Audit Program for Creating a Risk Based Audit Plan

AUDIT PROCEDURES
Evaluate risks existing within the organization
1. Likelihood of risk occurring
2. Significance of the risk related to the organization
Risk-based auditing begins by reviewing the organizational objectives, then considers the risks that impact on the achievement of those objectives, and examines the methodologies in place to mitigate those risks. Risks can be avoided, shared, or transferred rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted, but the acceptable amount must be kept within the limits established by the Board and management.

Audit Services identifies risk factors and evaluates them. The evaluation of risk factors includes, but is not limited to, discussions with management, observations made during previous audits, and the past history of the unit. Some examples of risk factors are:

Example 1 of Risk Factors
Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale

Example 2 of Risk Factors
The date and results of the last audit
Financial exposure
Potential loss and risk
Requests by management
Major changes in operations, programs, systems and controls
Opportunities to achieve operating benefits
Changes to and capabilities of audit staff
Example 3 of Risk Factors
A. Financial Impact
   1. Proposed revenues and expenses for fiscal year
   2. Expenditures and revenue trend over last three years
   3. Fund type
   4. Negative fund balances
   5. Value of fixed assets
   6. Capital expenditures
   7. Proposed budget cuts
B. Results of Prior Years Audit
   1. Occurrence of fraud
   2. Information obtained from external reviewers
   3. Date of last audit
C. Changes in Organization and/or Management
   1. Management and staff capabilities
   2. High employee turnover or new management
   3. Management accountability
D. Systems
   1. Stability and reliability of information technology
   2. Disaster recovery
E. Political and/or Economic Environment
   1. Regulations of a specific program’s activities
   2. Adverse criticism or public embarrassment
F. Impact of Not Providing Service
   1. Central control responsibility
   2. Complexity of operations
   3. Dependency on centralized processing

Based on the evaluation, assign a “Risk Rating” (low, medium or high) and a “Priority Level” of 1, 2 or 3 (with 1 being the highest priority).

Select audits based on the identification and evaluation of significant risk exposures as mentioned above. By focusing on the risk, internal auditors are able to identify controls that are absent or ineffective, as well as those that are no longer relevant. Consider requests originating from other sources including the Board, the Audit Committee, Administration or departmental management.

Ref.
Done By
Time Spent
Date Expected
Date Finished
Remarks
Checked By:
Audit Program
Audit Procedure
Control Objective
Risk if Objective Not Met
Control Technique
Workpaper Reference
Performed By
Date Expected
Date Completed
Budget Hours
Actual Hours
Document Reference
Source
Reviewed By
Remarks/Comments
AREA:
Process
Control Objective
Risk
Control Considerations
Assertion E,A,C,V,P
Description of control
Documentation W/P Ref.
Do controls meet objective? Yes/No
Test W/P Ref
Testing exceptions noted? Yes/No
Resolution / remediation / comments W/P Ref
Potential Risk Factors
Business strategic risks
IT strategic operations risk
Financial return
Competitive impact
Regulatory impact

Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale
Audit Program Area Global Ref No.
Audit Procedure
Control Objective
Risks
Control Activity Number
Control Key Control? Frequency Description
Owner
Exceptions
Type
Document Reference
Mapping to Standards
AREA
DATE COMPLETED:
COMPLETED BY:
Question
Yes No
Comment
Finding Ref #
Control Testing
Finding
Management Response & Treatment