Eliot M. Stenzel, CPA, CIA, IIA Instructor for many years. 220-3198 Risk Based Auditing.


Risk Based Auditing
Eliot M. Stenzel, CPA, CIA, IIA Instructor for many years

We all owe a debt to
– Luca Brazi
– Luciano Pavarotti
– Luca Pacioli

Overview
Risk-based auditing is perhaps the only way for an audit organization to add value to management and fulfill its charter responsibility to the independent directors. YOU MUST BE ABLE TO RESPOND TO “SO WHAT?!”

TYPES OF AUDITING
– OPERATIONAL
– PERFORMANCE
– COMPLIANCE
– FINANCIAL

IA done in a vacuum or devoid of the stakeholders' concerns will not be accepted, and you will find yourself in constant battle just to be heard.

2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

IPPF
2120: Risk Management – Exposure, Fraud, Consulting, Knowledge, Limitations
2130: Control – Adequacy and Effectiveness, Goals and Objectives, Consistency, Consulting, Knowledge gained

Activity: My Organization's Strengths and Weaknesses
– What are the strengths and best practices for the risk-assessment process in your organization?
– What are the weaknesses and challenges to the risk-assessment process in your organization?
– What is the current role of internal auditing in your organization?
– What are the opportunities for internal auditing in your organization?

Should IA get involved in operations? If so, it is not IA but consulting. You may actually get a better reception if you are willing to roll up your sleeves and get your hands dirty side by side with your clients. In this case you must evaluate your position with the entity as a provider of assurance or a provider of solution implementation. Corporate governance is the foundation of risk-based auditing and should be understood before proceeding.

Chicken or Egg: Which comes first?
– Personnel or Processes
– Procedure or Policy

Framework for Corporate Governance:
– Compliance with legal or regulatory requirements
– Internal control assessment and reporting
– Enterprise risk management
– Quality initiatives
– Transparency and disclosure
– Governance structures and processes

Inherent and Residual Risk
– Inherent risk – exists before applying controls
– Residual risk – remains after controls are applied
– Does your organization understand the difference between inherent and residual risk?
– Who owns risk?
– Authorize, initiate, record, process, monitor

Effectiveness versus Control

Assumptions for Risk Management
– All organizations exist to add value for stakeholders.
– All organizations face uncertainty.
– Value is created, preserved, or eroded by management decisions.
– ERM is an enabler of the management process.
– It is interrelated to governance.
– It is interrelated to performance management.

Benefits
– Aligns risk appetite and strategy
– Links growth, risk, and return
– Enhances risk response decisions
– Minimizes operational surprises and losses

CONTROL
IA MUST ASSIST MANAGEMENT IN PROVIDING GOOD CONTROL
– Authorize
– Initiate
– Record
– Process
– Monitor

Components of Internal Control (and ERM)
– Control (internal) environment
– Objective setting (ERM)
– Event identification (ERM)
– Risk assessment
– Risk response (ERM)
– Control activities
– Information and communication
– Monitoring

Risk Management Factors
– Objectives aligned with organization's strategy, vision, and values
– Risks identified
– Risks assessed considering impact and likelihood
– Risk response, aligning risks with enterprise risk appetite
– Change management
– Forward-looking

Control Activities Factors
– Preventative, directive, manual, computer, and management
– Policies, principles, and procedures (The principles were not noted in the original COSO framework.)
– Integrated with risk assessment

Information and Communications Factors
Information
– Strategic and integrated systems
– Systems support strategic initiatives
– Integration with operations
– Quality of information (e.g., data integrity, complete information, and information related to strategic objectives)
Communication
– Internal
– External

Monitoring Factors
– Operational reports and MIS
– External parties
– Organizational structure
– Self-assessments
– Audits

Limitations
– Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement
– Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved

Limiting Factors
– Judgment
– Breakdowns
– Overrides
– Collusion
– Cost versus benefits

The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
– Reliability and integrity of financial and operational information;
– Effectiveness and efficiency of operations;
– Accomplishment of objectives;
– Safeguarding of assets; and
– Compliance with laws, regulations, and contracts.

Performing an Entitywide Risk Assessment
– Inventory the business processes, activities, or organizations that account for all organizational risks.
– Determine impact of inherent risk.
– Determine likelihood of inherent risk.
– Weigh the risk factors.
– Assign relative risk score.
– Gain consensus from the audit committee.

Glossary
Business Process – GAO: A collection of related, structured activities — a chain of events — that produce a specific service or product for a particular customer or customers.
Business Process – Anonymous: A series of actions that is definable, repeatable, and measurable that supports the organization's objectives.

Developing an Audit Plan (2200)
– Inventory the business processes or activities.
– Establish risk factors that apply to all processes or activities.
– Risk rank the auditable universe.
– Assign workload estimates to each unit.
– Assign any coverage rules.
– Develop full coverage plan.

Developing an Audit Plan (2000)
– Consider resources.
– Identify gaps.
– Commit to constrained resources plan.
– Gain consensus from audit committee and management.
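The entity-wide risk assessment and audit-plan steps above, carried through in code as an added example that is not part of the original presentation: the factor weights, the cycle thresholds, and the four-unit auditable universe are constructed, and residual risk is taken as inherent risk less the share the controls remove.

```python
from dataclasses import dataclass

# Constructed weights for the risk factors applied to every unit (they sum to 1.0).
FACTOR_WEIGHTS = {"financial": 0.4, "regulatory": 0.3, "change": 0.2, "history": 0.1}

@dataclass
class AuditableUnit:
    name: str
    impact: dict                  # factor -> impact score 1..5 (constructed)
    likelihood: int               # 1..5
    control_effectiveness: float  # 0..1, share of inherent risk the controls remove
    hours: int                    # workload estimate for one engagement

def inherent_score(u: AuditableUnit) -> float:
    # Weighted impact times likelihood, before any control is taken into account.
    impact = sum(FACTOR_WEIGHTS[f] * s for f, s in u.impact.items())
    return round(impact * u.likelihood, 2)

def residual_score(u: AuditableUnit) -> float:
    # Risk remaining after the controls in place; this is what the ranking uses.
    return round(inherent_score(u) * (1 - u.control_effectiveness), 2)

def coverage_rule(residual: float) -> int:
    # Required audit cycle in years for a residual score (constructed thresholds).
    return 1 if residual >= 12 else 2 if residual >= 6 else 3

def rank_universe(units: list) -> list:
    # Risk-rank the auditable universe, highest residual risk first.
    return sorted(units, key=residual_score, reverse=True)

def build_plan(units: list, available_hours: int) -> tuple:
    # Fund engagements in rank order while hours remain; units that need annual
    # coverage but did not fit the constrained budget are reported as gaps.
    plan, gaps, left = [], [], available_hours
    for u in rank_universe(units):
        if u.hours <= left:
            plan.append(u.name)
            left -= u.hours
        elif coverage_rule(residual_score(u)) == 1:
            gaps.append(u.name)
    return plan, gaps

UNIVERSE = [  # constructed: name, impact factors, likelihood, control effectiveness, hours
    AuditableUnit("Treasury", {"financial": 5, "regulatory": 4, "change": 2, "history": 3}, 4, 0.5, 400),
    AuditableUnit("Payroll", {"financial": 4, "regulatory": 5, "change": 1, "history": 2}, 3, 0.7, 300),
    AuditableUnit("Access management", {"financial": 3, "regulatory": 4, "change": 5, "history": 4}, 5, 0.2, 350),
    AuditableUnit("Facilities", {"financial": 2, "regulatory": 2, "change": 1, "history": 1}, 2, 0.6, 200),
]

print(build_plan(UNIVERSE, 700))  # -> (['Access management', 'Payroll'], [])
```

Cutting the budget to 300 hours drops the top-ranked unit and surfaces it as a gap, which is the case to take back to the audit committee when committing to a constrained plan.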

Performing the Engagement (2300)
– Reassess the risk assumptions of the auditable unit.
– Understand the business process and its objectives.
– Identify the risks to the objectives.
– Measure and prioritize risks.
– Identify controls and evaluate the design.
– Develop audit objectives and program.

Definition of Objective – Attributes:
– Clearly defined deliverable or outcome
– Includes the business event that triggers the process
– States inputs and outputs
– Includes business decisions that are part of the event response
– May indicate flow of material or information between process steps

Risks
– Risk is any event occurring that will have an impact on the achievement of objectives and is measured in terms of impact and likelihood.
– Examples?

Risk Management
– Avoid
– Transfer
– Accept
– Reduce to acceptable level via controls

Evaluating Controls
– Adequacy: Determine whether the process, as designed, provides reasonable assurance (operational auditing).
– Effectiveness: Determine whether the process is functioning as intended (transactional testing).

Rules of Engagement
– Personnel trumps policy and procedure
– Economics trumps personnel, rules, regulations, policy and procedure

Internal Audit Questionnaire
Who, What, When, Where, How and Why:
– Authorizes
– Initiates
– Records
– Processes
– Monitors

IA Self Assessment
1. Can they trust you to deliver what you promised?
2. Do you truly care about helping them and their business succeed?
3. Do you understand their business and their industry?
4. Do you understand their current situation — including their issues and goals?
5. How have you helped clients overcome similar problems or achieve similar goals?
6. Will you be proactive in the relationship?
7. Will you provide ongoing new insight or strictly a commodity-type service?
8. How often will they see the team's leader?
9. Who will actually be doing the work?
10. Will the service team change frequently?