Audit Methodology

Risk-Based Auditing

Our definition

Risk-based internal auditing (RBIA) is a methodology that links internal auditing to an organization’s overall risk management framework. RBIA allows internal auditing to provide assurance to the board that management is managing risks effectively, in relation to the risk appetite that has been set.

Definition of Risk

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Definition of Controls

Internal controls are practices that protect the University's assets or make more efficient use of them. They are the kind of things you already do, because they are generally just good business practices. Internal controls can involve anything from protecting computer files with passwords to making sure that the door is locked when everyone has gone home.

Typically, management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices. They may sometimes seem unimportant by themselves, but taken as a whole, they can have a major impact on the University's operations. Internal controls can be preventive, detective or corrective in nature:

Preventive controls are designed to discourage or prevent errors or irregularities from occurring. They are more cost-effective than detective controls. Job descriptions, required authorization signatures, data entry checks, physical control over assets to prevent their improper use and credit checks are all examples of preventive controls.

Detective controls are designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but still are essential, since they measure the effectiveness of preventive controls and are the only way to effectively control certain types of errors. Account reviews and reconciliations, observations of payroll distribution, periodic physical inventory counts, passwords, transaction edits and internal auditing are all examples of detective controls.

Corrective controls are designed to prevent the recurrence of errors. They begin when errors occur and keep the "spotlight" on the problem until management can solve the problem or correct the defect. Budget variance reports and quality circle teams are examples of corrective controls.

Internal auditors evaluate the effectiveness of an operation's internal controls by first gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such errors. Then, they test the application and performance of those controls to assess how well they work. You can evaluate controls in your department's operations by following the same process.

Control Activities

Control activities are those specific policies and procedures that help ensure management objectives are achieved. They include a wide range of activities performed by supervisory and frontline personnel throughout the University. This is not an all-inclusive list, but here are some examples of common control activities:

Segregation of Duties

Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For instance, responsibilities for authorizing transactions, recording them and handling the related asset should be divided.

Physical Controls

Equipment, inventories, cash and other assets should be secured physically, and periodically counted and compared with amounts shown on control records. Access should be restricted to those with authority to handle them.