Internal Audit Risk Assessment Blueprint and Best Practices

September 19, 2019 BY MQMR Blogger

The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF) defines Internal Audit as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. More simply stated, Internal Audit is a process of assessing risk, identifying controls to mitigate those risks, testing those internal controls for adequacy and effectiveness, and ensuring that appropriate corrective action is taken when needed.

A company-wide risk assessment is the initial step in developing a comprehensive risk-based audit plan. Numerous methods with varying degrees of complexity exist for assessing risk; however, the best approach is often the most straightforward: based on a series of risk factors to be evaluated, assess each operational or departmental area and assign it a risk rating of high, moderate, or low. An effective risk assessment process includes the following steps:

  • Catalog potential audit areas:
    • Identify areas of audit focus, such as compliance, servicing, underwriting, secondary marketing, information technology, etc.
    • Organizational charts are useful resources for this process.
  • Assess risk:
    • Compile existing policies, procedures, prior audit exam reports, financial reports, and related supporting information to identify risks and assess the control environment mitigating those risks.
  • Assign a risk rating:
    • Risk rate operational or departmental areas from highest to lowest.
    • Risk ratings should be clearly defined and documented.
  • Develop the audit plan:
    • Based on the assigned risk ratings, develop or modify the audit plan to evaluate the highest risk areas on a more frequent basis.
  • Update your risk assessment as risks change:
    • The risk assessment should be updated each time your risk changes, but annually at a minimum.
    • Consider the effect on your risk assessment and make the appropriate changes when:
      • Strategies change or are redefined
      • New products are added
      • Significant turnover is experienced
      • Other changes affecting your risk environment take place

The risk assessment will inform the development of a multi-year audit plan. A multi-year approach is recommended, as areas identified as higher risk should be audited more frequently, while lower risk areas can be audited less frequently, depending on management’s risk appetite. The audit plan should identify how frequently each operational or departmental area will be audited, and each time the risk assessment is updated, the audit plan should be evaluated and revised if necessary.

Audit plans should be approved by the board of directors/audit committee and executive management each year. Significant changes in the plan or its scope should also be communicated to the board and executive management. Remember to document the approval of the plan in board or committee meeting minutes.