What is Internal Audit’s Role?

1 What is Internal Audit's Role?
Risk Assessment: What is Internal Audit's Role?

2 Learning Objectives
Presented by Paragon Audit & Consulting

- Risk and the Importance of a Risk Assessment
- Discussion of the COSO Principles
- Key Steps in Performing a Risk Assessment
- Communicating the Risk Assessment to the Audit Committee
- DOs and DON'Ts
- Looking past the horizon

Speaker notes: Management and auditors need to consider all risks that could hinder the company from achieving its goals. Material misstatement is just the most important of those in the eye of the auditor.

3 Risk and the Importance of a Risk Assessment
What is Risk? Risk is anything that slows down an organization in achieving its objectives.

4 Risk and the Importance of a Risk Assessment
What is a Risk Assessment? A risk assessment involves identifying and analyzing the relevant risks that threaten the achievement of an organization's objectives, and determining how those risks should be managed.

5 Risk and the Importance of a Risk Assessment
Why is a Risk Assessment Important?
- Proactive approach to removing potential barriers threatening the success of an organization
- Helps an organization focus resources
- Required by COSO
- IIA Performance Standard 2010 (Planning): the CAE should determine the priorities of the internal audit activity consistent with the organization's goals, based on a risk assessment

6 Discussion of the COSO Principles
The 17 principles of the 2013 COSO Internal Control framework, grouped by component:

Control Environment
1. Demonstrates Commitment to Integrity and Ethical Values
2. Exercises Oversight Responsibility
3. Establishes Structure, Authority, and Responsibility
4. Demonstrates Commitment to Competence
5. Enforces Accountability

Risk Assessment
6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies and Analyzes Significant Change

Control Activities
10. Selects/Develops Control Activities
11. Selects/Develops General Controls over Technology
12. Deploys through Policies and Procedures

Information and Communication
13. Uses Relevant Information
14. Communicates Internally
15. Communicates Externally

Monitoring Activities
16. Conducts Ongoing and/or Separate Evaluations
17. Evaluates and Communicates Deficiencies

(Slide image: COSO cube)

7 COSO Principles Focused on Risk Assessment
The Risk Assessment component of the framework is Principles 6 through 9. Principle 10 is included here because control activities must integrate with the risk assessment. Each is covered on the slides that follow:

6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies and Analyzes Significant Change
10. Selects/Develops Control Activities

(Slide image: COSO ERM cube)

11 Principle 6: Specifies Suitable Objectives
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus: Operations Objectives
- Reflects Management's Choices
- Considers Tolerances for Risk
- Includes Operations and Financial Performance Goals
- Forms a Basis for Committing of Resources

Speaker notes: I noticed an interesting statistic when preparing this presentation. There are 27 points of focus in the risk assessment principle evaluation section of the COSO framework, and over half of them (15) are in the section on objectives.

12 Principle 6: Specifies Suitable Objectives
Points of Focus: External Financial Reporting Objectives
- Complies with Applicable Accounting Standards
- Considers Materiality
- Reflects Entity Activities

Points of Focus: External Non-Financial Reporting Objectives
- Complies with Externally Established Standards and Frameworks
- Considers the Required Level of Precision

13 Principle 6: Specifies Suitable Objectives
Points of Focus: Internal Reporting Objectives
- Reflects Management's Choices
- Considers the Required Level of Precision
- Reflects Entity Activities

Points of Focus: Compliance Objectives
- Reflects External Laws and Regulations
- Considers Tolerances for Risk

14 Principle 7: Identifies and Analyzes Risk
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Points of Focus
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
- Analyzes Internal and External Factors
- Involves Appropriate Levels of Management
- Estimates Significance of Risks Identified
- Determines How to Respond to Risks

15 Principle 8: Assesses Fraud Risk
The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus
- Considers Various Types of Fraud
- Assesses Incentives and Pressures
- Assesses Opportunities
- Assesses Attitudes and Rationalizations

16 Principle 9: Identifies and Analyzes Significant Change
The organization identifies and assesses changes that could significantly impact the system of internal control.

Points of Focus
- Assesses Changes in the External Environment
- Assesses Changes in the Business Model
- Assesses Changes in Leadership

17 Principle 10: Selects and Develops Control Activities
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Points of Focus
- Integrates with Risk Assessment: control activities help ensure that the risk responses that address and mitigate risks are carried out.

18 Key Steps in Performing a Risk Assessment
Phase One: Create an Audit Universe Map
- Note key process owners at the VP level
Phase Two: Identify Objectives and Risks
- Interview key process owners and analyze data
Phase Three: Rate and Rank Risks
- Used to create the audit plan (Risk Response)

Throughout the entire process: determine how the organization is complying with the COSO Framework.

Speaker notes: For the nature of the company, it is important to know its size, its industry, and its goals and objectives. Management should be transparent and knowledgeable. If there is a lot of executive-level turnover (or a lot of turnover in general), that may be a red flag that management is not of high quality and may not enforce policies and procedures well; this raises the risk that the financial statements are misstated. When speaking with employees and observing on-site, notice the culture, how employees feel about management and the current policies and processes, and their overall attitude. Interview and observe employees at all levels of the business to get the whole picture. Trend analysis, ratio analysis, reasonableness tests, and reviewing prior audit results are all good ways to analyze a company's track record and possible risks.

19 Key Steps in Performing a Risk Assessment
Phase One: Create an Audit Universe Map
Recognizing the nature of the company, identify and document:
- All Business Units or Departments
- Key Processes
- Supporting IT Infrastructure
Determine the auditable entities and segment them by (1) business process, (2) physical location, and (3) IT systems.
Hold discussions with management to understand emerging risks and the prominent risk factors for each entity.

20 Key Steps in Performing a Risk Assessment
Example of the audit universe:
- Sales: Retail, Business Sales, Sales Operations, etc.
- Operations: Planning, Production, Distribution
- Finance: Accounting, Procurement, Real Estate
- IT: Development, Infrastructure

21 Key Steps in Performing a Risk Assessment
Phase Two: Identify Objectives and Risks
- Always start with the organization's objectives
- Determine whether the objectives are in line with the organization's mission and vision
- Interview employees and do some on-site observations
- Review key metrics, trends, processes and documentation
- Examine the quality of management
- Analyze the Risk Factors disclosed in the annual 10-K filing
- Review external factors and recent problems identified at other companies

22 Key Steps in Performing a Risk Assessment
Phase Two: Identify Objectives and Risks (Continued)
During discussions with management, inquire about recent or upcoming changes in the following:
- Regulatory environment
- Technology
- Management
- Lines of business, or business acquisitions/divestitures
- Risk appetite
- Any known or projected economic factors

23 Top 10 Business Risks in 2016 (Allianz Study)
Study conducted through interviews with risk experts across 40 countries. More than one risk could be selected, so the percentages do not add up to 100%.
(Chart of the top 10 risks; not reproduced in the transcript.)

25 Key Steps in Performing a Risk Assessment
Phase Three: Rate and Rank Risks
- Complete interviews with the IA team, Corporate Compliance, senior management and the external auditors
- Identify the current means by which management mitigates risks
- Document the key inherent risks, the mitigating controls and the residual risks
- Design a measurement system for the likelihood and impact of identified risks, and give consideration to vulnerability
- Work with senior management to rate and rank the key risks
- Compare risks across departments and normalize outliers

26 Key Steps in Performing a Risk Assessment
Draft rating and ranking measurements for impact and likelihood. Consider the following drivers:

Impact
- Financial
- Reputational
- Regulatory
- Employee Safety
- Staff Morale

Likelihood
- Controls are weak or nonexistent
- Area and processes are complex
- Processes are highly manual
- High department turnover
- Department is new

27 Key Steps in Performing a Risk Assessment
Example scoring worksheet: each impact and likelihood driver is scored per risk, then averaged.

| Risk | Impact: Financial | Impact: Etc. | Impact: Avg. | Likelihood: Internal Controls | Likelihood: Complex Process | Likelihood: ... |
| Accepting customers with poor credit | 4 | 5 | 4.5 | 1 | 2 | 3 |
| Sales comp. plan not meeting objectives | | | | | | |

(The heading of the third likelihood column and the scores for the second row are not in the transcript.)
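The Phase Three steps (score each impact and likelihood driver, average them, record inherent and residual risk, then compare across departments and normalize outliers) and the inherent-versus-residual heat-map placement used for the Audit Committee summary, carried through in working code. This is an added example written for this transcript, not a tool from the presentation or from Paragon Audit & Consulting. The 1-5 driver scale, the 3x3 heat-map band thresholds, applying control effectiveness to likelihood only, the per-department mean shift used to normalize, and the sample risks are all assumptions; only the first sample row's impact scores (4 and 5, averaging to 4.5) come from the worksheet above.

```python
from statistics import mean

# Driver lists from the "Draft rating and ranking measurements" slide.
# Every driver is scored on a 1-5 scale (assumption; the deck fixes no scale).
IMPACT_DRIVERS = ("financial", "reputational", "regulatory", "employee_safety", "staff_morale")
LIKELIHOOD_DRIVERS = ("weak_controls", "complex_process", "manual_process",
                      "high_turnover", "new_department")
SCALE_MIN, SCALE_MAX = 1, 5


def driver_average(scores, drivers):
    """Average the drivers that were actually rated. Unrated drivers (employee
    safety for a finance process, say) are skipped rather than counted as 0,
    which would silently deflate the risk; unknown driver names and
    out-of-scale values are rejected instead of being averaged in."""
    unknown = set(scores) - set(drivers)
    if unknown:
        raise ValueError(f"unknown drivers: {sorted(unknown)}")
    rated = [scores[d] for d in drivers if d in scores]
    if not rated:
        raise ValueError("no drivers rated")
    if any(not SCALE_MIN <= v <= SCALE_MAX for v in rated):
        raise ValueError(f"driver scores must be between {SCALE_MIN} and {SCALE_MAX}")
    return mean(rated)


def heat_map_cell(impact, likelihood):
    """Bucket an (impact, likelihood) pair into a 3x3 heat-map cell for the
    Audit Committee summary. The band thresholds are an assumption."""
    def band(x):
        return "Low" if x < 2.5 else "Medium" if x < 4.0 else "High"
    return (band(impact), band(likelihood))


def score_risk(risk):
    """Impact, likelihood, inherent and residual scores for one risk.
    Inherent = impact x likelihood from the raw driver averages. Residual
    applies the mitigating controls' effectiveness (0..1, as agreed with
    management) to likelihood only: controls usually make an event less
    likely, they rarely make it less damaging once it has happened."""
    impact = driver_average(risk["impact"], IMPACT_DRIVERS)
    likelihood = driver_average(risk["likelihood"], LIKELIHOOD_DRIVERS)
    effectiveness = risk.get("control_effectiveness", 0.0)
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    residual_likelihood = likelihood * (1.0 - effectiveness)
    return {
        "name": risk["name"], "department": risk["department"],
        "impact": impact, "likelihood": likelihood,
        "inherent": impact * likelihood,
        "residual": impact * residual_likelihood,
        "inherent_cell": heat_map_cell(impact, likelihood),
        "residual_cell": heat_map_cell(impact, residual_likelihood),
    }


def normalize_across_departments(scored, min_sample=2):
    """"Normalize outliers": remove each department's systematic rating bias.
    A department that scores everything high (or low) would otherwise dominate
    (or vanish from) the entity-wide ranking. Each department's inherent
    scores are shifted so its mean equals the entity-wide mean; the order of
    risks within a department is unchanged. Departments with fewer than
    min_sample rated risks are left alone, since one or two scores say
    nothing about bias."""
    overall = mean([r["inherent"] for r in scored])
    by_dept = {}
    for r in scored:
        by_dept.setdefault(r["department"], []).append(r["inherent"])
    for r in scored:
        dept_scores = by_dept[r["department"]]
        shift = mean(dept_scores) - overall if len(dept_scores) >= min_sample else 0.0
        r["normalized"] = min(float(SCALE_MAX ** 2), max(float(SCALE_MIN), r["inherent"] - shift))
    return scored


def rank_risks(risks):
    """Score, normalize and rank risks, highest normalized inherent risk first.
    The top of this list is what feeds the audit plan (the risk response)."""
    scored = normalize_across_departments([score_risk(r) for r in risks])
    return sorted(scored, key=lambda r: r["normalized"], reverse=True)


# Constructed sample input (not from the deck): one Sales risk, two Finance risks.
SAMPLE_RISKS = [
    {"name": "Accepting customers with poor credit", "department": "Sales",
     "impact": {"financial": 4, "reputational": 5},
     "likelihood": {"weak_controls": 1, "complex_process": 2},
     "control_effectiveness": 0.5},
    {"name": "Manual journal entries not reviewed", "department": "Finance",
     "impact": {"financial": 5, "regulatory": 5, "reputational": 4},
     "likelihood": {"weak_controls": 4, "manual_process": 5, "high_turnover": 3},
     "control_effectiveness": 0.25},
    {"name": "Vendor master changes unapproved", "department": "Finance",
     "impact": {"financial": 3, "regulatory": 2},
     "likelihood": {"weak_controls": 3, "manual_process": 4}},
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f'{r["normalized"]:6.2f}  {r["inherent_cell"]} -> {r["residual_cell"]}  {r["name"]}')
```

Two design points worth carrying into a real worksheet: an unrated driver must be skipped, not scored 0, or every risk with a non-applicable driver is quietly pushed down the ranking; and the per-department shift only corrects a department's bias when it has rated enough risks for a mean to mean something, which is why the single Sales risk above keeps its raw score while the two Finance scores move together.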

28 Key Steps in Performing a Risk Assessment

29 Communicating the Risk Assessment to the Audit Committee
- Present an overview of the risk assessment process by highlighting the key steps followed in the three phases:
  Phase One: Create an Audit Universe Map
  Phase Two: Identify Objectives and Risks
  Phase Three: Rate and Rank Risks
- Develop a summary of the most significant risks
- Categorize risks into financial, operational, and compliance
- Consider staying under 20 risk categories and discussing sub-risks
- Consider using a heat map if it is not too busy: one with inherent risks and one with residual risks
- Include the risk response and the linkage to the audit plan

Speaker notes: You could combine inherent and residual on one heat map and show the movement to a safer part of the graph after applying controls.

30 Communicating the Risk Assessment to the Audit Committee
(Slide diagram; labels as captured:) External Factors; Leaders; Dept. Key Changes; Key Metrics & Trends; Board of Directors; External Auditors; Control Structure

31 DOs and DON'Ts
DO:
- Use risk self-assessment workshops to take advantage of the insights of other managers.
- Get consensus on measuring risks and risk tolerances.
- Establish participants' understanding of the effectiveness of controls and other risk responses used in the organization.
- Work closely with leadership to understand strategy and key objectives.
- Communicate a high-level, clear summary of the risk assessment to the Audit Committee.

DON'T:
- Rely on surveys to capture initial thoughts about risks.
- Ignore the financial impact on the organization.
- Forget to consider the state of controls and other risk management practices in the organization.
- Perform the assessment in a vacuum, ignoring key objectives and only looking backwards at past problems.
- Ignore input from the Audit Committee, or give the Audit Committee too much detail about the risk assessment.

Speaker notes: Risk self-assessment workshops are usually led by an internal auditor with a Certification in Control Self-Assessment and are most successful when management is actively engaged in discussing risks and controls. This tends to shed a lot of light on how educated management is on risks and controls. It gives them a better understanding of their business and of their risk and control environment, and usually gives rise to a better relationship with the internal audit and compliance team.

32 Looking Past the Horizon
COSO released the draft Enterprise Risk Management (ERM) – Aligning Risk with Strategy & Performance document for public comment; comments were accepted through September 2016. The draft:
- Adopts a components-and-principles structure
- Simplifies the definition of ERM and renews the focus on ERM integration
- Emphasizes the relationship between risk and value
- Examines the role of culture
- Elevates the discussion of strategy
- Enhances the alignment between performance and ERM
- Links ERM into decision-making more explicitly
- Delineates between ERM and internal controls
- Redefines risk appetite (risk tolerance)

Speaker notes: Risk assessment down the horizon. The biggest takeaway is to integrate risk up front (strategy and objective setting) and throughout the execution of objectives; risk management should be understood by all departments, not just IA and Risk Management.
1. Similar to the COSO framework structure, with principles and points of focus
2. Easier for people outside of risk management to understand; integration of risk means thinking about risk as strategy and objectives are being set, and managing risks up front and as objectives are executed
3. Value: opportunities
4. Culture: how strategies are chosen and how risks are responded to
5. Strategy: does it align with the vision and mission?
6. Aligns risks with performance
7. All organizations should understand risk management
8. Complements the COSO framework but does not repeat a discussion of controls
9. Redefines risk appetite as the level of risk accepted for a given level of performance; the new focus is on performance

33 Appendix - Paragon Audit & Consulting
- Global risk and compliance advisory firm founded in 2003 and headquartered in Denver
- Clients range from small privately held and nonprofit organizations to large government and SEC entities with revenue over $75B
- Services include internal audit, Sarbanes-Oxley, Quality Assessment Reviews, and process improvement consulting services
- The majority of our professionals have between 15 and 30 years of experience in internal audit, IT audit, external audit, IT and finance
- Very nimble firm with competitive pricing

