Food and Consumer Product Safety Authority Ministry of Economic Affairs, Agriculture and Innovation Rob de Heus Chris Hagen Internal Audit Department.


1 Food and Consumer Product Safety Authority Ministry of Economic Affairs, Agriculture and Innovation Rob de Heus Chris Hagen Internal Audit Department

2 Introduction
- Starting point
- Control versus audit
- Definition of risk
- Risks examples
- Risk analysis
- Sources of risk groups
- Risk assessment
- Turning wheels for a risk-based audit approach
- Discussion

3 Starting point
Our suggestion: split the document into
- risk-based planning of audits
- risk-based planning of controls
Because:
- Planning of controls is part of the first and second line of defense, while audit is part of the third line of defense;
- The manager is responsible for planning of controls, the auditor for planning of audits;
- Audits aim at the planned and implemented controls.
It's just not the same!

4 Control versus audit (1)
- first line: the first line of the control environment is the business operations, which perform day-to-day risk management activity
- second line: oversight functions in the company, such as finance, HR, risk management, set directions, define policy and provide assurance
- third line: internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and oversight functions.

5 Control versus audit (2)
- Control: first and second line
- Internal audit: third line

6 Definition of risk
In common parlance people use the term risk for:
- Causes
- Events
- Uncertainties
- Chances
- Impact
- Effects
- Bottlenecks
- Inadequate Controls
Our suggestion: A risk is a threat / hazard / event / uncertainty with an underlying cause which causes an effect (or result). A risk is not the result or effect itself, because this approach does not give starting points for corrective actions. We can only do something about the causes and the events, but we can't control or turn back the effects!

7 Risks (example 1)
[Diagram labels: cause; impact; change; weighing; event; uncertainty; effects/results; continuity/objectives]
Can you think of controls to cope with these issues? Yes / No

8 Risks (example 2)
Climbing the Mount Everest
[Diagram labels: broken material; bad dress; bad weather; illness; impact; change; weighing; expedition member falls into the abyss; objective is in danger; there is food left; claims; publicity]
Can you think of controls to cope with these issues? Yes / No

9 Risk analysis
Risk analysis consists of:
- Event identification (what threats / hazards / events / uncertainties can we identify?)
- Risk assessment (probability × impact)
Our suggestion: Risk analysis is crucial for an adequate risk-based audit plan. We can start the RA with a closer look at all kinds of risk sources (next sheets). After identification you can discuss the priority of each of the identified risks on the basis of impact and probability. This process of risk assessment shouldn't be formalized.

10 Sources of risk groups (1)
- Environmental Risks: risks outside the organization; social developments; supervisors; legislation; natural disasters; political developments; suppliers; competition
- Operational Risks: risks in the management and control of the organization; lack of risk management; weak control environment; style of leadership; culture; structure of rewards
- Process Risks: risks at the process level; inefficient process; insufficiently trained staff; insufficient availability of resources; insufficient quality of the product; surplus of resources/staff
- Financial risks: risks within the business with a financial nature

11 Sources of risk groups (2)
- Information Risks: the risk that wrong decisions are taken, e.g. insufficient or untimely information (it may concern operational, financial or strategic information); managers get the information needed to steer too late; no progress information about projects; insufficient understanding of political developments to anticipate; information does not meet the need for information; prioritization based on false information; insufficient understanding of customers' needs
- IT risks (include specific risks around IT systems): data integrity; continuity (backup recovery, physical security); privacy
- Integrity: subject risks to the reputation of the organization; socially sensitive decisions; unlawful act; fraud; unauthorized use; communication

12 Risk assessment
[Figure labels: Broad; Impact; Probability; High priority risks; input for audit plan]

13 Turning wheels for a risk-based audit plan
[Figure labels: Year 1 / Year 5; Once / Each year; Broad / Narrow; Superficial / Thorough]
Our suggestion: After identifying events and assessing the risks we can plan the audits on the basis of 4 dimensions (turning wheels).

14 DISCUSSION!

