Risk Based Internal Audit Plan - A Practical Approach

Rashid Mehmood, last updated: 18 February 2013

The internal auditor's role has become more important than ever before, as legislators, regulators and top business executives have come to realize the importance of auditors in the governance and performance equation. Auditors in any type of business therefore need the understanding, capabilities and tools to prepare a credible and defensible audit plan. Enterprise risks are increasing rapidly while the ability to manage them is not keeping pace. Increasingly, companies look to risk assessment as a way to identify and assess risks, either across the organization as a whole or within specific aspects of the business. For internal audit departments, risk assessment is a key element in developing the annual risk-based internal audit plan. Identifying, prioritizing and sourcing the key organizational risks is critical to ensuring that internal audit resources are allocated to the areas that matter most. Risk-based audit planning helps auditors plan the audit process so that it makes a dynamic contribution to better governance, robust risk management and more reliable controls.

There are many books available as guides to preparing a risk-based audit plan, but the material in them tends to be theoretical: it defines methodologies for preparing and implementing the plan without showing its practical structure. New auditors often struggle to apply the risk-based approach to their own plan, and the textbooks do not serve that purpose; what is needed is a practical template for designing a risk-based audit plan.

In this article I take a practical approach to guide junior or newly qualified auditors. I believe it will help them prepare a well-structured risk-based audit plan and implement it effectively to achieve their goals.

First of all we need to understand what a risk-based audit is. Auditing professionals define it as the process of identifying the areas of the financial statements and business processes where there is a high risk of material misstatement, caused by either high inherent risk or high control risk, and concentrating audit effort on those areas, while identifying the lower-risk areas where less extensive procedures will suffice.

In particular, the risk-based audit plan:

· Summarizes the current assessment of the risk management, control and governance processes.

· Includes a list of organizational activities and core management controls that could be considered for audit.

· Identifies the areas with higher risk.

· Provides, over a defined period, assurance on important aspects of the risk management, control and governance processes.

To meet the above, risk-based audit planning can be divided into two steps:

1. Risk assessment process

2. Execution of risk based audit plan

Risk Assessment Process:

A "risk assessment" is an effort to identify, measure and prioritize the risks facing an organization in order to focus internal audit activity on the auditable areas of highest significance.

Key risk assessment steps:

1. Identify key risks

2. Define audit universe

3. Perform risk planning

4. Develop internal audit plan

5. Present the plan

6. Schedule the resources

How to prepare Risk Based Audit Plan – Practical guidelines

Having understood the purpose of the risk-based audit plan, the assessment process and the risk assessment steps, the auditor must now prepare the actual audit plan document. The following sections can be used to structure it. Note that this is not presented as the single best practice; rather, it is a set of instructions and guidelines for preparing and implementing a risk-based audit plan.

Contents of Risk Based Audit Plan

1. Foreword from the Chief Internal Auditor

2. Executive summary

3. Entity level control monitoring

4. Overview of planning

5. Recommended audits for the current year

6. Completed audits in the last year

7. Recommendation status


1. Foreword from the Chief Internal Auditor

It contains the preliminary work done and the benefits expected from preparing and implementing the risk-based audit plan, and explains why a risk-based audit plan is needed now.

2. Executive summary

It summarizes the planning process; the departments, processes and officials involved in the risk assessment; the proposed audits; and the basis for selecting each auditable area, both from the balance sheet and from operations (sales, procurement, production, human resources, health and safety, costing, estimation and bidding, and so on).

3. Entity level control monitoring

Essentially this is a control matrix: an analysis of whether the desired controls exist over the auditable areas. In practice it is the first step in designing the risk-based audit plan. It need not be presented to management and can be used as an internal tool by the auditors. The entity level control monitoring matrix is best prepared in an Excel spreadsheet with the following columns:

Column A: Control attribute. You may use the COSO framework attributes or the company's own defined objectives; e.g. "Reporting" can be one objective and goes in this column.

Column B: Point of focus / control objective. If "Reporting" is the control attribute, one control objective can be "reporting protocols are appropriate and followed by staff".

Column C: Does this control exist? Answer Yes/No for the control objective.

Column D: Desired control. If Column C is No, define here the control that would improve the system of internal control.

Column E: Addendum. Note any controls added or modified during the year for this control objective.

Column F: Appropriateness of control. If Column C is Yes, record whether the control is properly designed.

Column G: Control owner. Name the process owner, e.g. reporting (financial): CFO; reporting (legal): legal counsel.

Column H: Test of procedure. Describe the audit testing used to verify the established control over the particular activity.

Column I: Working paper reference. Refer to the working paper used to verify the existence of the control.

Column J: Conclusion. Give your conclusion on the effectiveness of the existing control, or a recommendation if it is not effective.

Column K: Deficiency. Explain the deficient condition if the conclusion is negative.

Column L: Management action plan. Give the recommendation to management and agree an action plan to improve the internal control system.

4. Overview of planning:

An overview of the planning contains the following:

A.  Process Map

The first step of the actual audit planning is to establish the process map. Obtain all relevant information from the company's established policies and procedures, interview the process owners, perform a walk-through test, and draw a process flow chart to understand the working and the steps needed to complete one activity under one process. Identify the control weaknesses at each individual step of the process.

B. Risk Register:

Prepare the risk register to identify the risks associated with all auditable activities. It should be prepared in an Excel spreadsheet; the following column layout can be used:

Column 1: Organizational objective. Define the objective relating to the particular process under audit.

Column 2: Decide the strategy for the test of controls and for the control itself.

Column 3: Business unit. Define the business unit under audit.

Column 4: Process description. Define the process under audit, e.g. procurement, production, etc.

Column 5: Ensure the objectives have been communicated to all concerned staff effectively and clearly.

Column 6: Key risk. Identify the risk associated with the process, e.g. in procurement there is a risk of double payment to a vendor.

Column 7: Risk source. Identify whether the risk is internal or external; e.g. a change in legislation is an external risk that can affect the process and its function.

Column 8: Process owner. Normally the department head of the process under audit.

Column 9: Inherent risk, in three sub-columns:

9(1) Consequence: use a scale of 1-5 to score the consequence if the risk occurs.

9(2) Likelihood: use a scale of 1-5 to score the likelihood of the risk occurring.

9(3) Score: multiply 9(1) by 9(2) to calculate the magnitude of the inherent risk.

Column 10: Control example. Define the desired control or identify the existing control.

Column 11: Monitoring example. Define how the effectiveness of the existing control is monitored.

Column 12: Potential issue. Describe any potential risk associated with the existing control.

Column 13: Residual risk, in three sub-columns:

13(1) Consequence: use a scale of 1-5 to score the consequence after the existing control.

13(2) Likelihood: use a scale of 1-5 to score the likelihood after the existing control.

13(3) Score: multiply 13(1) by 13(2) to calculate the magnitude of the residual risk.

Column 14: Control score. Score 9(3) minus score 13(3), i.e. how much risk the existing control removes.

C. Scoring the risks:

Evaluate each risk and use a scale of 1-5 to weight its consequence and its likelihood and so measure its magnitude. The following table can be used as a guideline:

If the consequence when the risk occurs is: | OR the likelihood of the risk occurring is: | Then the measure is:

A catastrophic impact on the organization, threatening its existence | Almost certain | Catastrophic (5)

To prevent the organization achieving all, or a major part, of its objectives for a long time | | Major (4)

To stop the organization achieving its objectives for a limited period | | Moderate (3)

To stop the organization achieving its objectives for a limited period | | Minor (2)

To cause minor inconvenience, not affecting the achievement of objectives | | Insignificant (1)

After scoring all the risks associated with all auditable areas, generate the result by ranking on the magnitude of the risks as calculated above.
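The register columns and scoring rules described in sections B and C, carried through to the ranked list that feeds the "Recommended audits" sheet, as an added worked example (this is not code from the original article). It assumes the 1-5 scale and the formulas given above; the High/Medium/Low band thresholds, the choice to rank on residual rather than inherent score, and the sample register rows are assumptions for illustration.

```python
"""Risk register scoring and audit prioritisation (added worked example).

Not part of the original article. Implements the register columns described
above: inherent consequence x likelihood (column 9), residual consequence x
likelihood (column 13) and the control score (9(3) minus 13(3)), then ranks
processes for the "Recommended audits" list. Band thresholds and the sample
rows are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = Insignificant ... 5 = Catastrophic
MEASURE_LABELS = {5: "Catastrophic", 4: "Major", 3: "Moderate",
                  2: "Minor", 1: "Insignificant"}


@dataclass(frozen=True)
class RiskEntry:
    business_unit: str
    process: str
    key_risk: str
    risk_source: str            # "internal" or "external" (column 7)
    process_owner: str          # column 8
    inherent_consequence: int   # 9(1)
    inherent_likelihood: int    # 9(2)
    residual_consequence: int   # 13(1)
    residual_likelihood: int    # 13(2)

    def __post_init__(self):
        # Reject scores outside the 1-5 scale before any arithmetic is done.
        for field in ("inherent_consequence", "inherent_likelihood",
                      "residual_consequence", "residual_likelihood"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{field} must be 1-5, got {value!r}")
        if self.risk_source not in ("internal", "external"):
            raise ValueError(f"risk_source must be internal/external, got {self.risk_source!r}")


def inherent_score(entry: RiskEntry) -> int:
    """Column 9(3): magnitude of the risk before controls."""
    return entry.inherent_consequence * entry.inherent_likelihood


def residual_score(entry: RiskEntry) -> int:
    """Column 13(3): magnitude of the risk after existing controls."""
    return entry.residual_consequence * entry.residual_likelihood


def control_score(entry: RiskEntry) -> int:
    """Column 14: how much risk the existing controls remove (9(3) minus 13(3))."""
    return inherent_score(entry) - residual_score(entry)


def significance(score: int) -> str:
    """Map a 1-25 magnitude to a band (thresholds are an assumption, not from the article)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def questionable_entries(register):
    """Rows whose residual score exceeds the inherent score.

    That can only mean a scoring mistake or a control that introduces new risk
    (the 'potential issue' column); either way it needs review before ranking.
    """
    return [e for e in register if control_score(e) < 0]


def prioritise(register, key="residual"):
    """Rank processes for the audit plan, highest magnitude first.

    key="residual" ranks by what remains after controls (ties broken by inherent
    score); key="inherent" does the reverse. Which to use is a planning choice.
    """
    if key == "residual":
        sort_key = lambda e: (residual_score(e), inherent_score(e))
    elif key == "inherent":
        sort_key = lambda e: (inherent_score(e), residual_score(e))
    else:
        raise ValueError("key must be 'residual' or 'inherent'")
    return sorted(register, key=sort_key, reverse=True)


def recommended_audits(register, key="residual"):
    """Columns A-C of the 'Recommended audits' sheet for a validated register."""
    bad = questionable_entries(register)
    if bad:
        raise ValueError("review first: " + ", ".join(e.process for e in bad))
    return [
        {"business_unit": e.business_unit, "process": e.process,
         "inherent": inherent_score(e), "residual": residual_score(e),
         "control_score": control_score(e),
         "significance": significance(residual_score(e) if key == "residual"
                                      else inherent_score(e))}
        for e in prioritise(register, key)
    ]


# Constructed sample register rows (not real data).
SAMPLE_REGISTER = [
    RiskEntry("Trading Co", "Procurement", "Double payment to a vendor",
              "internal", "Head of Procurement", 4, 4, 4, 2),
    RiskEntry("Trading Co", "Sales", "Revenue recognised before delivery",
              "internal", "Sales Director", 5, 3, 3, 2),
    RiskEntry("Trading Co", "Health and safety", "Change in safety legislation not tracked",
              "external", "HSE Manager", 3, 3, 3, 3),
    RiskEntry("Trading Co", "Payroll", "Ghost employees on the payroll",
              "internal", "HR Manager", 3, 2, 2, 1),
]

if __name__ == "__main__":
    for row in recommended_audits(SAMPLE_REGISTER):
        print(row)
```

Note that ranking on residual score puts the uncontrolled health and safety risk (9, with no control in place) ahead of procurement (inherent 16, residual 8), whereas ranking on inherent score reverses them; the register should record which basis the plan used.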

5. Recommended audits for the current year

Based on the risk scores calculated above, prioritize the auditable processes and lay out the audit plan in an Excel spreadsheet. The following column structure can be used for the current-year plan:

Column A: Business unit

Column B: Process under audit

Column C: Significance, based on the risk magnitude calculated above

Column D: Planned month

Column E: Expected start date of the audit

Column F: Tentative audit completion date

Column G: Allocated man-hours

Column H: Review hours

Column I: Reporting time required (number of days/hours)

Column J: Resources required

Column K: Budgeted cost of the process audit

Column L: Total time budget

Column M: Actual time consumed to complete the audit

Column N: Last audit date and report date

Column O: Number of recommendations in the last audit

6. Completed audits in the last year

The structure above can also be used to present the audits completed in the last year.

7. Recommendation status:

Finally, explain the status of the recommendations relating to the audits completed in the last year, stating which are implemented, in process and not implemented. The following format can be used:

Business unit: Define the business unit.

Process audited: Define the process audited in the last year.

Audit observation: Give the title of each audit observation (Observation 1, Observation 2, and so on).

Recommendation: Against each audit observation, give the recommendation made in the last audit report.

Target date: Define the target date agreed by the process owner to implement the recommendation.

Status: Define the status of the recommendation as one of:

Implemented,

In process, or

Not implemented.

Responsible official: Define the official responsible for implementing the recommendation, usually the process owner.

Internal auditors new to the profession, and students, can use the above structure to prepare a risk-based internal audit plan. To keep it easy to understand and use in practice, I have omitted some details of the full process so that new auditors, and especially students, can adopt this approach easily.

Readers' comments and suggestions are always welcome and appreciated. Readers may also write for any clarification relating to this article.

Published by

Rashid Mehmood
(Group Chief Financial Officer at Al Kaki Hospitality Group Saudi Arabia )