Managing - Risk-Based Internal Audit
Plan questions with answers.
Planning is done by the CAE working with senior management and the board to understand: ANS - -
Organizational strategies.
-Key business objectives.
-Associated risks.
-Risk management processes.
The internal audit activity's plan of engagements must be based on a documented risk assessment,
undertaken at least ANS - annually. The input of senior management and the board must be considered
in this process
The internal audit activity typically reviews and corroborates the key risks that were identified by senior
management. ANS - -As Standard 2010.A1 indicates, this process must be undertaken at least annually.
-In some sectors, annually may not be frequently enough, requiring documented risk assessments to
take place much more frequently, such as every quarter.
-Risks are measured in terms of impact and likelihood.
The chief audit executive must identify and consider the expectations of ANS - senior management, the
board, and other stakeholders for internal audit opinions and conclusions.
The internal audit plan is developed using: ANS - -The expectations and requests of senior
management, the board, and other stakeholders.
-The internal audit activity's ability to rely on the work of other internal and external assurance
providers.
The chief audit executive should consider accepting proposed consulting engagements based on the
ANS - engagement's potential to improve management of risks, add value, and improve the
organization's operations. Accepted engagements must be included in the plan.
,Both internal and external risks must be examined and linked to specific objectives and business
processes to organize and prioritize the risks. ANS - -Internal risks may affect key products and services,
personnel, and systems.
-Relevant risk factors include the degree of change in risk since the area was last audited, the quality of
controls, and others.
-External risks may be related to competition, suppliers, or other industry issues.
-Relevant risk factors may include pending regulatory or legal changes and other political and economic
factors.
Impacts may be felt through organizational reputation in addition to typical financial impacts.
Once all information is gathered, the CAE develops an internal audit plan, which may include: ANS - -A
list of proposed audit engagements and specifications regarding whether the engagements are
assurance or consulting in nature.
-The rationale for selecting each proposed engagement.
-Objectives and scope of each proposed engagement.
-A list of initiatives or projects that result from the internal audit strategy but may not be directly related
to an internal audit.
Examples of initiatives or projects arising from internal audit strategy but that may not be directly
related to internal audit include things like ANS - monitoring an ethics hotline or conducting fraud
awareness training.
Once the plan is created, the CAE discusses it with the board, senior management, and other
stakeholders to ANS - create alignment among their priorities. The discussion will also acknowledge
material risk areas that are not addressed in the plan.
Not all organizations will use the term "audit universe." Generally speaking, however, the audit universe
includes: ANS - -Major functions.
-Operations.
-Operating units.
-Subsidiaries.
-Third parties.
-IT.
, -Business, service, and product lines.
The audit universe also includes ANS - -Any applicable areas (e.g., financial reporting or compliance)
that have a pervasive, organization-wide impact and fall under the internal audit "umbrella" from an
assurance coverage perspective.
-Relevant regulatory mandates in highly regulated industries.
-Independent compliance assessments of high-risk areas as mandated by government agency
examiners, even in the absence of specific laws and regulations requiring them.
The audit universe is not defined solely by ANS - operating entities, their overarching processes, and
their related functional activities. It also encompasses the organization's strategic plan and the controls
management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that
stakeholder needs are being met.
Strategic plans are based on some degree of ANS - environmental analysis (environmental scanning)
that provides intelligence on what is and what will potentially be happening inside and outside the
organization.
Organizations may use a strengths, weaknesses, opportunities, and threats analysis (SWOT analysis) to
ANS - identify and classify elements that can help or hinder the organization or its strategic plans or
activities.
Strength and weakness reviews in SWOT analyses look at the ANS - organization's internal capabilities
(or lack thereof).
Opportunities and threats in a SWOT analysis are then focused mostly on external factors that can ANS -
impact organizational success for good or for ill (perhaps also considering some related internal
opportunities or risks).
Opportunity and threat reviews may look at the following factors: ANS - -Legal factors
-Regulatory factors
-Market forces, industry trends, and the competition
-Stakeholder groups
Plan questions with answers.
Planning is done by the CAE working with senior management and the board to understand: ANS - -
Organizational strategies.
-Key business objectives.
-Associated risks.
-Risk management processes.
The internal audit activity's plan of engagements must be based on a documented risk assessment,
undertaken at least ANS - annually. The input of senior management and the board must be considered
in this process
The internal audit activity typically reviews and corroborates the key risks that were identified by senior
management. ANS - -As Standard 2010.A1 indicates, this process must be undertaken at least annually.
-In some sectors, annually may not be frequently enough, requiring documented risk assessments to
take place much more frequently, such as every quarter.
-Risks are measured in terms of impact and likelihood.
The chief audit executive must identify and consider the expectations of ANS - senior management, the
board, and other stakeholders for internal audit opinions and conclusions.
The internal audit plan is developed using: ANS - -The expectations and requests of senior
management, the board, and other stakeholders.
-The internal audit activity's ability to rely on the work of other internal and external assurance
providers.
The chief audit executive should consider accepting proposed consulting engagements based on the
ANS - engagement's potential to improve management of risks, add value, and improve the
organization's operations. Accepted engagements must be included in the plan.
,Both internal and external risks must be examined and linked to specific objectives and business
processes to organize and prioritize the risks. ANS - -Internal risks may affect key products and services,
personnel, and systems.
-Relevant risk factors include the degree of change in risk since the area was last audited, the quality of
controls, and others.
-External risks may be related to competition, suppliers, or other industry issues.
-Relevant risk factors may include pending regulatory or legal changes and other political and economic
factors.
Impacts may be felt through organizational reputation in addition to typical financial impacts.
Once all information is gathered, the CAE develops an internal audit plan, which may include: ANS - -A
list of proposed audit engagements and specifications regarding whether the engagements are
assurance or consulting in nature.
-The rationale for selecting each proposed engagement.
-Objectives and scope of each proposed engagement.
-A list of initiatives or projects that result from the internal audit strategy but may not be directly related
to an internal audit.
Examples of initiatives or projects arising from internal audit strategy but that may not be directly
related to internal audit include things like ANS - monitoring an ethics hotline or conducting fraud
awareness training.
Once the plan is created, the CAE discusses it with the board, senior management, and other
stakeholders to ANS - create alignment among their priorities. The discussion will also acknowledge
material risk areas that are not addressed in the plan.
Not all organizations will use the term "audit universe." Generally speaking, however, the audit universe
includes: ANS - -Major functions.
-Operations.
-Operating units.
-Subsidiaries.
-Third parties.
-IT.
, -Business, service, and product lines.
The audit universe also includes ANS - -Any applicable areas (e.g., financial reporting or compliance)
that have a pervasive, organization-wide impact and fall under the internal audit "umbrella" from an
assurance coverage perspective.
-Relevant regulatory mandates in highly regulated industries.
-Independent compliance assessments of high-risk areas as mandated by government agency
examiners, even in the absence of specific laws and regulations requiring them.
The audit universe is not defined solely by ANS - operating entities, their overarching processes, and
their related functional activities. It also encompasses the organization's strategic plan and the controls
management has in place to mitigate risks, achieve organizational goals and objectives, and ensure that
stakeholder needs are being met.
Strategic plans are based on some degree of ANS - environmental analysis (environmental scanning)
that provides intelligence on what is and what will potentially be happening inside and outside the
organization.
Organizations may use a strengths, weaknesses, opportunities, and threats analysis (SWOT analysis) to
ANS - identify and classify elements that can help or hinder the organization or its strategic plans or
activities.
Strength and weakness reviews in SWOT analyses look at the ANS - organization's internal capabilities
(or lack thereof).
Opportunities and threats in a SWOT analysis are then focused mostly on external factors that can ANS -
impact organizational success for good or for ill (perhaps also considering some related internal
opportunities or risks).
Opportunity and threat reviews may look at the following factors: ANS - -Legal factors
-Regulatory factors
-Market forces, industry trends, and the competition
-Stakeholder groups
