Risk Assessment for Efficiency and Impact Niki Raggi and Corrie Stokes, Austin, Texas.

Presentation transcript:


Session Objectives
- Cover Austin’s current approach (and recent changes) to using risk assessment to maximize audit efficiency and impact
- Discuss real-life examples of project risk assessment in the City of Austin
- Share the templates used to document this work

Our Definition
Risk assessment is a process used to determine the most significant and vulnerable aspects of the audited area, both for the annual plan and within an audit project.

Risk Assessment in GAGAS
- In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives... (6.07)
- Auditors should obtain an understanding of the …visibility, sensitivity, and relevant risks associated with the program under audit (6.13)
- Review should determine if the audit plan adequately addresses relevant risks (6.52)
[Image: Lady GAGAS]

Background: About Austin’s Office of the City Auditor
- City Auditor appointed by Council for a 5-year term
- 26 permanent staff, divided into two units:
  - Audit Services (4 managers, 14 auditors):
    - Conduct planned performance audits and respond to special requests from Council (~30 per year)
  - Integrity Services (1 manager, 3 investigators):
    - Conduct investigations of allegations of fraud, waste, and abuse by City employees or contractors (~60 cases each year)
    - Conduct risk response and other integrity projects as time permits

Background: OCA Evolution
1990: Existing internal audit department transitioned to a performance audit shop reporting to Council
2009: Turnover of 80% of the management team. Council hires new City Auditor who brings a different approach/perspective, for example:
- “We did 80 audits per year where I came from!”
- “Audit reports should be no more than 5 pages”
2010: New City Auditor forms new management team and conducts an “Initial Assessment” which resulted in identifying several areas for improvement:
- Projects could be managed better
- Reports not always timely
- Reports often lengthy and not reader-friendly

Background: OCA Planning and Audit Process
ANNUALLY
- Strategic Audit Plan: Environmental scan and review other sources of risks to identify risks that may affect the City
AT THE PROJECT LEVEL
- Planning Phase: Focus on key processes and related key risks and perform a formal Risk Assessment, to identify focus for fieldwork
- Fieldwork Phase: Continue to focus on what really matters. What’s the “so what”? Are we adding value?
- Reporting Phase: Articulate essential messages to convey high risks and defer unaddressed risks for further study
ONGOING RISK ASSESSMENT

Changes to OCA’s Risk Assessment Process
- Change #1: Start audits with targeted risks from the Annual Planning Process
- Change #2: Give Management credit for managing high risks
- Change #3: Defer unaudited high risks for future work/consideration
- Change #4: Focus on key risks in the key processes only
- Change #5: Standardize the planning process through templates and steps
Diagram labels: ANNUALLY; AT THE PROJECT LEVEL; ONGOING RISK ASSESSMENT

Change 1: Start audits with targeted risk from Annual Planning process
Pre-2010:
- Developed an annual audit plan with general audit topic areas and broad objectives
- Used significant resources to conduct a 3-year comprehensive risk assessment of all City activities

Change 1: Start audits with targeted risk from Annual Planning process
Post-2010:
- Audits are identified annually through the Strategic Audit Plan

Change 2: Give management credit for managing high risks
Pre-2010 Example:
- Despite management managing high risks, we continued to review all aspects of the remittance process
- Result:
  - 2800 hours spent
  - 10 mostly wimpy recommendations
  - aggravated management

Change 2: Give management credit for managing high risks
Post-2010 Example:
- Recognized that high risks were being managed in alignment with best practices and ended our work
- Result:
  - 360 hours spent
  - 0 recommendations
  - credit to management/goodwill

Change 3: Defer unaudited high risks for future work/consideration
Pre-2010:
- Did not have a formal process for disposing of risks
- Tended to try to cover any and all risks identified (concerned that we wouldn’t be back to an area for a long time)
Post-2010:
- Use an issues log on each project
- Incorporate “referrals” into integrity work and next audit plan

Change 4: Focus on the key risks in the key processes only
Pre-2010:
- Trained and skilled in risk assessment
- Started with very broad objectives
- Did not limit risk assessment to key processes
- Did not always limit fieldwork to a subset of risks
Diagram: Benchmarks; Best Practices; Interviews; Reported Performance; Prior Audits/Evaluations; Similar Audits by Other Entities; Contracts/Agreements; Budget & Financial Information; Laws/Regulations; Organizational Charts; Data from Available Systems; Policies & Procedures → RISK & VULNERABILITY ASSESSMENT → OBJECTIVE(S), SCOPE, & METHODOLOGIES FOR FIELDWORK

Change 4: Focus on the key risks in the key processes only
2009 One Stop Shop Audit
- Monster Risk/Vulnerability Matrix

Change 4: Focus on the key risks in the key processes only
Post-2010:
- Start with a more focused objective/issue
- Approach planning by identifying the key processes related to the audit objective, then focusing on the key risks within those processes
- Ongoing risk assessment in addition to a formal risk assessment at the end of planning

Change 4: Focus on the key risks in the key processes only
Affordable Housing Audit
- Broad preliminary objective
- Planning phase of 1,400 hours
- Fieldwork objective still broad
- 77-page report
- 12 recommendations
- Total project took 3,000 hours
Affordable Housing Audit
- More focused preliminary objective
- Planning phase of 600 hours
- Identified two highest risk areas
- 14-page report
- 2 recommendations
- Total project took 1,150 hours
Exercise: find the finding!
- What support or assistance is provided to organizations developing affordable housing to increase probability of success?
- How well has rental housing development assistance performed in the last 6 years?
- Determine if key performance and financial controls are in place for bond and grant funded housing projects
- Evaluate whether A&D and RHDA programs had procedures in place to ensure that:
  - HUD and City program guidelines for long-term monitoring are complied with; and
  - GO Bond goals are being met.

Change 5: Standardize the planning process through planning steps and templates
Pre-2010: Spending too much time on:
- Reinventing how to perform planning steps for every audit
- Reinventing how to document every step each time it was performed

Change 5: Standardize the planning process through planning steps and templates

| Planning Step | Examples of Planning Procedures | Examples of Planning Tasks |
|---|---|---|
| 1. Why are we doing this audit? | Gain a general understanding of the audit’s purpose | Review annual audit plan and meet with others who surfaced the risk |
| 2. What do we already know about the audited entity? | Identify, gather, and review prior work related to the audit objectives | Review prior audits on topic areas; identify prior recommendations |
| 3. What are the available criteria we could use? | Research and identify criteria related to the audit objectives | Review relevant laws, regulations, contracts |
| 4. What do we know about the area that we are auditing? | Gather information about the topic area to identify relevant key processes | Review business plans, org charts, etc.; identify key data sources and key IT systems |
| 5. What are the key risks related to the audit objective? | Gather information about key risks associated with the topic area; evaluate potential sources of evidence | Consider risk of fraud, waste, and abuse; analyze documentation and conduct interviews |
| 6. What are the key controls over the key risks identified above? | Using the key risks as a framework, gather information about key controls | Perform walkthroughs and observations of relevant processes |
| 7. How can we add value? | Conduct an overall assessment of risks and controls | Summarize and rank information gathered on risks and controls; identify fieldwork objectives |

Change 5: Standardize the planning process through planning steps and templates

| Planning Step Question | Examples of Planning Tasks | Examples of Templates |
|---|---|---|
| 1. Why are we doing this audit? | Review annual audit plan and meet with others who surfaced the risk | Kick-off meeting |
| 2. What do we already know about the audited entity? | Review prior audits on topic areas; identify prior recommendations | Prior audits form |
| 3. What are the available criteria we could use? | Review relevant laws, regulations, contracts | Criteria matrix |
| 4. What do we know about the area that we are auditing? | Review business plans, org charts, etc.; identify key data sources and key IT systems | Data reliability form |
| 5. What are the key risks related to the audit objective? | Consider risk of fraud, waste, and abuse; analyze documentation and conduct interviews | Fraud brainstorming; Interview matrix |
| 6. What are the key controls over the key risks identified above? | Perform walkthroughs and observations of relevant processes | R/V Matrix |
| 7. How can we add value? | Summarize and rank information gathered on risks and controls; identify fieldwork objectives | End of Planning Memo |

OCA’s Risk Assessment Process in Action
Customer Care & Billing Audit II: Background
- In 2009, City contracted with IBM for $52 M
- Billing system collects payments for all City utilities
- Payments collected are approximately $2 B per year
Project timeline:
- Planning: June-August 2009
- Assessment: August-January 2010
- Design/Build/Test: January 2010-June 2011
- Acceptance: June-August 2011
- Deployment: August-October 2011
Timeline markers: CC&B Audit II; CC&B Audit I


CC&B II – Risk and Vulnerability Assessment


Recap/Lessons Learned
- Change 1: Start with targeted risks in your annual plan
  - Identifying audits is an art, not a science
- Change 2: Give management credit for managing high risks
  - It’s okay to walk away
- Change 3: Defer unaudited high risks for future consideration
  - You don’t have to audit everything at once
- Change 4: Focus on key risks in the key processes only
  - Focus on what really matters (“where’s the beef?”)
- Change 5: Standardize the planning process
  - Don’t reinvent the wheel; save your creativity for fieldwork