework because of the relationships set up in the risk and audit universe. This is not always possible where audit programmes are used, as it is not always clear why the test is being carried out; the significance if a control is found to be defective; what risk the control is treating and what objective is being threatened by that risk. RBIA provides an ‘audit trail’ from an individual audit report back through tests, controls and risks to objectives, and forward to the audit committee report on whether those objectives are threatened. In addition the high level objectives, processes, risks, scores and controls form the basis of the individual audit database.
[Fig 7 Audit trails in the risks and audit universe and audit – diagram showing the risk and audit universe (objectives, processes, risks, last audits, scores, controls), the Audit Committee report, and the audit databases (objectives, processes, risks, tests, scores, controls, audit reports)]
3.8 I’ve got some questions
What’s the difference between Risk based internal auditing and internal auditing?

Theoretically, not much. The IIA Standards require that audit plans are based on risk (Performance Standard 2010) and that audit engagements take risk into account (2201). In reality there may be a considerable difference, especially if the audit department is carrying out compliance audits, or those based on audit programmes. Such audits are usually confined to finance processes and will not cover many of the major risks threatening the objectives of the organisation. There is also a danger with audit programmes that questions may be missing and staff do not appreciate the underlying risks, and therefore do not necessarily understand the impact of a “no” answer. Audit programmes should therefore be abandoned!
What’s the difference between a risk and the absence of a control?

A risk involves a threat occurring and therefore its description will involve action, while the absence of a control will involve a negative. Therefore, ‘Invoices may be paid where no goods or services have been received’, is a risk. ‘Invoices are not authorised’, is the absence of a control.

In addition, a risk will result in the organisation losing money, as in the first example above. However, in the second example, if invoices are not authorised, money is not necessarily lost and it is not a risk.
Why can’t I just carry on as normal?

That depends on the organisation you work for and what ‘normal’ is. If your organisation is required to ensure its risks are being properly managed but the internal audit department is only carrying out financial audits using audit programmes, then you need to adopt RBIA for the reasons noted in this guideline. Even if you are in an organisation not required by regulations to manage risks, establishing a risk management framework and adopting RBIA will ensure internal audit resources are directed at those risks that have the potentially greatest impact on your stakeholders.
My Internal Audit Department Terms of Reference only covers financial controls. Can I carry out risk based internal audits?

Yes, since you can restrict the risks to only those threatening the financial systems. However, since these may not be the major risks threatening your organisation’s objectives, it would be advisable to persuade your board to widen the remit of your department.
My department is used to supply staff for covering vacancies and for special projects. Can this continue if I implement RBIA?

There is no reason why not, provided such loss of resources does not prevent you from fulfilling your main obligation to your board or audit committee – assurance that the risk management framework is effective. However, every other activity that the internal audit department does reduces the resources available to provide assurance on risks. Therefore each request should be looked at in that light before committing resources. HIA should account to the Audit Committee for risks not audited and the work done instead. An IIA-UK and Ireland Professional Issues Bulletin ‘Independence and objectivity’ provides further