RISK-BASED
AUDIT PLAN
INTAUD - H004
(For Internal Use Only)
The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of
senior management and the board must be considered in this process.
1. Developing the internal audit activity’s audit plan often follows developing
or updating the audit universe.
a) The audit universe (all possible audits) may include the organization’s
strategic plan. Thus, it may reflect
Overall business objectives,
The attitude toward risk,
The difficulty of reaching objectives,
The results of risk management, and
The operating environment.
Thus, the audit plan includes audits requested by management or
required by regulators, e.g., as a condition of receiving government
contracts. Moreover, many entity operations or functions are audited
cyclically. Accordingly, the priority of an audit may depend on how
recently a specific operation or function has been audited.
Its ultimate purpose is to provide reasonable assurance of achieving entity
objectives. Control is often used to manage risk within the risk appetite.
Internal auditors audit key controls and provide assurance on the
management of significant risks.
3. Inherent risk and residual risk (also known as current risk) are basic
concepts.
Financial (external) auditors define inherent risk as the
susceptibility of information or data to a material misstatement
given no related mitigating controls.
c) Risk registers should be systematic, complete, and accurate. A risk
register (risk log) is used to identify and analyze risks. The register
describes each risk, its impact and likelihood, and the risk score (impact
× likelihood). The register also records planned responses if the event
occurs, preventive measures, and a risk ranking.
7. The internal auditor also coordinates with other assurance providers and
considers planned reliance on their work.
8. The internal audit activity needs to identify high inherent and residual risks
and key control systems, and management needs to be notified about
unacceptable residual risk.
9. Risk registers may document risks below the strategic level. They address
(a) significant risks, (b) inherent and residual risk ratings, (c) key controls,
and (d) mitigating factors.
The auditors then can identify more direct links between risk categories and
aspects described in the risk registers and, if applicable, the items already in
the audit universe.
10. Lower-risk audits need to be included in the audit plan to give them
coverage and confirm that their risks have not changed. Also, priorities
should be set for outstanding risks not yet subject to audit.
11. An internal audit plan normally focuses on the following:
a) Unacceptable current risks requiring management action
c) Areas where the difference between inherent risk and residual risk is great
Areas where inherent risk is very high
12. When planning individual audits, the internal auditor identifies and assesses
risks relevant to the area under review.
2. The skills, capabilities, and technical knowledge of the internal audit
staff should be appropriate for the planned activities. The CAE conducts a
periodic skills assessment based on the needs identified in the risk
assessment and audit plan.
When selecting the appropriate audit staff, the CAE must consider these
factors:
a) Complexity of the engagement
b) Experience levels of the auditors
c) Training needs of the auditors
d) Available resources
a) The CAE should agree with the board about (a) the frequency and
nature of reporting, (b) the internal audit activity’s charter, and (c)
performance.
Performance reporting should relate to the most recently
approved plan to report (1) significant deviations from the
approved audit plan, staffing plans, and financial budgets; (2)
reasons for the deviations; and (3) action needed or taken.
e) If the CAE and senior management cannot agree, the CAE must inform
the board.
If possible, the CAE and management should jointly present
their positions.
CAEs should consider timely discussion of financial reporting
issues with the external auditors.
The CAE may share and discuss the contents of the report with senior
management before presenting it to the board. The frequency and content of
reporting are determined in discussion with senior management and the board
and depend on the importance of the information to be communicated and the
urgency of the related actions to be taken by senior management or the board.
a) The CAE annually submits a summary of the (a) internal audit plan, (b)
work schedule, (c) staffing plan, and (d) financial budget.
The CAE also submits all significant interim changes.
The scope of work and any limitations on it should be
disclosed.