Post by nShrestha on Dec 31, 2013 14:11:43 GMT 5.75
Risk based internal auditing (RBIA) is the methodology which the Internal Audit Department uses to provide assurance that risks are being managed to within the organisation's risk appetite. Risk Based Internal Auditing concentrates on the high-risk areas of the business, and auditing procedures are applied in those areas to ensure that internal controls are managing the risk to an acceptable level. Risk Based Internal Auditing provides an independent and objective auditor's opinion to an organisation's management as to whether its risks are being managed to acceptable levels. Risk based internal auditing is a style of auditing which focuses upon the analysis and management of risk.
The Institute of Internal Auditors (IIA) defines Risk Based Internal Auditing (RBIA) as a methodology that links internal audit to an organisation's overall risk management framework. RBIA allows internal auditing to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Prerequisites of RBIA
- The board (BoD) has approved the risk appetite.
- The company knows all its significant inherent risks, that is, all those above its risk appetite.
- The company has evaluated these risks so that they can be prioritised in order of the threat they represent.
- The company has defined its risk appetite such that inherent and residual risks
- The board has set appropriate policies on internal control.
- Management has been properly trained to identify and evaluate risks, and to design, operate and monitor the system of internal control which implements the policies adopted by the board.
Risk Based Internal Auditing procedures
Risk Based Internal Audit can be implemented through the following four procedures.
1. Risk Identification
In the risk identification stage, all risks in the business operations conducted to achieve the objectives of the organization should be identified by the manager or by an independent expert. Through this procedure the organization can identify the shortcomings or various risks of all the business functions conducted in the organization. Risk identification can be done through various methods, some of which are as follows:
- Reviewing Documents
- Brainstorming
- Delphi method
- SWOT analysis
- Interview
- Flowchart
2. Risk Assessment and Analysis
Risk Assessment can be defined as the identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed[9]. In risk assessment two types of analysis are conducted.
Qualitative Risk Analysis - is a subjective approach to organizing and prioritizing risks.
Quantitative Risk Analysis - attempts to numerically assess the probability and impact of the identified risks.
3. Risk Response
Based on the risk assessment, management can take one of the following four responses to an identified risk.
Accept: The exposure to the risk may be acceptable; hence management accepts the exposure without taking any action. But management has to monitor the risk for any increase in exposure.
Control: Reduce the risk through a contingency plan, diversification, hedging, etc.
Share: Some risks are transferred to an insurance company or another organization to manage the exposure to such risks within the risk appetite, e.g. insurance, risk transfer.
Terminate: Some risks can be controlled by terminating the activity, i.e. getting out of the situation.
4. Risk Monitoring and Control
- Risk Register Updates
- Recommended change requests
- Recommended corrective actions
- Recommended preventive actions
- Risk response plan updates
- Process management plan updates