2014 Deloitte Touche Tohmatsu Limited. All rights reserved.
Managing the Internal Audit Function
Risk-Based Audit Plan
Identify Internal Audit Resource Requirements
Reporting to Senior Management and the Board
Risk-Based Audit Plan
Internal Audit Activity's Audit Plan
Audit universe
Input from senior management and the board
Assessed risk and exposures
Risk-Based Audit Plan
Internal Audit Activity's Audit Plan
Responsibility: Chief audit executive
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.
Risk-Based Audit Plan
Risk Models
Based on risk factors such as (but not limited to):
quality of and adherence to controls
degree of change
timing and results of last engagement
impact
likelihood
materiality
asset liquidity
management competence
complexity
employee and government relations
Risk-Based Audit Plan
Risk register (impact likelihood)
Addresses:
(a) significant risks,
(b) inherent and residual risk ratings,
(c) key controls, and
(d) mitigating factors.
Risk-Based Audit Plan
Audit risk: the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
Exist independently of the audit engagement
Misapplication of engagement procedures
Inverse relationship between inherent risk & control risk
Risk-Based Audit Plan
Audit risk
Inherent risk: the susceptibility of an assertion . . . to a misstatement that could be material . . . before consideration of any related controls.
Control risk: the risk that a misstatement that could occur in an assertion . . . and that could be material . . . will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.
Detection risk: the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material . . . .
Identify Internal Audit Resource Requirements
1. Managing internal audit resources
2. Outsourcing the internal audit activity
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
Identify Internal Audit Resource Requirements
The CAE is primarily responsible for the sufficiency and management of resources, including communication of needs and status to senior management and the board.
Identify Internal Audit Resource Requirements
Resources may include employees, service providers, financial support, and IT-based audit methods.
Resource planning considers:
a) The audit universe,
b) Relevant risk levels,
c) The internal audit plan,
d) Coverage expectations, and
e) An estimate of unanticipated activities.
Identify Internal Audit Resource Requirements
1. Managing internal audit resources
2. Outsourcing the internal audit activity
When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.
Reporting To Senior Management And The Board
1. The CAE's Duty to Report
2. Communication and Approval
The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Reporting To Senior Management And The Board
The CAE annually submits:
(a) A summary of the internal audit plan,
(b) A summary of the work schedule,
(c) A summary of the staffing plan,
(d) A summary of the financial budget, and
(e) All significant interim changes.
(f) The scope of work and any limitations on it should be disclosed.
Reporting To Senior Management And The Board
1. The CAE's Duty to Report
2. Communication and Approval
The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
Questions?