The International Standards for the Professional Practice of Internal Auditing (Standards) and Board Policy CFC (Local) require the Chief Internal Auditor develop an annual risk-based Audit Plan to determine the priorities of the Internal Audit Department. Board Policy CFC (Local) requires the Audit Plan be submitted to the EPISD’s Board of Trustees for approval.
The Audit Plan establishes the framework for the activity of the Internal Audit Department. In accordance with Standard 2010, the annual Audit Plan is:
- Consistent with the District’s goals and priorities,
- Based on a documented risk assessment undertaken annually,
- Informed by the input of senior management and the Board, and
- Dynamic and flexible to ensure Internal Audit can be responsive to changes from unforeseen issues and events during the year.
Internal Audit uses a risk assessment to develop the annual Audit Plan because it helps us identify and prioritize the potential areas of high risk, so that focus is placed on the auditable activities of greatest significance. As required by the IIA Standards, input from District Leadership and the Board of Trustees is considered in this process.
The first step in the risk assessment is to define the “audit universe,” which includes the auditable units in the District. Auditable units included in the risk assessment are those that:
- Contribute to the District’s goals,
- Are sufficiently large to noticeably impact the District, and
- Are sufficiently important to justify the cost of a control.
After the audit universe is defined, Internal Audit measures the risk of the auditable units based on likelihood and impact risk factors. The level of risk varies from department to department, program to program, and unit to unit. The definition of risk for an organization can be broken down into four elements:
- Strategic Risks: Relate to doing the wrong things.
- Operating Risks: Relate to doing the right things the wrong way.
- Financial Risks: Relate to losing financial resources or incurring unacceptable costs.
- Compliance Risks: Relate to non-compliance with District policies/regulations or state/federal laws.
The likelihood and impact risk factors are reviewed on an annual basis to ensure they are relevant and effective in helping determine the strategic, operating, financial, and compliance risks of the District.