Presented to the European Internal Audit Conference October 8, 2004
Richard F. Chambers, CIA, CGAP, CFE
Background: why internal auditors assess risk
Traditional audit planning
Benefits and objectives of risk-based planning
A process for risk-based audit planning
The TVA OIG model for planning based on risk
Risk-based engagement planning
Overview: Why Assess Risk?
For annual audit planning: to target high-impact areas; to allocate scarce resources
When planning/executing audits: to frame objectives; to establish scope
When providing consulting services: to advise management on corrective actions
Purpose of Annual Audit Planning
Provides a guide for the organization
Justification/support for audit resources
Means of engaging management and board in establishing priorities and identifying areas in risk and control
Provides a basis for measuring accomplishments
Provides indication to external auditors and others of planned audit coverage
Helps ensure audit resources are directed to top priorities
Source: Sawyer's Internal Auditing
Traditional Methods of Audit Planning
Audit cycle
Audit universe
Management requests
Statutes, regulations, or other requirements
Auditors' experience and expertise
Value of Risk-Based Audit Planning
Yields a disciplined analytical approach to evaluating the audit universe
Highlights potential risks in the organization that might otherwise be unknown
Fosters dedicated audit coverage of high-risk areas
Allocates resources where the pay-back is greatest
Provides a tool for management to gauge or assess enterprise risk
Key Definitions
Risk: The uncertainty of an event occurring that could have an impact on the achievement of objectives.
Risk assessment: A systemic process for assessing and integrating professional judgments about probable adverse conditions and/or events.
Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Remember! "Management is responsible for identifying risk and for the internal control environment… When an organization has a standard risk assessment framework in place, the internal auditor can draw on this… When there is no such framework, the internal auditor's work will provide valuable information about the organization's risk to top management."
Source: A Guide to the Use of Risk Management Within the Internal Audit Process ©2002 – The IIA – Australia
The Objective of Risk-Based Planning: Target audit resources where risk is greatest!
(Slide figure: a risk matrix with Probability on one axis, scaled L to H.)
Source: A Guide to the Use of Risk Management Within the Internal Audit Process ©2002 – The IIA – Australia
Audit Standards and Risk-based Plans
2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
A Risk Assessment Process for Annual Audit Planning
1. Define the audit universe
2. Identify and weight risk factors
3. Establish a mechanism and score risk factors for auditable units
4. Sort the auditable units by total risk score
5. Develop the annual audit plan based on the ranked audit universe
Step 1: Defining the Audit Universe
1. Distinct units or functions of the enterprise
2. Business or organizational processes
3. Requests from senior management
4. Requests from the Board of Directors
5. Regulatory or statutory requirements
6. Potential audits based on experience or instincts
Step 2: Identifying and Weighting Risk Factors
1. Exercise judgment based on the nature of the enterprise and prior experience
2. Limit the number of factors
3. Ensure weights reflect relative significance
Common Risk Factors: previous audit results; time since last audit; materiality and liquidity; confidentiality; system maturity; complexity of the system; employee turnover; competence of management; performance indicators; public relations
Step 3: Establish a Mechanism and Score Risk Factors
Should address impact and probability
May be adjectival or numeric
Design and apply "objective" criteria for assigning scores
Ensure consistency of application
The most challenging step in the process
Steps 4 & 5: Sort Units by Scores and Develop the Plan
Step 4 is largely mechanical, but should be carefully reviewed
Look for inconsistencies during staff reviews: personal agendas can surface
The plan should be based largely, but not exclusively, on the results
Flexible audit plans are invariably more successful in meeting organizational needs
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
A systemic process designed to yield a comprehensive risk assessment
Used to allocate audit resources of the Office of Inspector General
Focuses on TVA processes as well as programs: core business processes; enabling processes
Overview of Audit Planning Process
Interviewed key managers
Reviewed planning documents
Reviewed historical data
Reviewed audit requests from other stakeholders
Identified audit areas
Assessed project risk factors: materiality; impact on operations; public sensitivity
Assigned probability factor
Adjusted risk factor scores
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Planning Model (slide diagram; components as labelled): Probability; Materiality; Impact on Enterprise Operations; Visibility and Sensitivity
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Risk Factors: Materiality
  Audit area over $100 million: 8-10 points
  Audit area $10 million to $100 million: 4-7 points
  Audit area less than $10 million: 1-3 points
Risk Factors: Impact on Operations
  Significant impact on core business: 8-10 points
  Significant impact on specific program, moderate impact on core business: 4-7 points
  Negligible impact on specific program or core business: 1-3 points
Risk Factors: Public Sensitivity
  Likely to result in public or congressional interest: 8-10 points
  May result in public or congressional interest: 4-7 points
  Unlikely to result in public or congressional interest: 1-3 points
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Probability Factors: Probability of Risk
  High probability of significant issues: 0.8-1.0 points
  Moderate probability of significant issues and high probability of improvement needed: 0.4-0.7 points
  Low probability of significant issues and moderate to low probability of improvement needed: 0.1-0.3 points
Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
Example of Risk Assessment (factor points, their total, the probability factor, and the adjusted score = total x probability)
  Potential Audit Subject         Materiality  Impact  Sensitivity  Total  Probability  Adjusted
  Security of Office Equipment    4            7       5            16     0.5          8.0
  Environmental Compliance        7            7       8            22     0.6          13.2
  Executive Compensation          3            5       9            17     0.3          5.1
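The scoring arithmetic behind the TVA example, and steps 3 and 4 of the five-step process (score the units, then sort the universe by score), as an added Python illustration. This is not code from the presentation, TVA or the IIA; the factor bands and the three example subjects are taken from the slides, while the `AuditArea` class, the helper names, and the choice to hold each factor's 1-10 points directly (how a point is picked inside a band is the auditor's judgment) are assumptions of this example.

```python
"""Worked example of the TVA OIG risk-scoring model described on the slides.

Added illustration, not TVA's own code. Rules taken as given from the slides:
three risk factors scored 1-10 each (materiality, impact on operations, public
sensitivity) are summed to a total, and the total is multiplied by a probability
factor between 0.1 and 1.0 to give the adjusted score used for ranking.
"""
from dataclasses import dataclass


def materiality_band(dollars: float) -> tuple[int, int]:
    """Point range for the materiality factor, per the slide's dollar bands."""
    if dollars > 100_000_000:
        return (8, 10)
    if dollars >= 10_000_000:
        return (4, 7)
    return (1, 3)


def probability_level(p: float) -> str:
    """Descriptive level for a probability factor, per the slide's bands."""
    if not 0.1 <= p <= 1.0:
        raise ValueError(f"probability factor {p} outside 0.1-1.0")
    if p >= 0.8:
        return "high"
    if p >= 0.4:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class AuditArea:
    """One auditable unit with its scored factors (class name is an assumption)."""
    name: str
    materiality: int    # 1-10 points
    impact: int         # 1-10 points
    sensitivity: int    # 1-10 points
    probability: float  # 0.1-1.0

    def __post_init__(self) -> None:
        # Consistency check (step 3 asks for consistent application of criteria).
        for label, pts in (("materiality", self.materiality),
                           ("impact", self.impact),
                           ("sensitivity", self.sensitivity)):
            if not 1 <= pts <= 10:
                raise ValueError(f"{self.name}: {label} points {pts} outside 1-10")
        probability_level(self.probability)  # raises if out of range

    def total_risk(self) -> int:
        """Sum of the three factor scores (the 'Total' column of the example)."""
        return self.materiality + self.impact + self.sensitivity

    def adjusted_score(self) -> float:
        """Total adjusted by the probability factor, one decimal as on the slide."""
        return round(self.total_risk() * self.probability, 1)


def rank_universe(areas: list[AuditArea]) -> list[AuditArea]:
    """Step 4 of the process: sort auditable units by adjusted score, highest first."""
    return sorted(areas, key=lambda a: a.adjusted_score(), reverse=True)


# The slide's own example; the values are copied from the example table.
EXAMPLE_UNIVERSE = [
    AuditArea("Security of Office Equipment", 4, 7, 5, 0.5),
    AuditArea("Environmental Compliance", 7, 7, 8, 0.6),
    AuditArea("Executive Compensation", 3, 5, 9, 0.3),
]


if __name__ == "__main__":
    for area in rank_universe(EXAMPLE_UNIVERSE):
        print(f"{area.name:30} total={area.total_risk():2} "
              f"p={area.probability} ({probability_level(area.probability)}) "
              f"adjusted={area.adjusted_score()}")
```

Run as a script it prints the three subjects in ranked order, Environmental Compliance first (13.2), then Security of Office Equipment (8.0), then Executive Compensation (5.1), reproducing the slide. The range checks are where a reviewer would catch the inconsistencies the "Steps 4 & 5" slide warns about, since a score outside its band cannot enter the ranking.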
Beyond Annual Planning: Assessing Risk in Audit Engagement Planning
"Applying the concepts from risk-based auditing to the assessment of risk at the individual audit level requires the auditor to mentally shift gears from focusing on controls in the audit process to focusing on risk."
Source: The IIA Research Foundation ©1998
Audit Standards and Risk-based Plans
2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Risk-Based Audit Engagements (slide shows these as a cycle)
1. Understand Processes and Objectives
2. Identify Risks
3. Measure Potential Impacts
4. Evaluate Controls and Estimate Probability
5. Evaluate and Prioritize Risks
6. Develop Audit Objectives & Program
Source: An IIA Seminar – Assessing Business Risk: The Gateway to Effective Results ©2002
Presentation Summary
Internal auditors assess risk for a variety of reasons
Traditional audit planning has emphasized cycles and repeat engagements
Risk-based audit planning is mandated by IIA standards and offers multiple advantages
A risk-based audit planning process contains multiple steps
TVA OIG plans based on risk
Beyond risk assessment in annual planning: risk-based engagement planning
QUESTIONS?
Richard.f.chambers@us.pwc.com
Presented October 8, 2004 by Richard F. Chambers, CIA, CGAP, CFE
How Many Audit Activities are In Your Universe?
  Less than 20: 4.8%
  21 to 50: 21.7%
  51 to 100: 11.2%
  101 to 500: 41.5%
  Over 500: 20.8%
Source: Global Audit Information Network Flash Survey
How Many Risk Assessment Rating Factors Do You Use?
  Less than 10: 76.7%
  11 to 20: 20.5%
  21 to 50: 2.5%
  Over 50: 0.4%
Source: Global Audit Information Network Flash Survey
Approaches to Identifying Auditable Units
  Functional Areas or Departments
  Business Processes
  Products or Service Lines
  Organization Units or Locations
  Major Contracts or Programs
  Other
  Percentages as extracted (decimal digits and pairing with categories lost in extraction): 71.x%, 34.x%, 68.x%, 55.x%, 23.x%, 10.x%
Source: Global Audit Information Network Flash Survey
What Type of Risk Model do You Use?
  N/A - we don't use a formal model: 14.x% (decimal digit lost in extraction)
  Commercial / In-house model: 50.x% and 6.x% (pairing and decimal digits lost in extraction)
  Simple spreadsheet: 28.4%
Source: Global Audit Information Network Flash Survey
How Many Times Per Year Do You Update the Model?
  Once - when we develop the annual audit plan: 63%
  Quarterly: 6%
  Semi-annual: 7%
  Ongoing (e.g., after audits are completed, based on client contacts, etc.): 24%
Source: Global Audit Information Network Flash Survey
How Long Does it Take to Create an Organization-wide Risk Assessment?
  Less than 80 hours: 31.x% (decimal digit lost in extraction)
  81 to 160 hours / 161 to 240 hours: 37.x% and 15.x% (pairing and decimal digits lost in extraction)
  241 to 480 hours: 9.x% (decimal digit lost in extraction)
  481 to 960 hours / Over 960 hours: 3.x% and 2.x% (pairing and decimal digits lost in extraction)
Source: Global Audit Information Network Flash Survey
How Involved Are Clients, or Risk Owners, etc., in Engagement Level Risk Assessments?
  Fully involved (e.g., they actively participate in the risk assessment process, etc.): 30.2%
  Somewhat involved: 54.9%
  Not involved (e.g., internal auditing independently completes the risk assessment, etc.): 14.9%
Source: Global Audit Information Network Flash Survey
What Percent of the Audit Budget Comprises the Engagement Level Risk Assessment?
  10% or less: 62.x% (decimal digit lost in extraction)
  11% to 20% / 21% to 30% / Over 31%: 25.x%, 10.x% and 2.x% (pairing and decimal digits lost in extraction)
Source: Global Audit Information Network Flash Survey
How Much Value do Engagement Level Risk Assessments Add to the Audit Process?
  A lot: 57.x% (decimal digit lost in extraction)
  Some / Limited: 37.x% and 5.x% (pairing and decimal digits lost in extraction)
Source: Global Audit Information Network Flash Survey
Do You Perform a Risk Assessment at the Engagement Level?
  Yes: 53.5%
  Sometimes: 31.3%
  No: 15.3%
Source: Global Audit Information Network Flash Survey