9.5 Design of risk-based internal audit plan
Designing a risk-based internal audit plan involves systematically identifying and prioritizing the key risks faced by an organization and aligning the internal audit activities to address those risks. Here are the steps involved in designing a risk-based internal audit plan:
- Risk Assessment: Conduct a comprehensive risk assessment to identify and understand the risks that the organization faces. This involves gathering information from various sources, such as interviews with management, reviewing industry trends, analyzing historical data, and considering the impact of regulatory changes. The risks can be categorized into different types, such as strategic, operational, financial, and compliance risks.
- Risk Prioritization: Evaluate and prioritize the identified risks based on their significance and potential impact on the organization’s objectives. This can be done by considering factors such as the likelihood of occurrence, the potential magnitude of the impact, the inherent risk level, and the risk appetite of the organization. This prioritization helps determine the focus areas for internal audit activities.
- Audit Universe: Develop an audit universe, which is a comprehensive list of auditable entities, processes, and activities within the organization. This includes identifying various business units, departments, and key functions that will be subject to internal audit review. The audit universe provides a structured framework for organizing the internal audit plan.
- Risk-Based Scoping: Based on the risk assessment and prioritization, determine the scope of each audit engagement. Consider the risks associated with each auditable entity and the level of assurance needed. This may involve selecting specific processes, functions, or locations to be included in the internal audit plan. The scoping should be aligned with the organization’s strategic objectives and risk appetite.
- Resource Allocation: Allocate the necessary resources, including staffing, budget, and technology, to support the execution of the internal audit plan. Consider the skills and expertise required to address the identified risks and ensure that the internal audit team has the necessary capabilities to perform the audits effectively.
- Audit Plan Development: Develop a detailed internal audit plan that outlines the specific audits to be conducted, the objectives of each audit, the timing, and the expected deliverables. The plan should reflect the risk priorities, the scope of the audits, and any resource constraints. It should also consider the need for ongoing monitoring and follow-up activities to track the implementation of recommendations.
- Continuous Review and Update: Regularly review and update the internal audit plan to address emerging risks, changes in the business environment, or any significant events that may impact the organization’s risk profile. The internal audit plan should remain flexible and responsive to changes in the organization’s risk landscape.