E.1 Practice Review and Internal Audit’s Risk Based Plan Policy

Practice Review and Internal Audit’s Risk Based Plan

  1. PRIA’s risk based plan is goal-oriented and defines the scope of work over a three year period. The plan includes specific internal audits intended to be undertaken in the next year.

  2. In developing the risk based plan, PRIA has adopted the following criteria:

    • Scheduling of activities identified in the plan must be realistic.

    • Completion of planned activities must be achievable.

    • Audit cycle for each activity must be completed.

    • The plan must remain flexible to changing risks.

  3. The Chief Audit Executive is responsible for developing the risk-based plan. The methodology for the completion of the plan shall consider the following:

    • The Office’s integrated risk management framework

    • The Office’s identification and management of its strategic objectives and whether strategic risks and new initiatives are managed to an acceptable level

    • Input from key stakeholders (Audit Committee members, senior management, service level leaders) on audit priorities that may impact members, retirees, employers, or the organization

    • Staffing resource availability and capability

    • Audits planned by other internal and external assurance providers, to minimize the potential duplication of effort and to maximize the amount of coverage achieved

    • Emerging issues resulting from the continuous update of the Office’s risk profile

    • Engagements that focus on key risks, economy or efficiency of operations

    • Areas identified as potent candidates for continuous auditing, leveraging the Office’s risk management framework

    • Consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve operations

    • Common risk area profiles which could result in an enterprise audit across service areas with similar risk factors


  4. The risk based plan is to include the following information:

    • Introduction, Mission, and Purpose

    • Audit Prioritization Process

    • Coordinated Audit Coverage (with Other Assurance Providers)

    • Preliminary Audit Scope by Service area and Audit Universe Area

    • Types of Assurance Audits or Consulting Activities

Review and Comment

Review Requirements

  1. The risk based plan will be reviewed quarterly to determine:

    • changes in the organization’s risk profile;

    • any significant variations to the original plan arising from the under- or overassessment of the time required for audit projects;

    • effects of unforeseen events that have significantly impacted the timetabling of audit projects;

    • rescheduling due to the effect of staff changes;

    • percentage of internal audit’s audit effort devoted to assurance and consulting engagements; and

    • other metrics developed in coordination with the audit committee (e.g., percentages of audit plan completed, budget to actual expenses).

  2. Amendments to the annual audit plan arising as a result of the quarterly review shall be presented by the Chief Audit Executive to the Audit Committee.

  3. The Audit Committee recommends the approval of the risk based plan to the Auditor General who approves the plan. The Audit Committee also recommends the approval of any amendments to the plan to the Auditor General, who approves amendments to the plan.

Communication and Distribution

  1. The risk based plan will be submitted to the Audit Committee in the spring of each year for recommended approval.

  2. The risk based plan will be available on the Office’s extranet site for public access.

  3. PRIA’s risk based plan is available to external auditors upon request.
