Audit Risk Assessment Model

Presentation transcript:

Risk-Based Audit
Audit Risk Assessment Model (Excel model included in last slide)
14/11/61

Audit Risk Model
Purpose: to prioritize the audit schedule for creation of the audit plan.
All risks are relative, but they can be compared by combining three key factors with equal overall weighting:
Inherent Risk (IR): size of the risk or exposure.
Control Risk (CR): likelihood that the risk will materialize.
Detection Risk (DR): probability of detection if the risk materializes.

Risk-Based Planning - Steps
Create the audit universe by dividing functions or systems into auditable areas.
The whole business population must be covered, and the division approach must be consistent.
Evaluate risks in each function or system throughout the universe to create a score for IR, CR, and DR.
Sub-categories in IR, CR, and DR are given different weightings to reflect their relative importance.
Combine the scores to create an overall result which can be ranked alongside the results for all other functions or systems.

Risk Factors
Inherent Risk (IR)
Parameters relating to the size of the exposure or risk:
A = Combined value of annual income and expenditure
B = Number of employees involved
C = Impact on the organization
D = Volume of transactions per month

Risk Factors
Control Risk (CR)
Parameters relating to the likelihood of the risk materializing:
F = Impact of Management and Staff
G = Third Party Sensitivity
H = Standard of Internal Control
J = Likelihood of Occurrence

Risk Factors
Detection Risk (DR)
Parameters relating to the probability of unwanted consequences being detected if they do materialize:
K = Likely effectiveness of audit
L = Duration of the audit
M = Length of time since last audit
N = Effectiveness of other assurance providers

Aggregate Risk Score
Formula used for calculation of the risk factor:

$$\underbrace{\frac{2A + B + 3C + D}{35}}_{\text{Inherent}} \times \underbrace{\frac{2F + G + 3H + 3J}{45}}_{\text{Control}} \times \underbrace{\frac{K + 2L + 2M + 2N}{35}}_{\text{Detection}}$$

The result is multiplied by 200.

Audit Interval
Assessment of results

Score      Rating
>80        E - Top Priority
60 - 79    H - Critical topic for review
40 - 59    M - Important to tackle
20 - 39    L - Lower priority but still valid audit topic
<19        N - Audit probably unnecessary
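The aggregate score and the priority bands from the two slides above, applied to a small audit universe and ranked. This is an added example, not part of the presentation or its Excel model. It assumes each factor is rated 1 to 5 (inferred from the divisors 35, 45 and 35) and treats each band edge as an inclusive lower bound; the area names and ratings are constructed.

```python
# Added example (not from the presentation): score and rank an audit universe.
# Weights per factor, taken from the slide's formula.
IR_WEIGHTS = {"A": 2, "B": 1, "C": 3, "D": 1}
CR_WEIGHTS = {"F": 2, "G": 1, "H": 3, "J": 3}
DR_WEIGHTS = {"K": 1, "L": 2, "M": 2, "N": 2}
MAX_RATING = 5  # assumption: each factor is rated 1..5 (7*5=35, 9*5=45)
# Assumption: band edges are inclusive lower bounds; the slide leaves
# exactly 80 and the 19-20 range unassigned.
BANDS = [(80, "E"), (60, "H"), (40, "M"), (20, "L")]


def component(ratings, weights):
    """Weighted sum of ratings divided by its maximum (35 or 45)."""
    total = 0
    for factor, weight in weights.items():
        rating = ratings[factor]  # KeyError exposes an unscored factor
        if not 1 <= rating <= MAX_RATING:
            raise ValueError(f"{factor}={rating} is outside 1..{MAX_RATING}")
        total += weight * rating
    return total / (MAX_RATING * sum(weights.values()))


def aggregate_score(ratings):
    """IR x CR x DR, multiplied by 200 as the slide states."""
    return 200 * (component(ratings, IR_WEIGHTS)
                  * component(ratings, CR_WEIGHTS)
                  * component(ratings, DR_WEIGHTS))


def band(score):
    """Map a score to the E/H/M/L/N priority letter."""
    for floor, letter in BANDS:
        if score >= floor:
            return letter
    return "N"


def rank_universe(universe):
    """Return (area, score, band) tuples, highest score first."""
    rows = [(name, round(aggregate_score(r), 1)) for name, r in universe.items()]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(name, score, band(score)) for name, score in rows]


# Constructed sample universe; area names and ratings are illustrative.
UNIVERSE = {
    "Payroll": dict(A=3, B=2, C=3, D=2, F=2, G=3, H=2, J=2, K=2, L=2, M=3, N=2),
    "Core banking system": dict(A=5, B=4, C=5, D=5, F=3, G=4, H=3, J=3, K=3, L=4, M=4, N=3),
    "Branch cash handling": dict(A=3, B=3, C=3, D=3, F=3, G=3, H=3, J=3, K=3, L=3, M=3, N=3),
}
```

Under the 1 to 5 rating assumption the score ranges from 1.6 to 200, so an area can land in the top band with every factor well below its maximum.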

Aggregate Risk Factor

Audit Risk Priority

Long-term Audit Plan

Audit Resource Planning

Risk Scoring Sheet

Risk Scoring Sheet

Risk Scoring Sheet

Inherent Risk (IR)
A - Combined value of annual income and expenditure (Baht) or value of business it supports
Up to 10M
Between 10M - 40M
Between 40M - 200M
Between 200M - 400M
Over 400M

Inherent Risk (IR)
B - Number of employees involved / persons able to access
Up to 10
11 to 30
31 to 50
51 to 100
Over 100

Inherent Risk (IR)
C - Impact on the organization
Insignificant: Low financial loss, no disruption to capability, no impact on community standing
Minor: Medium financial loss, minor disruption to capability, minor impact on community standing
Moderate: High financial loss, some ongoing disruption to capability, modest impact on community standing
Major: Major financial loss, ongoing disruption to capability, major impact on community standing
Catastrophic: Mission critical financial loss, permanent disruption to capability, and ruinous impact on community standing

Inherent Risk (IR)
D - Volume of business transactions or user activities (per month)
Fewer than 500
501 to 2500
2501 to 5000
5001 to 15,000
Over 15,000

Control Risk (CR)
F - Impact of management and staff / IT staff and users
a) Quality of Management
b) Extent of Staff Turnover
c) Length of time operation has been within the business
d) Degree of expressed concern by management
e) Management's attitude to risk taking
f) Morale of Staff

Control Risk (CR)
F - Impact of management and staff / IT staff and users
Top quality management and staff with low turnover of both, in an operation which has been in existence for more than three years and about which no known concern is being expressed
High quality management and staff
Medium quality management and staff
Below average quality management and staff
Poor management and staff with high turnover of both, in an operation which has been in existence for less than three months and about which a great number of concerns is being expressed

Control Risk (CR)
G - Third party / outsourced service provider sensitivity
a) Tax Implications
b) Extent of Regulatory Requirements
c) Legal Implications / privacy / fraud
d) Service delivery and availability

There are no tax, legal, regulatory or other third party implications
Low sensitivity
Moderate
High sensitivity
Very significant third party sensitivity is present

Control Risk (CR)
H - Standard of internal control
a) Means of authority to commit (e.g. none, sole, sole with review, dual, committee)
b) Extent of losses
c) Scope for intentional manipulation
d) Vulnerability to fraud
e) Degree of technical sophistication of systems
f) Extent to which standard systems are being used
g) Extent to which operating manuals are complied with
h) Extent of recent reorganizations and system changes
i) Known factors which should ring warning bells
j) Reliability of last internal control review
k) Extent of weakness highlighted in last internal control review
l) Strength of accounting systems
m) Extent of formal procedures
n) Other IT security and controls

Control Risk (CR)
H - Standard of internal control
Excellent: with no known significant re-organizations or systems changes; little known scope for intentional manipulation
Above Average: with standard systems in use throughout
Sound
Known or suspected to be weak
Known or suspected to be very unsound

Control Risk (CR)
J - Likelihood of occurrence - related to the level of Impact on the organization of Factor C (Relative Probability %)
Rare: The risk/loss events may occur only in exceptional circumstances (0% - 3%)
Unlikely: The risk/loss events could occur at some time (+3% - 30%)
Possible: The risk/loss events might occur at some time (+30% - 60%)
Likely: The risk/loss events will probably occur in most circumstances (+60% - 97%)
Almost Certain: The risk/loss events are expected to occur in most circumstances (+97%)

Detection Risk (DR)
K - Likely effectiveness of audit
a) Willingness and ability of client to react positively to results of audit
b) Extent to which relevant specialist skills are available to internal audit
c) Ability to conduct a competent audit
d) The degree of need for thorough audit follow-up
e) The quality of internal audit systems documentation
f) Knowledge of business and experience of staff
g) Involvement and availability of management

Detection Risk (DR)
K - Likely effectiveness of audit
There are significant constraints that are likely to preclude doing an effective audit, i.e. a function with novices, high turnover of experienced staff, with a little knowledge of the business together with poor line management
Likely to have some constraint to effective audit
Medium constraint to effective audit
Unlikely constraint to effective audit
There are no significant constraints that are likely to preclude doing an effective audit, i.e. a well-established function with fully experienced and trained staff with a good knowledge of the business together with receptive and focused line management

Detection Risk (DR)
L - Duration of the audit
Over 70 days
41 to 70 days
21 to 40 days
10 to 20 days
Less than 10 days

Detection Risk (DR)
M - Length of time since the last review
Less than 12 months, or closely observed or involved during implementation phase
Between 12 and 18 months
Between 18 and 24 months
Between 24 and 36 months
More than 36 months, or never audited

Detection Risk (DR)
N - Effectiveness of other assurance providers
Regular internal, QA and other audits with no significant findings
Regular internal, QA and other audits with some significant findings
No other audit work completed
Regular internal, QA and other audits with many significant findings
Continual significant problems identified by assurance reviews

Q&A
PAIRAT SRIVILAIRIT, CIA CCSA CFSA CBA CISA CISSP CFE FSVP
Head of Internal Audit
TISCO Financial Group Public Company Limited
Mobile: +668 1903 1457
Office: +66 2633 7821
Email: pairat@tisco.co.th