Tuesday 27 December 2011

Topic 2: Use of the Framework

The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the CAE uses his/her judgment of risks after consultation with senior management and the board.

Management and Staff Information-Gathering Techniques

Interviews

  • A structured discussion between 2 parties: one representing internal auditing and the other representing a potential engagement client or information source about business risks.
  • Intended to solicit an unbiased view from the individual being interviewed.
  • Typically a precursor to focus groups and surveys.
Focus group
  • A small group of current managers or employees is invited to participate in a structured discussion facilitated by a representative of the internal audit function.
Questionnaires & Surveys
  • A way to quantify management and employee attitudes and perceptions. 
Qualitative data are subjective or soft measures focusing on perceptions and attitudes. They can be derived from interviews, focus groups, observations and meetings.

Quantitative data are measures derived from concrete, objective criteria, which can be obtained from studies, reports and surveys.

Types of Organizational Risks 
  • Strategic risks
  • Project/program/process risks
  • Operations risks
Risk measurement evaluates the potential impact of the risks based on the probability of risk occurrence - the likelihood the risk will result in a consequence that could materially impact the organization's ability to achieve goals and objectives. Risk measurement approaches include:
  • Probability estimates
  • Risk factor measures
  • Weighted matrices
Risk prioritization uses various ranking methods to rank risks and establish the relative strength of each risk and the potential consequence of each. Methods include:
  • Absolute ranking - ranks risk management scores and places them in order of magnitude.
  • Relative ranking - groups risk measurement scores into natural clusters and assigns relative values such as low, medium or high.
  • Matrices ranking - further analyzes the matrices used to measure risks and consequences and places them in quadrants of low, medium or high. 
Risk can be managed in a number of different ways including:
  • Acceptance - identifying ways to manage the risk such as establishing contingency plans.
  • Avoidance - identifying ways to prevent risk exposure
  • Transfer - sharing or transferring the risk to insurance or to other parties
  • Control - establishing internal controls for reducing the potential negative impact of risk and uncertainty or training employees in how to recognize potential risks and respond to prevent damage and reduce the effect
The CAE needs to make decisions for applying relative resources based on the significance of risk and exposure. In validating the risk priorities, factors to establish the priority of engagements include financial impact, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last audit engagement, complexity, employee and government relations. 


