Module 3A
The Risk Assessment in Audit Planning emphasizes the importance of an effective audit strategy and audit plan,
and their impact on the achievement of the goals, objectives and mission of the internal audit unit. Planning
provides for a systematic approach to internal audit work and requires knowledge covering a wide range of issues
in public management, including risk assessment and internal control.
Risk Assessment is management's process of identifying risks and rating the likelihood and impact of a risk event.
An internal control assessment can be performed at the same time. This takes the risk assessment and maps
internal controls to the risks to determine if there are gaps between risks and controls.
The main challenge faced by the majority of internal auditors is how to allocate limited internal audit resources in
the most effective way - that is, how to choose the audit subjects to examine. This requires an assessment of risk
across all the auditable areas that an auditor might examine.
The objective of risk-based planning is to ensure that the auditor examines the subjects that pose the highest risk
to the achievement of the organization's objectives.
Strategic and annual audit plans must be developed through a process that identifies and prioritizes potential
audit topics. The entire population of potential auditable areas, which can be categorized in many ways, is called
the audit universe. For each element of the audit universe the risks or opportunities have to be assessed and
decisions taken on other risk factors that may influence the priority to be given to each element of the audit
universe (audit objects).
The strategic and annual plans are important documents, which are normally presented to management. The
strategic plan provides an opportunity to present the work of the internal auditor and the benefits that will arise
from the audit function. It represents a shop window, which explains what internal audit can do for management.
The annual plan translates the strategic plan into the audit assignments to be carried out in the current year. The
strategic and annual plans must be clearly structured and well written and should provide management with a
persuasive summary of the logic supporting the judgments made on the priority given to certain topics. A
structured approach to risk-based planning is an important step towards an effective audit strategy.
• Event – an incident or occurrence, from sources internal or external to an organization, which may affect
the achievement of objectives. Events can have negative impact, positive impact or both. Events with
negative impact represent risks. Events with positive impact represent opportunities.
• Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk is
measured in terms of impact and likelihood.
• A Risk Event is a potential event or missed opportunity that may negatively impact your ability to meet
your business objectives.
• Impact is the magnitude of the effect a Risk Event would have on operations, and therefore on the
achievement of objectives, if it occurred.
• Control is an activity that helps ensure that management directives to mitigate risk are carried out.
• Internal Controls are control activities including policies that establish what should and should not be
done and procedures that are the actions to implement the policies. Control activities either deter
undesirable acts or prevent errors from occurring (preventative) or find undesirable acts or errors after
they've occurred and provide evidence as to whether the preventative controls are effective (detective).
Internal controls are either automated by software or manually performed.
• Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.
• Key risks are those risks that, if properly managed, will enable the organization to achieve its objectives
and, if not well managed, will prevent the organization from achieving them.
• Inherent risk is the level of risk before any risk mitigation actions such as control activities have been
taken into account (e.g. the inherent risk of flooding before taking into account flood prevention
measures).
• Residual risk is the level of risk after taking into account risk mitigation actions such as control activities.
The auditor is most concerned with the level of residual risk. (In some cases inherent and residual risk will
be the same, but areas that are well controlled will usually have lower levels of residual risk.)
• Risk appetite is the level of risk that an organization is willing to accept in pursuit of its objectives.
• Risk factors – a term used to describe generic factors that can indicate a higher level of risk and/or
priority to be given to one element of the audit universe.
Understanding the differences between risk management and risk assessment in audit planning
Risks are considered by both managers and auditors and are similarly defined.
• Risk management is (or should be) an integral part of the internal control system and is the responsibility of
management. It is a structured process in which managers (a) examine likely future events and the risks and
opportunities these represent to the achievement of the organization's objectives; and (b) determine and
implement risk management actions (e.g. control activities).
• Audit risk assessment is part of planning and is a process in which auditors consider both (i) individual
events and the risks and opportunities these represent to the achievement of the objectives of elements of the
audit universe and (ii) generic risk factors that help prioritize work to the areas of highest risk. The purpose of
audit risk assessment is to ensure that scarce audit resources are directed to the audit of the areas of highest
risk to the organization.
No one can assess risk if objectives are not clear. If it is not clear what an element of the audit universe is trying
to achieve, you cannot carry out a risk assessment. Be sure you understand the objectives of the different elements
of the audit universe before trying to identify the likely events that impact these objectives and the inherent and
residual risks involved.
While risk management is a logical process, many public sector organizations do not address risk management in a
consistent and structured way and do not have effective internal control. In this situation auditors must make
their own judgements about risk within the organization. In other words: the auditor must assess risks to the
achievement of the organization’s objectives even if management do not.
To develop a risk-based plan the auditor needs to consider two aspects of risk:
(a) individual events/risks and how these may impact the achievement of the organization’s objective; and
(b) generic risk factors that may suggest a higher or lower level of risk and which can be used to determine the
priority that should be given to a single audit within the audit universe.
Where an organization has already put in place risk management processes the auditor can examine risk registers
to see what individual risks have been identified by management and the action being taken to address these.
Where there is no risk management process in place the auditor will need to identify possible events that may
generate risks and assess these in terms of impact and probability.
The basic conceptual framework for risk-based audit planning therefore has five distinct stages:
1. Determining and categorizing the audit universe.
2. Identifying individual events that may give rise to risks and opportunities across the audit universe.
3. Scoring events in terms of probability and impact (taking into account management actions to mitigate risk)
to identify the level of residual risk.
4. Building risk-based audit plans by using generic risk factors and scoring criteria for each factor to determine
the audit priority of all audit objects within the audit universe.
5. Presenting the results of risk-based planning by writing and updating strategic and annual work plans.
The planning process must consider the extent to which management have already assessed risk and which
common elements of that assessment the auditor can use. Table 1 below compares the common elements of risk
management with a typical risk assessment process in audit planning.
From the table it is clear that there is a significant overlap between the first two stages of risk management and
the second and third stages of audit planning risk assessment.
The main difference is that managers need to assess inherent risks so that they can determine and put in place
risk mitigation actions (including controls). The auditor, however, needs to assess residual risk (the risk that
remains after the effectiveness of internal controls is taken into account) to determine the areas that are high
priority for examination.
A simple example illustrates the relationship between inherent risk, control activities and residual risk. If you cross
the street, there is a nearly infinite number of inherent risks. One inherent risk with a high probability and a large
impact is getting hit by a car. To mitigate this risk we implement the control of looking left and right to check for
oncoming traffic before crossing the road. But this does not eliminate every possible risk, and residual risks
remain. For example, you could still be hit by a meteor because you did not look up!
The reason the auditor focuses on residual risk is clear. With limited resources the auditor wants to concentrate
audit work on the areas where the risk exposure to the organization is highest. If inherent risk is very high but
good controls are in place, the residual risk may be low and the area therefore not worth examining.
The table below shows the key actions required to implement the conceptual framework for risk-based planning
and how this would differ for organizations with or without risk management systems in place.