Risk-Based Internal Audit (RBIA)

after update plan
assess risk continuously
developed by CAE and reported to AC
RBIA (framework IA process)
(1) strategic audit planning
(2) engagement planning (development)
(3) performing engagement (implement the plan)
collecting the data/evidence
documentation (prepared by internal auditor, reviewed by management IA)
(4) evaluation/conclusion
(5) reporting (communication)
(6) follow up
1. understand objective (industry & organization)
2. consider IPPF
3. understand stakeholder expectation
4. update IA vision & mission (to ensure alignment with stakeholder expectation)
5. define critical success factor
6. perform SWOT
7. identify key initiatives
AC is responsible for looking into the planning to ensure it aligns with the objective
know the company's vision, mission, and who the competitors are
CAE must ensure planning develop the standard, code of ethics
CAE must communicate directly with stakeholders. Expectations always change depending on the situation
CAE will confirm and document (compile) the expectations
positioning, process, people
identifying objective, strategies, structure
create/revise audit universe
(3). coordinating with other providers
(1). understand organization
review key documents
consulting with key stakeholders
(2). identify, assess, prioritize risk
1. understanding business objectives, strategies, risk
2. linking
3. documenting risk
4. risk assessment approach
specific-risk approach (bottom-up: identify specific auditable units in the audit universe)
risk-by-process approach (business processes as the auditable units)
risk-factor approach (top-down: look at the high level that is common across auditable units)
5. measuring risk
(4). estimating resources
communicate the risk to let the company know about the risk
consider inherent risk and residual risk (CAE must document the reasons for residual risk)
CAE determines the resources needed to implement the plan: people (labour hours, skill), technology (tools & techniques), funding (budget needed)
CAE needs to maintain skill & knowledge to fulfill expectations
(5). draft IA plan
(6). propose plan & soliciting feedback
(7). communicate to finalize the plan, approval
update the plan
interview -> verify -> observation -> reperform -> questionnaire -> analytical procedure -> CAATs -> physical inspection -> review report -> confirmation
evaluation & conclusion process (recommendation)
criteria
process
monitor process to follow the effect of recommendation
factor consider