Introductions of CAE and audit team. Today, we are going to discuss our Internal Audit Department's Long-Term Audit Plan, including how we will decide what to audit and when, and conclude by placing our most important conclusions into an easy-to-understand Risk Assessment Matrix.
The Internal Audit Department follows the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards). Included in these Standards is the requirement for the CAE to (read from screen), and this includes (read from screen).
The Internal Audit Department's Long-Term Plan (3 to 5 years) will be developed using risk-based techniques and in consultation with Senior Management and the Board.
The Internal Audit Department will follow a four-step approach to prepare the long-term audit plan, including (read from screen). We will consider each of these steps one by one, with application to our organization.
The first step, (read from screen), is determining all areas available to be audited within the organization. This is done by dividing the organization into auditable activities or units.
There are three main approaches to dividing our organization: by function (accounting, H/R, transportation, manufacturing, etc.), by organizational unit (divisions, plants, cost centers, profit centers or investment centers), or by project, which covers all specific activities within a project.
The key to using one of the above approaches, or a combination of all three (as our organization does), is to ensure that every activity in the organization falls under an auditable unit and has the potential to be audited, which fulfills the completeness requirement.
The second step, risk assessment, is key for our organization. To quote the Chair of our Audit Committee, "we are in a risky business and careful long-term and contingency planning is essential to our success."
Three factors are considered for risk assessment: likelihood, impact and controllability.
The first, the likelihood that a weakness will occur, includes the consideration of inherent risk and internal control risk.
"Inherent risk is the potential of an event to go wrong in a function or an activity that would impair the organization's ability to meet its objectives." Inherent risk includes internal and external factors.
Inherent risk is combined with internal control risk, which is "the risk that internal controls may not be able to prevent, detect, or control the occurrence of a threat."
The Internal Audit Department "makes an overall assessment, and based on [our] knowledge of the company, rates the likelihood of significant control risks as high, medium or low."
This becomes the "likelihood of occurrence" rating.
The second risk assessment factor that the Internal Audit Department considers is the impact of a weakness. We consider the above factors (read from screen) to enable full consideration of the magnitude of a weakness's impact on our organization. A rating of low, medium or high will be given to rate the impact.
The third risk assessment factor that the Internal Audit Department considers is the ability of internal controls to effectively control the weakness. A rating of low, medium or high will be given, with a high rating meaning that "management can control risks in this area through the use of effective internal controls," and therefore an audit and recommendations are warranted.
Combining the low, medium or high ratings of each potential audit area for likelihood, impact and controllability means that the Internal Audit Department can develop a long-term audit plan and work down the list, starting with the highest-risk areas.
High-risk areas will be audited annually, medium-risk areas every three to five years, and low-risk areas may be audited every five years or more, or not at all.
The long-term audit plan will be reviewed continuously with regular