In making a risk-based audit plan, we rely on the results of the assessment of inherent risk and plan our further tests accordingly.
The inherent risk (IR) score should drive the risk-based audit schedule. This is because the IR is the risk to the organization if there were no control environment mitigating risk. The areas with highest inherent risk should generally have mitigating controls in place reducing the residual risk (RR) to an acceptable level. It is paramount that controls in place be tested to ensure they are designed adequately and operating as intended to justify the documented RR.
Scenario 1 – an organization that relies on the RR (Incorrect):
Their primary business function is Lending and the IR is High, but due to the robust internal control environment they have mitigated the risk to Low. If they plan the audit schedule based on RR it will be audited every 3 years (High Risk = 1-year, Medium Risk = 2-year, and Low Risk = 3-year audit rotation). This would expose the organization to potential problems if the controls in place are not being tested frequently, as it may not be discovered until they are tested that they are not operating as intended.
Scenario 2 – an organization that relies on the IR (Correct):
Their primary business function is Lending and the IR is High, but due to the robust internal control environment they have mitigated the risk to Low. If they plan the audit schedule based on IR it will be audited every year (High Risk = 1-year, Medium Risk = 2-year, and Low Risk = 3-year audit rotation). The testing completed should focus on the controls that are in place that mitigate the risk to an acceptable level. This adds value to the organization, as the focus is to ensure the controls are designed and operating as intended to offset the IR. The areas of the organization that have less IR don't need as many controls, nor do they need to be audited/tested as frequently.
Hi Asadullah,
Inherent risk is one that is addressed in one's risk management plan and can be managed. Residual risk is something which, after having a mitigating plan for inherent risks, is still left unhedged. So a risk-based audit plan should have a mitigation plan for inherent risk, but the residual risk is common to the marketplace; in that sense it is not 100% addressable.
For instance, if I am investing in a stock I have to provide for the inherent nature of the stock, like industry trends, news on the COS, market view, etc., while the beta factor will be the risk common to all, like market risk, interest rate risk, sudden changes in government policy, etc. Such risks cannot be completely foreseen and are common to the entire market; hence the inherent risks need to be addressed while the residual risks cannot be.
In case you feel I am incorrect, please address it!
Thank you Imran for your answer. But given that internal auditors have limited resources, wouldn't it be better if we take residual risk as the basis of our internal audit plan? Inherent risk is important, but it's the residual risk that we, internal auditors, want to bring in line with the risk appetite of the organization. What do you say?