
Road map to develop annual plan

In document Risk-based Auditing 2015 (Page 75-90)

1. Identify and validate audit universe
   Input: Risk universe; Process universe; Location universe
   Output: Validated audit universe

2. Prioritize auditable areas
   Input: Date and results of last audit; Request by Management; Other considerations
   Output: Prioritized auditable areas

3. Identify resource requirements
   Input: Available resources
   Output: Draft audit plan

4. Obtain approval
   Input: Draft audit plan
   Output: Approved audit plan

1. Identify and validate audit universe

Input: Risk universe; Process universe; Location universe
Output: Validated audit universe

The audit universe is the set of risks and processes that could be targeted for audit. Risks and processes may also be organized and referred to by location.

1. Obtain the different universes (e.g., risk universe, process universe and location universe) from stakeholders.

2. Map the risks to the processes.

3. Identify the locations of the processes.

4. Present and validate the audit universe to the IA function, management and the oversight committee.

Identify and validate audit universe

1. Obtain the different universes, such as:

   a. Risk universe
   b. Process universe
   c. Location universe

Sources of the risk universe:

   - Management, IA and committee risk universe
   - Business units risk universe
   - Enterprise risk management risk universe

The risk universe may originate from the entity-level perspective and extend down to the business unit level.

a. Sample Risk universe (figure)

1. Obtain the different universes, such as: a. Risk universe; b. Process universe; c. Location universe

The process universe is the list of processes within the Company that will be subject to audit by the IA function, while the location universe is the list of all the Company's locations, such as the head office, regional offices and international offices.

b. Sample Process universe (figure)

c. Sample Location universe:

   1. Head office
   2. Satellite or regional office
   3. International office

2. Map the risks to the processes

Using the process universe, identify the risks associated with each specific process. Risks can be existing or emerging, internal or external, and tangible or intangible. Note that not all risks are auditable.

Risk categories: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting

Process/Auditable area   | Risks mapped (x)
Sales and marketing      | x x x x
Customer service         | x
Project development      | x x
Human resource           | x

SAMPLE ONLY


3. Identify the locations of the processes

Determine whether each process exists in the different locations of the Company.

Risk categories: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting
Locations: Head office, Regional or satellite office, International office

Process/Auditable area   | Risks mapped (x) | Locations (x)
Sales and marketing      | x x x x          | x x x
Customer service         | x                | x
Project development      | x x              | x
Human resource           | x                | x x

SAMPLE ONLY

4. Present and validate the audit universe to the different business units, management and the oversight committee.

2. Prioritize auditable areas

Input: Date and results of last audit; Request by Management; Other considerations
Output: Prioritized auditable areas

The criteria for prioritizing the auditable areas may include, but are not limited to, the following:

- Number and criticality of risks
- Number and complexity of the locations
- Date and results of the last audit
- Financial exposure
- Request by Management
- Major changes in operations
- Business complexity
- Probability that major improvement of the auditable area is needed

Legend:

H - High, M - Medium, L - Low (criticality of risks)
C - Complex, SC - Semi-complex, NC - Not complex (complexity of the location)
CD - Cannot determine

Note: Financial exposure may be based on the previous year's record.

SAMPLE ONLY. Risk categories: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting. Locations: Head office, Regional or satellite office, International office.

Process/Auditable area | Risks mapped | Locations | Number and criticality of risks | Number and complexity of the location | Date and results of last audit | Financial exposure (in PHP) | Request by management | ERM top risk | Major change in the operation | Priority / Not priority
Sales and marketing    | x x x x      | x x x     | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x
Customer service       | x            | x         | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x
Project development    | x x          | x         | 2 (H) | 1 (C)  | None | 1 B | Yes | Yes | Yes | x
Human resource         | x            | x x       | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x

3. Identify resource requirements

Input: Available resources
Output: Draft audit plan

In determining the resource requirements of the engagements, the IA function may consider the following:

1. Determine the initial type of engagement.

2. Identify the man hours needed to complete the engagement.

3. Check the skill requirements of the engagement.

4. Decide on the right mix of resources to perform the engagement.


1. Determine the initial type of engagement

Depending on the risks involved, IA shall assess the initial type of engagement to be performed on the corresponding processes and functions.

IA may perform one or a combination of the following:

a) Compliance evaluation: a review to determine the compliance of the concerned business unit with the policies and procedures, including their contents.

b) Performance evaluation: an assessment of the performance of personnel and/or third parties (e.g., contract review).

c) Controls assessment: an assessment whose objective is to determine the effectiveness of the control design and of its operation.

2. Identify the man hours needed to complete the engagement

The timeframe of the engagement may depend on the following:

- Initial type of engagement
- Previous experience
- Known changes (e.g., process owners, process, system)

SAMPLE ONLY. Risk categories: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting. Locations: Head office, Regional or satellite office, International office. Types of engagement: Compliance evaluation, Performance evaluation, Controls assessment.

Process/Auditable area | Risks mapped | Locations | Number and criticality of risks | Number and complexity of the location | Date and results of last audit | Financial exposure (in PHP) | Request by management | ERM top risk | Major change in the operation | Priority / Not priority | Type of engagement (x) | Man hours needed
Sales and marketing    | x x x x      | x x x     | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x | x   | 480 hours
Customer service       | x            | x         | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x | x   | 240 hours
Project development    | x x          | x         | 2 (H) | 1 (C)  | None | 1 B | Yes | Yes | Yes | x | x x | 600 hours
Human resource         | x            | x x       | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x | x   | 160 hours

3. Check the skill requirements of the engagement

The skill set is critical in planning the engagement. It will depend on the initial type of engagement, including its scope and objective. Some of the considerations are as follows:

- Facilitation skills
- Risk management skills
- Communication and change management skills
- Industry knowledge
- Process skills
- Knowledge of regulations affecting the organization
- Understanding of information technology risks and processes
- Effective presentation and report preparation
- Operations skills
- Financial or accounting skills

SAMPLE ONLY. Risk categories: Regulatory, Political, Contract compliance, Fraud, Planning and budgeting. Locations: Head office, Regional or satellite office, International office. Types of engagement: Compliance evaluation, Performance evaluation, Controls assessment. Skill set required is given as skill (hours).

Process/Auditable area | Risks mapped | Locations | Number and criticality of risks | Number and complexity of the location | Date and results of last audit | Financial exposure | Request by management | ERM top risk | Major change in the operation | Priority / Not priority | Type of engagement (x) | Man hours needed | Skill set required
Sales and marketing    | x x x x      | x x x     | 4 (H) | 3 (C)  | 2012 | 2 B | Yes | Yes | Yes | x | x   | 480 hours | Auditor II (200), Fraud Auditor (280)
Customer service       | x            | x         | 1 (M) | 1 (C)  | 2010 | 2 B | No  | No  | Yes | x | x   | 240 hours | Auditor I (120), Auditor II (120)
Project development    | x x          | x         | 2 (H) | 1 (C)  | None | 1 B | Yes | Yes | Yes | x | x x | 600 hours | Auditor III (350), Engineer (250)
Human resource         | x            | x x       | 1 (H) | 2 (SC) | 2007 | CD  | No  | No  | No  | x | x   | 160 hours | Auditor I (80), Auditor II (80)

Total man hours for Auditor III: 1800 hours
Total man hours for Auditor II: 2000 hours

Note that some skills are not readily available within the IA function. Hence, IA may consider sourcing those skills from external parties (outsourcing) or from other internal parties.
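The resource check that steps 2 and 3 above lead to, written out as an added worked example (this is not code from the source document or from the IA function it describes). It takes the per-skill allocations from the sample engagement table on this page, verifies that each engagement's allocation adds up to its stated man hours, totals the hours per skill set, and compares them against an assumed in-house capacity to decide which skills must be sourced externally. The capacity figures in ASSUMED_CAPACITY are hypothetical; the page gives none.

```python
"""Resource-requirement check for an annual audit plan.

Added worked example, not from the source document: sums the planned man
hours per skill set from the sample engagement table and flags the skills
the IA function cannot cover in-house (the outsourcing decision above).
"""
from collections import defaultdict

# Staffing from the page's sample engagement table:
# (auditable area, total man hours, {skill set: hours}).
SAMPLE_PLAN = [
    ("Sales and marketing", 480, {"Auditor II": 200, "Fraud Auditor": 280}),
    ("Customer service", 240, {"Auditor I": 120, "Auditor II": 120}),
    ("Project development", 600, {"Auditor III": 350, "Engineer": 250}),
    ("Human resource", 160, {"Auditor I": 80, "Auditor II": 80}),
]

# Hypothetical in-house capacity per skill set for the plan year. The page
# gives no capacity figures; a skill missing from this dict is treated as
# not available within the IA function at all.
ASSUMED_CAPACITY = {"Auditor I": 400, "Auditor II": 360, "Auditor III": 400}


def unbalanced_areas(plan):
    """Areas whose per-skill allocation does not add up to the stated total."""
    return [area for area, total, skills in plan if sum(skills.values()) != total]


def hours_by_skill(plan):
    """Total planned man hours per skill set across all engagements."""
    totals = defaultdict(int)
    for _area, _total, skills in plan:
        for skill, hours in skills.items():
            totals[skill] += hours
    return dict(totals)


def sourcing_plan(plan, capacity):
    """Classify each skill as in-house, top-up (partly covered) or outsource.

    Returns {skill: (hours needed, shortfall in hours, decision)}.
    'outsource' means the skill does not exist in the IA function at all;
    'top-up' means it exists but the plan exceeds its capacity.
    """
    result = {}
    for skill, needed in hours_by_skill(plan).items():
        available = capacity.get(skill, 0)
        shortfall = max(0, needed - available)
        if available == 0:
            decision = "outsource"
        elif shortfall:
            decision = "top-up"
        else:
            decision = "in-house"
        result[skill] = (needed, shortfall, decision)
    return result


if __name__ == "__main__":
    for area in unbalanced_areas(SAMPLE_PLAN):
        print(f"WARNING: allocation for {area} does not match its stated total")
    for skill, (needed, short, decision) in sorted(
        sourcing_plan(SAMPLE_PLAN, ASSUMED_CAPACITY).items()
    ):
        print(f"{skill:<14} needed {needed:>4} h  shortfall {short:>4} h  -> {decision}")
```

Running it against the sample table shows Fraud Auditor and Engineer as outsourcing candidates (no in-house capacity) and Auditor II as 40 hours over the assumed capacity; the unbalanced-area check is the guard against a draft plan whose skill split no longer matches the man hours it was approved for.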


4. Obtain approval

Input: Draft audit plan
Output: Approved audit plan

- Ensure the audit plan documentation is complete, accurate and reviewed by the CAE.
- Identify all approvals (e.g., Audit Committee, Board) necessary to confirm the audit plan.
- Set up a meeting to present the audit plan to:
  - Audit Committee Head or equivalent
  - Oversight Committee or similar committee

RBPF framework (overview figure)

Phases: Understand, Assess, Plan, Deliver, Monitor, Document, Quality assurance

Activities: Co-develop expectations; Understand the organization; Assess the risks; Develop annual plan; Perform the engagement; Communicate the result; Monitor the progress; Supervise the engagement; Quality and improvement program

1. Understand the process
2. Assess risks in the process
3. Assess process performance and control gaps
4. Validate process measures and controls
5. Identify root causes and solutions

1. Understand the process

Conduct
