INTERNAL CONTROLS AND RISK
AASHTO Audit Subcommittee Annual Meeting, Charleston, WV, July 21-24, 2013
Presented by Bryan L. Wood, CPA, Customized Audit Training
True or False
1. When management installs proper “internal controls” including all elements of COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring), the internal audit process is enhanced tremendously.
2. It is permissible to recommend the elimination of ineffective and redundant internal controls.
3. The real responsibility for assessing “risk” is management’s.
4. Risk is constantly changing.
5. The assessment of risk should be performed on a continuous basis whenever possible.
6. Achievement of operations’ objectives is not always within the entity’s control.
GROUND RULE QUESTIONS
• INTERNAL CONTROLS:
– What are they?
– Who controls them?
– Do we have enough? Too many? Too few?
– Are they automated or manual?
– Does management understand their responsibility for internal controls?
– Is “someone” actually held accountable for the controls?
GROUND RULE QUESTIONS
• RISK:
– What is risk? What is risk assessment?
– Who defines risk and performs the risk assessment?
– How often is a risk assessment performed?
– Can Risk Assessment be performed continuously?
– Is there an accountability for the performance of the risk assessment?
Definition of Internal Control
• Internal Control is broadly defined as a process, effected by an entity’s Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations (O)
– Reliability of financial reporting (F)
– Compliance with applicable laws and regulations (C)
– Safeguarding of assets (S)
Definition of Risk
• DOT Risk: The possibility of spending taxpayers’ money inefficiently and of it being accounted for improperly.
• Audit Risk: The possibility of the audit department not reviewing the right areas in a timely manner, or performing the audit incompetently.
• Is there any difference between these two definitions?
Definition of Risk Assessment
• The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and management’s determination of an acceptable level of risk.
Risk Assessment
• Identify Potential Risks
• Create Risk Assessment Worksheet
– Example on next slide.
• Brainstorm potential risks
• Assess risks by likelihood and impact
• Rank risks
• Determine any controls that exist over the risks identified
• Evaluate the design of the control system in place
• Determine any other mitigating factors that lessen the effect of the risks identified
Determining Risk
• Risk Assessment: Identify Potential Risks
• Likelihood: probability of a threat
• Often likelihood can be measured as a percentage.
• Impact: to have an effect upon
• Often impact can be measured in dollars.
• Audit Procedures should be created for coverage of critical and highly rated items.
• Audit procedures generally do not need to be performed for low rated items.
Did you know: Sometimes it’s the potential loss or consequence that makes some items more “risky” than others.
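As an added worked example (not code from the presentation), the risk assessment worksheet steps above in Python: each identified risk is scored as likelihood (a probability) times impact (dollars), reduced by any existing control or mitigating factor, the results are ranked, and critical and high items are flagged for audit procedures while low items are not. The rating thresholds, the 0 to 1 control-effectiveness scale and the sample State DOT risks are assumptions constructed for illustration; the last sample item shows the “did you know” point, a low-likelihood risk that ranks first because of its consequence.

```python
from dataclasses import dataclass

# Rating thresholds on expected loss in dollars (assumed values; the deck
# leaves the scale to each agency).
THRESHOLDS = (("Critical", 1_000_000), ("High", 250_000), ("Medium", 25_000))

@dataclass
class RiskItem:
    area: str
    likelihood: float   # probability the threat occurs, 0.0 to 1.0
    impact: float       # consequence if it occurs, in dollars
    control_effectiveness: float = 0.0  # share of exposure an existing control removes (assumed 0..1)

    def residual_exposure(self) -> float:
        # Expected loss, reduced by mitigating factors already in place.
        return self.likelihood * self.impact * (1.0 - self.control_effectiveness)

def rate(exposure: float) -> str:
    for label, floor in THRESHOLDS:
        if exposure >= floor:
            return label
    return "Low"

def build_worksheet(items):
    """Rank risks by residual exposure and flag those that need audit procedures."""
    ranked = sorted(items, key=lambda r: r.residual_exposure(), reverse=True)
    rows = []
    for rank, item in enumerate(ranked, start=1):
        exposure = item.residual_exposure()
        rating = rate(exposure)
        rows.append({"rank": rank, "area": item.area, "exposure": exposure,
                     "rating": rating,
                     # Critical and high items get coverage; low items generally do not.
                     "audit_procedures": rating in ("Critical", "High")})
    return rows

# Constructed sample risks for a State DOT (illustrative, not from the deck).
SAMPLE_RISKS = [
    RiskItem("Travel reimbursement errors", 0.80, 10_000),
    RiskItem("Duplicate payroll payments", 0.60, 50_000, 0.5),
    RiskItem("A/E consultant rates accepted without audit", 0.30, 2_000_000, 0.25),
    RiskItem("Construction change-order overpayment", 0.05, 30_000_000, 0.2),
]

if __name__ == "__main__":
    for row in build_worksheet(SAMPLE_RISKS):
        print(f"{row['rank']}. {row['area']:<45} ${row['exposure']:>12,.0f} "
              f"{row['rating']:<8} audit={row['audit_procedures']}")
```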
Risk Assessment - Fraud Consideration
• Consider Fraud Risks in Risk Assessment
• Is it a requirement that all auditors consider the risk of fraud and be aware of potential red flags of fraud associated with the area being audited?
RISK ASSESSMENT and its relationship to CONTINUOUS AUDITING
Analyzing The Role of Audit In Relationship To The Business Entity
• Auditors must synchronize themselves with the business entity – know how it works.
• The auditor’s primary responsibility is to audit the business entity, which should act as the primary driver.
• The business entity is generally driven by data; therefore, data should drive the audit process.
Analyzing The Roles of Audit In Relationship To The Business
[Diagram with two labelled elements: ERM of the Organization; Audit Planning and Risk Assessment]
Risk Model and Continuous Auditing
[Diagram with three labelled elements: ERM Model For Organization – “BRAIN”; Continuous Auditing Methodology; Audit Planning and Risk Assessment]
Setting The Tone For A Data Centric Audit Process: Core Structure Analysis
• A data centric audit process is dependent upon a data driven risk assessment
• Data driven risk assessment depends on the ability to assess risks in all parts of the enterprise
Understanding Data and Its Use
• Auditors should know how to employ fundamental tools and methodologies to accomplish data mining and its uses
• Auditors should use the key data mined for any and all audit related tasks
• The objective of the exercise is audit efficiency and effectiveness, and not massaging tons of data
Defining The Key Audit Disciplines
• Key audit disciplines are:
– The ability to understand and interpret data
– Determining the key audit uses for data
• Risk assessment
• Audit focus
• Minimization of testing; or
• Automation of the testing of 100% of the population
• 24/7 oversight and virtual auditing
• Business focused visual audit reports
• Measurement of audit contributions
• Creating and using multi-purpose audit tools
The Audit Spectrum: Today To The Future
[Figure: the audit spectrum from today to the future – Testing by Sample/Selection, Static Fixed Point (“Dangerous”); Near Time Testing by Data Interrogation, Reactive Selection (“Very Progressive”); Real Time Oversight/Governance, Dynamic/Fluid (“ART – The Ultimate”)]
Traditional vs. Data Focused Continuous Audit Process
• Traditional:
– Subjective risk assessment for annual plan
– Program driven audit process
– Rotational audit coverage
– Random, sampling based audit testing
– Narrative based documentation
– Narrative reporting format; findings, not solution based
Traditional vs. Data Focused Continuous Audit Process
• Data Focused Continuous Audit Process:
– Data driven risk assessment for annual plan
– Custom designed audit process
– Risk driven audit coverage
– Specifically focused audit testing, if required
– Business data based documentation
– Data focused, solution based audit format
Continuous Auditing
• Risk model is baseline for organization and is data centric
• Audit risk model is extracted directly from BRAIN and is data based
• Continuous auditing is linked directly to the risk models which then define the activities of the audit/consulting function
Virtual Audit Process
• Continuous auditing can migrate from Auditing Near Time (ANT) to Auditing Real Time (ART)
• The difference is in the tools and how much automation is employed
• To move to a virtual audit process involves vision, strategy and high level management support
An Example
Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles
Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles
• INTRODUCTION: Each State Department of Transportation (DOT) maintains a set of procedures that dictates how it conducts business covering the various functions and responsibilities of that agency. The audit function within the State DOT is one component of many within that set of procedures. Recent events have increased the expectations for written procedures pertaining to the audit function, especially those that relate to oversight of Architectural and Engineering (A/E) consultant professional service agreements.
Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles
• The Federal Highway Administration (FHWA) recognizes that State DOT audit groups must employ a “risk-based oversight” approach to effectively ensure compliance with the Federal Acquisition Regulation (FAR) cost principles among the population of A/E firms performing consultant services, especially given the limited resources at their disposal.
Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles
• For many State DOTs, it will not be feasible to perform audits or cognizant CPA work paper reviews for all A/E firms that perform work and are located in their home states; however, the onus remains on State DOTs to obtain reasonable assurance that the rates submitted by A/E firms are FAR compliant. Accordingly, to accept rates without performing an audit or cognizant work paper review, the State DOTs must perform a risk analysis.
Now can I tell you what really bothers me?
Personal Profile
• I have been an auditor for 41 years.
• I have tried to maintain the highest auditing standards within the profession.
• 20 years ago I started teaching auditing concepts.
And
I’M CONCERNED
We, as auditors, are not able to bring about enough
CHANGE
Is it us?
Or
Is it them?
Two Books Worth Reading
• “Change Anything”
• “Influencer”
– Books by:
• Kerry Patterson
• Joseph Grenny
• David Maxfield
• Ron McMillan
• Al Switzler
I will go on the premise that we, as auditors, are the first who need to change!
“CHANGE ANYTHING”
• From the preface of the book… a promise!
• “If you apply certain principles and tactics we outline (in this book), you can rapidly, profoundly and sustainably change your own behavior… and dramatically improve results in most any area of life.”
Conclusion
• We can’t change the world or our profession overnight, but if we sharpen the tools of our trade, we can begin to bring about change to our profession and environment.
• Knowledge is power, and the more we know, the more we can assist in improving internal controls and risk assessments for our agencies.
Questions ? ?
Contact Information for Customized Audit Training, LLC
Bryan L. Wood, CPA – Principal
Donna J. Hillenbrand – Marketing Director
info@customizedaudittraining.com
website: www.customizedaudittraining.com
Address: 7836 West Sahara Avenue Las Vegas, NV 89117
Tele: Bryan: (530) 545-0206; Donna: (530) 318-9491