Risk Based Internal Audit (RBIA) A step by step approach

Welcome to this series on Risk Based Internal Audits. I would not claim that the ideas are stunningly original, but I can state with some conviction that what has been suggested here is tested, easily implementable, relevant to the topic and as simple as RBIA can get. In this edition, we will try to understand some basics of RBIA, with specific focus on Risk, Risk families, Control Designs and their types, and the Operating effectiveness of planted controls.

For the purpose of this series I will not focus on references to IIA, ERM, Sarbanes-Oxley, PCAOB, COBIT objectives etc. These terms however merit knowledge for any serious practitioner of RBIA.

There is a notion that RBIA is relevant only for large organisations running complex ERP transaction management systems. In our experience, applying an RBIA approach to smaller organisations helps to heighten management awareness and build better control foundations.

What is risk?

Risk is defined as the uncertainty of an event occurring that could have an impact on the achievement of the entity's objectives. It is pertinent to note here that there are many classifications of risk, and these should not be confused with each other; they are simply different ways of stratifying and understanding Risk. It is also important to appreciate that risks can only be minimised by a control framework, never completely eliminated. Hence the need for assessments and audits on a continual basis.

Inherent Risk, Residual Risk and Fraud Risk

Inherent Risks are the risks posed to an entity if there are no controls. For example, cash can be lost; this is an inherent risk. Residual risk is the risk that remains after controls are taken into account. Controls such as dual custody of cash and daily cash verification minimise residual risk. Of course, in all this we should also remember fraud risk, which exists if both persons handling dual custody collude. A good control for fraud risk is surprise verification by the internal auditor or members of the management.
