IIA-CIA-Part2: What is the Best Method for Selecting Audits in an Audit Plan According to IIA Guidance?

Discover the IIA’s recommended approach for choosing which audits to include in an audit plan. Learn why a risk-based methodology considering key operations is ideal.

Question

The chief audit executive is completing the audit plan. According to IIA guidance, which of the following is the best method of selecting the audits to be completed?

A. A rotational audit plan with core audits being done every two to four years.
B. A risk-based audit plan that also covers important operational areas.
C. An audit plan based upon the previous audit results and findings.
D. An audit plan based upon responses from management on key risk areas.

Answer

According to the IIA’s guidance, the best method for the chief audit executive to select which audits to include in the audit plan is:

B. A risk-based audit plan that also covers important operational areas.

Explanation

The IIA advocates for a risk-based approach to audit planning. This means the audit plan should focus on the areas of highest risk to the organization. The chief audit executive should consider factors such as the likelihood and potential impact of risks materializing in each area. This allows the audit function to concentrate its limited resources on the most critical risks.

However, the IIA also specifies that a risk-based audit plan should cover key operational areas, even if they are not necessarily the highest risk. Important operational areas are those that are essential to the organization achieving its objectives. Failing to review these areas periodically could allow control weaknesses or inefficiencies to go unidentified.

The other options are not as aligned with IIA standards and guidance:

A. While having a rotational element and covering core areas every few years may be part of the audit plan, it should not be the primary basis for the plan. The audit plan must be adaptive to changes in risk.

C. Prior audit results are an input into the risk assessment, but should not be the main determinant of the audit plan. The risk profile may have changed since previous audits were conducted.

D. Management’s views on risks should definitely be considered as part of the risk assessment process. However, the audit function must maintain independence and objectivity. It should not simply defer to management on which areas to audit.

In summary, a risk-based audit plan that covers essential operations is the best practice approach according to the IIA. It enables the audit function to address the most significant threats and add value to the organization.
