Guide on Risk-based Internal Audit


Guide on Risk-based Internal Audit
Committee on Internal Audit
The Institute of Chartered Accountants of India
(Set up under an Act of Parliament)


The Institute of Chartered Accountants of India
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing from the publisher.

First Edition: November 2007
Price: Rs. 250
ISBN No. 978-81-8441-008-2
E-mail: cia@icai.org
Website: http://www.icai.org

Published by Vijay Kapur, Director, The Institute of Chartered Accountants of India, ‘ICAI Bhawan’, Indraprastha Marg, New Delhi - 110 002 INDIA
Cover & Illustrations: Narendra Bhola
Realisation: Sterling Preferred Printing, New Delhi INDIA


The basic draft of this Guide was prepared by the study group under the convenorship of CA. Deepak Wadhawan, its members being CA. R.N. Joshi, CA. Neville Dumasia, CA. Pankaj Sahai, CA. Srikant Sarpotdar and CA. Swapnil Kabra.

The views expressed in the Guide are those of the authors and may not necessarily be the views of their employers.

Contents

Foreword
Preface
CHAPTER 1 Introduction
CHAPTER 2 Risk Management
CHAPTER 3 Using Risk-based Internal Audit (RBIA) Methodology
CHAPTER 4 The Internal Audit Process
CHAPTER 5 Some Pitfalls and the Way Ahead

EXHIBITS
1. Measurement Yardstick for Likelihood of Risk
2. Measurement Yardstick for Risk Consequences
3. Measurement Yardstick for Risk Score
4. Illustrative Risk Heat Map
5. Illustrative Risk Register
6. List of Information in a Risk and Audit Universe (RAU) Database
7. Illustrative Internal Audit Report - Executive Summary

APPENDICES
Appendix 1. Model Process for Assessing and Evaluating Risks
Appendix 2. Score Card for Assessing Risk Maturity

Foreword

With a dynamic entrepreneurial environment, which is changing and probably becoming more difficult to cope with every passing day, and the steeply rising expectations of the stakeholders in these entrepreneurial ventures, keeping pace and more often than not surpassing the changes in the entrepreneurial environment has everybody involved in running that venture on their toes. In that scenario, chartered accountants have a critical role to play whether at the forefront or at the back office.

But to be able to play an instrumental role in the sustained growth and meaningful development of a business, an Industry, the economy and the society, it is essential that we keep our knowledge base and skill sets at their sharpest best. The biggest challenge today, however, is not just keeping abreast with the existing technical knowledge and skills, but to imbibe such as are able to help us pre-empt the changes in the business environment and the stakeholders' expectations and adapt to the same. Whereas, the Institute is committed to that concern, and brings out a number of technical publications, organizes various dedicated conferences, seminars, workshops. At this juncture, I would also urge the members to come forward and actively participate in development of the technical literature and share their invaluable treasure of knowledge and experience with their professional colleagues.

In addition to the above, it is equally essential that the members also remain alert to relevant developments at the global front. That, with the spread and penetration of technology to even the most interior parts of the country, I feel, should not be a difficult task, what is necessary is the commitment and zeal in our hearts.

Only when we are able to embed that commitment and zeal in our hearts, would we be partners in national building in real sense of the word.

New Delhi
2nd November, 2007

CA. SUNIL H. TALATI
President, ICAI

Preface

Traditionally, the main focus of the internal audit was confined to the controls and processes relating to financial transactions. Even in certain entities, internal audit was more used as review and inspection. With the passage of time and combined with the growth of organisations, the managements view internal audit as a significant resource in evaluating entire operations and achieve more effectiveness in day to day activities. In today's era of globalisation, the emergence of new models of governing the enterprises, a subtle shift towards controls and strategic decision-making, identification and assessment of risk has become one focal point. In recent times, the risk-based internal audit is being viewed by the management as an important tool to assess the management of the risks that are barriers to the objectives and success of the organization. Risk-based internal audit involves the assessment of the risks' maturity level, expressing opinion on adequacy of the policies and processes established by the management to manage the risks. Risk-based internal audit mainly report on the risk management that includes identification, evaluation, control and monitoring of the risk. A risk-based internal audit mainly focuses on the objectives rather than looking at the controls and transactions. This demands the internal auditor to have the skills to provide broad level of the assurance to the management.

Keeping this in mind, the Committee on Internal Audit is issuing this Guide on Risk-based Internal Audit as a part of series of the publications on Internal Audit. This guide would help the members of the Institute as well as others to understand not only the concept of the risk-based internal audit but also the methodology of the same.

This Guide is divided into six chapters with a view to provide the guidance regarding the risk-based internal audit to all the readers. Chapter 1, Introduction, would help the readers to understand the concept of the risk-based internal audit. Chapter 2, Risk Management, deals with aspects such as understanding risk, basic concepts of risk management, enterprise wide risk management, risk maturity of an organisation. Chapter 3, Using Risk-based Internal Audit Methodology, covers the building blocks of RBIA, stages in RBIA and a case study. Chapter 4, The Internal Audit Process explains the phases of the internal audit process. Chapter 5, Some Pitfalls and The Way Ahead describes the prospective picture of the RBIA. The Guide also contains the Exhibits and Appendices illustrating complex subjects in a simplified manner for easy understanding of the readers.

I am grateful to CA. Deepak Wadhawan, convenor of the study group and its members, CA. R. N. Joshi, CA. Neville Dumasia, CA. Pankaj Sahai, CA. Shrikant Sarpotdar and CA. Swapnil Kabra for squeezing the time to prepare the draft of the Guide.

I am also thankful to CA. Sunil H. Talati, President, ICAI and CA. Ved Kumar Jain, Vice President, ICAI for their continuous support. I also wish to thank all the members of the Committee, CA. Charanjot Singh Nanda, (Vice Chairman), CA. Rajkumar S. Adukia, CA. Atul Chunilal Bheda, CA. Sanjeev Krishnagopal Maheshwari, CA. Mahesh Pansukhlal Sarda, CA. Shanti Lal Daga, CA. J. Venkateswarlu, CA. Anuj Goyal, CA. Amarjit Chopra, Shri Manoj K. Sarkar, CA. Prashant S. Akkalkotkar, CA. Shyam Lal Agarwal, CA. Vivek R. Joshi, CA. Krishan Lal Bansal, CA. Satyavati Berera, CA. Brij Bhushan Gupta, CA. Anil Jain for their valuable support.

I am sure that this Guide would help the readers in learning techniques and methodologies that would boost their skills to divert the audit process to risk based approach.

Kolkata
5th November, 2007

CA. ABHIJIT BANDYOPADHYAY
Chairman
Committee on Internal Audit

CHAPTER 1
Introduction

Background

1.1. During recent years, managements are increasingly getting risk focused. Expectations from internal auditors are hence shifting from providing an assurance on the adequacy and effectiveness of internal controls to an assurance on whether risks are being managed within acceptable limits as laid down by the Board of Directors. This shift in assurance from a control based focus to a risk based focus requires that the internal audit activity be carried out by an experienced multidisciplinary team using risk-based internal audit (RBIA) methodology.

1.2. The objective of this Guide is to provide guidance to the members of the Institute, as to the concepts and steps involved in risk-based internal audit (RBIA) methodology.

Internal Audit - Definition, Objectives and Scope

1.3. Preface to the Standards on Internal Audit, issued by the Institute of Chartered Accountants of India defines the term “internal audit” as:

“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system.”

1.4. To achieve the objectives of appraising and suggesting improvements in the overall governance mechanism of the organisation, internal auditors have been carrying out assurance and consulting activities in the following areas:

a. Internal policy compliance.
b. Regulatory policy compliance.
c. Process improvement.
d. Training and development.

Assurance and consulting activities undertaken by internal auditors in the above four areas have normally taken the shape of the following activities:

- Examination and evaluation of the adequacy and effectiveness of the internal control system.
- Undertaking risk assessments in focus areas, either as a consulting activity or as an input to the internal audit plan.
- Review of financial information system, Management Information System (MIS) and the underlying technology platform that delivers this electronic data.
- Review of the accuracy and reliability of accounting records and financial reports.
- Review of safeguarding of assets.
- Appraisal of the economy and efficiency of activities in operational areas.
- Carrying out process improvement activities through business process audits.
- Carrying out performance reviews of functions through operational audits.
- Review of the systems established to ensure compliance with legal and regulatory requirements, code(s) of conduct and the implementation review of policies and procedures.
- Testing the reliability and timeliness of legal compliance.
- Using the internal audit department as a training ground for developing finance and accounts managers.

Need for Internal Audit and the “Expectation Gap”

1.5. In spite of the above activities and the mission-critical area of corporate governance that it operates in, the internal audit function has been historically viewed as stable and beneficial but not necessarily essential for the organization. Internal audit has traditionally drawn its importance from the legal and regulatory framework in which the entity operates and it is likely that in some organizations it still owes its existence to it. Of late, many legislations across the world have reiterated the importance of sound and effective internal audit function as part of effective internal control framework (for example, the Sarbanes Oxley Act of 2002, London Stock Exchange Combined Code, backed up by the Turnbull Committee guidance, etc.) The Indian requirement is in Clause 49 of the listing agreement. Also The Companies Auditors Report Order 2003 provides for the statutory auditor to comment on internal audit function of listed companies and other companies having paid capital of more than Rs. 50 lakh or average annual turnover more than Rs. 5 crore for last 3 consecutive financial years thereby making Internal audit a tacit mandatory requirement in such companies.

1.6. The lower status of “beneficial but not necessarily essential” in the organization can only be attributable to an “expectation gap” between what the internal auditors are delivering as assurance/consulting and what the management expects out of an essential function.

1.7. Management's focus is to meet the overall corporate objective and those in the business plan. The business environment is increasingly throwing up newer challenges and opportunities with globalization, disruptive technologies and rules being continuously rewritten. New risks are hence coming up frequently. Focus on internal controls does not give the organization an assurance on whether all the significant risks which can impact the objectives of the organization are within acceptable levels as defined by the Board. Focus on risks and providing consulting and assurance services around a continuously updated “risk registe
