On the Frontlines: The Risk-based Internal Audit Plan

The internal audit function uses the results of the audit risk assessment to create a risk-based internal audit plan that focuses on the business areas with the most significant risk exposure, while also ensuring areas of low risk receive adequate audit coverage. After the audit risk assessment is complete, the audit committee approves the plan to put it into action.

The risk rating of different departments or processes usually determines the frequency of the audit engagements in more traditional audit functions. By following a risk-based approach in planning and executing internal audit assignments, the internal audit function can communicate to the board their commitment to assurance over the risk management process and their relationship with the defined organizational risk appetite.

The importance of the maturity of the organization's risk management function and its relationship with the internal audit function is often highlighted as an important cornerstone of the risk management framework, enabling the internal audit function to operate much more effectively.

An efficient and effective internal audit risk assessment would ideally analyze the key risk functions for an organization and the key risks within them in order to prioritize the auditable departments or processes within the audit universe. While it is permissible for internal auditors to use other risk assessments conducted by other entities within the organization — such as the risk management department, compliance department, fraud department, quality department, or any other function — internal auditors still need to apply their own independent professional judgment before using and integrating risk assessments conducted by functions other than internal audit into their own risk-based audit plans. Moreover, risk ought to be continuously assessed and the plan would ideally be periodically updated, with the same regularly reported to the audit committee for updates. 

The major risk factors most used in audit risk assessments include:

• The nature and scope of the business unit and/or function and the nature and scope of the product and/or service line.
• The nature of transactions, such as their size, volume, complexity, or distinct geographic location.
• The internal operating environment, including the organizational structure or how flat the organization is, how decisions are made, and how people, systems, and processes are managed, as well as the level of reliance on different information technology tools.
• The external business environment, such as the complexity of the regulatory environment.
• The operating model, such as whether functions are conducted in-house or outsourced with third-party providers.
• The organization's governance framework or the organizational structure and function. This is a key element of the audit risk assessment as the organization's governance would strongly influence the organizational culture and direction.

While the above list is not meant to be comprehensive, the most common major risk factors for an audit risk assessment would be addressed within it. With that in mind, based on the established criteria for conducting risk assessments and scoring risk areas, different risk areas would be classified as high, medium, or low risk areas.

As for the factors that would impact the risk rating of a department and/or process, they would generally be:

• The quality of the current internal control environment.
• The competence and integrity of the staff, the size of the unit, complexity of the unit operations, and extent of automation, amongst other factors.