P5 The building of a risk-based audit work plan 2.7

building a risk-based audit plan

RBIA plan - Definition

A methodology that links internal auditing to an org's overall risk management framework

RBIA allows IA to provide assurance to the board that risk management processes are managing risk effectively in relation to appetite

RBI managing A(ppetite)

Steps to assess RBIA

First - assess risk maturity of org. The following methodology is adopted:

  • understanding of risk maturity discussed with board and SM
  • look for evidence of training, risk workshops, risk questionnaires
  • manager interviews to determine if they feel the RR is comprehensive
  • assess whether understanding is embedded, i.e. mgrs feel responsible for monitoring and reviewing the framework and responses
  • obtain and review documents showing objectives, risk register, risk analysis, def of risk appetite, how risk is used in decision making, any existing assessment by mgmt of the org's risk maturity

END WITH DEF - methodology linking IA to org risk mgmt framework. RBIA allows IA to give assurance to the board that the RM process is effectively managing risk in relation to appetite

RBIA - benefits and challenges

there are a number, including:

  • makes a clear and valuable contribution to the RM framework, assisting IA's assessment of whether mgmt appropriately identifies risk, responds effectively, and risk is properly recorded and reported.
  • objective assurance can then be given, enabling mgmt to develop the RISK FRAMEWORK

But requires:

  • increased mgmt involvement and covers the entire org - may be a significant departure where trad audit focus was finance
  • new way of thinking

Advantage - MAY ASSIST MGMT IN UNDERSTANDING RISK - take care that mgmt sees the benefits and audit reports are appropriately structured. THUS increased marketing of the benefits by IA may be required

RBIA - challenges cont'd

RBIA is based on mgmt's assessment of risk - audit MUST ensure it does not take ownership of risk by implementing RBIA before the org reaches sufficient risk maturity. If audit is based on its own view of risk instead of mgmt's, this is detrimental to the goal of improving org risk maturity, as it reinforces the misconception that IA IS RESPONSIBLE FOR RISK MANAGEMENT

Ensures audit resource is directed at mgmt's most significant risks and thus increases mgmt buy-in. MANAGEMENT AWARE AUDIT FOCUSES ON PRIME CONCERNS

CHALLENGING FOR AUDIT: dynamic process - thus difficult to monitor progress against annual plan!! RBIA justifies the no. of auditors required. Audit plan incl. resources is driven by the proportion of processes and risks on which the AC requires objective assurance. This differs from current practice, where resources determine the no. of audits.

IMPLEMENTING RBIA MAY REQUIRE A DIFFERENT SKILL SET from the present strategy - need for more people and business skills, e.g. facilitation and interviewing. Expansion of the audit universe may require new specialist knowledge - involving specialist training or recruiting new staff on a perm or temp basis

RBIA challenges pt 3

RBIA is NOT ABOUT AUDITING RISK but about AUDITING THE MGMT OF RISKS. Focus on the process used to assess risks, the responses to them, and how they are monitored and reported to the board

  • based on org's own RM framework and responsibilities of mgmt for owning and managing risk
  • audit planning driven from org risk register
  • if risks are undefined or not collected, the risk register is not reliable and the audit plan CANNOT be based solely on mgmt's assessment of risk


  • some key principles of RM implemented BUT NOT CONSISTENTLY AS A WHOLE. Pockets of good practice, but areas where it is not possible to rely on mgmt's view of risk - THUS RBIA CANNOT BE FULLY IMPLEMENTED AND AN ALTERNATIVE BUILDING ON THE EXISTING FRAMEWORK SHOULD BE USED
  • has strategy and policies in place
  • communicated and defined risk appetite, but patchy approach to the processes of RM, e.g. risk register not in all areas; monitoring of controls variable; no formal process by which mgmt reports risk to the board; responsibility for RM not included in job descriptions


  • patchy nature of implementation suggests more work in educating staff and embedding RM
  • audit strategy thus aims to improve risk maturity of org by consulting to embed RM
  • as risk register incomplete - audit plan begins with mgmt's view of risk, supplemented by IA's view
  • planning based on key systems or business units
  • RM deficiencies reported to enable mgmt to improve RM. IA gives assurance on RM policies & control processes
