The Importance of a Risk Based Audit Plan

This blog was co-authored by my colleagues Mackenzie Rooney, Manager – Financial Institutions, and Erica Kottabi, Principal – Financial Institutions.

What is your process for creating your internal audit plan? Gone are the days of pulling together an internal audit plan on the fly and basing your decisions on a rotational schedule, on the auditable areas that had the most exceptions in the previous year, or on which areas fit into your budget.

No matter the size of your institution, a risk-based approach that drives your internal audit plan by evaluating your financial institution’s current and future operations, while considering current industry risks and developments, is a must. The risk-based audit approach is the foundation for an internal audit plan. Not only do examiners expect to see completion of an internal audit plan, they also expect to see the risk-based approach used to determine your coverage. Examination reports now include language on whether a risk-based plan has been developed with reasonable frequency and depth, and whether the audit plan has been completed as planned.

What does a risk-based approach entail? A risk-based audit approach links the institution’s overall risk management framework to its internal audit plan, allowing internal audit to provide assurance that the risk management processes are effectively managing the institution’s risks in relation to its risk appetite.

Using this approach for your internal audit plan provides 5 key benefits:

  • Ensures the greatest risks are identified and addressed.
  • Tracks risks and vulnerabilities to the organization in a changing environment while enabling auditors to respond more quickly.
  • Allows internal audit to add more value to the organization by focusing efforts on the risk areas affecting the organization.
  • Provides a consistent manner in which risks are communicated and evaluated throughout the organization, from the board level through the process owners.
  • Assists personnel in better understanding the risks to business operations.

Where do we start? The best way to get started is to identify the risk universe and then map the risks to your auditable units. Auditable units are the parts of the institution exposed to significant risks, including but not limited to projects, IT systems, business functions and departments, business processes and sub-processes, and assets. One common mistake is identifying only balance sheet accounts as auditable units, as this does not provide a comprehensive view of all business processes. When determining the auditable units, consider the following criteria:

  1. Whether the auditable unit contributes to the organizational goals;
  2. Whether the auditable unit is changing, or is expected to change, based on future goals, system changes, etc.;
  3. Whether the auditable unit is large enough to have a noticeable impact on the organization; and
  4. Whether the auditable unit is important enough to justify the cost of the control.

Once all auditable units have been determined, each unit’s specific risks can be identified and analyzed. The assessment typically analyzes the risks inherent in each auditable unit, the mitigating control processes, and any residual risk to the institution. As the risks are assessed, it is important that those performing the assessment have a thorough understanding of the auditable unit. Discussions with your board, the institution’s management and key process owners provide insight into issues and risks they have experienced or acknowledge exist in the industry. In addition to these discussions, questionnaires, prior audit and examination results, and industry hot topics should also be incorporated. Additionally, consider the following:

  • Exposure analysis from the perspective of the institution’s primary assets, such as physical, financial, human, and intangible assets.
  • Environmental analysis from the perspective of changes to the external environment and their effects on management processes and controls.
  • How the auditable unit, and its related controls, could be defeated by fraud, collusion, or a natural disaster.

Keeping the above criteria top of mind as you assess risk provides a well-rounded perspective to the assessment. Often each auditable unit is measured by impact and likelihood; however, there are several methodologies that can be used.

  • Impact – If fraud or misstatement occurs, what is the impact to the institution?
    • Consider financial, reputational, regulatory, operational, credit, liquidity and other risks.
  • Likelihood/Probability – What is the probability of fraud or misstatement?
    • Consider whether controls are weak or non-existent, whether processes are complex and/or manual, whether turnover is significant, whether processes or programs were recently updated, etc.

A scoring methodology, most often using a rating scale of high, medium, or low, should be established with defined criteria for each rating. Often these criteria can be assessed quantitatively; however, it is just as important to incorporate qualitative factors. Qualitative assessment is more of an art than a science, and each institution may have a slightly different outlook on how it is applied. An overall score can then be calculated, which leads to a total risk rating for each auditable area.

The results of the assessment will drive the frequency, and often the intensity, of the audit coverage. There are no hard-set rules on how often your organization should perform an internal audit. Below are frequencies that are typically used within the industry:

  • High Risk: Annually
  • Moderate Risk: Every 12 – 24 months
  • Low Risk: Every 24 – 36 months

Although there may be changes throughout the year as you revisit the risk assessment, assigning a frequency allows your institution to assess its internal and external needs and formulate an audit calendar.

In conclusion, we have included some key reminders as you implement or enhance your risk-based audit plan:

  • Use a model you understand – Too often a model is so complex or complicated that management, and even more importantly the users, are not able to understand the inputs or the outcomes.
  • Engage all stakeholders – To ensure a more accurate assessment of each area, be sure to include all those involved in the process and maintain continuous engagement with the relevant stakeholders. Do not forget to engage the board early and often!
  • This is a working document – The goal of this approach is a real-time view of the institution’s risk; update it as internal and external changes are identified.

How Can We Help?

CLA continues to provide seamless, integrated capabilities to our clients. Whether you need help developing your risk assessment and audit plan, navigating your current risk assessment, require risk management or internal audit services, or need a trusted advisor, we are here to know you and to help you. Contact Us to learn more.

  • 410-308-8153

Brittany has more than twelve years of experience specializing in providing audit and accounting services to financial institutions. In addition to planning, managing and performing financial statement audits for institutions ranging in total assets from $10 million to $50 billion, she has performed engagements designed to test the adequacy of loan documentation and reserves, adherence to internal control policies, outsourced internal audit, and consulting engagements for various compliance requirements.

Comments

Well done, Brittany! Thanks for writing this. I needed a refresher and this was just right!