Rbi a Introduction Powerpoint v 3


  • 8/11/2019 Rbi a Introduction Powerpoint v 3


    David M Griffiths www.internalaudit.biz

    Risk based internal auditing an introduction

    slides of figures and appendices

    The following slides are those used in the book Risk based internal auditing an introduction, available from www.internalaudit.biz

    The slides of figures are:

    1 Internal auditing objectives

    2 Grid for significance of risks

    3 Stages of an audit

    4 RBIA documentation

    5 Processes involved in stage 2

    6 Grid for frequency of audits

    7 Factors to reduce inherent risk scores risks

    8 Processes involved in stage 3

    9 Grid for significance of residual risks

    Slides of appendices are

    A Internal auditing objectives

    B Hierarchy of objectives, risks and controls

    C Process map

    E Grid for risk workshop

    J Stages of an internal audit

    Other appendices are on the excel spreadsheet RBIA introduction excel v3


    Internal auditing objectives (Figure 1 and appendix A)

    The main aim of internal auditing is to assist the organisation to achieve its objectives

    The management of an organisation have Objectives

    An internal control is a process which manages a risk

    A risk is a set of circumstances that hinder the achievement of objectives

    Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.


    2 Grid for significance of risks

    Fig. 2 Grid showing the significance of risks

    Unacceptable: Immediate action required to manage the risk
    Issue: Action required to manage the risk
    Supplementary issue: Action is advisable if resources are available
    Acceptable: No action required

    Likelihood of risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
    Consequence of risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

    Cell scores and significance:
    1, 2, 3, 4: Acceptable
    5: Issue in one cell, Supplementary issue in the other
    6, 8: Supplementary issue
    9, 10, 12: Issue
    15, 16, 20, 25: Unacceptable

    Labels on the grid: Risk appetite, as defined by the board; IR = Inherent Risk; RR = Residual Risk; Internal control


    3 Stages of an audit

    Fig 3 Stages of an audit (flowchart labels):

    Stage 1
    Stage 2
    Stage 3
    Assess risk maturity
    Risk Naive
    Risk Enabled
    Risk Managed
    Risk Defined
    Risk Aware
    Use organisation's risks
    Facilitate risk identification
    Management's Risk Register (if available)
    Management's Risk Register (amended)
    Audit universe
    Assign risks to audits
    Risk and audit universe (RAU)
    Audit plan
    Individual audit
    Audit report
    Audit Committee report
    Feedback results into RAU


    4 RBIA documentation

    Fig. 4 RBIA documentation (diagram labels):

    risk and audit universe
    audit databases
    objectives
    risks
    scores
    controls
    last audits
    tests
    Audit Committee report
    audit reports


    5 Processes involved in stage 2

    Fig 5 Processes involved in Stage 2 (flowchart labels):

    Risks which will be tolerated
    Risks on which assurance is provided by others
    Risk and Audit Universe
    Filter risks
    Audit plan
    Risks on which assurance is required
    Risks within the risk appetite
    Risk Register (audited)
    Categorise risks
    Risks not requiring an audit in this period
    Link risks to audits
    Select risks to be covered
    Allocate resources to audits
    Audit Universe
    Audit Committee report


    6 Grid for frequency of audits

    Fig. 6 Grid for the frequency of audits

    Likelihood of inherent risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
    Consequence of inherent risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

    Cell scores and audit frequency:
    1, 2, 3, 4: Never
    5, 6, 8: Every three years
    9, 10, 12: Every two years
    15, 16, 20, 25: Every year


    7 Factors to reduce inherent risk scores risks

    Fig. 7 Factors to reduce inherent risk scores

    Audit result (columns):
    Green   Amber   Red
    0.75    1       1
    0.5     0.75    1
    0.25    0.5     0.75

    Time since last audit (row axis): 1 year, 2 years, 3 years


    8 Processes involved in stage 3

    Flowchart labels:

    Audit plan
    Define draft audit scope
    Set up an audit database to record the audit details, or update the Risk and Audit Universe
    Agreed scope
    Meetings to determine objectives, risks and agree scope
    Obtain relevant documentation on processes
    Audit database
    Examine the risk management process for the area audited
    Decide on audit approach
    Conclude on risk maturity for the area audited
    Risk and audit universe


    9 Grid for significance of residual risks

    Fig. 9 Grid for the significance of residual risks

    Unacceptable: Immediate action required to control the risk
    Issue: Action required to control the risk
    Supplementary issue: Action is advisable if it is cost-effective
    Acceptable: No action required

    Likelihood of residual risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
    Consequence of residual risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

    Cell scores and significance:
    1, 2, 3, 4: Acceptable
    5, 6, 8: Supplementary issue
    9, 10, 12: Issue
    15, 16, 20, 25: Unacceptable

    Label on the grid: Risk appetite, as defined by the board


    Hierarchy of objectives, risks and controls (Appendix B)

    Diagram boxes, in the order extracted:

    Devise a strategy for the next five years to deliver our objectives
    Relieve famine in central Africa
    No clear strategy as to how to achieve our objective
    Unable to predict where and when famines will occur
    Unable to obtain food
    Unable to deliver the food to the starving
    Do not have the staff and systems to support the operation
    Set up a system which enables us to predict famine areas
    Set up agreements with donors to obtain food
    Establish delivery systems to deliver food when and where it is required
    Establish functions to support the field operations
    Insufficient lorries to transport grain
    Lorries breakdown
    Do not know where food is required most urgently
    Unable to obtain space on ships
    Insufficient drivers
    Roads are impassable
    Establish a supply chain to ensure prompt delivery of food to the highest priority area
    Decide how future needs are to be met, by local carrier or own lorries
    Lorries to be properly maintained
    Set up strategy for prioritizing camps
    Establish contacts with shipping companies to anticipate problems
    Identify how to recruit at short notice
    Set up possible alternative routes

    Level labels on the diagram: Objective level 1, risks, Objective level 2, risks, Objective level 3


    Objectives map (appendix C)

    Objective: Relieve famine in central Africa

    Level 2 objectives (numbered 1 to 5) and Level 3 objectives (numbered beneath them):

    1 Devise a strategy for the next five years to deliver our objectives
        1.1 Agree a strategy
        1.2 Communicate strategy
        1.3 Deliver strategy
        1.4 Update strategy
    2 Set up a system which enables us to predict famine areas
    3 Set up agreements with donors to obtain food
    4 Establish delivery systems to deliver food when and where it is required
        4.1 Establish contacts with shipping companies to anticipate problems
        4.2 Decide how future needs are to be met, by local carrier or own lorries
        4.3 Lorries to be properly maintained
        4.4 Identify how to recruit drivers at short notice
        4.5 Set up possible alternative routes for delivery
        4.6 Set up strategy for prioritizing camps
    5 Establish functions to support the field operations
        5.1 Raise money
        5.2 Provide financial advice
        5.3 Provide transaction processing
        5.4 Provide legal services
        5.5 Provide information technology
        5.6 Provide human resources


    Stages of an internal audit (appendix J)

    The management of an organisation have Objectives

    An internal control is a process which manages a risk

    A risk is a set of circumstances that hinder the achievement of objectives

    Significant risks generate the audit plan

    Internal auditing: provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.

    Numbered markers on the figure: 1, 2, 3, 4, 5

    The audit