BUILDING THE RISK BASED AUDIT PLAN

SPEAKERS:

CAROLYN SAINT, VICE PRESIDENT, INTERNAL AUDIT, 7-ELEVEN

PATRICK POTTER, GRC STRATEGIST, RSA

MELISSA BAYER, PROCESS & STRATEGIC EXCELLENCE AND GOVERNANCE, RISK MANAGEMENT & ASSURANCE LEADER, BANK OF AMERICA

CAROLE SWITZER, PRESIDENT, OCEG

OCEG WEBINAR SERIES

September 18, 2014


Discussion Participants

Patrick Potter, GRC Strategist, RSA

Carolyn Saint, Vice President, Internal Audit, 7-Eleven

Carole Switzer, President, OCEG

Melissa Bayer, Process & Strategic Excellence and Governance, Risk Management & Assurance Leader, Bank of America

Housekeeping

Download slides at http://www.oceg.org/event/building-the-risk-based-audit-plan/

Answer all 3 polls

Certificates of completion (only for OCEG Premium/Enterprise members and All-Access Pass holders)

Evaluation survey at the close of the webinar

Archive at Recorded Events on OCEG site

Learning Objectives

Define how to use risk and compliance capabilities to improve and define audit plans and processes

Identify example key risk indicators (KRIs) and key compliance indicators (KCIs) that may impact audit priorities or timing

Develop a maturity lifecycle for risk based audit planning

The role of internal audit, especially in large, geographically diverse organizations, has become more complex. What are the greatest challenges in developing a meaningful entity-wide audit plan today?

Panelist Question #1

Carole Switzer, Carolyn Saint, Patrick Potter, Melissa Bayer

POLL #1

How do you go about defining and prioritizing the auditable entities in your organization?

Panelist Question #2

Carole Switzer, Carolyn Saint, Patrick Potter, Melissa Bayer

1. PLAN Align audit objectives with the organization's strategic and operating objectives.

STAKEHOLDER AUDIT REQUIREMENTS

We can use real-time executive reporting to

We need to consider risk, regulatory scrutiny and resource availability before we decide the timing and sequence of our assurance activities.

We are going into three new countries this year, and there's an acquisition coming up.

We are planning global audit of anti-corruption capabilities. What else do you think should have a full global review this year?

OBJECTIVES

REGION

OPERATIONS

RISKS

SYSTEMS

AUDIT ERP HR COMPLIANCE

START BY DEFINING OBJECTIVES & STRATEGIC APPROACHES TOGETHER

EXECUTIVE PRIORITIES

What emerging business issues and risks should be considered?

FEEDBACK LOOP TO PLANNING

We need to be sure we align our audit plan with our performance, risk and compliance objectives and strategies.

We should consider regulations, standards and best practices as we set up our schedule and priorities, while making sure they align with our business objectives.

excerpt from OCEG GRC Illustrated Series, use by permission only. ©2014 OCEG.org

Audit, Risk and Compliance need a common and interrelated view of the organization's processes, resources, IT and products to properly evaluate risk and priorities.

DEFINE THE ORGANIZATION

ALIGN ASSESSMENT ACTIVITIES

Review historic assessments of risk, performance and compliance and conduct additional analysis together with process owners in each area.

PRIORITIZE SCOPE & SCHEDULE

Determine audit priorities based on potential impact on objectives and coordinate scheduled audits to reduce impact on operations.

AUDIT RISK BUSINESS OWNER COMPLIANCE

COLLABORATE & COORDINATE

Establish common risk and assurance methodologies and involve all relevant roles in each step of the process. Establish a common technology approach that allows each to add and access relevant and timely information.

AUDIT RISK COMPLIANCE BUSINESS OWNER

PRIORITIES

SCHEDULE

How do you coordinate activities to reduce audit burden on the business but still get the best results?

Panelist Question #3

Carole Switzer, Carolyn Saint, Patrick Potter, Melissa Bayer

2. DO Coordinate dynamic risk evaluation, continuous control monitoring, and assurance work

By working as a team we'll get better results in this audit.

DYNAMIC RISK & CONTROL MONITORING

PERFORM AUDITS & COORDINATE RESULTS

Ensure that audit and compliance are able to "divide and conquer" necessary audit and assessment tasks, and work together on more intricate issues.

By doing continuous control monitoring and reviewing key metrics, we can direct or eliminate assurance work.


ALIGNING ASSURANCE ACTIVITIES

Removing boundaries between audit and other assurance groups can lead to many benefits:

Visibility

Understanding each other’s activities and priorities leads to higher value opportunities for alignment.

Efficiency

Inefficiencies come to light that are addressed by process improvement and standardization.

Accountability

Areas that were previously falling through the cracks are identified, enabling the organization to assign accountability at all levels, from risks to processes to findings.

Collaboration

The old proverb “many hands make light work” comes into play as opportunities to better divide and conquer emerge.


How does technology enable the best audit performance and use of the audit results?

Panelist Question #4

Carole Switzer, Carolyn Saint, Patrick Potter, Melissa Bayer

Here's the report for your meeting with the audit committee.

AUDIT MANAGEMENT PORTAL

AUDIT PLAN PERFORMANCE

AUDIT PLAN DETAILS

AUDIT ENTITY MAPS

3. CHECK Manage audit results, issues and remediation plans through one coordinated approach to drive the best prioritization, resource utilization, follow up, and reporting to executive management.

ANALYZE & ACT ON FINDINGS

system automatically with different views for different users and for monitoring.

MONITOR PROGRESS

recommendations.

REPORT

Automate reporting and develop custom reports for different needs

affecting objectives, strategy and audit planning are reported to management with those responsibilities

POLL #2

What are some common mistakes to address in your planning?

Panelist Question #5

Carole Switzer, Carolyn Saint, Patrick Potter, Melissa Bayer

COMMON MISTAKES

Establishing a purely rotational approach for every area of audit

Equally distributing available resources without prioritizing

Failing to consider scheduling burdens or to create a unified audit plan

Designing an audit that does not tie to specific objectives and related risks

Auditing what you know, not what is important based on risk assessments

Limiting audits based on available resources rather than asking for more


PLAN

RISKS


Are you a PAID member of OCEG who is interested in receiving CPE credit for this event?

A. Yes, I am a PAID OCEG member and would like to receive a Certificate of Completion for this event

B. No, I am not a PAID OCEG member

POLL #3

Questions?