A critique on use of "Risk Based Audit Framework" as an audit planning tool

Risk-Based Audit Framework
An internal audit plan is a collection of activities undertaken by internal auditors to satisfy the organisation's assurance objective. Audit planning involves balancing upstream and downstream processes in developing an audit scope that links to the organisation's risk profile. A good audit plan can be described as one which positively impacts the organisation's operational environment.
The risk-based internal audit (RBIA) framework is a widely popular tool in the internal audit fraternity. RBIA focuses on the inherent vulnerabilities of an organization's control environment and provides a systematic framework to internal auditors. The RBIA framework involves selecting the organization's vulnerabilities, measuring the likelihood and impact of those vulnerabilities, formulating testing strategies to assess how the vulnerabilities are managed, and then executing tests and reporting to the board if vulnerabilities were poorly managed.

Even if this is done correctly, which is probably an overly optimistic view, the RBIA framework ignores unapparent vulnerabilities manifested in an organization's operating environment.

The IIA's definition of internal audit can be used to validate this point. It states that "internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations".

Risk-based audit framework enthusiasts argue that providing assurance on risk management processes operating within an organization's control environment satisfies the IIA's definition. This is, however, an ambiguous interpretation of the problem, as the principles of adding value and improving operations are not conditioned only on risks.
The IIA defines RBIA as "a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite".
This limitation of the RBIA framework does not render it entirely unsuitable for developing an objective audit plan, and it is an effective tool in delivering its focused value, i.e. vulnerabilities in an organization's control environment. Internal auditors should realize this limitation is deliberate, and not an oversight.

When it comes to internal audit's value model, the audit plan should provide objective assurance to an organization on its operational environment, beyond the risk management processes operating within the organization's control environment. By including the "adding value" and "improving an organization's operations" principles in the audit plan, internal auditors should zoom out from the "only risk focus", i.e. the control environment, and look at the big picture (including the risk focus), i.e. the operational environment.
Internal auditors can create a composite audit plan by linking the audit scope to an organization's operational environment, and provide assurance on the big picture. As a starting point, expanding the audit scope beyond the risk focus to include strategy, financial efficiency and management structure in the audit plan positively impacts an organization. An internal audit value model based on the operational environment delivers greater value through a holistic assurance strategy using a composite audit plan.

(If you are interested in this subject, I recommend you read "Broken Windows - An Ignored Perspective on Control Environment", which provides a systematic approach for auditing the control environment by redefining the risk focus.)

The article was originally written and posted by Majid Mumtaz and was republished on our website with his permission.
