Risk based auditing

03271621 1,302 views 146 slides Sep 22, 2017

About This Presentation

Risk based auditing for Internal Control


Slide Content

RISK BASED AUDITING Tunde Elijah Kelani

First of all… EXPECTATION ON THE COURSE

ASSESSMENT AND GRADING REQUIREMENTS. Can we agree? ATTENDANCE AND PUNCTUALITY - 10%; CLASS PARTICIPATION - 25%; PRACTICAL DEMONSTRATION - 15%; TAKE-HOME ASSIGNMENTS - 10%; PROJECTS. YOU HAVE TO DELIVER ON 6 IN-CLASS WORK ASSESSMENTS.

Training Outline YOU ARE EXPECTED TO FOCUS WITHOUT GIVING WAY TO DISTRACTIONS. THIS IS A CLASS AND NOT THE CONVENTIONAL TRAINING. AVOID PHONE CALLS, TEXTING, MAILING OR CHATTING WHILE IN SESSION SO THAT YOUR GRADES ARE NOT AFFECTED AS AN INDIVIDUAL OR AS A TEAM MEMBER PLEASE DO NOT BE DISTRACTED

INTRODUCTION Risk based auditing is a methodology that enables internal audit to assess the adequacy of the assurance framework and the reliability of assurance sources. It requires internal audit to be strategically and operationally linked to the business risk and assurance frameworks. The outcomes for participants on the programme are to: apply the key concepts of RBIA to your organisation; link the organisation's risk management framework to each stage of RBIA; determine risk maturity and apply the relevant approach; understand how internal audit fits into your organisation's assurance framework and undertake an assurance mapping exercise; apply a risk based methodology to internal audit assignments; and provide meaningful assurance statements to your audit committee and board.

IDENTIFY THE VALUE OF INTERNAL AUDITING Today, more than ever, the question of Value has taken on critical importance in every organization. In an increasingly global economy with increasingly tougher competition, all business activities have to look to contribute more value. The Value of Internal Audit is reflected in an improvement in internal control and the risks that face organizations, an improvement that leads to a reduction in those risks to acceptable levels. In other words, from a starting point of a significant inherent risk, to arrive at a situation where the residual risk is tolerable.

VAI = Value of Internal Audit; Ri = Inherent Risk; Rr = Residual Risk; RAI = Internal Audit Resources. VAI = (Ri - Rr) / RAI. Finally, the Value of Internal Audit is achieved through the efficient use of the resources available: people and tools. As in all activities, the Value of Internal Audit depends to a large extent on people, or in other words, good leadership and good work teams. Both leadership and the teams depend on the general and specific preparation of the people involved.

In becoming a more essential advisor to the C-suite and the Audit Committee, Internal Audit should be involved in any strategic business investment to grow or improve the organization where a missed risk could hurt share price, market capitalization or earnings. The following represent large-scale change programs where the Internal Audit function can play a significant role:

Mergers and acquisitions This is one of the most risk-heavy initiatives any organization can undertake, and Internal Audit should be involved in all the key steps throughout the M&A process. It can conduct a review of the company's readiness to go through a merger or an acquisition. It can also make sure that the value is being preserved. If the company sets a stock price in a merger or acquisition, how does it know that it is getting the right value for the price that it is paying? If the Internal Audit function understands the process, it can alert the business to potential risks and monitor associated controls. Furthermore, Internal Audit may assist in the assimilation of the newly acquired or merged entity by ensuring proper control monitoring of new or changed processes, systems and policies. Finally, Internal Audit can monitor the process employed to realize synergies from the combination.

Technology implementation There is a tremendous amount of risk associated with an enterprise-wide systems implementation. Internal Audit should have a seat at the table from the beginning to help identify the risks and to provide controls consultation. A common role for Internal Audit in such implementations is as an active, full-time member of the Program Management Office (PMO).

Process improvement Any major process transformation (supply chain, procurement, finance) requires evaluation of the current state, determination of the future state, a plan for implementation and a means of measuring success. Internal Audit can provide risk and controls consultation to determine the readiness for the process improvement, levels of progress, and measurements for success and overall value to the organization.

Business process outsourcing The outsourcing of any major process, from payroll to IT, holds a number of inherent risks. How does an organization know that it has the right arrangement in place at the front end? Is the business ready to enter into the arrangement? Does the organization have the right processes in place to measure whether it is getting all of the benefits it is seeking from the arrangement? Internal Audit can play a role in responding to all of these issues.

Real estate and construction While risk management is a key consideration for organizations undertaking real estate or construction projects, few have complete visibility into the risks across every element of the construction lifecycle. Internal Audit can provide valuable input to help the organization avoid such issues as scope creep, design flaws, unrealistic timelines, cost overruns, vendor mismanagement and change management concerns.

New product development A company has placed a big bet on a market-changing product, but has it done enough planning and due diligence to know that it is going to be a success? Has it prepared for all possible risks and contingencies? Internal Audit can provide the right risk and controls analysis to help the company avoid recurring product delays and cost overruns that could damage the company’s reputation and hurt its share price.

Expanding footprint Expanding a company’s footprint isn’t only about moving into new geographies that may present language, cultural or statutory requirement issues. It’s also about understanding the impacts on distribution channels and supply chains. Internal Audit has already likely had to deal with these issues and can play an important role in using existing risk methodology to review the company’s readiness for expansion.

Three steps to Internal Audit transformation

What is Internal Auditing? An internal audit is the examination, monitoring and analysis of activities related to a company's operations, including its business structure, employee behavior and information systems. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Internal Audit Procedure An internal audit begins with the auditor assessing current processes and procedures. The auditor then analyzes and compares the results to internal control objectives, and determines whether the results comply with internal policies and procedures as well as state and federal laws. Finally, the auditor compiles and presents an audit report to the business owner.

The IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. RBIA is at the cutting edge of internal audit practice. As a result, it is an area that is evolving rapidly and where there is still little consensus about the best way to implement it. It is more difficult to manage than traditional methodologies: monitoring progress against an annual plan that is constantly changing is a challenge, and setting targets and appraising staff may become more complex.

Risk-based auditing in organizations. Every organisation is different, with a different attitude to risk, different structure, different processes and different language. Experienced internal auditors need to adapt these ideas to the structures, processes and language of their organisation in order to implement RBIA. RBIA seeks at every stage to reinforce the responsibilities of management and the board for managing risk.

Risk-based auditing in organizations. If the risk management framework is not very strong or does not exist, the organisation is not ready for RBIA. More importantly, it means that the organisation's system of internal control is poor. Internal auditors in such an organisation should promote good risk management practice to improve the system of internal control. Where RBIA is new to an organisation, the head of internal audit will need to market the concept to management and win their support, particularly since it may mean a change for them in the way that they think about risk.

Corporate Governance Corporate governance is the system of rules, practices and processes by which a company is directed and controlled. Corporate governance essentially involves balancing the interests of a company's many stakeholders, such as shareholders, management, customers, suppliers, financiers, government and the community. Since corporate governance also provides the framework for attaining a company's objectives, it encompasses practically every sphere of management, from action plans and internal controls to performance measurement and corporate disclosure.

Corporate Governance Governance refers specifically to the set of rules, controls, policies and resolutions put in place to dictate corporate behavior. Proxy advisors and shareholders are important stakeholders who indirectly affect governance. The board of directors is the primary direct stakeholder influencing corporate governance. Directors are elected by shareholders or appointed by other board members, and they represent shareholders of the company.

Corporate Governance The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. Corporate governance is therefore about what the board of a company does and how it sets the values of the company, and it is to be distinguished from the day to day operational management of the company by full-time executives.

Identify Performance Standard 2110: Governance Standard 2110 specifically identifies the internal audit activity's responsibility for assessing and making appropriate recommendations to improve the organization's governance processes for: Making strategic and operational decisions – To evaluate an organization's governance processes for making strategic and operational decisions, the internal audit activity may review past audit reports as well as board meeting minutes, the board policy manual, or related governance documents, which can help provide an understanding of how such decisions are discussed and ultimately made. In addition, interviews with departmental heads may reveal what processes led to strategic and operational decisions.

Performance Standard 2110: Governance Overseeing risk management and control – To determine how an organization provides oversight of its risk management and control activities, the internal audit activity typically reviews the process for conducting the annual risk assessment. The internal audit activity may also review minutes from meetings wherein risk management strategy was discussed, as well as previously conducted risk assessments, and may interview key risk management personnel such as compliance, risk, and finance officers. The information obtained can be compared to benchmarking and industry trends to ensure all relevant risks have been considered.

Performance Standard 2110: Governance Promoting appropriate ethics and values within the organization – To assess how an organization promotes ethics and values, both internally and among its external business partners, the internal audit activity reviews the organization's related objectives, programs, and activities. These could include mission and value statements, a code of conduct, hiring and training processes, an anti-fraud and whistleblowing policy, and a hotline and investigation process. Surveys and interviews may be used to gauge whether the organization's efforts result in sufficient awareness of its ethical standards and values.

Performance Standard 2110: Governance Ensuring effective organizational performance management and accountability – To evaluate how an organization ensures effective performance management and accountability, the internal audit activity could review the organization's policies and processes related to staff compensation, objective setting, and performance evaluation. Communicating risk and control information to appropriate areas of the organization – To appraise how well an organization communicates risk and control information to appropriate areas, the internal audit activity could access internal reports, newsletters, relevant memos and emails, and staff meeting minutes to determine whether information regarding risks and controls is complete, accurate, and distributed in a timely manner.

Performance Standard 2110: Governance Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management – To assess an organization's ability to coordinate activities and communicate information among the various parties, the internal audit activity could identify the meetings that include these groups (e.g., board, audit committee, and finance committee) and determine how frequently they occur. Members of the internal audit activity may attend the meetings as participants or observers, and they may review the meeting minutes, work plans, and reports distributed among the groups to learn how these parties coordinate activities and communicate with each other.

Aspects of Corporate Governance In the post-SOX era, Corporate Governance further evolved to integrate meeting compliance requirements with promoting a strategic business imperative. There are three aspects: the shareholder aspect, the stakeholder aspect, and an integrated aspect. Shareholder Aspect This aspect is based on the premise that shareholders provide capital to corporations that exist for their benefit. Stakeholder Aspect Stakeholders are now becoming more engaged in a company's performance on a variety of economic, governance, ethical, social and environmental issues. Integrated Aspect Modern corporate governance emphasizes BOTH the financial aspect of increasing shareholder value AND an integrated approach that considers the rights and interests of all stakeholders.

Corporate Governance Structure Corporate governance is based on three interrelated components: corporate governance principles, functions and mechanisms.

Corporate Governance Principles HONESTY. Corporate communications with both internal and external audiences, including public financial reports, should be accurate, fair, transparent, and trustworthy. RESILIENCE. A resilient corporate governance structure is sustainable and enduring in the sense that it will easily recuperate from setbacks and abuses. RESPONSIVENESS. Effective corporate governance is responsive to the interests and desires of all stakeholders, as well as to emerging initiatives and changes in political, regulatory, social, and environmental issues. TRANSPARENCY. Transparency means that the company is not hiding relevant information, and disclosures are fair, accurate, and reliable.

What are the other principles corporate governance structure should be developed on?

They are the following:
- Value-adding philosophy
- Ethical conduct
- Accountability
- Shareholder democracy and fairness
- Integrity of the financial reporting
- Transparency
- Independence

Corporate Governance Functions

Corporate Governance Functions OVERSIGHT FUNCTION. The board of directors should provide strategic advice to management and oversee managerial performance, yet avoid micromanaging. MANAGERIAL FUNCTION. The effectiveness of this function depends on the alignment of management's interests with those of shareholders. COMPLIANCE FUNCTION. The set of laws, regulations, rules, standards, and best practices developed by state and federal legislators, regulators, standard-setting bodies, and professional organizations to create a compliance framework within which public companies operate and achieve their goals. INTERNAL AUDIT FUNCTION. Assurance and consulting services to the company in the areas of operational efficiency, risk management, internal controls, financial reporting, and governance processes. LEGAL AND FINANCIAL ADVISORY FUNCTIONS. Legal advice that assists the company, its directors, officers, and employees in complying with applicable laws and other legal obligations and fiduciary duties. EXTERNAL AUDIT FUNCTION. External auditors lend credibility to the company's financial reports and thus add value to its corporate governance through their integrated audit of both internal control over financial reporting and financial statements. MONITORING FUNCTION. Shareholders, particularly institutional shareholders, are empowered to elect and, if warranted, remove directors.

Corporate Governance Mechanisms The corporate governance structure is shaped by internal and external governance mechanisms, as well as policy interventions through regulations. Both internal and external corporate governance mechanisms of the company have evolved over time to monitor, bond and control management.

Examples of internal governance mechanisms:
- board of directors, particularly independent directors
- audit committee
- management
- internal controls
- internal audit functions

Examples of external mechanisms:
- market for corporate control
- capital market
- labor market
- federal and state statutes
- court decisions
- shareholder proposals
- best practices of investor activists

Identify the areas an internal audit must assess, evaluate, and report on to assure adequate corporate governance: promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; communicating risk and control information to appropriate areas of the organization; and coordinating the activities of, and communicating information among, the board, external and internal auditors and management.

ERM AND RISK Enterprise risk management (ERM or E.R.M.) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

ERM AND RISK Risk is the potential of gaining or losing something of value. [1] Values (such as physical health, social status, emotional well-being, or financial wealth) can be gained or lost when taking risk resulting from a given action or inaction, foreseen or unforeseen. Risk can also be defined as the intentional interaction with uncertainty. [2] Uncertainty is a potential, unpredictable, and uncontrollable outcome; risk is a consequence of action taken in spite of uncertainty. In finance, risk involves the chance that an investment's actual return will differ from the expected return, including the possibility of losing some or all of the original investment.

The difference between inherent and residual risk Inherent Risk: the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls). Residual Risk: the risk that remains after controls are taken into account (the net risk, or risk after controls). The difference between the inherent and residual risk may be visualized as water flowing through a filter. Inherent risk is above the filter, which represents management controls; a smaller pool of residual risk remains below it. Inherent risk is established only after the entity's key objectives have been defined, and steps have been taken to identify what could go wrong to prevent the entity from achieving those objectives. In addition to impact and likelihood, management considers the nature of the risk: whether the risk results from fraud, from natural events such as storms, or from complex or unusual business transactions.

The difference between inherent and residual risk Example: Fire in a production facility, which may have catastrophic consequences, is an inherent risk for the organization. Management puts controls in place to mitigate this risk, such as installing fire extinguishers and sprinklers and preparing an emergency evacuation plan. These controls will help reduce the damage in the event of fire, but in no way can they remove the danger completely. What remains after taking all these controls into account is a residual risk. We, internal auditors, evaluate the adequacy and effectiveness of these controls in order to bring residual risk down to a level accepted by the board (the risk appetite).

RISK MANAGEMENT AND ASSUMPTION Risk is the by-product of assumptions and constraints. The entire process of risk identification is the examination and review of what we assume is going to happen during the life of the project (assumptions), and of the limitations that could impact the project, either in execution or in expected results (constraints).

Benefit of Risk Management It ensures compliance; identifies system and provider weaknesses before an adverse event occurs; mitigates or reduces potential loss after an event has occurred; provides a framework to gather data that can be used to improve patient outcomes; and reduces the number, type and severity of adverse events.

Categories of Risk The risks faced by an organization should be categorized in relation to what it does. However, there are a number of commonly used categories, which include: Strategic; Operational/Technology; Financial; People; Regulatory; Governance.

Categories of Risk

Performance Standard 2120 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include: reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; compliance with laws, regulations, and contracts. 2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization. 2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives, to determine whether operations and programs are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria. 2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement's objectives and be alert to the existence of any significant control weaknesses. 2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

Define Performance Standard 2130: Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. 2130.A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the: achievement of the organization's strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; and compliance with laws, regulations, policies, procedures, and contracts. 2130.C1 - Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.

Identify the elements of COSO control and ERM frameworks As outlined by COSO, the framework provides eight components for use when evaluating ERM: 1. Internal Environment The internal environment sets the foundation for how risk is viewed and addressed by an entity's people, including risk philosophy and risk appetite, integrity, ethical values, and the environment in which they operate. 2. Objective-Setting Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Identify the elements of COSO control and ERM frameworks 3. Event Identification Internal and external events affecting the achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. 4. Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. 5. Risk Response Management selects risk responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Identify the elements of COSO control and ERM frameworks 6. Control Activities Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. 7. Information and Communication Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity. 8. Monitoring The entire ERM process is monitored, and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

WHAT IS INTERNAL CONTROL? Internal control is a process, effected by the entity's BOD, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.

COMPONENT OF INTERNAL CONTROL The five components of internal control include 1) the control environment 2) risk assessment 3) control activities 4) accounting information & communication system 5) monitoring

Factors that make up an organization's control environment are: a. Communication and enforcement of the integrity and ethical values of the personnel who are responsible for creating, administering, and monitoring controls. b. Commitment to competence - management should be committed to hiring employees with appropriate levels of education and experience. c. Effectiveness of its BOD or its audit committee. d. Management philosophy and operating style. e. Organizational structure. f. Responsibilities of Finance and Accounting Departments. g. Assignment of authority and responsibility. h. Human resource policies and procedures.

Types of control activities, and how each type contributes to effective internal control. Performance reviews - provide management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization. Segregation of duties - no one department or person should handle all aspects of a transaction from beginning to end. Information processing controls - proper authorization of all types of transaction. Physical controls - include physical security over both records and other assets.

PERFORMANCE STANDARD 2130.A1

What is a Business Process?
A business process has also been defined as a set of activities and tasks that, once completed, will accomplish an organizational goal. The process must involve clearly defined inputs and a single output. These inputs are made up of all of the factors which contribute (either directly or indirectly) to the added value of a service or product. These factors can be categorized into management processes, operational processes and supporting business processes.

A business process is a series of steps performed by a group of stakeholders to achieve a concrete goal. These steps are often repeated many times, sometimes by multiple users and ideally in a standardized and optimized way. A business process can be manual or automated. If manual, the process is achieved without the aid of an automation or assisting technology. If automated, a technology aid has been put into place which assists users in implementing the process in a more accurate, standardized or optimized manner.

DEVELOPING AN AUDIT PLAN
Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).
Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application, system or a limited period of time.

DEVELOPING AN AUDIT PLAN
Perform preaudit planning. Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team to justify the engagement and further refine the scope and preplanning focus.
Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
Identify regulatory compliance requirements.
Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work.

DEVELOPING AN AUDIT PLAN
Determine steps for data gathering. At this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program. Some of the specific activities in this step are:
Identify and obtain departmental policies, standards and guidelines for review.
Identify any regulatory compliance requirements.
Identify a list of individuals to interview.
Identify methods (including tools) to perform the evaluation.
Develop audit tools and methodology to test and verify controls.
Develop test scripts.
Identify criteria for evaluating the test.
Define a methodology to evaluate that the test and its results are accurate (and repeatable if necessary).

Business Process Management (BPM) What is it? A body of principles, methods and tools to design, analyze, execute, monitor and continuously manage business processes.

What is a Business Process?

fault-report-to-resolution process (diagram, © Michael Rosemann): the customer reports “My washing machine won’t work!”; actors shown are the Customer, Customer Call Centre, Client Engagement, Technician and Parts Store; a decision point asks Warranty?; the process delivers VALUE to the customer.

Processes and Outcomes
Every process leads to one or several outcomes, positive or negative.
Positive outcomes deliver value; negative outcomes reduce value.
Fault-to-resolution process outcomes:
Fault repaired without technician intervention
Fault repaired with minor technician intervention
Fault repaired and fully covered by warranty
Fault repaired and partly covered by warranty
Fault repaired but not covered by warranty
Fault not repaired (customer withdrew request)

Your turn
Think of a process in your organization: is it order-to-cash, procure-to-pay, fault-to-resolution…
Who is/are the customer(s)?
What value does this process deliver to its customer?
Who are the key actors of the process?
List at least 3 outcomes of the process.

Why BPM? The Technology Perspective (diagram after Index Group, 1982, relating Information Technology, Process Change and Business Value through "enables" and "yields" links)

Why BPM? The Technology Perspective
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”

Why BPM? The Management Perspective Roger Tregear: Practice Processes, BPTrends, July 2012

Why BPM? Roger Tregear: Practice Processes, BPTrends, July 2012

Why BPM?

BENEFIT OF A WELL-DEFINED BUSINESS PROCESS
A well-defined business process benefits a company in three dimensions: productivity, process, and people. Because the performance of a particular enterprise is the sum of the performance of its processes, well-defined business processes contribute to a well-managed company. Productivity, process, and people are interdependent and synergistic. As people learn more about the process and become more proficient in the process, productivity will increase, further increasing the morale of the work force. Higher morale leads to motivated employees, which lead to higher productivity.

Six steps are needed to improve a business process:
Identify the process to be improved.
Choose, organize, and train the team.
Map the process.
Analyze and redesign the process.
Implement the process redesign.
Continually improve the process.

WHAT IS RISK ANALYSIS?
Risk Analysis is a process that helps you identify and manage potential problems that could undermine key business initiatives or projects. To carry out a Risk Analysis, you must first identify the possible threats that you face, and then estimate the likelihood that these threats will materialize. Risk Analysis can be complex, as you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, and other relevant information. However, it's an essential planning tool, and one that could save time, money, and reputations.

When to use Risk Analysis
Risk analysis is useful in many situations:
When you're planning projects, to help you anticipate and neutralize possible problems.
When you're deciding whether or not to move forward with a project.
When you're improving safety and managing potential risks in the workplace.
When you're preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
When you're planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

HOW TO USE RISK ANALYSIS
Identify Threats
The first step in Risk Analysis is to identify the existing and possible threats that you might face. These can come from many different sources. For instance, they could be:
Human – Illness, death, injury, or other loss of a key individual.
Operational – Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
Reputational – Loss of customer or employee confidence, or damage to market reputation.
Procedural – Failures of accountability, internal systems, or controls, or from fraud.
Project – Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
Financial – Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
Technical – Advances in technology, or from technical failure.
Natural – Weather, natural disasters, or disease.
Political – Changes in tax, public opinion, government policy, or foreign influence.
Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

Estimate Risk
Once you've identified the threats you're facing, you need to calculate both the likelihood of these threats being realized and their possible impact. One way of doing this is to make your best estimate of the probability of the event occurring, and then to multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk:
Risk Value = Probability of Event x Cost of Event
As a simple example, imagine that you've identified a risk that your rent may increase substantially. You think that there's an 80 percent chance of this happening within the next year, because your landlord has recently increased rents for other businesses. If this happens, it will cost your business an extra $500,000 over the next year.
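Applying the slide's formula across a small threat register and ranking the results, as an added example that is not part of the original presentation. The rent-increase entry is the slide's own case; the other threats, and every probability and cost, are constructed for illustration and the category names are taken from the Identify Threats slide.

```python
"""Risk Value = Probability of Event x Cost of Event over a constructed register.

Added example, not from the original presentation. All register entries,
probabilities and costs are constructed; the rent-increase entry mirrors the
slide's own worked case (80 percent chance, $500,000 cost).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    category: str       # one of the categories from the Identify Threats slide
    description: str
    probability: float  # estimated likelihood within the planning period, 0..1
    cost: float         # what it costs to set things right if the event happens


def risk_value(probability: float, cost: float) -> float:
    """Risk Value = Probability of Event x Cost of Event.

    The probability is validated because an entry such as 80 (meaning 80
    percent) instead of 0.8 would silently inflate the risk value a hundredfold
    and distort the ranking below.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be between 0 and 1, got {probability}")
    if cost < 0:
        raise ValueError(f"cost must not be negative, got {cost}")
    return probability * cost


def rank_threats(register):
    """Return (threat, risk value) pairs, highest risk value first.

    Ranking by risk value is what lets a low-probability, high-cost threat
    (the flood below) outrank a likelier but cheaper one (the server failure).
    """
    scored = [(t, risk_value(t.probability, t.cost)) for t in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register; the first entry is the slide's rent-increase example.
REGISTER = [
    Threat("Financial", "Landlord raises rent substantially", 0.80, 500_000),
    Threat("Technical", "Primary file server fails", 0.10, 250_000),
    Threat("Human", "Loss of a key individual", 0.25, 120_000),
    Threat("Natural", "Flooding of the premises", 0.02, 2_000_000),
    Threat("Procedural", "Payment passes without authorization review", 0.15, 80_000),
]

if __name__ == "__main__":
    for threat, value in rank_threats(REGISTER):
        print(f"{value:>12,.0f}  {threat.category:<11} {threat.description}")
```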

HOW TO MANAGE RISK
Avoid the Risk
Share the Risk
Accept the Risk
Control the Risk
Preventative action involves aiming to prevent a high-risk situation from happening. It includes health and safety training, firewall protection on corporate servers, and cross-training your team.
Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur. Detective actions include double-checking finance reports, conducting safety testing before a product is released, or installing sensors to detect product defects.

Identify risks to your business
The first step in preparing a risk management plan is to identify potential risks to your business. Understanding the scope of possible risks will help you develop realistic, cost-effective strategies for dealing with them. It's important that you think broadly when considering types of risks for your business, rather than just looking at obvious concerns (e.g. fire, theft, market competition).

Assessing your business
Before you begin identifying risks, you need to assess your business. Think about your critical business activities, including your key services, resources and staff, and things that could affect them, such as power failures, natural disasters and illness.
Ask 'what if?' questions
Thoroughly review your business plan and ask as many 'what if?' questions as you can. Ask yourself what if:
you lost power supply?
you had no access to the internet?
key documents were destroyed?
your premises were damaged or you were unable to access them?
one of your best staff members quit?
your suppliers went out of business?
the area your business is in suffered from a natural disaster?
the services you need, such as roads and communications, were closed?

Brainstorm
Brainstorming with different people, such as your accountant, financial adviser, staff, suppliers and other interested parties, will help you get many different perspectives on risks to your business.
Analyse other events
Think about other events that have, or could have, affected your business. What were the outcomes of those events? Could they happen again? Think about what possible future events could affect your business.
Assess your processes
Use flow charts, checklists and inspections to assess your work processes. Identify each step in your processes and think about the associated risks.
Consider the worst case scenario
Thinking about the worst things that could happen to your business can help you deal with smaller risks. The worst case scenario could be the result of several risks happening at once.

CONTROL
Control is a broad concept that means different things to different people. The IIA definition, according to the International Standards glossary, is: Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

CONTROL PROCESSES These are the daily routines, checks and balances that make the organization function. The IIA definition of control processes is: The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

CONTROL ENVIRONMENT
The control environment refers to the way the board and senior management set the tone of the organization. It is part of the organization's culture, influencing how risk is viewed and the 'control consciousness' of its people. It is an expression of the 'way things are done'. Every organization operates differently, as is revealed by their organizational ethics, values, structure, reporting lines, authority, rules and the documentation of policy.

Performance Standards describe the nature of internal audit activities and provide criteria against which the performance of these services can be evaluated.

2000 2010 2020 2030 2040 2050 2060 2070 2100 2110 2120 2130 2200 2201 2220 2230 2240 2300 2310 2320 2330 2340 2400 2410 2420 2421 2440 2450 2500 2600

2210 – Engagement Objectives Objectives must be established for each engagement. 2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

2210.A3 – Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished.

If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.

2240 – Engagement Work Program Internal auditors must develop and document work programs that achieve the engagement objectives. 2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement

Overview of Planning
Audit planning is a continuous process; the audit plan may need to be adjusted as new information is obtained.
Risk assessment is integrated throughout, including assessing fraud risk.
Steps in planning:
Establishing the audit strategy
Planning the audit resources
Develop the audit plan
Communication on planning

Obtaining Clients
Submit a proposal
Contact the audit committee
Make fee arrangements
Communicate with the predecessor auditor. Topics:
  Disagreements over accounting principles
  Predecessor's understanding of reason for change of auditors
  Other
Overall procedure is important for evaluation of management integrity

The Audit Process--Steps After obtaining a client, the audit process includes: 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report

Stages of an Audit--Diagram

1. Plan the Audit
Establish an understanding with the client. This is ordinarily accomplished through use of an engagement letter.
Related, determine that:
  The firm meets professional independence requirements
  There are no issues relating to management integrity
  The client understands the terms of the engagement

Items Included in Engagement Letters
Name of the entity
Management responsibilities:
  Financial statements
  Establishing effective internal control over financial reporting
  Compliance with laws and regulations
  Making records available to the auditors
  Providing written representations at end of the audit, including that adjustments discovered by the auditors and not recorded to the financials are not material
Auditor responsibilities:
  Conducting an audit in accordance with GAAS
  Obtaining an understanding of internal control to plan the audit and to determine the nature, timing and extent of procedures
  Making communications required by GAAS

Engagement Letters--Optional Items
Arrangements regarding:
  Conduct of the audit (e.g., timing, client assistance)
  Use of specialists or internal auditors
  Obtaining information from predecessor auditors
  Fees and billing
  Other services to be provided, such as examination of internal control over financial reporting
  Limitation of or other arrangements regarding liability of auditors or client
  Conditions under which access to the auditors’ working papers may be granted to others

Audit Planning—Overall
Develop an overall audit strategy and an audit plan
Plan use of client’s staff
Plan involvement of other CPAs
Arrange for specialists
On first year audits:
  Communicate with predecessor auditors
  Establish opening balances on the financial statements

2. Obtain an Understanding of the Client and its Environment
Perform risk assessment procedures, including:
Inquiries of management and others within the entity
Analytical procedures
Observation and inspection relating to client activities, operations, documents, reports and premises
Other procedures, such as inquiries of others outside the company (e.g., legal counsel, valuation experts) and reviewing information from external sources such as analysts, banks, rating organizations, journals

Understanding the Client’s Business—Nature of the Client
Competitive position
Organizational structure
Accounting policies and procedures
Ownership
Capital structure
Product and service lines
Critical business processes
Internal control

Understanding the Client’s Business, Industry, Regulatory, and Other Factors
Competitive environment
Supplier and customer relationships
Technology developments
Major laws and regulations
Economic conditions
Attractiveness of the industry:
  Barriers to entry
  Strength of competitors
  Bargaining power of suppliers of raw materials and labor
  Bargaining power of customers

Understanding the Client’s Business—Objectives, Strategies & Business Risks
Objectives—Overall plans
Operating and financial strategies—Operational actions to achieve objectives
Business risks—Threats to achieving objectives

Understanding the Client’s Business—Measuring and Reviewing Performance
Budgets
Key performance indicators
Variance analysis
Segment performance reports
Balanced scorecard
External parties

Understanding the Client’s Business – Internal Control
Need knowledge and understanding of how a client’s internal control works:
What controls exist
Who performs them
How various types of transactions are processed and recorded
What accounting records and supporting documentation exist

Determining Materiality
Use professional judgment, based on a reasonable-person standard
Consider both quantitative and qualitative factors
Materiality is used in:
  Planning the audit
    At the overall financial statement level
    Allocated to individual accounts
  Evaluating audit findings

3. Assess the Risks of Material Misstatement and Design Further Audit Procedures
Overall approach:
  What could go wrong?
  How likely is it that it will go wrong?
  What are the likely amounts involved?
Particularly consider:
  Inherent risks
  Risks of material misstatement due to fraud (fraud risks)
Design further audit procedures

Assessing Fraud Risks
Two types:
  Fraudulent financial reporting (management fraud)
  Misappropriation of assets (defalcations)
Procedures to assess fraud risks:
  Discussion among engagement team
  Inquiries of management and other personnel
  Planning analytical procedures
  Considering fraud risk factors: incentives, opportunity, attitude

Assessing Fraud Risks – Identifying Fraud Risks
Considerations in identifying fraud risks:
Type
Significance
Likelihood that it will result in a material misstatement
Pervasiveness

Responding to Fraud Risks
Overall response:
  Professional skepticism and audit evidence
  Assigning personnel and supervision
  Accounting principles
  Predictability of auditing procedures
Alterations in audit procedures:
  More reliable evidence
  Shifting timing to year end
  Increasing sample sizes
Response to the possibility of management override:
  Examining journal entries
  Reviewing accounting estimates for biases
  Evaluating the business rationale for significant unusual transactions

Consideration of Fraud Throughout the Audit
Evaluating the results of audit tests
Discovery of fraud: communication to the appropriate level of management; if the fraud involves senior management or a material misstatement, communicate to the audit committee

Design further audit procedures
Types:
  Tests of controls
  Analytical procedures
  Tests of details of transactions and balances
Audit procedures:
  Inspection
  Observation
  Inquiry
  Confirmation
  Recalculation
  Reperformance

Design further audit procedures
Further audit procedures should include:
  Substantive procedures for all relevant assertions
  Tests of controls when the auditors’ risk assessment includes an expectation that controls are operating effectively, or when substantive procedures alone are not sufficient
Procedures should be linked with the assessed risks of material misstatement at the relevant assertion level.
Overall responses when assessed risks of material misstatement are high:
  Heightened professional skepticism
  Assigning more experienced staff
  Assigning staff with specialized skills
  Providing more supervision

Audit Documentation
Risk assessment: discussion of the audit team, elements of understanding, assessment of risk of material misstatement and risks identified.
Procedure results: overall responses; nature, timing and extent of further audit procedures; linkage of procedures with assessed risks; results of audit procedures; conclusions reached about operating effectiveness of controls; significant risks identified; circumstances in which substantive procedures alone will not provide sufficient evidence.
Consideration of fraud: similar to risk assessment; document the discussion, procedures used to identify fraud risks, fraud risks and responses, any other conditions that caused fraud-related procedures, and communications with management or the audit committee.

Audit Trail
A trail of evidence that links source documents, journal entries and ledger entries.
The auditor may follow the audit trail in either of two directions, related to the direction of testing:
  Test for existence or occurrence
  Test for completeness

Direction of Audit Testing

Transaction cycles
Auditors’ consideration of internal control is often organized around the client’s major transaction cycles (examples):
Revenue cycle
Acquisition cycle
Conversion cycle
Payroll cycle
Investing cycle
Financing cycle

Transactions Affecting Accounts Receivable

Audit Program
Systems portion:
  Deals with client’s internal control
  Evidence of tests of controls and assessing control risk
Substantive test portion:
  Deals with financial statement account balances
  Indirect and direct verification of income statement accounts

Indirect Verification of Income Statement Accounts

Objectives of Substantive Programs for Asset Accounts
Establish the existence of assets
Establish that the company has rights to the assets
Establish the completeness of recorded assets
Verify the cutoff of transactions
Determine the appropriate valuation of the assets and accuracy of related transactions
Determine the appropriate financial statement presentation and disclosure of the assets

Relationship of Financial Statement Assertions to the Audit

Relationships among Audit Objectives, Risks of Material Misstatement, and Audit Procedures

Overall Audit Strategy
Big picture of the audit; auditors can do this before they do audit procedures, based on:
  Experience in and knowledge of the industry
  Information gained through the client acceptance process
  Previous audit engagements, such as quarterly reviews
Components of the audit strategy:
  Scope of the engagement
  Timing
  Materiality and risk
  Fraud risk

Audit Strategy: Scope of the Engagement
What are the deliverables for this particular client?
How much and what type of work does the auditor need to do?
When and where does the work need to be done?
How should the work be scaled to fit the size, environment and complexity of the audit client?

Audit Strategy: Scope of the Engagement
Client attributes that affect scope:
Accounting presentation: is the presentation US GAAP, IFRS, GASB, statutory based, other?
Entity structure: is it public or privately owned? Is it a parent or subsidiary? Does it have multiple locations, and if so what is the materiality at the other locations?
Information technology: complexity of the system? Entity level and application controls?
Client outsourcing: how important are outsourced services? How will the audit address the service provider?
Work of others: how will this affect the nature, timing and extent of audit procedures?
First year vs. continuing audits

Audit Strategy: Timing
Client events that create audit deadlines:
  Key dates for communication with management, Audit Committee and Board of Directors
  SEC deadlines for filing quarterly and annually
  Date at which other auditors will supply or need audit reports
  Requirements of other regulators
Are audit resources (human resources) available in the right combinations at the right times?

Audit Strategy: Materiality and Risk
Materiality: …the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.

Audit Strategy: Materiality and Risk
Auditors assess materiality based on whether the issue would influence the economic decisions of users with certain qualifications:
  Appropriate knowledge
  Willingness to study the financial statements
  Understand the concept of materiality
  Understand measurement issues like estimates and judgments
  Will make appropriate economic decisions using the financial statements

Audit Strategy: Materiality and Risk
Top Down Approach:
What amount is material at the financial statement level?
What accounts and disclosures are significant to the financial statements?
What assertions are relevant to the significant accounts and disclosures?
What could go wrong to cause a material misstatement or omission related to each relevant assertion in each significant account or disclosure?
Is there a control in place that is intended to prevent that event (the risk) from occurring or that will detect it on a timely basis?
If yes, is the control designed sufficiently well that (if it operates effectively) it will prevent or detect the risk?
If yes, does the control operate well enough (effectively) to prevent or detect the risk?
Are there any material misstatements or omissions in any significant accounts or disclosures?

Audit Strategy: Materiality and Risk Materiality includes both quantitative and qualitative aspects; something might not be material from a quantitative perspective but have qualitative characteristics that make it material regardless of amount. Management fraud is an example of something that is material regardless of amount. Significant risks are risks in the business that are important enough to require special audit consideration. When auditing a non-public company that does not require an ICFR opinion the auditor may not choose to rely on internal controls when planning tests of balances. Even in that situation, the auditor must identify and assess the impact of significant risks.

Planning the Audit Resources
Assignments of the audit team
Timing of audit work
High-risk areas
Engagement budget

Audit Resources: Assignments
The work must be planned and any assistants must be properly supervised; required by auditing standards and quality control standards.
Supervision includes instruction and review.
The firm should match jobs to individuals based on the difficulty and complexity of the job and the experience and expertise of the individual.
How much time of people at which levels does the audit require?
Sometimes there is a trade-off: a person with greater skills can perform the task faster and better, will require less instruction, and the review will be easier.

Develop the Audit Plan
Nature, timing and extent of audit procedures
Top down approach
Different types of audit procedures

Audit Plan: Nature, Timing and Extent
First the auditor has to know: management assertions (which requires knowing which accounts are important), materiality, risk, and timing driven by client specifics.
The terms are used a lot; their meaning is simple:
Nature is the type of test, control or substantive, and which specific audit procedures are to be performed.
Timing is when it is to be performed; considerations are having audit resources available, evidence availability, and being able to test the period for which evidence is needed.
Extent is the quantity of testing to be performed.

Communication on Planning
After initial audit planning, the auditor may meet with management.
The auditor may provide an overview of the plan for the audit.
The auditor provides general information about scope and timing, but not a level of detail that would compromise the audit’s effectiveness.

Overview of Planning Exhibit 6-9