The document discusses risk-based auditing (RBIA) and its key concepts. RBIA requires internal audit to be strategically linked to an organization's risk management and assurance frameworks. It also discusses applying RBIA methodology to internal audit assignments and linking an organization's risk framework to the stages of RBIA. The document provides information on introducing RBIA to an organization and adapting it based on the organization's structures, processes and risk maturity.

1. RISK BASED
AUDITING
Tunde Elijah Kelani

2. First of all…
EXPECTATION ON THE COURSE

3. Can we agree?
• ATTENDANCE AND PUNCTUALITY- 10%
• CLASS PARTICIPATION -25%
• PRACTICAL DEMONSTRATION -15%
• TAKE-HOME ASSIGNMENTS-10%
• YOU HAVE TO DELIVER ON 6 IN-CLASS WORK ASSESSMENTS
• PROJECTS
ASSESSMENT AND GRADING
REQUIREMENTS

4. Training Outline
YOU ARE EXPECTED TO FOCUS WITHOUT GIVING
WAY TO DISTRACTIONS. THIS IS A CLASS AND NOT
THE CONVENTIONAL TRAINING. AVOID PHONE
CALLS, TEXTING, MAILING OR CHATTING WHILE IN
SESSION SO THAT YOUR GRADES ARE NOT
AFFECTED AS AN INDIVIDUAL OR AS A TEAM
MEMBER
PLEASE DO NOT BE DISTRACTED

5. INTRODUCTION
Risk based auditing is a methodology that enables
internal audit to assess the adequacy of the
assurance framework and the reliability of
assurance sources. It requires internal audit to be
strategically and operationally linked to the business
risk and assurance frameworks.
Here are the outcomes for participants on the
programme:
• Apply the key concepts of RBIA to your
organisation
• Link the organisation’s risk management
framework to each stage of RBIA
• Determine risk maturity and apply the relevant
approach
• Understand how internal audit fits into your
organisation’s assurance framework and
undertake an assurance mapping exercise
• Apply a risk based methodology to internal audit
assignments
• Provide meaningful assurance statements to
your audit committee and board

6. IDENTIFY THE VALUE OF INTERNAL
AUDITING
Today, more than ever, the question of Value has taken on
critical importance in every organization. In an increasingly
global economy with increasingly tougher competition, all
business activities have to look to contribute more value.
The Value of Internal Audit is reflected in an improvement in
internal control and the risks that face organizations, an
improvement that leads to a reduction in those risks to
acceptable levels. In other words, from a starting point of a
significant inherent risk, to arrive at a situation where the
residual risk is tolerable.

7. VAI = Value of Internal
Audit; Ri = Inherent Risk;
Rr = Residual Risk
RAI = Internal Audit
Resources
VAI = Ri-Rr
………………….
RAI
Finally, the Value of Internal Audit is achieved through the efficient use
of the resources available: people and tools. As in all activities, the
Value of Internal Audit depends to a large extent on people, or in other
words, good leadership and good work teams. Both leadership and the
teams depend on the general and specific preparation of the people
involved.

8. In becoming a more essential advisor to the C-suite
and the Audit Committee, Internal Audit should be
involved in any strategic business investment to grow
or improve the organization where a missed risk
could hurt share price, market capitalization or
earnings.
The following represent large-scale change programs
where the Internal Audit function can play a
significant role:

9. This is one of the most risk-heavy initiatives any
organization can undertake, and Internal Audit should be
involved in all the key steps throughout the M&A process.
It can conduct a review of the company’s readiness to go
through a merger or an acquisition.
It can also make sure that the value is being preserved.
If the company sets a stock price in a merger or
acquisition, how does it know that it is getting the right
value for the price that it is paying?
If the Internal Audit function understands the process, it
can alert the business to potential risks and monitor
associated controls.
Furthermore, Internal Audit may assist in the assimilation
of the newly acquired or merged entity by ensuring proper
control monitoring of new or changed processes, systems
and policies. Finally, Internal Audit can monitor the
process employed to realize synergies from the
combination.
Mergers and acquisitions

10. • There is a tremendous amount of risk
associated with an enterprise-wide
systems implementation.
• Internal Audit should have a seat at the
table from the beginning to help
identify the risks and to provide
controls consultation. A common role
for Internal Audit in such
implementations is as an active, full-
time member of the Program
Management Office (PMO)
Technology implementation

11. • Any major process transformation
(supply chain, procurement, finance)
requires evaluation of the current state,
determination of the future state, a
plan for implementation and a means
of measuring success. Internal Audit
can provide risk and controls
consultation to determine the
readiness for the process improvement,
levels of progress, and measurements
for success and overall value to the
organization.
Process improvement

12. Business process outsourcing
The outsourcing of any major process, from payroll
to IT, holds a number of inherent risks. How does
an organization know that it has the right
arrangement in place at the front end? Is the
business ready to enter into the arrangement?
Does the organization have the right processes in
place to measure whether it is getting all of the
benefits it is seeking from the arrangement?
Internal Audit can play a role in responding to all
of these issues

13. Real estate and construction
While risk management is a key consideration for
organizations undertaking real estate or construction
projects, few have complete visibility into the risks across
every element of the construction lifecycle.
Internal Audit can provide valuable input to help the
organization avoid such issues as scope creep, design
flaws, unrealistic timelines, cost overruns, vendor
mismanagement and change management concerns

14. New product development
A company has placed a big bet on a market-changing
product, but has it done enough planning and due
diligence to know that it is going to be a success? Has it
prepared for all possible risks and contingencies?
Internal Audit can provide the right risk and controls
analysis to help the company avoid recurring product
delays and cost overruns that could damage the
company’s reputation and hurt its share price.

15. Expanding footprint
Expanding a company’s footprint isn’t only about
moving into new geographies that may present
language, cultural or statutory requirement issues.
It’s also about understanding the impacts on
distribution channels and supply chains.
Internal Audit has already likely had to deal with these
issues and can play an important role in using existing
risk methodology to review the company’s readiness
for expansion.

16. Three steps to Internal Audit transformation
Link internal audit
to the business
value agenda
Build the business
case for change
Create a plan that
focuses on Value,
measurement and
accountability

17. What is Internal Auditing?
An internal audit is the examination, monitoring and
analysis of activities related to a company's operations,
including its business structure, employee behavior and
information systems
Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization's operations

18. An internal audit begins by an auditor assessing
current processes and procedures. The auditor then
analyzes and compares the results to internal
control objectives.
He determines whether the results comply with
internal policies and procedures as well as state
and federal laws. Finally, the auditor compiles and
presents an audit report to the business owner.
Internal Audit Procedure

19. IIA defines risk based internal auditing (RBIA)
as a methodology that links internal auditing
to an organisation's overall risk management
framework. RBIA allows internal audit to
provide assurance to the board that risk
management processes are managing risks
effectively, in relation to the risk appetite.
RBIA is at the cutting edge of internal audit
practice. As a result, it is an area that is
evolving rapidly and where there is still little
consensus about the best way to implement it.
It is more difficult to manage than traditional
methodologies.
Monitoring progress against an annual plan
that is constantly changing is a challenge.
Setting targets and appraising staff may
become more complex.

20. Risk-based auditing in organizations.
Every organisation is different, with a different attitude to
risk, different structure, different processes and different
language. Experienced internal auditors need to adapt
these ideas to the structures, processes and language of
their organisation in order to implement RBIA.
RBIA seeks at every stage to reinforce the responsibilities
of management and the board for managing risk.

21. Risk-based auditing in organizations.
If the risk management framework is not very strong or
does not exist, the organisation is not ready for RBIA.
More importantly, it means that the organisation's system
of internal control is poor. Internal auditors in such an
organisation should promote good risk management
practice to improve the system of internal control.
Where RBIA is new to an organisation, the head of
internal audit will need to market the concept to
management and win their support, particularly since it
may mean a change for them in the way that they think
about risk.

22. Corporate Governance
Corporate governance is the system of rules, practices and
processes by which a company is directed and controlled.
Corporate governance essentially involves balancing the
interests of a company's many stakeholders, such as
shareholders, management, customers, suppliers,
financiers, government and the community.
Since corporate governance also provides the framework
for attaining a company's objectives, it encompasses
practically every sphere of management, from action plans
and internal controls to performance measurement and
corporate disclosure.

23. Corporate Governance
Corporate governance is the system of rules, practices and
processes by which a company is directed and controlled.
Corporate governance essentially involves balancing the
interests of a company's many stakeholders, such as
shareholders, management, customers, suppliers,
financiers, government and the community.
Since corporate governance also provides the framework
for attaining a company's objectives, it encompasses
practically every sphere of management, from action plans
and internal controls to performance measurement and
corporate disclosure.

24. Corporate Governance
Governance refers specifically to the set of rules, controls,
policies and resolutions put in place to dictate corporate
behavior.
Proxy advisors and shareholders are important
stakeholders who indirectly affect governance
The board of directors is the primary direct stakeholder
influencing corporate governance. Directors are elected by
shareholders or appointed by other board members, and
they represent shareholders of the company.

25. Corporate Governance
The responsibilities of the board include setting the
company’s strategic aims, providing the leadership to put
them into effect, supervising the management of the
business and reporting to shareholders on their
stewardship.
Corporate governance is therefore about what the board
of a company does and how it sets the values of the
company, and it is to be distinguished from the day to day
operational management of the company by full-time
executives.

26. Identify Performance Standard 2110: Governance
Standard 2110 specifically identifies the internal audit activity’s
responsibility for assessing and making appropriate
recommendations to improve the organization’s governance
processes for:
Making strategic and operational decisions – To evaluate an
organization’s governance processes for making strategic and
operational decisions, the internal audit activity may review
past audit reports as well as board meeting minutes, the
board policy manual, or related governance documents,
which can help provide an understanding of how such
decisions are discussed and ultimately made.
In addition, interviews with departmental heads may reveal
what processes led to strategic and operational decisions

27. Performance Standard 2110: Governance
Overseeing risk management and control – To determine how an
organization provides oversight of its risk management and
control activities, the internal audit activity typically reviews
the process for conducting the annual risk assessment.
The internal audit activity may also review minutes from
meetings wherein risk management strategy was discussed,
as well as previously conducted risk assessments, and may
interview key risk management personnel such as
compliance, risk, and finance officers.

28. Performance Standard 2110: Governance
Overseeing risk management and control – To determine how
an organization provides oversight of its risk management
and control activities, the internal audit activity typically
reviews the process for conducting the annual risk
assessment.
The internal audit activity may also review minutes from
meetings wherein risk management strategy was discussed,
as well as previously conducted risk assessments, and may
interview key risk management personnel such as
compliance, risk, and finance officers.
The information obtained can be compared to benchmarking
and industry trends to ensure all relevant risks have been
considered

29. Performance Standard 2110: Governance
Promoting appropriate ethics and values within the
organization – To assess how an organization promotes ethics
and values, both internally and among its external business
partners, the internal audit activity reviews the organization’s
related objectives, programs, and activities.
These could include mission and value statements, a code of
conduct, hiring and training processes, an anti-fraud and
whistleblowing policy, and a hotline and investigation process.
Surveys and interviews may be used to gauge whether the
organization’s efforts result in sufficient awareness of its
ethical standards and values

30. Performance Standard 2110: Governance
Promoting appropriate ethics and values within the
organization – To assess how an organization promotes ethics
and values, both internally and among its external business
partners, the internal audit activity reviews the organization’s
related objectives, programs, and activities.
These could include mission and value statements, a code of
conduct, hiring and training processes, an anti-fraud and
whistleblowing policy, and a hotline and investigation process.
Surveys and interviews may be used to gauge whether the
organization’s efforts result in sufficient awareness of its
ethical standards and values

31. Performance Standard 2110: Governance
Ensuring effective organizational performance management
and accountability – To evaluate how an organization ensures
effective performance management and accountability, the
internal audit activity could review the organization’s policies
and processes related to staff compensation, objective
setting, and performance evaluation.
Communicating risk and control information to appropriate
areas of the organization – To appraise how well an
organization communicates risk and control information to
appropriate areas, the internal audit activity could access
internal reports, newsletters, relevant memos and emails, and
staff meeting minutes to determine whether information
regarding risks and controls is complete, accurate, and
distributed timely

32. Performance Standard 2110: Governance
Coordinating the activities of, and communicating information
among, the board, external and internal auditors, other
assurance providers, and management – To assess an
organization’s ability to coordinate activities and
communicate information among the various parties, the
internal audit activity could identify the meetings that include
these groups (e.g., board, audit committee, and finance
committee) and determine how frequently they occur.
Members of the internal audit activity may attend the
meetings as participants or observers, and they may review
the meeting minutes, work plans, and reports distributed
among the groups to learn how these parties coordinate
activities and communicate with each other

33. In the post-SOX era, Corporate Governance further evolved to the integrated aspects of meeting both
compliance requirements and promoting a strategic business imperative. There are three aspects:
shareholder aspect, stakeholder aspect, and an integrated aspect.
Shareholder Aspect
This aspect is based on the premise that shareholders provide capital to the corporations that exists for
their benefit.
Stakeholder Aspect
Stakeholders are now becoming more engaged in a company performance on a variety of economic,
governance, ethical, social and environment issues.
Integrated Aspect
Modern corporate governance emphasizes BOTH financial aspects of increasing shareholders value AND
an integrated approach that considers the rights and interests of all stakeholders.
Aspects of Corporate Governance

35. Corporate Governance Structure
• Corporate governance is based on three interrelated components: corporate governance principles,
functions and mechanisms.

36. Corporate Governance Principles
HONESTY. Corporate communications with both internal and external
audiences, including public financial reports, should be accurate, fair,
transparent, and trustworthy
RESIELNCE. A resilient corporate governance structure is sustainable and
enduring in the sense that it will easily recuperate from setbacks and abuses.
RESPONSIVENESS. Effective corporate governance responsive to the
interests and desires of all stakeholders, as well as responsive to emerging
initiatives, and changes in political, regulatory, social, and environmental
issues.
TRANSPARENCY. Transparency means that the company is not hiding
relevant information, and disclosures are fair, accurate, and reliable.

37. What are the other principles corporate
governance structure should be developed on?

38. They are the following:
- Value-adding philosophy
- Ethical conduct
- Accountability
- Shareholder democracy and fairness
- Integrity of the financial reporting
- Transparency
- Independence

39. Corporate Governance Functions

40. Corporate Governance Functions
OVERSIGHT FUNCTION. The board of directors should provide strategic advice to management and oversee
managerial performance, yet avoid micromanaging.
MANAGERIAL FUNCTION. The effectiveness of this function depends on the alignment of management’s
interests with those of shareholders.
COMPLIANCE FUNCTION. The set of laws, regulations, rules, standards, and best practices developed by state
and federal legislators, regulators, standard-setting bodies, and professional organizations to create a
compliance framework for public companies in which to operate and achieve their goals.
INTERNAL AUDIT FUNCTION. Assurance and consulting services to the company in the areas of operational
efficiency, risk management, internal controls, financial reporting, and governance processes.
LEGAL AND FINANCIAL ADVISORY FUNDTIONS. Legal advice and assists the company, its directors, officers,
and employees in complying with applicable laws and other legal obligations and fiduciary duties.
EXTERNAL AUDIT FUNCTION. External auditors lend credibility to the company’s financial reports and thus add
value to its corporate governance through their integrated audit of both internal control over financial
reporting and financial statements.
MONITORING FUNCTION. Shareholders, particularly institutional shareholders, empowered to elect and, if
warranted, remove directors.

41. .
Corporate Governance Mechanisms
The corporate governance structure is shaped by internal and external
governance mechanisms, as well as policy interventions through
regulations. Both internal and external corporate governance
mechanisms of the company have evolved over time to monitor, bond
and control management.

42. Examples of internal governance mechanisms:
- board of directors, particularly
- independent directors
- audit committee
- management
- internal controls
- internal audit functions

43. Examples of external mechanisms:
- market for corporate control
- capital market
- labor market
- federal and state statutes
- court decisions
- shareholders proposals
- best practices of investors activists

44. Identify the areas an internal audit must assess,
evaluate, and report on to assure adequate
corporate governance.
1. Promote appropriate ethics and value within the
organization
2. Ensuring effective organization performance
Management and accountability
3. Communicating risk and control information to
appropriate areas of the organization
4. Coordinating the activities of and communicating
information among board, external and internal
auditors and management

45. Enterprise risk management (ERM or E.R.M.)
in business includes the methods and processes used by
organizations to manage risks and seize opportunities
related to the achievement of their objectives.
ERM provides a framework for risk management, which
typically involves identifying particular events or
circumstances relevant to the organization's objectives
(risks and opportunities), assessing them in terms of
likelihood and magnitude of impact, determining a
response strategy, and monitoring progress.
ERM AND RISK

46. Risk is the potential of gaining or losing something of
value.[1] Values (such as physical health, social status,
emotional well-being, or financial wealth) can be gained
lost when taking risk resulting from a given action or
inaction, foreseen or unforeseen. Risk can also be
as the intentional interaction
with uncertainty.[2] Uncertainty is a potential,
unpredictable, and uncontrollable outcome; risk is a
consequence of action taken in spite of uncertainty
Risk involves the chance an investment's actual return will
differ from the expected return. Risk includes the
possibility of losing some or all of the original investment.
ERM AND RISK

47. The difference between inherent and
residual risk
Inherent Risk: The risk that an activity would
pose if no controls or other mitigating factors
were in place (the gross risk or risk before
controls)
Residual Risk: The risk that remains after
controls are taken into account (the net risk or
risk after controls).
The difference between the inherent and residual risk
may be imagined or visualized as water flowing through
a filter. Inherent risk is above the filter, which constitutes
management controls. A smaller pool of residual risk
remains. Inherent risk is established only after the entity’s
key objectives have been defined, and steps have been
taken to identify what could go wrong to prevent the
entity from achieving those objectives. In addition to
impact and likelihood, management considers the nature
of the risk, whether the risk results from fraud, natural
events such as storms, or complex or unusual business
transactions

48. The difference between inherent and
residual risk
Example: Fire in a production facility which may have
catastrophic consequences is an inherent risk for the
organization.
Management puts controls in place to mitigate this risk
like installing fire extinguishers, sprinklers, preparing
emergency evacuation plan etc.
These controls will help reduce the damage in the event
of fire but in no way they can remove the danger
completely.
What remains there after taking all these controls into
account is a residual risk. We, internal auditors, evaluate
the adequacy and effectiveness of these controls in order
bring down residual risk to a level accepted by the board
(risk appetite).

49. Risk is the by-product of Assumptions and
Constraints. The entire process of Risk
Identification is the examination and review of
what we assume is going to happen during the life
of the project (Assumptions), and what are the
limitations that could cause impact the project,
either in execution or expected results
(Constraints)
RISK MANAGEMENT AND ASSUMPTION

51. • It ensures Compliance
• Identify system and provider weaknesses before an adverse event occurs
• Mitigation or reduction of potential loss after an event has occurred
• Provides a framework to gather data that can be used to improve patient outcomes
• Reduce number, type and severity of adverse events.
Benefit of Risk Management

52. Categories of Risk
The risk faced by an organization should be
categorized in relation to what they do.
However there are number of commonly
used categories. Which includes:
1. Strategic
2. Operational/Technology
3. Financial
4. People
5. Regulatory
6. Governance

53. Categories of Risk

54. Performance Standard 2120
2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the
adequacy and effectiveness of controls encompassing the organization's governance, operations, and
information systems. This should include:
 Reliability and integrity of financial and operational information.
 Effectiveness and efficiency of operations.
 Safeguarding of assets.
 Compliance with laws, regulations, and contracts.
2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and
objectives have been established and conform to those of the organization.
2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which
results are consistent with established goals and objectives to determine whether operations and
programs are being implemented or performed as intended.

55. 2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to
which management has established adequate criteria to determine whether objectives and goals have been
accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate,
auditors should work with management to develop appropriate evaluation criteria.
2120.C1 - During consulting engagements, internal auditors should address controls consistent with the
engagement's objectives and be alert to the existence of any significant control weaknesses.
2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements
into the process of identifying and evaluating significant risk exposures of the organization.

56. The internal audit activity must assist the organization in maintaining
effective controls by evaluating their effectiveness and efficiency and by
promoting continuous improvement.
2130.A1- The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organization's
governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.
2130.C1 - Internal auditors must incorporate knowledge of controls gained
from consulting engagements into evaluation of the organization's control
processes.
Define Performance Standard 2130:
Control

57. As outlined by COSO, the framework provides eight components for
use when evaluating ERM:
1. Internal Environment
The internal environment sets the foundation for how risk is viewed
and addressed by an entity’s people, including risk philosophy and risk
appetite, integrity, ethical values, and the environment in which they
operate.
2. Objective-Setting
Objectives must exist before management can identify potential events
affecting their achievement. ERM ensures that management has in
place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its
risk appetite.
Identify the elements of COSO
control and ERM frameworks

58. 3. Event Identification
Internal and external events affecting the achievement of an
entity’s objectives must be identified, distinguishing between
risks and opportunities.
4. Risk Assessment
Risks are analyzed, considering likelihood and impact, as a basis
for determining how they should be managed. Risks are
assessed on an inherent and a residual basis.
5. Risk Response
Management selects risk responses—avoiding, accepting,
reducing or sharing risk—developing a set of actions to align
risks with the entity’s risk tolerances and risk appetite.
Identify the elements of COSO
control and ERM frameworks

59. 6. Control Activities
Policies and procedures are established and implemented to
help ensure the risk responses are effectively carried out.
7. Information and Communication
Relevant information is identified, captured and communicated
in a form and timeframe that enable people to carry out their
responsibilities. Effective communication also occurs in a
broader sense, flowing down, across and up the entity.
8. Monitoring
The entire ERM process is monitored, and modifications made
as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations or both..
Identify the elements of COSO
control and ERM frameworks

60. Internal control is a process, effected by the entity's BOD,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives in the categories of
(a) effectiveness and efficiency of operations
(b) reliability of financial reporting
(c) compliance with applicable laws and regulations.
WHAT IS INTERNAL CONTROL?

61. COMPONENT OF INTERNAL
CONTROL
The five components of internal control include
1) the control environment
2) risk assessment
3) control activities
4) accounting information & communication
system
5) monitoring

63. Factors that make up an organizations control environment are:
a. communication and enforcement of the integrity an ethical values of
the personnel who are responsible for creating, administering, and
monitoring controls.
b. Commitment to competence - management should be committed to
hiring employees with appropriate levels of education and experience.
c. Effectiveness of its BOD or its audit committee.
d. Management philosophy and operating style.
e. Organizational structure
f. Responsibilities of Finance and Accounting Departments
g. Assignment of Authority and Responsibility
h. Human Resource Policies and Procedures.

64. types of control activities and describe how each type contributes
to effective internal control.
Performance Reviews- provides management with an overall
indication of whether personnel at various levels are effectively
pursuing the objectives of the organization.
• Segregation of duties
• Information processing controls- Proper authorization of all
types of transaction
• Physical controls - Include physical security over both records
and other assets.
• No one department or person should handle all aspects of a
transaction from beginning to end.

65. PERFORMANCE STANDARD 2130.A1

66. A business process has also been defined as a set of
activities and tasks that, once completed, will accomplish an
organizational goal. The process must involve clearly
defined inputs and a single output.
These inputs are made up of all of the factors which
contribute (either directly or indirectly) to the added value
of a service or product. These factors can be categorized
into management processes, operational processes and
supporting business processes.
What is Business Process

67. A business process is a series of steps
performed by a group of stakeholders to
achieve a concrete goal. These steps are
often repeated many times, sometimes by
multiple users and ideally in a standardized
and optimized way. A business process can
be manual or automated. If manual, the
process is achieved without the aid of an
automation or assisting technology. If
automated, a technology aid has been put
into place which assists users in
implementing the process in a more
accurate, standardized or optimized
manner.

68. DEVELOPING AN AUDIT PLAN
• Determine audit subject. Identify the area to be
audited (e.g., business function, system, physical
location).
• Define audit objective. Identify the purpose of the
audit. For example, an objective might be to
determine whether program source code changes
occur in a well-defined and controlled environment.
• Set audit scope. Identify the specific systems, function
or unit of the organization to be included in the
review. For example, in the previous example
(program changes), the scope statement might limit
the review to a single application, system or a limited
period of time

69. DEVELOPING AN AUDIT PLAN
• Perform preaudit planning.
• Conduct a risk assessment, which is critical in setting
the final scope of a risk-based audit. For other types of
audits (e.g., compliance), conducting a risk assessment
is a good practice because the results can help the IS
audit team to justify the engagement and further
refine the scope and preplanning focus.
• Interview the auditee to inquire about activities or
areas of concern that should be included in the scope
of the engagement.
• Identify regulatory compliance requirements.
• Once the subject, objective and scope are defined, the
audit team can identify the resources that will be
needed to perform the audit work.

70. DEVELOPING AN AUDIT PLAN
• Determine steps for data gathering. At this stage of
the audit process, the audit team should have enough
information to identify and select the audit approach
or strategy and start developing the audit program.
Some of the specific activities in this step are:
• Identify and obtain departmental policies, standards
and guidelines for review.
• Identify any regulatory compliance requirements.
• Identify a list of individuals to interview.
• Identify methods (including tools) to perform the
evaluation.
• Develop audit tools and methodology to test and
verify controls.
• Develop test scripts.
• Identify criteria for evaluating the test.
• Define a methodology to evaluate that the test and its
results are accurate (and repeatable if necessary).

71. Business Process Management (BPM)
What is it?
Body of principles, methods and tools to design, analyze, execute
and monitor and continuously manage business processes

72. What is a Business Process?
Events, activities & decisions involving multiple actors and resources, that
collectively lead to an outcome that is of value to an organization or its
customers.
Examples:
• Order-to-Cash
• Procure-to-Pay
• Application-to-Approval
• Claim-to-Settlement
• Fault-to-Resolution (Issue-to-Resolution)

73. fault-report-to-resolution process
“My washing machine won’t work!”
VALUE
Customer
Warranty?
Parts
StoreClient Engagement
Technician
Customer
Call Centre
Customer
© Michael Rosemann

74. Processes and Outcomes
• Every process leads to one or several outcomes, positive or negative
• Positive outcomes deliver value
• Negative outcomes reduce value
• Fault-to-resolution process
• Fault repaired without technician intervention
• Fault repaired with minor technician intervention
• Fault repaired and fully covered by warranty
• Fault repaired and partly covered by warranty
• Fault repaired but not covered by warranty
• Fault not repaired (customer withdrew request)

75. Your turn
• Think of a process in your organization:
• Is it order-to-cash, procure-to-pay, fault-to-resolution…
• Who is/are the customer(s)?
• What value does this process deliver to its customer?
• Who are the key actors of the process?
• List at least 3 outcomes of the process.

76. Why BPM? The Technology Perspective
Information
Technology
Process
Change
Yields
Yields
Business
Value
Index Group (1982)
Enables

77. Why BPM?
The Technology Perspective
“The first rule of any technology used in a business is that
automation applied to an efficient operation will magnify the
efficiency.
The second is that automation applied to an inefficient operation will
magnify the inefficiency.”

78. Why BPM? The Management Perspective
Roger Tregear: Practice Processes, BPTrends, July 2012

79. Why BPM?
Roger Tregear: Practice Processes, BPTrends, July 2012

80. Why BPM?

81. A well-defined business process benefits a company in
three dimensions: productivity, process, and people.
Because the performance of a particular enterprise is the
sum of the performance of its processes, well-defined
business processes contribute to a well-managed
company.
Productivity, process, and people are interdependent and
synergistic. As people learn more about the process and
become more proficient in the process, productivity will
increase, further increasing the morale of the work force.
Higher morale leads to motivated employees, which lead
to higher productivity.
BENEFIT OF A WELL DEFINED BUSINESS
PROCESS

82. Six steps are needed to improve a business
process:
1. Identify the process to be improved.
2. Choose, organize, and train the team.
3. Map the process.
4. Analyze and redesign the process.
5. Implement the process redesign.
6. Continually improve the process.

83. WHAT IS RISK ANALYSIS?
Risk Analysis is a process that helps you identify and
manage potential problems that could undermine key
business initiatives or projects.
To carry out a Risk Analysis, you must first identify the
possible threats that you face, and then estimate the
likelihood that these threats will materialize.
Risk Analysis can be complex, as you'll need to draw on
detailed information such as project plans, financial data,
security protocols, marketing forecasts, and other relevant
information.
However, it's an essential planning tool, and one that
could save time, money, and reputations.

84. Risk analysis is useful in many situations:
•When you're planning projects, to help you anticipate and neutralize possible problems.
•When you're deciding whether or not to move forward with a project.
•When you're improving safety and managing potential risks in the workplace.
•When you're preparing for events such as equipment or technology failure, theft, staff sickness, or
natural disasters.
•When you're planning for changes in your environment, such as new competitors coming into the
market, or changes to government policy.
When to use Risk Analysis

85. HOW TO USE RISK ANALYSIS
Identify Threats
The first step in Risk Analysis is to identify the existing and possible threats that you might
face. These can come from many different sources. For instance, they could be
1. Human – Illness, death, injury, or other loss of a key individual.
2. Operational – Disruption to supplies and operations, loss of access to essential assets,
or failures in distribution.
3. Reputational – Loss of customer or employee confidence, or damage to market
reputation.
4. Procedural – Failures of accountability, internal systems, or controls, or from fraud.
5. Project – Going over budget, taking too long on key tasks, or experiencing issues
with product or service quality.
6. Financial – Business failure, stock market fluctuations, interest rate changes, or non-
availability of funding.
7. Technical – Advances in technology, or from technical failure.
8. Natural – Weather, natural disasters, or disease.
9. Political – Changes in tax, public opinion, government policy, or foreign influence.
10. Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where
staff, products, or technology can be harmed

86. Estimate Risk
Once you've identified the threats you're facing, you need to
calculate out both the likelihood of these threats being realized,
and their possible impact.
One way of doing this is to make your best estimate of the
probability of the event occurring, and then to multiply this by
the amount it will cost you to set things right if it happens. This
gives you a value for the risk:
Risk Value = Probability of Event x Cost of Event
As a simple example, imagine that you've identified a risk that
your rent may increase substantially.
You think that there's an 80 percent chance of this happening
within the next year, because your landlord has recently
increased rents for other businesses. If this happens, it will cost
your business an extra $500,000 over the next year.

87. HOW TO MANAGE RISK
1. Avoid the Risk
2. Share the Risk
3. Accept the Risk
4. Control the Risk
Preventative action involves aiming to prevent a high-risk
situation from happening. It includes health and safety
training, firewall protection on corporate servers, and cross-
training your team.
Detective action involves identifying the points in a process
where something could go wrong, and then putting steps in
place to fix the problems promptly if they occur. Detective
actions include double-checking finance reports, conducting
safety testing before a product is released, or installing
sensors to detect product defects

88. Identify risks to your business
The first step in preparing a risk management plan is to
identify potential risks to your business. Understanding
the scope of possible risks will help you develop realistic,
cost-effective strategies for dealing with them.
It's important that you think broadly when considering
types of risks for your business, rather than just looking
obvious concerns (e.g. fire, theft, market competition).

89. Before you begin identifying risks, you need to assess your business.
Think about your critical business activities, including your key
services, resources and staff, and things that could affect them, such
as power failures, natural disaster and illness
Ask 'what if?' questions
Thoroughly review your business plan and ask as many 'what if?'
questions as you can. Ask yourself what if:
you lost power supply?
you had no access to the internet?
key documents were destroyed?
your premises was damaged or you were unable to access it?
one of your best staff members quit?
your suppliers went out of business?
the area your business is in suffered from a natural disaster?
the services you need, such as roads and communications, were
closed?
Assessing your business

90. Brainstorm
Brainstorming with different people, such as your accountant,
financial adviser, staff, suppliers and other interested parties, will
help you get many different perspectives on risks to your
business.
Analyse other events
Think about other events that have, or could have, affected your
business. What were the outcomes of those events? Could they
happen again? Think about what possible future events could
affect your business
Assess your processes
Use flow charts, checklists and inspections to assess your work
processes. Identify each step in your processes and think about
the associated risks.
Consider the worst case scenario
Thinking about the worst things that could happen to your
business can help you deal with smaller risks. The worst case
scenario could be the result of several risks happening at once

91. Control is a broad concept that means different things to
different people. The IIA definition, according to
the International Standards glossary is:
Any action taken by management, the board and other
parties to manage risk and increase the likelihood that
established objectives and goals will be achieved.
Management plans, organizes and directs the
performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved.
CONTROL

92. CONTROL PROCESSES
These are the daily routines, checks and balances that
make the organization function.
The IIA definition of control processes is:
The policies, procedures (both manual and automated)
and activities that are part of a control framework,
designed and operated to ensure that risks are contained
within the level that an organization is willing to accept.

93. CONTROL ENVIRONMENT
Control environment
The control environment refers to the way the board and
senior management set the tone of the organization.
It is part of the organization's culture, influencing how risk
is viewed and the 'control consciousness' of its people. It
is an expression of the 'way things are done'.
Every organization operates differently, as is revealed by
their organizational ethics, values, structure, reporting
lines, authority, rules and the documentation of policy.

94. Performance Standards describe the nature
of internal audit activities and provide criteria
against which the performance of these services
can be evaluated.

95. 2000
2010
2020
2030
2040
2050
2060
2070
2100
2110
2120
2130
2200
2201
2220
2230
2240
2300
2310
2320
2330
2340
2400
2410
2420
2421
2440
2450
2500
2600

96. 2210 – Engagement Objectives
Objectives must be established for each engagement.
• 2210.A1 – Internal auditors must conduct a preliminary
assessment of the risks relevant to the activity under review.
Engagement objectives must reflect the results of this
assessment.
• 2210.A2 – Internal auditors must consider the probability of
significant errors, fraud, noncompliance, and other
exposures when developing the engagement objectives.

97. 2210.A3 – Adequate criteria are needed to evaluate
governance, risk management, and controls. Internal auditors must
ascertain the extent to which management and/or the board has
established adequate criteria to determine whether objectives and
goals have been accomplished.

98. If adequate, internal auditors must use such criteria in their
evaluation. If inadequate, internal auditors must work with
management and/or the board to develop appropriate evaluation
criteria.

99. 2240 – Engagement Work Program
Internal auditors must develop and document work programs that
achieve the engagement objectives.
2240.C1 – Work programs for consulting engagements may vary in
form and content depending upon the nature of the engagement

100. Overview of Planning
• Audit planning is a continuous process; the audit plan
may need to be adjusted as new information is
obtained
• Risk assessment is integrated throughout, including
assessing fraud risk
• Steps in planning
• Establishing the audit strategy
• Planning the audit resources
• Develop the audit plan
• Communication on planning

101. Obtaining Clients
• Submit a proposal
• Contact the audit committee
• Make fee arrangements
• Communicate with the predecessor auditor
• Topics
• Disagreements over accounting principles
• Predecessor’s understanding of reason for change of auditors
• Other
• Overall procedure is important for evaluation of management integrity

102. The Audit Process--Steps
After obtaining a client, the audit process includes:
1. Plan the audit
2. Obtain an understanding of the client and its environment,
including internal control
3. Assess the risks of material misstatement and design further
audit procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report

103. Stages of an Audit--Diagram

104. 1. Plan the Audit
• Establish an understanding with the client
• This is ordinarily accomplished through use of an engagement letter
• Related, determine that
• The firm meets professional independence requirements
• There are no issues relating to management integrity
• The client understands the terms of the engagement

105. Items Included in
Engagement Letters
• Name of the entity
• Management responsibilities
• Financial statements
• Establishing effective internal control over financial reporting
• Compliance with laws and regulations
• Making records available to the auditors
• Providing written representations at end of the audit, including that
adjustments discovered by the auditors and not recorded
to the financials are not material
• Auditor responsibilities
• Conducting an audit in accordance with GAAS
• Obtaining an understanding of internal control to plan audit
and to determine the nature, timing and extent of procedures
• Making communications required by GAAS

106. Engagement Letters--Optional Items
• Arrangements regarding
• Conduct of the audit (e.g., timing, client assistance)
• Use of specialists or internal auditors
• Obtaining information from predecessor auditors
• Fees and billing
• Other services to be provided, such as examination of internal control
over financial reporting
• Limitation of or other arrangements regarding liability of auditors or
client
• Conditions under which access to the auditors’ working papers may
be granted to others

107. Audit Planning—Overall
• Develop an overall audit strategy and an audit plan
• Plan use of client’s staff
• Plan involvement of other CPAs
• Arrange for specialists
• On first year audits:
• Communicate with predecessor auditors
• Establish opening balances on the financial statements

108. 2. Obtain an Understanding of the Client
and its Environment
• Perform risk assessment procedures, including
• Inquiries of management and others within the entity
• Analytical procedures
• Observation and inspection relating to client activities, operations,
documents, reports and premises.
• Other procedures, such as inquiries of others outside the company (e.g., legal
counsel, valuation experts) and reviewing information from external sources
such as analysts, banks, rating organizations, journals.

109. Understanding the Client’s Business—Nature
of the Client
• Competitive position
• Organizational structure
• Accounting policies and procedures
• Ownership
• Capital structure
• Product and service lines
• Critical business processes
• Internal control

110. Understanding the Client’s Business,
Industry, Regulatory, and Other Factors
• Competitive environment
• Supplier and customer relationships
• Technology developments
• Major laws and regulations
• Economic conditions
• Attractiveness of the industry
• Barriers to entry
• Strength of competitors
• Bargaining power of suppliers of raw materials and labor
• Bargaining power of customers

111. Understanding the Client’s Business—
Objectives, Strategies & Business Risks
• Objectives—Overall plans
• Operating and financial strategies—
Operational actions to achieve objectives
• Business risks—Threats to achieving objectives

112. Understanding the Client’s Business—
Measuring and Reviewing Performance
• Budgets
• Key performance indicators
• Variance analysis
• Segment performance reports
• Balanced scorecard
• External parties

113. Understanding the Client’s Business – Internal Control
• Need knowledge and understanding of how a client’s internal
control works:
• What controls exists
• Who performs them
• How various types of transactions are processed and recorded
• What accounting records and supporting documentation exist

114. Determining Materiality
• Use professional judgment and based on reasonable person
• Considers both
• Quantitative and qualitative factors
• Materiality used in
• Planning the audit
• At the overall financial statement level
• Allocate to individual accounts
• Evaluating audit findings

115. 3. Assess the Risks of Material Misstatement and
Design Further Audit Procedures
• Overall approach
• What could go wrong?
• How likely is it that it will go wrong?
• What are the likely amounts involved?
• Particularly consider
• Inherent risks
• Risks of material misstatement due to fraud (fraud risks)
• Design further audit procedures

116. Assessing Fraud Risks
• Two types
• Fraudulent financial reporting (management fraud)
• Misappropriation of assets (defalcations)
• Procedures to assess fraud risks
• Discussion among engagement team
• Inquiries of management and other personnel
• Planning analytical procedures
• Considering fraud risk factors
• Incentives
• Opportunity
• Attitude

117. Assessing Fraud Risks –
Identifying Fraud Risks
• Considerations in identifying fraud risks
• Type
• Significance
• Likelihood that it will result in a material misstatement
• Pervasiveness

118. Responding to Fraud Risks
• Overall response
• Professional skepticism and audit evidence
• Assigning personnel and supervision
• Accounting principles
• Predictability of auditing procedures
• Alterations in audit procedures
• More reliable evidence
• Shifting timing to year end
• Increasing sample sizes
• Response to the possibility of management override
• Examining journal entries
• Review accounting estimates for biases
• Evaluating the business rationale for significant unusual
transactions

119. Consideration of Fraud
Throughout the Audit
• Evaluating the results of audit tests
• Discovery of fraud
• Communication to appropriate level of management
• If fraud involves senior management or material
misstatement communicate to audit committee

120. Design further audit procedures
• Types
• Tests of controls
• Analytical procedures
• Tests of details of transactions and balances
• Audit procedures
• Inspection
• Observation
• Inquiry
• Confirmation
• Recalculation
• Reperformance

121. Design further audit procedures
• Further audit procedures should include
• Substantive procedures for all relevant assertions
• Tests of controls when the auditors’ risk assessment includes an expectation that controls are
operating effectively, or when substantive procedures alone are not sufficient
• Procedures should be linked with the assessed risks of material misstatement at
the relevant assertion level
• Overall responses when assessed risks of material misstatement are high
• Heightened professional skepticism
• Assigning more experienced staff
• Assigning staff with specialized skills
• Providing more supervision

122. Audit Documentation
• Audit Documentation
• Risk assessment
• Discussion of the audit team, elements of understanding, assessment of risk of
material misstatement and risks identified
• Procedure results
• Overall responses, nature, timing and extent of further audit procedures, linkage of
procedures with assessed risks, results of audit procedures, conclusions reached
about operating effectiveness of controls, significant risk identified, circumstances
in which substantive procedures alone will not provide sufficient evidence
• Consideration of fraud
• Similar to risk assessment as document discussion, procedures used to identify
fraud risks, fraud risk and response, any other conditions that caused fraud-related
procedures and communications with management or audit committee.

123. Audit Trail
• A trail of evidence that links source documents, journal entries and
ledger entries
• Auditor may follow the audit trail in either of two directions related to
the direction of testing
• Test for existence or occurrence
• Test for completeness

124. Direction of Audit Testing

125. Transaction cycles
• Auditors’ consideration of internal control is often organized around
client’s major transaction cycles (examples)
• Revenue cycle
• Acquisition cycle
• Conversion cycle
• Payroll cycle
• Investing cycle
• Financing cycle

126. Transactions Affecting Accounts
Receivable

127. Audit Program
• Systems portion
• Deals with client’s internal control
• Evidence of test of controls and assessing control risk
• Substantive test portion
• Deals with financial statement account balances
• Indirect and direct verification of income statement accounts

128. Indirect Verification of Income Statement
Accounts

129. Objectives of Substantive Programs
for Asset Accounts
• Establish the existence of assets
• Establish that the company has rights to the assets
• Establish the completeness of recorded assets
• Verify the cutoff of transactions
• Determine the appropriate valuation of the assets and
accuracy of related transactions
• Determine the appropriate financial statement
presentation and disclosure of the assets

130. Relationship of
Financial
Statement
Assertions to
the Audit

131. Relationships
among Audit
Objectives,
Risks of
Material
Misstatement,
and Audit
Procedures

132. Overall Audit Strategy
• Big picture of the audit; auditors can do this before
they do audit procedures based on
• Experience in and knowledge of the industry
• Information gained through client acceptance process
• Previous audit engagements, such as quarterly reviews
• Components of the audit strategy
• Scope of the engagement
• Timing
• Materiality and risk
• Fraud risk

133. Audit Strategy: Scope of the
Engagement
• What are deliverables for this particular client?
• How much and what type of work does the auditor need to do?
• When and where does the work need to be done?
• How should the work be scaled to fit the size, environment and
complexity of the audit client?

134. Audit Strategy: Scope of the
Engagement
Client attributes that affect scope:
• Accounting presentation
• Is the presentation US GAAP, IFRS, GASB, statutory based, other?
• Entity structure
• Is it public or privately owned? Is it a parent or subsidiary? Does it have
multiple locations, and if so what is the materiality at the other locations?
• Information technology
• Complexity of the system? Entity level and application controls?
• Client outsourcing
• How important are outsourced services? How will audit address the service
provider?
• Work of others
• How will this affect the nature, timing and extent of audit procedures?
• First year vs. continuing audits

135. Audit Strategy: Timing
• Client events that create audit deadlines
• Key dates for communication with management, Audit
Committee and Board of Directors
• SEC deadlines for filing quarterly and annually
• Date at which other auditors will supply or need audit
reports
• Requirements of other regulators
• Are audit resources (human resources) available in the right
combinations at the right times?

136. Audit Strategy: Materiality
and Risk
• Materiality
• …the magnitude of an omission or
misstatement of accounting information that,
in the light of surrounding circumstances,
makes it probably that the judgment of a
reasonable person relying on the information
would have been changed or influenced by
the omission or misstatements

137. Audit Strategy: Materiality and
Risk
• Auditors assess materiality based on whether the issue
would influence the economic decisions of users with
certain qualifications
• Appropriate knowledge
• Willingness to study the financial statements
• Understand the concept of materiality
• Understand measurement issues like estimates and
judgments
• Will make appropriate economic decisions using the
financial statements

138. Audit Strategy:
Materiality and Risk
Top Down Approach
• What amount is material at the financial statement level?
• What accounts and disclosures are significant to the financial
statements?
• What assertions are relevant to the significant accounts and disclosures?
• What could go wrong to cause a material misstatement or omission
related to each relevant assertion in each significant account or
disclosure?
• Is there a control in place that is intended to prevent that event (the risk)
from occurring or that will detect it on a timely basis? If yes, is the
control designed sufficiently well that (if it operates effectively) it will
prevent or detect the risk? If yes, does the control operate well enough
(effectively) to prevent or detect the risk?
• Are there any material misstatements or omissions in any significant
accounts or disclosures?

139. Audit Strategy: Materiality
and Risk
• Materiality includes both quantitative and qualitative aspects;
something might not be material from a quantitative perspective
but have qualitative characteristics that make it material regardless
of amount. Management fraud is an example of something that is
material regardless of amount.
• Significant risks are risks in the business that are important enough
to require special audit consideration. When auditing a non-public
company that does not require an ICFR opinion the auditor may
not choose to rely on internal controls when planning tests of
balances. Even in that situation, the auditor must identify and assess
the impact of significant risks.

140. Planning the Audit Resources
•Assignments of the audit team
•Timing of audit work
•High-risk areas
•Engagement budget

141. Audit Resources: Assignments
• The work must be planned and any assistants must be
properly supervised; required by auditing standards and
quality control standards
• Supervision includes instruction and review
• The firm should match jobs to individuals based on
difficulty and complexity of the job and experience and
expertise of the individual
• How much time of people at which levels does the audit
require?
• Sometimes there is a trade-off – a person with greater skills
can perform the task faster and better, will require less
instruction and the review will be easier

142. Develop the Audit Plan
•Nature, timing and extent of audit
procedures
•Top down approach
•Different types of audit procedures

143. Audit Plan: Nature, Timing and Extent
• First the auditor has to know:
• Management assertions (which requires knowing
which accounts are important), materiality, risk, timing
driven by client specifics
• Terms are used a lot; meaning is simple:
• Nature is type of test, control or substantive, and
which specific audit procedures is to be performed
• Timing is when it is to be performed; considerations
are having audit resources available, evidence
availability, being able to test the period for which
evidence is needed
• Extent is quantity of testing to be performed

144. Communication on Planning
• After initial audit planning, auditor may meet
with management
• Auditor may provide an overview of the plan for
the audit
• Auditor provides general information about
scope and timing, but not a level of detail that
would compromise the audit’s effectiveness

145. Overview of Planning
Exhibit 6-9