
Risk based internal auditing – an introduction
Slides of figures and appendices

©David M Griffiths www.internalaudit.biz


Risk based internal auditing – an introduction
slides of figures and appendices

• The following slides are those used in the book Risk based internal auditing – an introduction, available from www.internalaudit.biz
• The slides of figures are:
– 1 Internal auditing objectives
– 2 Grid for significance of risks
– 3 Stages of an audit
– 4 RBIA documentation
– 5 Processes involved in stage 2
– 6 Grid for frequency of audits
– 7 Factors to reduce inherent risk scores
– 8 Processes involved in stage 3
– 9 Grid for significance of residual risks
• Slides of appendices are:
– A Internal auditing objectives
– B Hierarchy of objectives, risks and controls
– C Process map
– E Grid for risk workshop
– J Stages of an internal audit
– Other appendices are in the Excel spreadsheet RBIA introduction excel v3



Internal auditing objectives
(Figure 1 and appendix A)

The figure links four statements in a cycle:
– The management of an organisation have objectives.
– A risk is a set of circumstances that hinder the achievement of objectives.
– An internal control is a process which manages a risk.
– Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels. The main aim of internal auditing is to assist the organisation to achieve its objectives.



2 Grid for significance of risks

Likelihood of risk (rows) against consequence of risk (columns). Each cell gives the score (likelihood × consequence) and the significance assigned to it.

Consequence of risk: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5): 5 Supplementary issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4): 4 Acceptable | 8 Supplementary issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3): 3 Acceptable | 6 Supplementary issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2): 2 Acceptable | 4 Acceptable | 6 Supplementary issue | 8 Supplementary issue | 10 Issue
Rare (1): 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Issue

The grid also plots an example risk: IR (inherent risk) in the top row, reduced by an internal control to RR (residual risk) in the bottom row.

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required

Risk appetite, as defined by the board

IR = Inherent Risk RR = Residual Risk

Fig. 2 Grid showing the significance of risks



3 Stages of an audit

The figure is a flowchart with three stages:
– Stage 1: Assess risk maturity (Risk naive, Risk aware, Risk defined, Risk managed, Risk enabled), using management's risk register if available. At the lower maturity levels internal audit facilitates risk identification, producing an amended management risk register; at the higher levels it uses the organisation's own risks.
– Stage 2: Assign risks to audits, combining the audit universe with the risks to form the risk and audit universe (RAU); from this produce the audit plan and the Audit Committee report.
– Stage 3: Carry out the individual audit, issue the audit report and feed the results back into the RAU.

Fig. 3 Stages of an audit



4 RBIA documentation

Two sets of records are kept:
– Risk and audit universe: objectives, risks, scores, controls, last audits; reported to the Audit Committee in the Audit Committee report.
– Audit databases (one per audit): objectives, risks, scores, controls, tests; reported in the audit report.

Fig. 4 RBIA documentation



5 Processes involved in stage 2

Input: Risk Register (audited).
– Filter risks: separate the risks not requiring an audit in this period (risks within the risk appetite, risks on which assurance is provided by others, risks which will be tolerated) from the risks on which assurance is required.
– Categorise risks.
– Link risks to audits, using the Audit Universe, to form the Risk and Audit Universe.
– Select risks to be covered.
– Allocate resources to audits.
Outputs: Audit plan; Audit Committee report.

Fig. 5 Processes involved in stage 2
6 Grid for frequency of audits

Likelihood of inherent risk (rows) against consequence of inherent risk (columns). Each cell gives the inherent risk score and how often a risk with that score is audited.

Consequence of inherent risk: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5): 5 Every three years | 10 Every two years | 15 Every year | 20 Every year | 25 Every year
Probable (4): 4 Never | 8 Every three years | 12 Every two years | 16 Every year | 20 Every year
Possible (3): 3 Never | 6 Every three years | 9 Every two years | 12 Every two years | 15 Every year
Unlikely (2): 2 Never | 4 Never | 6 Every three years | 8 Every three years | 10 Every two years
Rare (1): 1 Never | 2 Never | 3 Never | 4 Never | 5 Every three years

Fig. 6 Grid for the frequency of audits



7 Factors to reduce inherent risk scores

Factor by which the inherent risk score is multiplied, by time since the last audit (rows) and the result of that audit (columns).

Audit result: Green | Amber | Red
Time since last audit, 3 years: 0.75 | 1 | 1
Time since last audit, 2 years: 0.5 | 0.75 | 1
Time since last audit, 1 year: 0.25 | 0.5 | 0.75

Fig. 7 Factors to reduce inherent risk scores



8 Processes involved in stage 3

Input: Audit plan.
– Define draft audit scope.
– Examine the risk management process for the area audited.
– Conclude on risk maturity for the area audited.
– Decide on audit approach.
– Meetings to determine objectives, risks and agree scope, giving the agreed scope.
– Obtain relevant documentation on processes.
– Set up an audit database to record the audit details, or update the Risk and Audit Universe (the risk and audit universe feeds in; the audit database is the output).

9 Grid for significance of residual risks

Likelihood of residual risk (rows) against consequence of residual risk (columns). Each cell gives the residual risk score and the significance assigned to it.

Consequence of residual risk: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5): 5 Supplementary issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable
Probable (4): 4 Acceptable | 8 Supplementary issue | 12 Issue | 16 Unacceptable | 20 Unacceptable
Possible (3): 3 Acceptable | 6 Supplementary issue | 9 Issue | 12 Issue | 15 Unacceptable
Unlikely (2): 2 Acceptable | 4 Acceptable | 6 Supplementary issue | 8 Supplementary issue | 10 Issue
Rare (1): 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary issue

Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required

Risk appetite, as defined by the board

Fig. 9 Grid for the significance of residual risks
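The scoring rules behind the grids in figures 2, 6, 7 and 9, as an added worked example (my code, not the book's spreadsheet): the Fig. 9 cells are encoded as a lookup, the Fig. 6 frequencies as score bands that every cell of that grid fits, and the Fig. 7 factors as a table. How a risk that has never been audited, or was audited more than three years ago, is treated is my assumption, not the book's.

```python
# Added worked example (my code, not the book's spreadsheet): the scoring rules
# behind Figs 2/9, 6 and 7 as functions, taking a risk from likelihood and
# consequence to significance, reduced score and audit frequency.
A, S, I, U = "Acceptable", "Supplementary issue", "Issue", "Unacceptable"

# Fig. 9 cell for cell: rows are likelihood 5..1, columns consequence 1..5.
SIGNIFICANCE = {5: [S, I, U, U, U],
                4: [A, S, I, U, U],
                3: [A, S, I, I, U],
                2: [A, A, S, S, I],
                1: [A, A, A, A, S]}

# Fig. 7: factor on the inherent score by whole years since the last audit and its result.
REDUCTION_FACTOR = {3: {"Green": 0.75, "Amber": 1.0, "Red": 1.0},
                    2: {"Green": 0.5, "Amber": 0.75, "Red": 1.0},
                    1: {"Green": 0.25, "Amber": 0.5, "Red": 0.75}}

def score(likelihood, consequence):
    """Score as used on the grids: likelihood (1-5) x consequence (1-5)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be 1..5")
    return likelihood * consequence

def significance(likelihood, consequence):
    """Look the risk up on the Fig. 9 grid."""
    score(likelihood, consequence)  # range check only
    return SIGNIFICANCE[likelihood][consequence - 1]

def audit_frequency(risk_score):
    """Fig. 6 as score bands; every cell of that grid falls into one of them."""
    if risk_score <= 4:
        return "Never"
    if risk_score <= 8:
        return "Every three years"
    if risk_score <= 12:
        return "Every two years"
    return "Every year"

def reduced_score(inherent, years_since_audit, result):
    """Apply Fig. 7. Assumption (mine): no previous audit, or one more than three
    years ago, leaves the full inherent score; under a year counts as one year."""
    if years_since_audit is None or years_since_audit > 3:
        return inherent
    return inherent * REDUCTION_FACTOR[int(max(1, years_since_audit))][result]

def plan_entry(likelihood, consequence, years_since_audit=None, result=None):
    """One audit-plan line for a risk: scores, significance and audit frequency."""
    inherent = score(likelihood, consequence)
    reduced = reduced_score(inherent, years_since_audit, result)
    return {"inherent": inherent, "significance": significance(likelihood, consequence),
            "reduced": reduced, "frequency": audit_frequency(reduced)}
```

For example, a risk scored probable (4) and catastrophic (5) is Unacceptable with an inherent score of 20, audited every year; a Green audit two years ago halves the score to 10, which moves it to every two years.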



Hierarchy of objectives, risks and controls
(Appendix B)

Objective level 1: Relieve famine in central Africa
Risks:
– No clear strategy as to how to achieve our objective
– Unable to predict where and when famines will occur
– Unable to obtain food
– Unable to deliver the food to the starving
– Do not have the staff and systems to support the operation

Objective level 2:
– Devise a strategy for the next five years to deliver our objectives
– Set up a system which enables us to predict famine areas
– Set up agreements with donors to obtain food
– Establish delivery systems to deliver food when and where it is required
– Establish functions to support the field operations

Level 2 objective carried down to the next level: Establish a supply chain to ensure prompt delivery of food to the highest priority area
Risks:
– Unable to obtain space on ships
– Insufficient lorries to transport grain
– Insufficient drivers
– Lorries break down
– Roads are impassable
– Do not know where food is required most urgently

Objective level 3:
– Establish contacts with shipping companies to anticipate problems
– Decide how future needs are to be met, by local carrier or own lorries
– Lorries to be properly maintained
– Set up possible alternative routes
– Identify how to recruit at short notice
– Set up strategy for prioritizing camps



Objectives map
(appendix C)

Level 1 objective: Relieve famine in central Africa

Level 2 objectives:
– 1 Devise a strategy for the next five years to deliver our objectives
– 2 Set up a system which enables us to predict famine areas
– 3 Set up agreements with donors to obtain food
– 4 Establish delivery systems to deliver food when and where it is required
– 5 Establish functions to support the field operations

Level 3 objectives:
– 1.1 Agree a strategy
– 1.2 Communicate strategy
– 1.3 Deliver strategy
– 1.4 Update strategy
– 4.1 Establish contacts with shipping companies to anticipate problems
– 4.2 Decide how future needs are to be met, by local carrier or own lorries
– 4.3 Lorries to be properly maintained
– 4.4 Set up possible alternative routes for delivery
– 4.5 Identify how to recruit drivers at short notice
– 4.6 Set up strategy for prioritizing camps
– 5.1 Raise money
– 5.2 Provide legal services
– 5.3 Provide financial advice
– 5.4 Provide transaction processing
– 5.5 Provide human resources
– 5.6 Provide information technology



Grid for risk workshop
(appendix E)

The grid is that of Fig. 2: likelihood of risk (Rare (1) to Almost certain (5)) against consequence of risk (Insignificant (1) to Catastrophic (5)), with scores from 1 to 25 and the same significance in each cell (Acceptable, Supplementary issue, Issue, Unacceptable). The risks identified in the workshop, numbered 1 to 6, are plotted on it.



Stages of an internal audit (appendix J)

The same cycle as Figure 1, with its elements numbered as the stages of an audit:
– 1 Objectives: the management of an organisation have objectives.
– 2 Risk: a risk is a set of circumstances that hinder the achievement of objectives.
– 3 Internal control: an internal control is a process which manages a risk.
– 4 The audit: internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.

Significant risks generate the audit plan.