WHAT?
◦ Internal Auditing is an independent, objective assurance and advisory activity
designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management,
internal controls and governance processes.
◦ {The Institute of Internal Auditors, USA}
◦ The definition of I/A provides comprehensive guidelines for the framework of internal audit. It should always be kept in mind
while I/A work is being carried out.
WHY?
◦ The Main Objectives of I/A are:
◦ To provide assurance on the adequacy, efficiency and effectiveness of the whole control environment,
◦ To advise at an early stage in the implementation of any system developments or amendments to processes, and to make recommendations in
the formation of policies, procedures and controls, and
◦ To note deviations from organizational policies, procedures and controls and to recommend actions to mitigate the risks arising out of
such deviations.
◦ Further I/A provides:
◦ Assurance that the organization's values are preserved, and
◦ That rules, laws and regulations are complied with in their letter and spirit
◦ To ensure that financial statements and other information are accurate and reliable and
◦ That human, financial and other resources are managed efficiently and effectively
◦ Wider anti-fraud and anti-corruption framework
◦ Both feedback and feed forward controls
TYPES
◦ Following types of audits make the framework of I/A:
◦ Compliance Audit: To ensure compliance with rules, regulations and laws applicable to Drugstoc.
◦ Operational Audit: To ensure efficient and effective conduct of operations of Drugstoc.
◦ Information System Audit: To ensure proper functioning of the information system throughout the life of business
activities
◦ Performance Audit: To ensure the efficient use of resources to obtain the objectives of Drugstoc.
◦ Environmental Audits: To ensure compliance with the environmental laws and regulations.
◦ Special Assignments: relate to investigations on fraud and corruption, or any other special service.
THE STANDARDS
◦ Internal auditors carry out their work in accordance with a given set of rules, guidelines, regulations and standards. These standards,
provided by the Institute of Internal Auditors, are known as the International Standards for the Professional Practice of Internal Auditing
(the standards). The standards provide guidance on assurance and advisory activities of an internal auditor.
◦ The application of these standards is mandatory for internal auditors during their work.
◦ Following are the types of the standards:
◦ Attribute standards: pertain to Drugstoc and team/staff performing the audit work
◦ Performance Standards: are about the nature of internal auditing and provide quality criteria for the performance of the work.
◦ Implementation Standards: provide guidance for each attribute or performance standard to be applicable to assurance (A) or Advisory
(A) activity.
AUTHORITY
◦ Internal audit is fully authorized to:
◦ Have complete and unrestricted access to records, personnel, and physical properties/assets relevant to the performance of I/A
engagement.
◦ Delegate duties, allocate resources, select team, determine scope of work, budget time & cost and select required
techniques/procedures to accomplish objectives.
◦ Obtain necessary assistance of personnel in auditee departments and other specialized services within or outside the
organization.
SCOPE
◦ The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and
effectiveness of the organization's governance, risk management, and internal processes as well as the quality of performance in
carrying out assigned responsibilities to achieve the organization’s stated goals and objectives.
◦ This scope of I/A generally includes the following:
◦ Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such
information.
◦ Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which
could have a significant impact on the organization.
◦ Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
◦ Evaluating the effectiveness and efficiency with which resources are employed.
ANNUAL AUDIT PLAN
◦ In cooperation with executive management, the following is performed:
◦ Conduct a preliminary risk assessment (with the Risk team) by utilizing interviews or the best strategy.
◦ Gather top management input on the assessment.
◦ Prepare a draft Risk-Based Annual Audit Plan.
◦ Obtain the formal approval of the Audit Committee or the Board.
◦ The plan is subject to reviews during the course of audit work to ensure that the focus continues to be on the higher risk areas. In
addition, the need to conduct special assignments requested from the Audit Committee and senior management may also require
the deferral of planned audit work.
PLANNING
◦ Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and
whether the operations or programs are being carried out as planned.
◦ Monitoring and evaluating governance processes
◦ Monitoring and evaluating the effectiveness of the organization’s risk management processes
◦ Evaluating the quality of performance of external auditors and the degree of coordination required with internal audit work
◦ Performing consulting and advisory services related to governance, risk management and control as appropriate for Drugstoc
◦ Reporting periodically on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan
◦ Reporting significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or
requested.
PERFORM AUDIT FIELDWORK
1. Carry out fieldwork as indicated in the annual audit plan
2. Obtain cooperation from management and staff as necessary to identify, obtain documentation and conduct interviews, etc.
3. Conduct fieldwork with minimal disruption to operations of Drugstoc.
REPORT RESULTS
◦ Share important and sensitive findings with responsible managers upon verification
◦ Make notes of comments/responses of the management/personnel on all observations
discussed with them.
◦ Prepare a first draft of the final report and discuss with responsible managers after the audit
FINAL REPORT
1. Issue final report to the management.
2. Prepare checklist of issues to be discussed with the management in the next period audit
3. Write down comments of management on the audit report
OBJECTIVES & GOALS
DrugStoc E-Hub Limited
This plan is designed to cover all areas of Drugstoc business operations and to significantly reduce to an acceptable level the exposure of the
organization to all risks that characterize the sector. These risks include operational risks, credit risks, reputational risk, IT risk and
legal/compliance risk.
Risk-Based Internal Audit is essential to evaluate risk management practices, internal control systems and compliance with both corporate and
regulatory policies, with the aim of bringing areas of vulnerability to the attention of management and facilitating improvements where
necessary.
Our Focus
Operational Risk
► Internal and external fraud.
► Employment practices and workplace safety.
► Errors.
► Income/expense leakages.
► Loss/damage of physical assets.
► Incomplete documentation.
► Non-adherence to policies and procedures.
Information Technology
► Backup/offsite storage.
► Disaster recovery and contingency.
► Business continuity plan.
► Access restriction.
► IT strategic plan.
► Mandate/report/minutes of IT steering committee.
► IT equipment - storage facilities & condition.
► Complaints register review and review of support services.
Credit Risk
► Customers’ unwillingness to pay due to character deficiency.
► Death of a customer.
► Customers not having the capacity to repay loans.
Liquidity Risk
► Negative impact of the creation of new business/product.
► Bad loans
► Loss of revenue
Reputation, Compliance Risk
► Tax, CIT
► Annual returns
► Non-adherence to laws and regulatory guides.
► Customer surveys, feedback mechanisms, complaint resolution
Financial Risk
► Capital Adequacy
► Accounting and Reporting
► Cash management
► Transaction postings/GL proof