From risk to planning
Making the bridge from risks to audit plans
Richard Maggs
Astana, September 2014
Risk
Audit plans must be risk-based
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit. IIA Standard 2010
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. IIA Standard 2010.A1
The last RAWG meeting considered risk assessment
This meeting will focus on preparing strategic and annual plans
Key definitions for risk based planning
The objective of risk-based planning is to ensure that the Auditor examines the subjects of highest risk to the achievement of the organisation’s objectives.
Audit plans must be developed through a process that identifies and prioritizes potential audit topics
The audit universe is the entire population of potential audit topics
The risks or opportunities have to be assessed and decisions taken on other risk factors that may influence the priority to be given to each element of the audit universe (audit objects).
Recap on five steps in guide
Determining and categorising the audit universe. (See chapter 2 of RAAP)
Identifying individual events that may give rise to risks and opportunities across the audit universe. (See chapter 3 of RAAP)
Scoring events in terms of probability and impact (taking into account management actions to mitigate risk) to identify the level of residual risk. (See chapter 3 of RAAP)
Building risk-based audit plans by using generic risk factors and scoring criteria for each factor to determine the audit priority of all audit objects within the audit universe. (See chapter 4 of RAAP)
Presenting the results of risk-based planning by writing and updating strategic and annual work plans. (See chapter 5 of RAAP)
Audit risk assessment
Audit risk assessment is part of planning and a process where auditors consider (i) individual events and the risks and opportunities these represent to the achievement of the objectives of elements of the audit universe and (ii) generic risk factors that help prioritize work to areas of highest risk.
The purpose of audit risk assessment is to ensure that audit resources are addressed to the audit of areas of highest risk to the Organisation.
Audit risk assessment is different from risk management undertaken by managers. See Table 1 in RAAP guide.
Why do we need a bridge from risks to plans?
There may be hundreds of individual risks
Risk is not the only factor that influences the decision to carry out an audit. Others include:
Materiality
Complexity of transactions
Controls
The auditor is interested in residual risk which must take into account effectiveness of controls.
Inherent Risk minus controls = Residual Risk
Recap on audit universe 1
The phrase “audit universe” is a simple way of referring to the totality of all things that an internal auditor could separately examine.
The universe consists of the totality of “auditable objects”, which is a way of identifying and describing a discrete part of the business, system or process that can be separately audited.
Auditable objects need to be large enough to justify an audit and small enough to be manageable.
Recap on audit universe 2
Traditionally, auditable objects were categorised by organisational structure - a “vertical” analysis. Here an auditable object equated with one or a number of organisational units.
But it’s also important to design audit coverage from a horizontal or cross-functional view of the entity - that is, ‘horizontal’ audits based on entire business processes.
The top five categorisations used by IA are:
Organisational structure (Departments, Divisions, Units, Stand-alone Projects)
Common processes (Payments, Receipts, Asset Management, Procurement, Contracting, Inventory, Human Resource Management)
Location (Headquarters, Regional offices, Local offices)
Operational programmes
Service lines
Selecting audits from the audit universe
The objective of this stage of the process is to determine what needs to be audited from within the audit universe.
We build risk-based audit plans by applying risk factors to each element of the audit universe. It may help to think of “risk factors” as “selection factors”. Keep the number of risk factors to between 4 and 8. Too few risk factors will limit the effectiveness of the exercise; too many will increase the time it takes and will not produce substantially better results.
Choose risk factors that make the most sense for the Organisation you are auditing.
Common risk (selection) factors
Financial materiality
Complexity of activities.
Control environment
Reputational sensitivity.
Inherent risk
Extent of change.
Confidence in Management.
Fraud potential.
Political sensitivity.
Time since last audit.
Process
Develop a set of criteria to score and therefore rank the relative need to audit each of the possible audit objects within the audit universe.
Consider adding a weighting factor, as not all risk (selection) factors are equally important.
Make sure that risk index scores and priorities are reasonable: (a) calculate the theoretical maximum before setting the index priorities and (b) be prepared to change the index priorities if the results are obviously unrealistic (for example, if every audit is shown as high priority).
Example – scoring factors
Example – weighting factors
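As an added worked example (not from the RAAP guide or these slides), the scoring, weighting, theoretical-maximum and sanity-check steps above applied to a small constructed audit universe; the factor names follow the slides, while the weights, scores, 1..5 scale and band thresholds are assumptions:

```python
# Weighted risk-index scoring for an audit universe: each auditable object is
# scored 1..5 per selection factor, the index is the weighted sum, priority bands
# are set against the theoretical maximum and the distribution is sanity-checked
# (steps (a) and (b) of the Process slide). All numeric values are assumptions.
SCALE_MAX = 5  # ordinal scoring scale 1 (low) .. 5 (high); an assumption

WEIGHTS = {  # five of the slides' common selection factors, assumed weights
    "financial_materiality": 3,
    "control_environment": 3,
    "extent_of_change": 2,
    "fraud_potential": 2,
    "time_since_last_audit": 1,
}

def theoretical_maximum(weights=WEIGHTS):
    """Step (a): the highest index any object could reach under these weights."""
    return sum(w * SCALE_MAX for w in weights.values())

def risk_index(scores, weights=WEIGHTS):
    """Weighted sum of one object's factor scores; every factor must be scored."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    for name, s in scores.items():
        if not 1 <= s <= SCALE_MAX:
            raise ValueError(f"{name}: score {s} outside 1..{SCALE_MAX}")
    return sum(weights[f] * scores[f] for f in weights)

def priority(index, bands=(0.75, 0.5), weights=WEIGHTS):
    """Band an index by its share of the theoretical maximum, not by raw value."""
    share = index / theoretical_maximum(weights)
    return "high" if share >= bands[0] else "medium" if share >= bands[1] else "low"

def rank_universe(universe, bands=(0.75, 0.5)):
    """Return [(object, index, priority)] sorted from highest to lowest index."""
    rows = [(n, risk_index(s), priority(risk_index(s), bands)) for n, s in universe.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def distribution_is_realistic(ranked):
    """Step (b): an index that puts every object in one band needs re-tuning."""
    return len({p for _, _, p in ranked}) > 1

# Constructed audit universe of four process-based objects; tuples in WEIGHTS order.
UNIVERSE = {name: dict(zip(WEIGHTS, vals)) for name, vals in {
    "Procurement": (5, 4, 3, 5, 4),
    "IT asset register": (3, 4, 5, 2, 3),
    "Payroll": (4, 2, 1, 3, 2),
    "Fleet management": (2, 2, 1, 1, 5),
}.items()}
```

Lowering the band thresholds to (0.35, 0.2) puts all four objects in the high band, which is exactly the unrealistic outcome step (b) tells you to correct.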
Final comment
The process of moving from individual risk assessment to selecting subjects for audit can be confusing, as there is no direct link between assessing individual risks
This is a transition issue that arises because of the lack of good risk management in Government Ministries and Agencies
Consider carrying out internal audits which encourage management to have more effective risk management processes