Developing a risk-based audit plan

24 April 2024
Annemie Pelgrims, Expert Practice Leader Risk, TriFinance

A risk-based approach to internal audit will inevitably broaden the internal audit scope, covering emerging strategic, operational, financial and compliance risks, and related processes.

Creating value with Internal Audit

Results from an internal audit poll conducted by TriFinance clearly highlight a trend among Chief Audit Executives to broaden their scope as they strive to create more value within their organizations.

In the current disruptive and highly volatile business environment, we see Chief Audit Executives supporting business leaders by identifying and auditing emerging risks, helping organizations build general resilience and achieve their strategic objectives.

However, leadership and boards sometimes remain skeptical of the added value an internal auditor can bring in identifying, assessing and mitigating emerging risks associated with the current business disruptions. This is especially true for organizations where the Internal Audit function fulfills a traditional role as an assurance provider, primarily focused on assessing process compliance.

To support the position of internal audit as a strategic business advisor instead of a police officer and implement a risk-based audit approach, internal audit needs to start with the development of a risk-based audit plan.

A risk-based audit plan will support internal audit in addressing the risks the organization faces today as well as future challenges. It will anticipate emerging risks and provide insights that help management achieve a competitive advantage, starting with the following three steps.


# 1 Identify emerging risks

The initial step in implementing a risk-based audit plan is the ongoing identification of emerging strategic, operational, financial, and compliance risks. These risks should be periodically identified and assessed through various means, including

  • interviews with business leaders, to inquire about (i) strategic challenges, (ii) business developments, (iii) management changes, (iv) large projects that have been launched, (v) areas within their line of responsibility over which they have limited oversight and (vi) risks they see within different countries and business units;
  • information gathered from company-wide meetings;
  • results from advanced data analytics used across the internal audit lifecycle, such as continuous control monitoring dashboards;
  • risks described in competitors’ annual reports;
  • top risks highlighted in the global survey of the Institute of Internal Auditors (IIA);
  • insights from the World Economic Forum.

# 2 Implement a rolling risk assessment

The development and implementation of a risk-based internal audit plan requires a rolling risk assessment in which Internal Audit periodically assesses both existing and emerging risks across various parameters, including concerns raised by business leaders, other assurance providers (such as the risk manager), and Audit Committee members.

In addition to mapping business concerns to existing and emerging risks, leading Internal Audit functions consider (i) the year of the most recent audit, (ii) the number of high and medium rated audit issues, (iii) the possibility of fraud, (iv) risk materiality, and (v) the outcome of the enterprise risk assessment.

A rolling risk assessment is performed on a quarterly basis, often resulting in revised rankings of the organization's top risks and necessitating adjustments to the audit plan accordingly.

# 3 Align risk assessment approach and results with Enterprise Risk Management

During the rolling risk assessment, the internal auditor will collaborate with the enterprise risk manager to review the results of the enterprise risk assessment and the status of the defined action plans created to mitigate key enterprise-wide risks.

To facilitate this alignment exercise, it is considered best practice that Internal Audit and Enterprise Risk Management use the same risk register.

By sharing a common risk register, both functions can effectively identify emerging risks and seamlessly align their respective risk assessment exercises. This ensures that insights from the risk assessment process are harmonized and easily integrated into both internal audit and enterprise risk management practices.

Internal Audit as a strategic business advisor

Internal Audit functions that continuously identify and assess strategic, operational, financial, and compliance risks are well-positioned to develop and implement a risk-based audit plan.

This approach, which is characterized by high-impact internal audits, will contribute significantly to the perception of Internal Audit as a strategic business advisor.