RATIONALE FOR RISK-BASED PLANNING

BASIS: INTERNATIONAL STANDARD FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (ISPPIA), Standard 2010
The Chief Audit Executive MUST establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

WHY RISK-BASED PLANNING?
Internal audit resources are limited and expensive. With so many auditable areas, internal audit can focus on improving the systems of internal control that are supposed to mitigate the HIGH risks.



Determine the organization's:
- Vision & Mission (the overriding purpose of the organization)
- Strategies and external forces
- Control environment
- Culture and systems


a. RISK IDENTIFICATION is the process of identifying the risks that may hinder the achievement of the organization's objectives.

b. RISK ANALYSIS is the process where risks are measured/assessed using:
   a. Impact/Exposure - the potential loss derived from a threat. Exposure can take the form of a quantitative monetary measure and/or a qualitative/intangible value.
   b. Likelihood - the probability of a risk happening.
   c. Vulnerability - a weakness in the flow of business systems that exposes an organization to a loss.

c. RISK PRIORITIZATION is the process where the risks are given expected values. This value can be the basis for determining which risks are more critical to manage and deserve more attention. The higher the expected value, the higher the risk. It is computed as:

   EXPECTED VALUE = LIKELIHOOD x IMPACT


EXPECTED VALUE | RISK CLASSIFICATION | RISK APPETITE            | RECOMMENDATION
1.0 - 4.0      | Low Risk            | Acceptable (A)           | No action is required; can be managed by routine procedures and operations.
5.0 - 8.0      | Moderate Risk       | Supplementary Issue (SI) | Action is advisable if resources are available; can be managed by specific monitoring response procedures.
               | High Risk           | Issue (I)                | Action is required to manage the risk; management responsibility should be specified.
               |                     | Unacceptable (U)         | Immediate action is required to manage the risk.

d. RISK RESPONSE is the process of determining how the risks identified, measured and prioritized should be responded to by management. The types of risk response are:

   TOLERATE       - Accept or retain the risk.
   TREAT          - Control or reduce the risk.
   TRANSFER       - Insure, share, outsource or contract out the risk.
   TAKE ADVANTAGE - Exploit the risk by offering services or products to manage it.
   TERMINATE      - Avoid, eliminate or exit the activity or transaction that creates the risk.

3. RESOURCE MANAGEMENT

BASIS: STANDARD 2030
The CAE must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. Resource management should be:
- Appropriate - the mix of knowledge, skills and other competencies needed to perform the audit plan.
- Sufficient - the quantity of resources needed to accomplish the plan.
- Effective - resources are effectively deployed when used in a way that optimizes achievement of the approved plan.

4. COORDINATE ASSURANCE SERVICES

BASIS: STANDARD 2050
The Chief Audit Executive should share information and coordinate activities with internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of effort.

5. DOCUMENT AUDIT PLANNING

BASIS: STANDARD 2010.A2
The CAE must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

STANDARD 2010.C1
The CAE should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.

TYPES OF AUDIT PLAN DOCUMENTATION:
1. LONG-RANGE SCHEDULE OR ANNUAL AUDIT PLAN
2. STAFFING PLAN
3. FINANCIAL BUDGET