
Best practices for conducting a risk-based internal audit

November 30, 2018 by Pedro Tavares

Over the last few years, cyber-crime has grown both in volume and in the variety of techniques cybercriminals use. Because of this, organizations have recognized the need to manage risk and adopted it as a crucial part of good governance practice.

A Risk-Based Internal Audit (RBIA) is focused on the organization's response to the risks they face in achieving their goals and objectives. An RBIA differs from other types of audits as it is based on the business goals and their associated risks. With this approach, internal auditors gain other responsibilities — now they not only manage the control activities, but also add an important contribution in the development of the risk management processes by defining the organization’s universe of risk.

This article focuses on RBIA and describes a method that uses risk assessment as the focal point for selecting the high-risk areas. This saves audit time and cost, because controls with only a minor impact on business risk are placed in a different “bag.”

Benefits of conducting an RBIA

Writing in the European Journal of Accounting Auditing and Finance Research, Dr. Vahit Ferhan Benli and Duygu Celayir summed up the idea of a risk-based internal audit: “RBIA is an audit approach on the basis of determining the risk profiles of the businesses, shaping the audit progress according to the risk profile of the business and allocating the audit resources according to this profile to improve the efficiency of the audit.”

The RBIA is an approach that makes the internal audit review more efficient and focused on the business needs and, consequently, on the service under analysis. In this sense, management benefits from greater input into the “shape” of the audit review, ensuring that key concerns and significant risks are considered within the scope of the audit.

Risk management is a challenging landscape that requires adaptation of auditors, as every organization has a different attitude towards risk, different structures, processes and languages. For this reason, an RBIA seeks to reinforce all the responsibilities of risk management and establish a strong and well-designed risk management framework.

Business plans are changed daily, and this represents a big challenge for RBIA, as there is no consensus on the best approach to implement it. Because of this, it is more difficult to manage RBIA than traditional IA approaches (a subject discussed below).

To define the right risk management process and conduct an RBIA, it is crucial to understand the business needs in order to define internal controls that reduce risks to an acceptable level — the risk appetite of the organization.

According to David Griffiths in “Risk-Based Internal Auditing: Three views on compliance,” in order to conduct an effective RBIA directors need to ensure that the risk management framework includes the following:

  • Directors have identified and evaluated the risks that threaten the objectives of the organization and have developed an internal control system to reduce this threat to below the risk appetite, or report to the board where this is not possible
  • The inherent risks are recorded and assessed in some way, allowing them to be classified in order of threat
  • The board has approved a risk appetite for the organization on such a basis that risks can be easily identified as being above, or below, the risk appetite
  • The responsibility for providing assurance on the risk management framework is defined. This will include defining the responsibilities of management, external audit, internal audit and any other functions that provide assurance, such as HR, Finance, Loss Prevention and the department of Health and Safety

The way to score risks is to attribute a level (e.g., high, medium and low) to the consequence and likelihood of the risk.
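As an added illustration of this scoring step (example code, not from the article), the following Python scores a small constructed risk register with high/medium/low levels for consequence and likelihood, ranks the risks in order of threat and flags those above the board-approved risk appetite, as the framework requirements above describe. The 3x3 product matrix, the rating cut-offs and the register entries are assumptions.

```python
from dataclasses import dataclass

# Ordinal scale applied to both consequence and likelihood (high / medium / low).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str         # inherent risk as recorded in the register
    objective: str    # organizational objective it threatens
    consequence: str  # low / medium / high
    likelihood: str   # low / medium / high


def score(risk: Risk) -> int:
    """Consequence x likelihood on the 1-3 scale (assumed matrix), giving 1..9."""
    try:
        return LEVELS[risk.consequence] * LEVELS[risk.likelihood]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown level {exc}") from None


def rating(points: int) -> str:
    """Collapse a 1..9 score back to the high/medium/low scale (assumed cut-offs)."""
    if points >= 6:
        return "high"
    if points >= 3:
        return "medium"
    return "low"


def rank_by_threat(risks: list) -> list:
    """Classify the register in order of threat, highest score first."""
    return sorted(risks, key=score, reverse=True)


def above_appetite(risks: list, appetite: str) -> list:
    """Risks rated above the board-approved appetite: these are audited first."""
    limit = LEVELS[appetite]
    return [r for r in rank_by_threat(risks) if LEVELS[rating(score(r))] > limit]


# Constructed sample register, not data from the article.
REGISTER = [
    Risk("Privileged accounts not reviewed", "Protect customer data", "high", "high"),
    Risk("Ransomware disrupts order processing", "Fulfil orders on time", "high", "medium"),
    Risk("Supplier invoice paid twice", "Accurate financial reporting", "medium", "medium"),
    Risk("Office printer outage", "Staff productivity", "low", "high"),
    Risk("Typo on marketing page", "Brand image", "low", "low"),
]

if __name__ == "__main__":
    flagged = above_appetite(REGISTER, "medium")
    for r in rank_by_threat(REGISTER):
        state = "ABOVE appetite" if r in flagged else "within appetite"
        print(f"{score(r)} {rating(score(r)):6} {r.name:40} {state}")
```

Running the block prints the register ordered by threat, with the two high-rated risks flagged for a "medium" appetite.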

According to CA Shiva Chaudhari in “A Guide to Risk-Based Internal Audit System in Banks,” an RBIA brings immediate benefits. Table 1 depicts some of them.

Table 1: Benefits of an RBIA

  Strategic benefits
    • Easier adaptation to changing conditions by developing a consistent and comprehensive approach to risk management
    • Provides a better understanding and management of the risks

  Performance-related benefits
    • Increases the opportunity risks by reducing negative risks
    • Allows the risks to be identified correctly and the existing management and internal controls to ensure the best performance

  Management of unexpected events
    • Creates the ability to respond correctly to unexpected demands and challenges in the face of deviations from targets
    • Easier to understand the risks awaiting the business and their actual effects

RBIA versus traditional internal audit

RBIA is an approach that requires extensive knowledge of the business and its risks, so it is often defined as being quite complex. Table 2 below presents a comparison between an RBIA and the traditional approach of internal audits (IA).

Table 2: RBIA versus traditional internal audit (IA)

Each pair contrasts the traditional IA approach with the risk-based IA approach.

  Traditional IA: Audit plan is based on the audit cycle
  Risk-based IA: Audit plan is based on the results of the business risk evaluation. Risky areas are covered first and more frequently

  Traditional IA: Important risks might not be covered by the audit plan
  Risk-based IA: Provides assurance that important risks are being managed properly

  Traditional IA: Focuses on deficiencies in controls and cases of non-compliance with policies and procedures
  Risk-based IA: Focuses on risks that are not properly controlled or are over-controlled

  Traditional IA: IA resources are spread over all business activities
  Risk-based IA: More efficient use of IA resources by concentrating on risk areas

  Traditional IA: Business risks are not mapped
  Risk-based IA: The importance of risks is established during the risk assessment phase and in agreement between IA

  Traditional IA: Disagreement with business management over the action plans, leading to delays in implementation
  Risk-based IA: Facilitates consensus with line management on the needed action plans, thus improving the timely implementation of corrective measures

RBIA stages

The implementation of an RBIA is generally done in three stages, which are described below.

Stage 1: Assessing risk maturity

In this stage, an overview is obtained from administration and the board of how risks are assessed, managed and monitored. This procedure indicates how far the organization's risk information can be relied upon for audit planning purposes.

Stage 2: Periodic audit planning

An audit is planned for a specific period (typically annual) where all areas on which the board requires objective assurance are identified and prioritized. Here, the risk management processes, the management of key risks and the recording and reporting of risks (audit results) are included.

Stage 3: Individual audit assignments

At this stage, individual risk-based assignments are executed to provide assurance on part of the risk management framework, for instance on the mitigation of individual risks or groups of risks.


Economic and social life have expanded in unexpected ways recently, and the volume of business has expanded greatly to match them. This means more and greater risks. Controlling each process in terms of both time and resources has been an arduous task, and this has raised the costs of audits.

For this reason, organizations should consider implementing RBIA processes to protect their assets from unnecessary risks, as it provides a 360° view of the business. The key to success always lies in the initial analysis, typically performed by internal auditors who analyze business goals, business objectives and their associated risks in order to conduct the IA in the best way.

To conclude, businesses are becoming larger and more complex, and a careful analysis of potential risks is needed to protect organizations from unexpected threats that may interfere with their daily operations.


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.