BarnOwl Info Sharing Insight – Empowering Insight, Enhancing Governance: Mastering Risk and Control-Based Auditing (Part #1 – Audit Planning)

May 6, 2024

Presented by Stephen Helberg and Scott Goddard, Directors, GRCReady


Thank you very much Stephen and Scott for your most informative presentation on ‘Mastering Risk and Control-Based Auditing (part #1 on Audit Planning)’ at the BarnOwl info-sharing event held on 25th April 2024. Thank you too, to all those who attended the session.

Part #1 covers Audit Planning; part #2, scheduled for 27th June 2024, will cover ‘Audit Execution’.

Through practical examples and insightful discussions, Stephen showcases how a risk-based approach can transform your audits from mundane tasks to strategic drivers of organisational success.

Is your internal audit team grappling with audit fatigue? Are your audit stakeholders feeling disconnected or frustrated due to prolonged audit processes yielding minimal relevance?

Selecting the appropriate approach can elevate internal audit as a trusted advisor, championing good governance practices, fostering stakeholder engagement, and yielding more meaningful and actionable insights.

A risk-based audit methodology initiates with a comprehensive assessment of the risk landscape, serving as the foundation for the audit plan. In this approach, the primary objective is to address the organisation’s most critical risks.

While many audit departments claim to adopt a risk-based approach, often their audit plans are structured around departments, functions, or processes, primarily focusing on compliance with internal policies and external regulations.

A truly effective risk-based audit methodology commences with an evaluation of the organisation’s top risks and overarching business objectives. Subsequently, all audits within the plan should be tailored to mitigate these risks and provide valuable insights to senior management.

Risk-based audit plans hinge upon defining the organisation’s risk appetite, identifying inherent risks, and prioritising high-risk business processes. Alignment with the organisation’s risk profile, macro business processes, strategic objectives, and legal obligations is imperative. We delve deeper into understanding these essential “filters” during our discussion.




Evolution of the Profession

Pre-2020, the audit focus was on the core areas of financial auditing and compliance with regulations such as SOX 404 and 302, the King requirements and the ASX 7 and 4 requirements. Since early 2020, customer needs have changed significantly to focus on strategic value. What does this mean, and how do we make sure our audit plan focuses on the risks and business initiatives that really matter?

Customer Survey and Board Audit and Risk Committee (BARC)

Some of the key take-outs from this feedback include:

  • At present there is too much overlap of assurance functions resulting in a strain on the business.
  • The scope of services is too narrow and should look at broader and strategic risks and facilitate best practice.
  • There is a lack of understanding of the CA’s role and scope.
  • Internal Audit needs to demonstrate its value; how do we show shareholders that IA is a good investment?

At one of the early Board Audit and Risk Committees of a large mining company a Director asked me:

  1. “How do we know that you are doing the right audits? and
  2. How do we know that every audit is executed properly?”

If we audit the wrong areas brilliantly with capable people or if we audit the right areas poorly, we are not providing the real value we could and should be.

Internal Audit role and position of risk-based auditing

To put risk-based auditing in the context of the IA strategic plan, we look at the purpose of an IA function, and it is clear that the work we do is predicated on the organisation’s material business risks. This does not mean that the audit programme is aligned only to the risk profile: there are a number of important “filters”, if you like, that should be applied to ensure you are planning to do the right audits.

There are nine (9) key performance areas which apply to any IA function. We have developed an extensive maturity assessment model which assesses all nine. The following is an example of a typical audit maturity assessment:


Do the right Audits unpacked / steps

The Internal Audit methodology is possibly the most important of the 9 key performance areas to get right. The IA methodology covers two key processes:

  1. Do the right audits and
  2. Do the audits right

This session will focus on: do the right audits. As per Sun Tzu, the ancient Chinese strategist: “Battles are won even before the army moves. It’s all about the strategy and the planning and preparation work”.

The process followed when preparing your audit plan for the next audit cycle is critical to the delivery of a valuable audit service. We have developed and followed, for a number of years, a structured approach consisting of 6 key steps.


Step 1 – Strategic Plan and business model mapping

First, we analyse and map the company’s key objectives to the end-to-end macro business processes:

  • Identify the macro processes within the organisation which link to core activities.
  • Define each macro process and sub process at a high level and rank these by importance.
  • Analyse the top processes in more detail, covering the process overview, key risks, scope and approach (select 2 to 3 business units to review), and value to the business.
  • Define the high-level risks for these processes and the potential audit scope.
  • Evaluate and prioritise the key processes based on process value (discounted for existing assurance) and the ease of executing an end-to-end review.
  • Finally, facilitate a workshop with key nominated executives, and potentially the BARC members, to prioritise those macro processes that have the most material impact on the organisation.

Step 2 – Risk Profile mapping

The next step is to map the draft audit projects to the organisation’s risk profile.

The example above shows an audit plan which aligns to current and planned strategic developments; in this case the company was planning to expand into higher-risk countries, so the exploration process was thoroughly reviewed.

Step 3 – Consider Emerging Risks

Step 3 is to consider current and emerging risks impacting your organisation.

The example above is from the Audit Director Round Table, but many other professional service providers perform bi-annual or annual emerging risk studies for various industries.

Step 4 – Legal and Compliance obligations

Step 4 is to consider the material legal and compliance obligations relevant to your company.
The obligations and governance framework will ensure material obligations for the Group are defined and all governance and compliance processes are aligned at a Group level and cascaded into all areas of the organisation. The model will act as the basis for your Risk Management system and Combined Assurance process.

Step 5 – Recurring & systemic issues & follow-up audit actions

The next main area to consider in your planning process is the follow-up review of prior years’ high-rated audit findings and of systemic and/or recurring issues.

  • Identify systemic issues and analyse them further; in some cases they point to group-level issues that expose material deficiencies across the group.
  • Individual audit reports, taken on their own, cannot reveal systemic issues or trends.
  • Such trends may indicate a larger issue at group level that should itself be audited.

Step 6 – BARC and Management Requests

The last step is to accommodate the BARC and management requests. We are now in a position to prepare with confidence an audit plan which can be presented to the executives and the BARC as well as describe the process followed to get to the proposed plan.


This methodology demonstrates that a structured, logical and coordinated approach has been taken to ensure that we do the right audits. This approach provides confidence to your stakeholders that Internal Audit is a good investment and contributes actively to the value creation of the company.

In the next session (scheduled for 27th June 2024) we will look at the process and some practical examples to deliver consistently high quality audits.


Presentation and video links

Please see the attached presentation here, and the info sharing recording here.

Contact us

Cheryl Keller | BarnOwl
Stephen Helberg | Director | GRCReady
Scott Goddard | Director | GRCReady


Thank you

Once again, thank you Stephen and Scott for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at:

Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software


About BarnOwl:


BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations locally and internationally. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see for more information.


About our guest speakers