Guide on Risk Based Internal Audit Plan

This guide provides guidance to internal auditors on developing and implementing an effective Risk Based Internal Audit Plan (RBIAP). It explains key concepts of RBIAP and provides a step-by-step approach covering aspects like defining objectives and risk appetite, understanding the business environment, preparing the audit universe, identifying and prioritizing risks, assessing control environment, and developing the internal audit plan.

Guide on Risk Based Internal Audit Plan

DISCLAIMER:
The views expressed in this Guide are those of the author(s). The Institute of
Chartered Accountants of India may not necessarily subscribe to the views
expressed by the author(s).

Internal Audit Standards Board
The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior permission,
in writing, from the publisher.

Edition : February, 2015
Committee/Department : Internal Audit Standards Board
Email : [email protected]
Website : www.icai.org
Price : ₹ 250/- (Including CD)
ISBN No. : 978-81-8441-776-0
Published by : The Publication Department on behalf of the Institute of
Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha
Marg, New Delhi - 110 002.
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra 282 003
February/2015/1,000
Foreword
Recent economic events and increased regulatory scrutiny have impacted
the importance of understanding and managing the risks, which drive
uncertainty about the organizational success. Effective risk management
helps organizations to understand the risks they are exposed to, put controls
in place to counter threats, and also to effectively pursue their objectives. In
a nutshell, risk management is an important aspect of an organization’s
governance, management and operations.
In such a scenario, internal audit plays a very critical role by providing
assurance that all the risks related to the activities of the organization are
being identified, monitored and managed effectively. The Institute, from time
to time, has issued guidance to help the members enhance their skill base
and competencies in the area of risk management. This “Guide on Risk
based Internal Audit Plan” is being issued by the Internal Audit Standards
Board of the Institute of Chartered Accountants of India (ICAI) to provide
guidance on developing and implementing an effective Risk Based Internal
Audit Plan.
I would like to congratulate CA. Charanjot Singh Nanda, Chairman, Internal
Audit Standards Board and all the other members of the Board on issuance
of this publication which provides updated guidance on this important area.
The objective is to help internal auditors in embedding risk based approach
thereby enabling them to meet stakeholder’s expectations.
I am confident that this Guide would help our members to play a leading role
in promoting good risk management practices.

February 2, 2015
New Delhi

CA. K Raghu
President, ICAI
Preface
In today’s complex regulatory and compliance environment, while capitalizing
on emerging opportunities, risk management assumes tremendous
importance. Risk management systems encompass the policies, culture,
processes, systems and other aspects of an organization that, taken together
facilitate its effective and efficient operation by enabling it to assess current
and emerging risks, respond appropriately to risks and significant control
failures and to safeguard its assets. Assessment of risks should support
better decision-taking, ensure that the board and management respond
promptly to risks when they arise, and ensure that shareholders and other
stakeholders are well informed about the principal risks and prospects of the
organization. Internal auditors undoubtedly play a leading role in helping their
organizations achieve an integrated, organization-wide approach to risk
management which ultimately helps to create, enhance, and protect
stakeholder value.
Considering the above, the Internal Audit Standards Board of the Institute is
issuing this “Guide on Risk Based Internal Audit Plan”. Accordingly, the
Board is withdrawing its previous publication “Guide to Implementing
Enterprise Risk Management” issued in 2008. Through risk based auditing,
internal auditors can provide feedback on the adequacy of internal control as
well as a source of information for monitoring risk. Further,
the cycle of continually assessing risk, efficiently planning audit activities,
and effectively performing, delivering, and reporting audit activities can result
in overall lower risk to the organization. This Guide comprehensively explains
the concepts of Risk Based Internal Audit Plan and provides a step-wise
approach to effectively implement the same in an organization. It includes
detailed guidance on risk appetite, understanding business environment,
preparing audit universe, risk identification, risk prioritization and rating,
assessing control environment, deriving residual risk rating and finally
developing internal audit plan. Further, for enhancing the understanding of
the readers, an illustrative case study including all the steps to prepare the
RBIAP has also been provided in the guide.
At this juncture, I would like to place on record my sincere gratitude to
CA. Amit Gupta, CA. Mohit Gupta, Shri Anurag Agarwal and CA. Sameer
Mittal for sharing their experience and knowledge with us and preparing the
draft of this Guide.
I would like to express my immense gratitude to CA. K. Raghu, President,
ICAI and CA. Manoj Fadnis, Vice President, ICAI for their continuous support
and encouragement to the initiatives of the Board. I must also thank my
colleagues from the Council at the Internal Audit Standards Board, viz.,
CA. Shriniwas Y. Joshi, Vice Chairman, IASB, CA. Rajkumar S. Adukia,
CA. Prafulla Premsukh Chhajed, CA. Sanjeev K. Maheshwari, CA. Dhinal
Ashvinbhai Shah, CA. Shiwaji Bhikaji Zaware, CA. V. Murali, CA. S.
Santhanakrishnan, CA. Abhijit Bandyopadhyay, CA. Sanjiv Kumar
Chaudhary, CA. Atul Kumar Gupta, CA. Naveen N.D. Gupta, Shri Manoj
Kumar, Shri P. Sesh Kumar and Shri R.K. Jain for their vision and support. I
also wish to place on record my gratitude for the co-opted members on the
Board, viz., CA. R. Balakrishnan, CA. N. S. Ayyanagoudar, CA. Sunil H.
Talati, CA. J. Vedantha Ramanujam and CA. Milind Vijayvargia and special
invitees, CA. Nagesh D. Pinge and CA. Hardik Chokshi for their invaluable
guidance as also their dedication and support to various initiatives of the
Board. I also wish to express my thanks to CA. Jyoti Singh, Secretary,
Internal Audit Standards Board and her team of officers for their efforts and
inputs in finalizing this Guide.
I am sure that the members and other interested users will find this
publication useful in discharge of their professional obligations.

February 9, 2015
New Delhi

CA. Charanjot Singh Nanda
Chairman, Internal Audit Standards Board
Contents
Foreword ............................................................................................................ iii
Preface ................................................................................................................ v
Chapter 1: Introduction ...................................................................................... 1
Objective .............................................................................................................. 1
Chapter 2: Need for Risk Based Internal Audit Plan ....................................... 2
Chapter 3: RBIAP Concepts .............................................................................. 5
Chapter 4: Responsibility for Developing RBIAP ............................................ 6
Chapter 5: RBIAP- Development and Implementation ............................... 7-45
Define Objective, Criteria and Risk Appetite......................................................... 8
Risk Categorization ............................................................................................ 10
Risk Assessment Criteria ................................................................................... 11
Criteria for Assessing Control Environment ........................................................ 11
Understanding the Business Environment and Processes ................................. 11
Prepare Audit Universe ...................................................................................... 13
Risk Assessment ................................................................................................ 19
Risk Identification ............................................................................................... 20
Risk Prioritization ................................................................................................ 20
Assess Control Environment .............................................................................. 27
Develop Internal Audit Plan ................................................................................ 35
Planning and Developing Internal Audit Plan ..................................................... 38
Implement and Update RBIAP ........................................................................... 40
Allocate Resources, Engagement Scheduling and Execution ............................ 42
Reassess Risk and Control Environment and Update RBIAP ............................ 43
Chapter 6: Case Study .............................................................................. 46-197

Chapter 1
Introduction
1.1 Traditionally, internal auditing was understood as a one-time exercise
with limited documentation. The increase in corporate fraud over the last
couple of decades has shifted the pendulum towards the need for strong and
robust internal auditing and internal control systems. Regulators have also
become more vigilant about the requirement for a strong internal control
system, which resulted in the announcement of statutory obligations viz., the
Sarbanes Oxley Act in the USA, Clause 49 of the Listing Agreement as per
SEBI and the recently notified Companies Act, 2013 and rules thereunder.
This has put organizations under increasing pressure to identify all the
business risks they face and to explain how they manage them.
1.2 Risk-based Internal Auditing (RBIA) allows the internal auditor to provide
assurance to the Board of Directors that risk management processes are
managing risks effectively, having regard to the risk appetite of the
organization. Risk-based internal auditing begins by reviewing the
organizational objectives, then considers the risks that impact the
achievement of those objectives, and examines the methodologies in place
to mitigate those risks. The only defence auditors have in instances of
corporate failure is sufficient, appropriate audit evidence that proves their
innocence. This audit evidence will be the result of a well-planned and
well-performed audit. An audit plan, today a risk-based audit plan, is therefore
a crucial component in the planning of an effective audit.

Objective
1.3 This guide provides guidance on developing and implementing an
effective Risk Based Internal Audit Plan in an organization. It is meant for
individuals who are already internal auditors, are preparing to become one,
or are responsible for overseeing and controlling business function(s).
Chapter 2
Need for Risk Based Internal Audit
Plan
2.1 Preface to the Standards on Internal Audit, issued by the Institute of
Chartered Accountants of India defines the term “internal audit” as, “Internal
Audit is an independent management function, which involves a continuous
and critical appraisal of the functioning of an entity with a view to suggest
improvements thereto and add value to and strengthen the overall
governance mechanism of the entity, including the entity’s strategic risk
management and internal control system.”
Standard on Internal Audit (SIA) 1 “Planning an Internal Audit”, lays down
that the internal auditor should, in consultation with those charged with
governance, including the audit committee, develop and document a
plan for each internal audit engagement to help him conduct the
engagement in an efficient and timely manner.
2.2 Standard on Internal Audit (SIA) 13 “Enterprise Risk Management”
mentions that “The internal auditor will normally perform an annual risk
assessment of the enterprise, to develop a plan of audit engagements for the
subsequent period. This plan will be reviewed at various frequencies in
practice. This typically involves review of the various risk assessments
performed by the enterprise (e.g., strategic plans, competitive benchmarking,
etc.), consideration of prior audits, and interviews with a variety of senior
management. It is designed for identifying internal audit key areas and, not
for identifying, prioritizing, and managing risks directly for the enterprise. The
internal audit plan, which should be approved by the audit committee,
should be based on risk assessment as well as on issues highlighted
by the audit committee and senior management. The risk assessment
process should be of a continuous nature so as to identify not only
residual or existing risks, but also emerging risks. The risk assessment
should be conducted formally at least annually, but more often in
complex enterprises. To serve this objective, the internal auditor should
design the audit work plan by aligning it with the objectives and risks of
the enterprise and concentrate on those issues where assurance is
sought by those charged with governance.”
2.3 The internal auditor is expected to review business processes and various
transactions to provide comfort to the management as to whether adequate
internal controls are in place, considering the nature and size of business
operations. Considering the volume of transactions and the complexity of the
business processes, it would not be possible to check 100% of the business
transactions. The internal auditor usually adopts sampling and judgment
based on past experience and knowledge. However, this leaves a risk that gaps
in internal controls may remain undetected. Accordingly, there is a need for
auditors to follow a risk based internal audit approach.
2.4 There are many challenges being faced by the internal auditors in the
performance of their duties. The major challenges include:
• Mismatch between the expectations from and the output of the internal audit
function;
• Audit risk;
• Practical implementation of audit standards; and
• Uncertainties due to the changing environment – internal as well as
external.
2.5 The internal audit function is, normally, expected to focus on areas of
high risk, including both inherent and residual risk. The internal audit activity
needs to identify areas of high inherent risk, high residual risk, and the key
control systems upon which the organization is most reliant.
• Audit risk – Audit risk refers to the risk that an auditor may issue an
unqualified report due to the auditor's failure to detect a material
misstatement, whether due to error or fraud. This risk is composed of
inherent risk (IR), control risk (CR) and detection risk (DR).
• Inherent risk – These risks are “all pervasive in nature”, meaning they
are inherent in all business activities. Inherent risk is a risk in ‘raw
form’ before any risk treatment/mitigation activity has been applied to
it.
• Residual risk – Residual risk is the level of risk that would remain
despite all mitigation efforts.

The figure below depicts the relationship between the inherent risk and
residual risk.

[Figure: relationship between inherent risk and residual risk]

2.6 Internal audit planning needs to make use of the organizational risk
management process, where it has been developed by the organization. In
planning an engagement, the internal auditor considers the significant risks
of the activity and the means by which management mitigates the risk to an
acceptable level. The internal auditor uses risk assessment techniques in
developing the internal audit activity’s plan and in determining priorities for
allocating internal audit resources. Risk assessment is used to examine
auditable units and select areas for review to be included in the internal audit
activity’s plan that have the greatest risk exposure.
Chapter 3
RBIAP Concepts
3.1 A Risk Based Internal Audit Plan (RBIAP) is an important tool that helps
the internal auditor respond to the challenges being faced by the internal
auditor, and also enhances the quality of the services that the internal audit
function provides. By following a structured approach for planning the
internal audit, it could be easily concluded that:
• A proper evaluation has been done to identify and assess the risks vis-
a-vis the risk appetite of the company.
• Plans to respond to the risks are effective in managing inherent risks
within the risk appetite.
• Focus is increased and the response is rigorous for risks where residual
risks are not in line with the risk appetite.
3.2 RBIAP is an approach to developing the internal audit plan in such a
manner that all the business processes, covering both financial as well as
operational activities, are reviewed by the internal audit function within a
defined time cycle, generally varying from 3 to 5 years. It also ensures that
appropriate consideration is given, and an adequate balance struck, among
the following:
• Risk underlying the business process.
• Value that the internal audit can provide to the organization.
• Effort involved in conducting the internal audit for a particular business
process.
• Risk appetite of the organization.
• Coverage of all auditable areas within the defined time range.
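As an added illustration (not part of the ICAI guide), the following Python sketch rates a small constructed audit universe on inherent risk, derives a residual risk rating from the assessed control environment (paragraphs 2.5 and 2.6), and schedules every unit into a 3-year cycle so that higher residual risk receives more frequent coverage while all auditable areas are still covered within the cycle (paragraph 3.2). The 1-5 scoring scales, the control factors and the risk appetite threshold are assumptions chosen for the example, not values from the guide.

```python
"""Added example, not from the ICAI guide: residual-risk rating of an audit
universe and a 3-year coverage plan in the spirit of RBIAP (2.5, 2.6, 3.2)."""
from dataclasses import dataclass

# Assumed reduction of inherent risk by the assessed control environment.
CONTROL_FACTOR = {"strong": 0.25, "adequate": 0.5, "weak": 1.0}
# Assumed risk appetite: residual scores at or below this are tolerated.
RISK_APPETITE = 5.0

@dataclass
class AuditableUnit:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (minor) .. 5 (severe), assumed scale
    controls: str    # key of CONTROL_FACTOR

def inherent_risk(unit):
    """Risk in 'raw form', before any mitigation: likelihood x impact (1..25)."""
    return unit.likelihood * unit.impact

def residual_risk(unit):
    """Risk remaining after the control environment is taken into account."""
    return inherent_risk(unit) * CONTROL_FACTOR[unit.controls]

def rate(score, appetite=RISK_APPETITE):
    """Compare a residual score with the appetite: Low within it, High well above."""
    if score > 2 * appetite:
        return "High"
    if score > appetite:
        return "Medium"
    return "Low"

def build_plan(units, cycle_years=3, appetite=RISK_APPETITE):
    """Return {year: [unit names]} for one cycle: High every year, Medium every
    other year, Low once (round-robin), so every unit appears within the cycle."""
    plan = {year: [] for year in range(1, cycle_years + 1)}
    low_count = 0
    for unit in units:
        rating = rate(residual_risk(unit), appetite)
        if rating == "High":
            years = range(1, cycle_years + 1)
        elif rating == "Medium":
            years = range(1, cycle_years + 1, 2)
        else:
            years = [1 + low_count % cycle_years]
            low_count += 1
        for year in years:
            plan[year].append(unit.name)
    return plan

def covers_universe(plan, units):
    """The check from 3.2: every auditable area is scheduled within the cycle."""
    scheduled = {name for names in plan.values() for name in names}
    return all(unit.name in scheduled for unit in units)

# Constructed sample audit universe (illustrative, not from the guide).
UNIVERSE = [
    AuditableUnit("Treasury", 4, 5, "weak"),
    AuditableUnit("Payroll", 3, 4, "adequate"),
    AuditableUnit("Procurement", 4, 4, "adequate"),
    AuditableUnit("Fixed assets", 2, 3, "strong"),
    AuditableUnit("IT access management", 3, 5, "weak"),
    AuditableUnit("Travel expenses", 2, 2, "adequate"),
]

if __name__ == "__main__":
    for year, names in build_plan(UNIVERSE).items():
        print(f"Year {year}: {', '.join(names)}")
```

With these assumptions Treasury and IT access management rate High and appear in every year, Payroll and Procurement rate Medium and appear in years 1 and 3, and the two Low units are spread over years 1 and 2.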
Chapter 4
Responsibility for Developing RBIAP
4.1 The need to manage risks has become recognised as an essential part
of good corporate governance practice. This has put organisations under
increasing pressure to identify all the business risks they face and to explain
how they manage them. In fact, the activities involved in managing risks have
been recognised as playing a central and essential role in maintaining a
sound system of internal control. While the responsibility for identifying and
managing risks belongs to management, one of the key roles of internal audit
is to provide assurance that those risks have been properly managed.
The Chief Internal Auditor, as designated by the audit committee, must
establish a risk-based plan to determine the priorities and focus areas of the
internal audit activity which are aligned to the business objectives and the
organization’s goals. The prime responsibility for developing the Risk Based
Internal Audit Plan rests with the Chief Internal Auditor. The Chief Internal
Auditor must prepare the RBIAP and review the same on an annual basis in the
light of changing business environment, processes, technology, etc. having an
impact on the prevailing risk for the Company and its control environment.
4.2 The RBIAP thus prepared by the Chief Internal Auditor must be
approved by the Audit Committee. The Audit Committee assesses the
appropriateness of the process followed for development of the RBIAP to
ensure that due consideration is given to the following:
• All major risks for the company
• Business objectives
• Risk appetite of the company
• Inputs from the key managerial persons of the company
• Changes in the operational and regulatory environment.
Chapter 5
RBIAP — Development and
Implementation
5.1 The internal auditor takes into account the organization’s risk
management framework, including using risk appetite levels set by
management for the different activities or parts of the organization. If a
framework does not exist, the internal auditor uses his/her own judgment of
risks after consideration of input from senior management and the board.
The internal auditor must review and adjust the plan, as necessary, in
response to changes in the organization’s business, risks, operations,
programs, systems, and controls.
5.2 Risk based internal audit planning includes formal annual planning,
updating the plan before audit segments begin and periodic feedback from
management and the audit committee regarding report content expectations.
The internal audit scope is adjusted based on all of these factors and gives
the internal auditor a keen ability to understand and react quickly to
management and audit committee concerns regarding risk and audit
coverage. Thus, there are two phases of successful implementation of the
RBIAP. These include the following:
• Develop and approve RBIAP
• Implement and update RBIAP
5.3 The methodology for development of a risk based internal audit plan can be
divided into the following steps:
I Develop and Approve RBIAP
(i) Define objective, criteria and risk appetite
(ii) Understanding the business environment and processes
(iii) Prepare audit universe
(iv) Risk assessment
(a) Risk identification
(b) Risk prioritization and rating
