Audit Risk Analysis and Other Considerations
April 11, 2018
Lisa Grace, Chief Audit Executive
Agenda
- Introduction
- Internal Audit
- IIA Standard Overview
- COSO Overview
- Internal Audit Application
- Questions
What is the purpose of Internal Audit?
Internal Audit Definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- Governed by the IIA's International Standards for the Professional Practice of Internal Auditing (Standards)
- COSO is the control framework often utilized by Internal Audit (and, to ensure the Standards are met, usually used by External Audit as well)
IIA Standard Overview
Attribute and Performance Standards
Attribute Standards: Address the attributes of the organization and the internal audit individuals
- 1000 Purpose, Authority, Responsibility
- 1010 Charter
- 1100 Independence and Objectivity
- 1110 Organizational Independence
- 1120 Individual Objectivity
- 1130 Impairment of Independence and Objectivity
- 1200 Proficiency and Due Professional Care
- 1210 Proficiency
- 1220 Due Professional Care
- 1230 Continuing Professional Development
- 1300 Quality Assurance Program
- 1310 Requirements
- 1320 Reporting
Performance Standards: Address the nature of auditing and the quality criteria used to measure the audit activity
- 2000 Managing the Internal Audit Activity
- 2010 Planning
- 2100 Nature of Work
- 2120 Risk Management
- 2200 Engagement Planning
- 2201 Planning Considerations
- 2210 Engagement Objectives
- 2300 Performing the Engagement
- 2400 Communicating Results
- 2500 Monitoring Progress
- 2600 Communicating the Acceptance of Risk
2000 Managing the Internal Audit Activity
2010 Planning: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.
Interpretation: To develop the risk-based plan, the CAE consults with senior management and the board and obtains an understanding of the organization's strategies, key business objectives, associated risks and risk management process. The CAE must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems and controls.
2010.A1 – The Internal Audit Plan must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
2100 Nature of Work
2100 Nature of Work: The internal audit activity must evaluate and contribute to the improvement of the organization's governance, risk management, and control processes using a systematic, disciplined and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
2200 Engagement Planning
2020 Engagement Planning: Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations. The plan must consider the organization's strategies, objectives and risks related to the engagement.
2201 Planning Considerations – In planning the engagement, internal auditors must consider:
- The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
- The significant risks to the activity's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model.
- The opportunity for making significant improvements in the activity's governance, risk management and control processes.
2200 Engagement Planning
2210 Engagement Objectives – Objectives must be established for each engagement.
2201.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives.
2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria.
COSO Overview
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations (American Accounting Association, American Institute of CPAs, Financial Executives International, The Institute of Internal Auditors and the Association of Accountants and Financial Professionals in Business) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
- Emphasizes the importance of management judgment in designing, implementing and conducting internal control and in assessing its effectiveness
- Applies to operations, reporting and compliance
- Comprised of five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring
- All 5 components have to be in place and operating to support an effective control environment
COSO
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people.
Risk Assessment: Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out.
Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time (ongoing, separate evaluations, or a combination).
COSO – Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Principles and points of focus:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- RA 6.5 Complies with applicable accounting standards
- RA 6.6 Considers materiality
- RA 6.7 Reflects entity activities
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- RA 7.1 Includes entity, subsidiary, division, operating unit, and functional levels
- RA 7.2 Analyzes internal and external factors
- RA 7.3 Involves appropriate levels of management
- RA 7.4 Estimates significance of risks identified
- RA 7.5 Determines how to respond to risk
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- RA 8.1 Considers various types of fraud
- RA 8.2 Assesses incentives and pressures
- RA 8.3 Assesses opportunities
- RA 8.4 Assesses attitudes and rationalizations
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
- RA 9.1 Assesses changes in the external environment
- RA 9.2 Assesses changes in the business model
- RA 9.3 Assesses changes in leadership
Internal Audit Application
Risk Assessment
Risk assessment is a systematic process for identifying and evaluating possible risks that could affect the organization in a negative manner as it pursues its goals and objectives. Such risks can be identified in the external environment (e.g. economic trends, regulatory landscape and competition) and within an organization's internal structure (e.g. people, process, policy and infrastructure).
Risk Assessment – Phase I: Understand the University & Define the Audit Universe
The objective of Phase I is to establish the audit universe by appropriately defining auditable units. Auditable units will be defined at sufficient granularity to identify all auditable units with unique risks and controls. Specifically, an auditable unit is a distinct process or function that could be audited by the University Audit department.
Examples of processes:
- Patch Management
- Vendor Management
- PCard
Examples of functions:
- Police Department
- Health Services
- Payroll (could be both)
- NCAA Compliance
An auditable unit does not map to one specific audit. There could be many audits over one specific auditable unit. Example: NCAA Compliance
Risk Assessment – Phase II: Define Risk Measures and Scale
Risk factors and descriptions:
- SIGNIFICANCE: Relevance in achieving the overall Mission and Strategic Objectives.
- FINANCIAL IMPACT OF CONTROL FAILURE: The risk of financial statement misstatement OR the potential financial loss based on a control failure or inadequately designed process and controls.
- LIKELIHOOD OF CONTROL FAILURE: The likelihood of financial statement misstatement OR the potential financial loss based on a control failure, inadequately designed controls or override of controls.
- MANAGEMENT OVERSIGHT: The degree and adequacy of management oversight and governance, as well as the degree of judgement required.
- ADEQUACY OF INTERNAL CONTROLS: The maturity level of the process related to defined process documentation, policies, procedures, and adequacy and effectiveness of internal controls, including the ability to detect opportunities to override controls.
- HUMAN RESOURCES: Level (knowledge and experience) and adequacy of staff, extent of turnover.
- OPERATIONS / COMPLEXITY: The difficulty or complexity of a process, the volume of transactions, potential for errors in processing, recording or reporting, and the potential for fraudulent activity.
- LEGAL / REGULATORY: The regulatory and legal exposure the university has related to the process. Risk arising from changes in laws, non-compliance with laws and rules, unfavorable judgements resulting in damage payments or voiding of contracts. The extent and impact of government or other regulation, including the geographic regions the organization interacts with.
- CHANGES: Frequency and breadth of changes in the environment, recent process changes, system upgrades or system implementations, extent of growth.
- LEVEL OF EXTERNAL OVERSIGHT: Frequency and breadth of coverage from independent external agencies or firms.
Risk Assessment – Phase II: Define Risk Measures and Scale
The risk assessment rates risk on a scale of 1 to 5, with 1 indicating the lowest level of risk and 5 indicating the highest level of risk. The definition of each rating is also where the specific components of COSO can be addressed.
Example rating scale for the SIGNIFICANCE risk factor:
1 – Process has little to no impact on the achievement of the organization's mission and strategic objectives.
2 – Process is minimally linked to the achievement of the organization's mission and strategic objectives.
3 – Process is moderately linked to the achievement of the organization's mission and strategic objectives.
4 – Process is highly linked to the achievement of the organization's mission and strategic objectives.
5 – Process is critical to the achievement of the organization's mission and strategic objectives.
Risk Assessment – Phase III: Identify and Measure Risk
Phase III encompasses the identification of stakeholders and the collection of risk information.
IDENTIFICATION OF STAKEHOLDERS: The objective of this phase is to appropriately identify those individuals who are best suited and have the most knowledge to effectively assess the level of risk and maturity of process within each auditable unit. Examples:
- Executive Leadership
- Senior Management
- Key Stakeholders
- Internal Audit
RISK COLLECTION: Information on risks will be collected annually via two primary channels: (1) a comprehensive survey and (2) interviews. The objective of this phase is to collect the most comprehensive and objective assessment of risk from stakeholders in a consistent and expedient manner. Risks will be formally assessed annually; however, significant changes to the environment may necessitate an interim risk assessment.
Risk Assessment – Phase IV: Prioritize Risks
Phase IV encompasses the weighting and calculation of the risk information collected in Phase III and the prioritization and classification of the auditable units. The objective of this phase is to appropriately group auditable units by their assessed risk.
RISK WEIGHTING AND CALCULATION: The results of Phase III are used to calculate a risk score for each auditable unit.
Step 1: Weightings are applied to the 10 risk factors so that the most critical factors carry more weight. The risk score for each auditable unit is calculated by weighting each risk measure and summing the weighted scores across all risk factors. For example, a risk measure with a weight factor of 200% is included in the Risk Score twice, whereas a risk measure with a weight factor of 100% is only included once.
Step 2: Determine how the different stakeholders are weighted to arrive at an average risk score. For example, Audit may be rated at 50% and the other stakeholders averaged together to make up the second half.
Important – Build in room for professional judgement.
Risk Assessment – Phase V: Approve and Report Risk Assessment
The Risk Assessment results will be summarized and reported annually (or more frequently if an interim assessment is required). The risk assessment will be reviewed and approved by the appropriate governing bodies.
Inherent vs Residual Risk
Inherent Risk is the risk arising out of circumstances existing in a process or environment in the absence of any controls or actions that might be in place to mitigate or reduce risk.
Residual Risk is the risk remaining in a process or environment after the application of controls or actions put in place to mitigate inherent risk.
INHERENT RISK -> CONTROLS -> RESIDUAL RISK
The Risk Assessment process utilizes risk measures for both Inherent and Residual Risk.
Inherent vs Residual Risk
INHERENT RISK measures:
- RM 1: Significance
- RM 2: Financial Impact
- RM 7: Operations
- RM 8: Legal/Regulatory
- RM 9: Changes
RESIDUAL RISK measures:
- RM 3: Likelihood of Control Failure
- RM 4: Management Oversight
- RM 5: Adequacy of Internal Controls
- RM 6: Human Resources
- RM 10: External Oversight
High Inherent & High Residual Risk: Process is critical to the achievement of organizational goals. Sufficient information is not available to assess the effectiveness of controls, or the control assessment does not indicate that controls are effective at reducing the high inherent risk level.
High Inherent Risk: Process is critical to the achievement of organizational goals. Because the effectiveness of internal control is "point in time", even high inherent risk processes with low residual risk should be audited regularly.
High Residual Risk: Controls and processes are not effective. Process may not be mature. The risk of control failure is likely. Significant improvement can be made in an area with HIGH residual risk.
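The Phase IV calculation (Step 1 factor weighting, Step 2 stakeholder weighting) carried through for one auditable unit and mapped onto the inherent and residual measure groups above, as an added example that is not part of the original presentation. The 200% weights on Significance and Adequacy of Internal Controls, the 3.5 "high" threshold and the survey ratings are constructed assumptions, not figures from the deck.

```python
"""Phase IV risk scoring for one auditable unit (constructed example)."""
from statistics import mean

# The ten risk measures from the Phase II factor table, in RM1..RM10 order,
# split into the inherent / residual groups from the Inherent vs Residual slide.
ALL_RM = tuple(f"RM{i}" for i in range(1, 11))
INHERENT = ("RM1", "RM2", "RM7", "RM8", "RM9")
RESIDUAL = ("RM3", "RM4", "RM5", "RM6", "RM10")

# Factor weights are an assumption for illustration: 200% counts a measure
# twice in the score, 100% counts it once, as the Phase IV text describes.
FACTOR_WEIGHT = {rm: 1.0 for rm in ALL_RM}
FACTOR_WEIGHT["RM1"] = 2.0   # Significance
FACTOR_WEIGHT["RM5"] = 2.0   # Adequacy of Internal Controls

AUDIT_SHARE = 0.5   # Audit rated 50%, other stakeholders share the other half
HIGH = 3.5          # constructed "high" threshold on the 1-5 rating scale


def ratings(*vals):
    """Build an RM1..RM10 rating dict from ten values on the 1-5 scale."""
    return dict(zip(ALL_RM, vals))


def blend_ratings(audit, others):
    """Step 2: per measure, 50% Audit rating + 50% average of the other stakeholders."""
    return {rm: AUDIT_SHARE * audit[rm] + (1 - AUDIT_SHARE) * mean(o[rm] for o in others)
            for rm in ALL_RM}


def weighted_score(blended, measures):
    """Step 1: weighted sum over a group of measures, normalised back to the 1-5 scale."""
    total = sum(FACTOR_WEIGHT[rm] for rm in measures)
    return sum(FACTOR_WEIGHT[rm] * blended[rm] for rm in measures) / total


def classify(inherent, residual):
    """Map the two scores onto the categories used to prioritise auditable units."""
    if inherent >= HIGH and residual >= HIGH:
        return "High Inherent & High Residual"
    if inherent >= HIGH:
        return "High Inherent"
    if residual >= HIGH:
        return "High Residual"
    return "Lower priority"


def score_unit(audit, others):
    """Return (inherent score, residual score, category) for one auditable unit."""
    blended = blend_ratings(audit, others)
    inh = weighted_score(blended, INHERENT)
    res = weighted_score(blended, RESIDUAL)
    return round(inh, 2), round(res, 2), classify(inh, res)


def patch_management_example():
    """Constructed survey ratings for the 'Patch Management' process (RM1..RM10)."""
    audit = ratings(5, 4, 4, 3, 4, 3, 4, 3, 5, 2)       # Internal Audit
    others = [ratings(4, 3, 3, 3, 3, 2, 3, 3, 4, 2),    # IT leadership
              ratings(4, 4, 3, 2, 3, 3, 3, 2, 4, 2)]    # process owner
    return score_unit(audit, others)   # -> (3.92, 3.0, 'High Inherent')
```

The sample unit lands in the "High Inherent" group: critical to the mission but with controls rated as adequate, which is exactly the case the slide says should still be audited regularly because control effectiveness is point in time.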
Audit Methodology
Internal Audit Application IIA Standards and COSO
Risk Assessment
2010: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals. {Phases I-IV} The results of Phase IV drive the creation of the Audit Plan, based on a predefined audit cadence using the risk rating.
2010.A1 – The Internal Audit Plan must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. {Phase III and Phase V}
COSO – Risk Assessment: principles and points of focus mapped to the IA Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- RA 6.5 Complies with applicable accounting standards -> RM 8: Legal/Regulatory
- RA 6.6 Considers materiality -> RM 2: Financial Impact of Control Failure
- RA 6.7 Reflects entity activities -> RM 1: Significance
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- RA 7.1 Includes entity, subsidiary, division, operating unit, and functional levels -> Risk Assessment Phase I (Identify Auditable Units)
- RA 7.2 Analyzes internal and external factors -> Multiple factors for internal; RM 8: Regulatory/Legal (external)
- RA 7.3 Involves appropriate levels of management -> Risk Assessment Phase III (Identify Stakeholders)
- RA 7.4 Estimates significance of risks identified -> RM 2: Financial Impact of Control Failure; RM 3: Likelihood of Control Failure
- RA 7.5 Determines how to respond to risk -> Risk Assessment Phase IV: Prioritize Risk; Risk Assessment Phase V: Approve and Report
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- RA 8.1 Considers various types of fraud -> RM 5: Adequacy of Internal Controls; RM 6: Human Resources; RM 7: Operations/Complexity
- RA 8.2 Assesses incentives and pressures -> RM 4: Management Oversight; RM 7: Operations/Complexity
- RA 8.3 Assesses opportunities
- RA 8.4 Assesses attitudes and rationalizations
COSO – Risk Assessment: principles and points of focus mapped to the IA Risk Assessment (continued)
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
- RA 9.1 Assesses changes in the external environment -> RM 8: Legal/Regulatory; RM 9: Changes
- RA 9.2 Assesses changes in the business model -> RM 6: Human Resources
- RA 9.3 Assesses changes in leadership
Audit Methodology
2100 Nature of Work: The internal audit activity must evaluate and contribute to the improvement of the organization's governance, risk management, and control processes using a systematic, disciplined and risk-based approach.
As part of R&C:
- Each objective includes associated risks
- Each risk is assessed for impact and likelihood
- Each control is assessed to determine if the control is designed to mitigate the risk: robustness, frequency, threshold, triggers for follow up, IPE, qualifications of the control owner
- Each control is mapped to the appropriate COSO component
Remember: All 5 components have to be in place and operating to support an effective control environment
Audit Methodology
2020 Engagement Planning: Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations. The plan must consider the organization's strategies, objectives and risks related to the engagement.
As part of Planning:
- Known risks/concerns are captured as part of the formal project plan.
- Project risks and mitigating actions are captured as part of the formal project plan.
Audit Methodology
2210 Engagement Objectives – Objectives must be established for each engagement.
2201.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. [Planning: Audit Announcement]
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives. [Planning: Audit Announcement, then refined based on UTB]
2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria. [Testing]
Questions?