Risk Assessment for Operations Auditing - Powerpoint Presentation PDF
Summary
This document is a presentation on risk assessment in operations auditing. It covers the key concepts, the process, and the frameworks used to identify, score and manage risks. The presentation offers detailed frameworks and practical scoring matrices (likelihood, impact, control effectiveness, inherent and residual risk) and closes with key takeaways. It also discusses elements of operations auditing.
Full Transcript
RISK ASSESSMENTS
OPERATIONS AUDITING MODULE 3

AGENDA
01 EXPECTATION
02 KEY RISK ASSESSMENT CONCEPTS
03 TOP-DOWN RISK ASSESSMENT AND BOTTOM-UP RISK ASSESSMENTS
04 ENGAGEMENT-LEVEL RISK CONSIDERATION
05 CONTINUOUS MONITORING RISK CONSIDERATION
06 RISK ASSESSMENT PROCESS
07 KEY TAKEAWAYS
08 APPENDIX: SAMPLE MATRICES

I. EXPECTATION
A. INTERNAL AUDIT RISK ASSESSMENT
B. ALL RISK-BASED AUDIT PROGRAMS

EXPECTATION FUNDAMENTALS: INTERNAL AUDIT RISK ASSESSMENT
⮚ Assessments typically analyze the risks inherent in a given business line or process, the mitigating control processes, and the resulting residual risk exposure to the institution.
⮚ Assessments should be well documented and dynamic, reflecting changes to the system of internal controls, infrastructure, work processes, and new or changed business lines, laws and regulations.
⮚ Risk assessments should consider control issues, risk tolerance and governance within the institution.
⮚ Assessments may be qualitative and include factors such as the impact and likelihood of an event occurring.
⮚ Assessments should be formally documented and supported with written analysis of risks.
⮚ Assessments should include a specific rationale for the overall auditable entity score.
⮚ A high-level summary of risk assessment results should be provided to the audit committee and include the most significant risks facing the institution, as well as how those risks have been addressed in the audit plan.

EXPECTATION FUNDAMENTALS: ALL RISK-BASED AUDIT PROGRAMS SHOULD:
⮚ Identify all of an institution’s businesses, product lines, services and functions.
⮚ Identify the activities and compliance issues within those businesses, product lines, services and functions that should be audited.
⮚ Include profiles of significant business units, departments and products that identify business and control risks and document the structure of risk management and internal control systems.
⮚ Use a measurement or scoring system to rank and evaluate business and control risks of significant business units, departments and products.
⮚ Include board or audit committee approval of risk assessments, or the aggregate result thereof, and of annual risk-based audit plans.
⮚ Implement the audit plan through planning, fieldwork and reporting.
⮚ Have systems that monitor risk assessments regularly and update them at least annually for all significant business units, departments and products.

II. KEY RISK ASSESSMENT CONCEPTS

Key Risk Assessment Concepts: RISK HIERARCHY

Key Risk Assessment Concepts: RISK ANALYSIS
1. RISK IDENTIFICATION (“what is the risk?”) - a description of the risk presented.
⮚ EXAMPLE: Risk of non-compliance with regulations.
2. RISK RATIONALE (“why does the risk exist?”) - what event(s) cause the risk to occur.
⮚ EXAMPLE: Risk of non-compliance with regulation due to reports of financial information required by regulatory agencies or tax authorities being incomplete, inaccurate or untimely.
3. IMPACT (“so what?”) - the extent to which, if realized, the risk would affect the company; may be expressed in qualitative or quantitative terms.
⮚ CONSIDERATIONS: financial effect, reputational impact, ability to achieve key goals and objectives.
⮚ EXAMPLE: Risk of non-compliance due to reports of financial information required by regulatory agencies or tax authorities being incomplete, inaccurate or untimely, exposing the company to fines, penalties and sanctions.
4. LIKELIHOOD (“how often?”) - the probability of the risk occurring over a defined time frame.
⮚ CONSIDERATIONS: often one year; also consider frequency of occurrence.
⮚ EXAMPLE: Risk of non-compliance due to reports of operating and financial information required by regulatory agencies or tax authorities being incomplete, inaccurate or untimely, exposing the company to fines, penalties and sanctions. The likelihood of

Key Risk Assessment Concepts: UNIVERSAL CONSIDERATIONS
⮚ Should include both quantitative and qualitative considerations.
⮚ Metrics alone are not “analysis”: auditors need to understand the drivers and impact beyond the metric (ex: what, why, so what and how often?).
⮚ Need both top-down and bottom-up assessment aspects.
⮚ Analysis may vary based on the level of assessment being performed (ex: line of business vs. auditable unit vs. engagement).
⮚ Auditors should have a consistent frame of reference for risk measurement or scoring to rank and evaluate risk (ex: what differentiates high vs. moderate vs. low).
⮚ Incorporate a forward-looking perspective, such as risks associated with corporate objectives, growth strategies, new products, and environmental and regulatory changes.
⮚ Expanding risk assessments and documentation to include IT applications and associated IT risks.
⮚ Ensuring that clear linkage exists between the auditable unit risk assessments,

Key Risk Assessment Concepts: RISK ASSESSMENT FRAMEWORK

III. TOP-DOWN AND BOTTOM-UP RISK ASSESSMENT

Top-Down Risk Assessment: KEY CONSIDERATIONS
► Considers both internal and external risks
► Should include quantitative and qualitative considerations
► Helps gain an understanding of overall enterprise-level risks
► Uncovers issues that directly impact stakeholder value, with clear and explicit linkage to the strategic issues of the company
► Serves as a mechanism to understand the risk implications of the company’s strategy
► Ensures the most critical risks facing the company (which may not have been identified by the bottom-up risk assessment) are identified and incorporated into the audit plan
► May result in the performance of targeted audits, horizontal audits and special projects
► Internal Audit must provide an independent view of risk, but that view can and should be formed in collaboration with management

Top-Down Risk Assessment: OVERVIEW
Top-Down Risk Assessment: BUSINESS ENVIRONMENT IMPACT
Top-Down Risk Assessment: DEFINING THE “RISKS THAT MATTER”
Top-Down Risk Assessment: ANALYSIS CONSIDERATIONS
Bottom-Up Risk Assessment: OVERVIEW

Bottom-Up Risk Assessment: ANALYSIS CONSIDERATIONS
⮚ What are the key business risks within the area?
⮚ For each of those risks, what are the contributing factors and management concerns, issues, or gaps in management coverage?
⮚ How do the risks identified relate to governance, risk management and oversight?
⮚ How does management evaluate the effectiveness of the process and related controls in managing risks?
⮚ Are there opportunities for improvement of the process and/or controls in managing the risk?

IV. ENGAGEMENT-LEVEL RISK CONSIDERATION

Engagement-Level Risk Assessment: OVERVIEW

Engagement-Level Risk Assessment: ANALYSIS CONSIDERATIONS
⮚ What are the key risks related to each business process?
⮚ For each of those risks, what are the contributing factors and management concerns, issues, or gaps in management coverage?
⮚ How do the risks identified relate to auditable unit or top risks?
⮚ How does management evaluate the effectiveness of the process and related controls in managing risks?
⮚ Are there opportunities for improvement of the process and/or controls in managing the risk?

V. CONTINUOUS MONITORING RISK CONSIDERATIONS

Continuous Monitoring Risk Assessment: OVERVIEW

Continuous Monitoring Risk Assessment: ANALYSIS CONSIDERATIONS
⮚ Has the existing risk profile changed?
⮚ Have any new risks been identified?
⮚ Have there been any significant changes to people, process, or systems?
⮚ Are activity/risk trends consistent with expectations?

VI. RISK ASSESSMENT PROCESS

RISK ASSESSMENT PROCESS
01 DETERMINING AND CATEGORISING THE AUDIT UNIVERSE
02 IDENTIFYING EVENTS THAT MAY GIVE RISE TO RISKS AND OPPORTUNITIES ACROSS THE AUDIT UNIVERSE
03 SCORING EVENTS IN TERMS OF PROBABILITY AND IMPACT
04 DEVELOPING GENERIC RISK FACTORS TO IDENTIFY THE AUDIT PRIORITY OF AUDIT OBJECTS WITHIN THE AUDIT UNIVERSE
05 DEVELOPING AND MAINTAINING RISK-BASED AUDIT PLANS

Actions required to implement risk-based planning

Categorising the audit universe
AUDIT UNIVERSE
⮚ The overall scope of the internal audit function and the totality of auditable processes, functions and locations.
THE ELEPHANT APPROACH - cutting the audit universe down into small chunks
⮚ Traditionally, auditable objects were categorised by organisational structure and were defined from the top down.
⮚ However, this may not be the most effective way to plan possible audits. It is therefore also important to design audit coverage from a horizontal or cross-functional view of the organisation.
⮚ Therefore the audit universe is a mix of a number of top-down (vertical) and cross-functional (horizontal)

Identifying Risk
THE FOLLOWING ARE SOME COMMON OPERATIONAL RISKS THAT OPERATIONAL AUDITORS SHOULD CONSIDER DURING RISK ASSESSMENTS:

Scoring events: SAMPLE MATRIX
Developing Risk Factors
Identifying Risk Factors
Developing and Maintaining a Risk-Based Audit Plan
Strategic Plan
Annual Audit Plans
ANNUAL REVIEW OF THE STRATEGIC PLAN
DEALING WITH ADDITIONAL REQUESTS FOR AUDITS DURING THE YEAR

Key takeaways
⮚ Risk assessment is NOT an annual, one-time event.
⮚ Risk assessment considerations will differ based on the level of assessment (ex: top-down, auditable unit, engagement, and continuous monitoring).
⮚ Risk assessment is more than simple risk identification; it must include robust analysis.
⮚ Requires continuous engagement with relevant stakeholders.
⮚ Full written explanation of the Audit Plan and the thought process applied.
⮚ Risk assessment must be integrated into audit execution.
⮚ Common risk definitions support risk “convergence” with other lines of defense.
⮚ Audit’s risk assessment must be independent of business or enterprise risk assessments.

Appendix A – Impact Scale
(Note: This impact scale is a representative sample utilized to perform the internal audit risk assessment. The quantity of levels and the definitions of each level may be modified to derive a more suitable scale based upon the maturity of the organization’s current risk assessment process.)

Appendix B – Likelihood and Control Scales

Likelihood scale
Level  Likelihood   Frequency
1      Rare         In more than / every 5 years
2      Infrequent   Within the next / every 3 to 5 years
3      Occasional   Within the next / every 1 to 3 years
4      Frequent     Within the next / every 1 year
5      Imminent     Within the next / every quarter

Control rating scale
1 Strong: The control processes and management's mitigating activities are strong and allow for the effective management of the risk, thereby significantly reducing the frequency and/or impact of the risk event. It does not mean that there is no exposure to risk or that the risk has been reduced to zero.
2 Reasonably Strong: The control processes and management's mitigating activities are more than adequate and allow for the management of the risk, thereby reducing the frequency and/or impact of the risk event; however, there are incremental opportunities for improvement and therefore the control cannot be considered strong.
3 Adequate: The control processes and management's mitigating activities allow for effective management of the risk, thereby partially reducing the frequency and/or impact of the risk event occurring. There are opportunities for improvement and/or adding additional compensating controls to help mitigate the residual risk.
4 Marginally Adequate: The control processes and management's mitigating activities allow for marginal management of the risk; there is minimal reduction in the frequency and/or severity of the risk event. Major gaps and deficiencies have been identified.
5 Weak or Nonexistent: The control processes and management's mitigating activities do not allow for the effective management of the risk; there is no reduction in the frequency and/or severity of the risk event.

(Note: These likelihood and control effectiveness scales are representative samples utilized to perform the internal audit risk assessment. The quantity of levels and the definitions of each level may be modified to derive a more suitable scale based upon the maturity of the organization’s current risk assessment process.)

Appendix C - Inherent Risk – Sample Matrix
Inherent Risk Rating (rows: Likelihood; columns: Impact)

Likelihood     1 Minor    2 Moderate   3 Significant   4 Severe   5 Catastrophic
5 Imminent     Low        Moderate     High            Critical   Critical
4 Frequent     Low        Moderate     High            High       Critical
3 Occasional   Very Low   Low          Moderate        High       High
2 Infrequent   Very Low   Very Low     Low             Moderate   Moderate
1 Rare         Very Low   Very Low     Low             Low        Moderate

(Note: This inherent risk scale is a representative sample utilized to perform the internal audit risk assessment. It is a function of the impact and likelihood scales defined within Appendices A and B.)

Appendix D - Residual Risk – Sample Matrix
(Note: This residual risk scale is a representative sample utilized to perform the internal audit risk assessment. It is a function of the control effectiveness and inherent risk scales defined within Appendices B and C.)

THANK YOU

REFERENCE: Portman, Brian (2013), Perspective on Risk Assessment, Ernst & Young Internal Audit Community (2014), Risk Assessment in Audit Planning
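As an added illustration of process steps 03 and 04 (scoring events by probability and impact, then prioritising audit objects), the following Python encodes the Appendix B likelihood scale and the Appendix C inherent-risk matrix and ranks a constructed audit universe by inherent rating. This is example code written for this page, not material from the presentation or its sources; the auditable units and their scores are constructed, and residual risk is not computed because the page does not reproduce the Appendix D mapping.

```python
# Appendix B likelihood levels; FREQUENCY_BANDS gives the upper bound (years between
# events) for each level, e.g. within a quarter -> 5, within 1 year -> 4; over 5 years is Rare
LIKELIHOOD = {1: "Rare", 2: "Infrequent", 3: "Occasional", 4: "Frequent", 5: "Imminent"}
FREQUENCY_BANDS = [(0.25, 5), (1, 4), (3, 3), (5, 2)]
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Severe", 5: "Catastrophic"}

# Appendix C inherent-risk matrix: INHERENT[likelihood] is the row, indexed by impact 1..5
INHERENT = {
    5: ["Low", "Moderate", "High", "Critical", "Critical"],
    4: ["Low", "Moderate", "High", "High", "Critical"],
    3: ["Very Low", "Low", "Moderate", "High", "High"],
    2: ["Very Low", "Very Low", "Low", "Moderate", "Moderate"],
    1: ["Very Low", "Very Low", "Low", "Low", "Moderate"],
}
RATING_ORDER = ["Very Low", "Low", "Moderate", "High", "Critical"]


def likelihood_from_years(years_between_events: float) -> int:
    """Map an expected recurrence interval (in years) onto the Appendix B level."""
    for upper_bound, level in FREQUENCY_BANDS:
        if years_between_events <= upper_bound:
            return level
    return 1  # less often than every 5 years: Rare


def inherent_rating(likelihood: int, impact: int) -> str:
    """Look up the Appendix C cell; both axes must be integers 1..5."""
    if likelihood not in INHERENT or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1..5")
    return INHERENT[likelihood][impact - 1]


def rank_audit_universe(events):
    """events: (auditable unit, likelihood, impact) tuples. Returns each with its
    inherent rating, highest rating first; ties keep input order (stable sort)."""
    scored = [(unit, lk, im, inherent_rating(lk, im)) for unit, lk, im in events]
    return sorted(scored, key=lambda r: RATING_ORDER.index(r[3]), reverse=True)


# Constructed sample audit universe, not taken from the presentation.
SAMPLE_EVENTS = [
    ("Regulatory reporting", likelihood_from_years(0.5), 4),  # Frequent x Severe
    ("Payroll processing", 2, 2),                             # Infrequent x Moderate
    ("Treasury cash management", 5, 5),                       # Imminent x Catastrophic
    ("Facilities maintenance", 3, 1),                         # Occasional x Minor
]

if __name__ == "__main__":
    for unit, lk, im, rating in rank_audit_universe(SAMPLE_EVENTS):
        print(f"{unit:26} {LIKELIHOOD[lk]:11} x {IMPACT[im]:13} -> {rating}")
```

The ranked list is the input to step 05: units rated Critical or High at the top are the candidates the annual risk-based audit plan should cover first, subject to the control-effectiveness step from Appendix B.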