Scribd
Upload
4K views18 pages

Risk Based Audit Planning

The document outlines an audit program for creating a risk-based audit plan. It describes evaluating risks within the organization and their likelihood and significance. Risk factors are identified and evaluated, such as the size of the unit, changes in personnel or systems, and economic conditions. Risks are then rated as low, medium, or high priority. Audits are selected based on the risk evaluation. The program also considers requests from management and evaluates controls to meet objectives.

Uploaded by

harmandian
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLS, PDF, TXT or read online on Scribd
4K views18 pages

Risk Based Audit Planning

The document outlines an audit program for creating a risk-based audit plan. It describes evaluating risks within the organization and their likelihood and significance. Risk factors are identified and evaluated, such as the size of the unit, changes in personnel or systems, and economic conditions. Risks are then rated as low, medium, or high priority. Audits are selected based on the risk evaluation. The program also considers requests from management and evaluates controls to meet objectives.

Uploaded by

harmandian
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLS, PDF, TXT or read online on Scribd
You are on page 1/ 18

Audit Program for Creating a Risk Based Audit Plan

AUDIT PROCEDURES Ref.

Evaluate risks existing within the organization


1. Likelihood of risk occurring
2. Significance of the risk related to the organization

Risk-based auditing begins by reviewing the organizational objectives, then


considers the risks that impact on the achievement of those objectives, and
examines the methodologies in place to mitigate those risks.

Risks can be avoided, shared, or transferred rather than controlled. Risk-based


auditing also explicitly accepts that there will always be some risk that must be
accepted; but the acceptable amount must be kept within the limits established by
the Board and management.

Audit Services identifies risk factors and evaluates them. The evaluation of risk
factors includes, but is not limited to, discussions with management, observations
made during previous audits, and the past history of the unit. Some examples of risk
factors are:

Example 1 of Risk Factors


Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ moral

Example 2 of Risk Factors

the date and results of the last audit


financial exposure
potential loss and risk
requests by management
major changes in operations, programs, systems and controls
opportunities to achieve operating benefits
changes to and capabilities of audit staff.

Example 3 of Risk Factors


A. Financial Impact

1. Proposed revenues and expenses for fiscal year


2. Expenditures and revenue trend over last three years
3. Fund type
4. Negative fund balances
5. Value of fixed assets
6. Capital expenditures
7. Proposed budget cuts

B. Results of Prior Years Audit

1. Occurrence of fraud
2. Information obtained from external reviewers
3. Date of last audit

C. Changes in Organization and/or Management

1. Management and staff capabilities


2. High employee turnover or new management
3. Management accountability

D. Systems

1. Stability and reliability of information technology


2. Disaster recovery

E. Political and/or Economic Environment

1. Regulations of a specific program’s activities


2. Adverse criticism or public embarrassment

F. Impact of Not Providing Service

1. Central control responsibility


2. Complexity of operations
3. Dependency on centralized processing

Based on the evaluation, assign a “Risk Rating” (low, medium or high) and a
“Priority Level” of 1, 2 or 3 (with 1 being the highest priority).

Select audits based on the identification and evaluation of significant risk exposures
as mentioned above. By focusing on the risk, internal auditors are able to identify
controls that are absent or ineffective, as well as those that are no longer relevant.

Consider requests originating from other sources including the Board, the Audit
Committee, Administration or deparmental management.
Done Time Date Date Checked
By Spent Expected Finished Remarks By:
Audit Program

Audit Procedure Control Objective


Workpaper Performed Date
Risk if Objective Not Met Control Technique Reference By Expected
Date Budget Actual Document
Completed Hours Hours Reference Source Reviewed By
Remarks/Comments
AREA:

Process Control Objective Risk


Assertion Documentation W/P
Control Considerations E,A,C,V,P Description of control Ref.
Testing
Do controls meet
exceptions
objective?
Test noted? Resolution / remediation/ comments
Yes/No
W/P Ref Yes/No W/P Ref
Potential Risk Factors

Business strategic risks


IT strategic operations risk
Financial return
Competitive impact
Regulatory impact

Size of the unit


Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ moral
Audit Program Area

Audit Procedure
Global Ref
No,
Control Objective Risks Control
Activity
Number
Control KeyControl? Frequency Owner Exceptions Type Document Mapping to
Description Reference Standards
AREA
DATE COMPLETED:
COMPLETED BY:
Question Yes No Comment
Finding Ref # Control Testing Finding
Management Response & Treatment

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy