Business Assurance Service An explanation of risk based auditing and reporting Anthony Garnett, Head of BAS February 2008.


Risk based internal auditing

Traditional Internal Audit (Policies > Audit > Reporting):
- Starts with policies and agreed procedures
- Considers what management have stated should occur
- Rules based
- Focused on compliance and conformance
- Policeman role
- Focuses on discrete systems (may risk prioritise systems)
- Sample testing of ‘transactions’
- Historically focused on financial processes
- Reports based on reporting exceptions
- Reports operationally focused
- Reports at low level
- Identify minor issues
- Easy to respond to as focus on discrete systems and departments
- Conclusions based on levels of compliance / operation of controls

Risk Based Internal Audit (Objectives > Risks > Audit > Reporting):
- Starts with objectives as agreed by management. Where no clear objectives have been agreed (absence of a policy or strategy), imputed objectives are considered
- Role is not to challenge objectives
- Objectives cover many systems, processes and departments
- Consider risks that flow from objectives
- Will use management’s own risk assessment where one is present (this is not the case at the University for most areas)
- Audit will perform a risk assessment identifying the risks and scoring risks
- Audit work considers risks to objectives and will look for expected controls / mitigating actions
- The work will follow the risk, so if a risk is managed across a number of departments the audit will consider how to assess this and work across the departments
- Audit is qualitative and based on professional judgement
- Audit covers all processes and systems across the institution
- Audit asks not just ‘is the University doing things right?’ [compliance / operation of controls] but ‘is it doing the right things?’ [effectiveness / design of controls]
- Report identifies risks and makes suggestions for management to consider to mitigate identified risks
- Risks prioritised at strategic and operational level
- Qualitative and professional judgement applied to risk grading and conclusions
- Reports become a dialogue and are co-produced with management
- Recommendations are not prescriptive but are suggestions

Report format
- Clear risk grading based on net risk exposure to the University from the current arrangements in place over the process or system reviewed
- Clear tracking of the report based upon the dates agreed with management in the scope. Note that for BAS KPIs the protocol will be used to report on these, as these measure stage-to-stage performance
- Clear version control
- Clear UEC and process owner sponsor, as agreed in the scope

Report format
- 2 page executive summary
- Clear opinion on the adequacy of controls as operated (compliance) and as designed (effectiveness against objectives)
- Risk grading given (maps to front of report) based upon the net risk exposure, taking into account current controls in place
- Summary of the risks identified within the report, categorised by the size of the risk. Also a one line italicised summary of the agreed University action. Top three categories only.
- Grading of recommendations by the size of the risk. Categorisation below.

Risk Priorities
- University-wide significant strategic risk: a risk that significantly impacts on the achievement of one or many of the University’s strategic objectives.
- University-wide important strategic risk: a risk that has an important impact on the achievement of one or many of the University’s strategic objectives.
- University operational significant risk: a risk that significantly impacts on an operational department or process and on the achievement of one or many University operational objectives.
- University operational important risk: a risk that has an important impact on an operational department or process and on the achievement of one or many University operational objectives.

Report format
- Report points linked under themes that align to either management responsibility or linked areas of operation
- Risk grading given to each risk and colour coded to scale (on previous page) to enable quick navigation of the report
- Suggested recommendations to address the risks identified. This may refer to appendices where best practice ideas or benchmarking is provided
- Space to record planned University actions. This includes a due date and assigned person responsible for the action. The four potential University responses to actions are listed below.

Delivery protocol (include in report)

Type 1
  University response to risk identified: Agree with risk
  University response to suggested recommendation: Agree with recommendation as stated
Type 2
  University response to risk identified: Agree with risk
  University response to suggested recommendation: Note the recommendation but propose an alternative on cost or other grounds
Type 3
  University response to risk identified: Agree with risk
  University response to suggested recommendation: Consider risk is acceptable and propose no action
Type 4
  University response to risk identified: Disagree with risk
  University response to suggested recommendation: Disagree with action identified and propose no action

Report format
- Risk map illustrates a selection of risks considered by the audit to the University’s objectives for the process audited. The aggregate net risk should align to the risk grading of the report.