Developing a risk-based audit plan
24 April 2024
A risk-based approach to internal audit will inevitably broaden the internal audit scope, covering emerging strategic, operational, financial and compliance risks, and related processes.
Creating value with Internal Audit
Results from an internal audit poll conducted by TriFinance clearly highlight a trend among Chief Audit Executives to broaden their scope as they strive to create more value within their organizations.
In the current disruptive and highly volatile business environment, we see Chief Audit Executives support business leaders by both identifying and auditing emerging risks, helping organizations build general resilience and achieve strategic objectives.
However, leadership and boards sometimes remain skeptical of the added value an internal auditor can bring in identifying, assessing and mitigating emerging risks associated with the current business disruptions. This is especially true for organizations where the Internal Audit function fulfills a traditional role as an assurance provider, primarily focused on assessing process compliance.
To support the position of internal audit as a strategic business advisor instead of a police officer and implement a risk-based audit approach, internal audit needs to start with the development of a risk-based audit plan.
A risk-based audit plan will support internal audit in addressing the risks the organization faces today as well as future challenges. It will anticipate emerging risks and provide insights that help management achieve a competitive advantage. Developing such a plan starts with the following three steps.
Annemie Pelgrims, Expert Practice Leader Risk, TriFinance
# 1 Identify emerging risks
The initial step in implementing a risk-based audit plan is the ongoing identification of emerging strategic, operational, financial, and compliance risks. These risks should be periodically identified and assessed through various means, including
- interviews with business leaders, to inquire about (i) strategic challenges, (ii) business developments, (iii) management changes, (iv) launched large projects, (v) areas in their line of responsibility which they have limited oversight on and (vi) risks they see within different countries and business units;
- information gathered from company-wide meetings;
- results from advanced data analytics used across the internal audit lifecycle, such as continuous control monitoring dashboards;
- risks described in competitors’ annual reports;
- top risks highlighted in the global survey of the Institute of Internal Auditors (IIA);
- insights from the World Economic Forum.
# 2 Implement a rolling risk assessment
The development and implementation of a risk-based internal audit plan requires a rolling risk assessment in which Internal Audit periodically assesses both existing and emerging risks across various parameters, including concerns raised by business leaders, other assurance providers (such as the risk manager), and Audit Committee members.
In addition to mapping business concerns to existing and emerging risks, leading Internal Audit functions consider (i) the year of the most recent audit, (ii) the number of high and medium rated audit issues, (iii) the possibility of fraud, (iv) risk materiality, and (v) the outcome of the enterprise risk assessment.
A rolling risk assessment is performed on a quarterly basis, often resulting in revised rankings of the organization's top risks and necessitating adjustments to the audit plan accordingly.
# 3 Align risk assessment approach and results with Enterprise Risk Management
During the rolling risk assessment, the internal auditor will collaborate with the enterprise risk manager to review the results of the enterprise risk assessment and the status of the defined action plans created to mitigate key enterprise-wide risks.
To facilitate this alignment exercise, it is considered best practice that Internal Audit and Enterprise Risk Management use the same risk register.
By sharing a common risk register, both functions can effectively identify emerging risks and seamlessly align their respective risk assessment exercises. This ensures that insights from the risk assessment process are harmonized and easily integrated into both internal audit and enterprise risk management practices.
Internal Audit as a strategic business advisor
Internal Audit functions that continuously identify and assess strategic, operational, financial, and compliance risks are well-positioned to develop and implement a risk-based audit plan.
This approach, which is characterized by high-impact internal audits, will contribute significantly to the perception of Internal Audit as a strategic business advisor.