rawg. risk assessment guideline for strategic and annual planning ◦ identifying auditing universe...

Next steps RAWG

Upload: molly-black

Post on 03-Jan-2016


Page 1: RAWG.  Risk assessment guideline for strategic and annual planning ◦ Identifying auditing universe ◦ Identification of risks ◦ Categorization of possible

Next steps RAWG

Page 2: WHAT WE HAVE

Risk assessment guideline for strategic and annual planning
◦ Identifying auditing universe
◦ Identification of risks
◦ Categorization of possible risks
◦ Estimating likelihood and impact of risks
◦ Developing 3-year plans
◦ Annual plan

Page 3: WHAT HAPPENS AFTER PLANNING

◦ Preparation for the audit engagement
◦ Drafting a plan for the audit engagement
◦ Appointing auditors for the engagement
◦ Identifying the goals of the engagement
◦ Executing the engagement
◦ Collecting audit evidence
◦ Developing a project and the final report (conclusion)
◦ Post audit

Page 4: Is planning over at the stage of the annual plan?

◦ Planning is just the overall direction of activity, a list of tasks and not a final decision on the audit engagement
◦ At the preparation stage for the audit engagement, the annual audit plan can change based on REEVALUATION OF RISKS

Page 5: Risks in IIA standards

◦ 1210.A2 to evaluate the risk of fraud
◦ 1210.A3 key information technology risks and controls
◦ 1220.A1 adequacy and effectiveness of governance, risk management, and control processes
◦ 1220.A3 must be alert to the significant risks

Page 6: Standard 2201 – Planning Considerations for audit engagements

◦ The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
◦ The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model;
◦ The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

Page 7: Standard 2210 – Engagement Objectives

◦ 2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
◦ 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Page 8: Standard 2060 – Reporting to Senior Management and the Board

Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Page 9: Standard 2450 – Overall opinion

The description of risk assessment or control methodology or of other criteria on which the opinion is based

Page 10: Standard 2600 – Communicating the Acceptance of Risks

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management…

Page 11: Suggestions

◦ Preliminary risk assessment at the stage of audit engagement planning
◦ Risk assessment when goals are set and audit evidence is collected
◦ Risk assessment at post-audit stage
◦ Assessment of fraud risks
◦ Assessment of IT risks
◦ etc. …

Page 12: Preliminary risk assessment at the stage of audit engagement planning

◦ Preparation throughout the year
◦ Collection and assessment of information on risks
◦ Assessment of risks related to legal documents adopted after the latest risk assessment
◦ Identification of risks during consultations with senior management and first meeting

Page 13: Risk assessment when goals are set and audit evidence is collected

◦ Based on the results of preliminary risk assessment of the audit objects: developing an engagement plan
◦ Identification of most risky transactions
◦ Setting the tasks for auditors and defining the selection method (statistical, non-statistical, mixed)
◦ Setting other tasks and their possible changes

Page 14: Risk assessment at post-audit stage (Follow up)

◦ Risk assessment of collected evidence
◦ Defining priorities
◦ Risk assessment of tasks execution or acceptance of risk by the leadership

Page 15: Glossary of terms that need to be explained

How to calculate
◦ Major risks
◦ Inherent risks
◦ Residual risks
◦ Acceptable risks
◦ Risk appetite