
Risk-based Auditing: A Value Add Proposition

Participant Guide


About This Course


Adding Value for Risk-based Auditing

Seminar Description

In this seminar, we will focus on:

• The foundation for risk-based auditing.

• Specific risk-based assessment methodologies, components, and best practices.

• Applying the knowledge to specific situations.


The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2008 - 3 -

Seminar Objectives

By the end of this session, you will have had an opportunity to:

• Identify relationships between strategy, corporate governance, risk management, and controls.

• Identify key business processes and objectives.

• Produce a risk assessment.

• Produce a risk-based assurance plan.

• Describe entitywide controls and their relevance to the plan.

• Plan a risk-based engagement.

• Network with peers.


Seminar Topics

The following topics will be covered during the seminar:

• Role of internal auditing

• Corporate governance

• Risk management

• Control and (risk) frameworks

• Entitywide risk assessment

• Risk-based audit engagement


Participant Introductions

Introduce yourself to your team members using the following guide:

• Your name and job title.

• Your organization and its “industry.”

• Your experience in internal auditing.

• Related work experience.

• What you want to gain from this seminar.

• Something interesting about you that reveals your risk appetite.


Working Agreement

Much of the success of this course depends on creating an effective learning environment and process. To create this environment and process we want to have a Working Agreement.

Our agreement follows the acronym PROCESS.

We agree to demonstrate:

P = Participation – This seminar is highly participatory. By agreeing to actively participate in discussions and exercises participants will get the greatest benefit from the program.

R = Respect – There will be times when we will “agree to disagree” on the significance of issues, possible solutions, and best practices. We agree to show respect by actively listening to other viewpoints and not “forcing” our views on other participants.

O = Openness – We will share our experiences and provide constructive feedback. By agreeing to such openness, participants can expand their perspectives and build their skills.

C = Confidentiality – Confidential matters should not be discussed outside class. Be aware that information of this kind may have consequences for others.

E = Enthusiasm – Be enthusiastic about this learning experience!

S = Sensitivity – Participants should be sensitive to the feelings and perspectives of others.

S = Sense of fun – This seminar should be an enjoyable experience for the participants and the leader. If we approach the discussions and exercises, and other learning tools in the right frame of mind, we will not only have more fun but will also learn more.


Ideas and Insights

As you go through the seminar, use the space at the end of each unit to record ideas and insights for your own use and to share with others in the seminar.


Quiz

True or false:

1. U.S. organizations are required to have internal audit departments under the U.S. Sarbanes-Oxley Act of 2002.

2. Internal audit departments must comply with the International Standards for the Professional Practice of Internal Auditing (Standards).

3. The Sarbanes-Oxley Act’s primary focus is on improving corporate governance and transparency.

Multiple choice:

4. Risk-based auditing can best be described as:

A. A best practice.

B. Mandated under the Standards.

C. Required by the Sarbanes-Oxley Act.

D. All of the above.

E. A and B only.


Quiz Answers

True or false:

1. False

2. False

3. True

Multiple choice:

4. E: A and B only.


Role of Internal Auditing

www.theiia.org/training - 2 -

Introduction

Overview

Risk-based auditing is perhaps the only way for an audit organization to add value to management and fulfill its charter responsibility to the independent directors.

Objectives

By the end of this unit, you should be able to:

• Identify the value of internal auditing.

• Define internal auditing.

• Describe the internal audit standards.

• Discuss risk-based auditing in organizations.

Resources

Readings and Resources

IIA Position Statement: Risk-based Internal Auditing


Understanding the Value of Internal Auditing

Value of Internal Auditing

When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement.

— Jim LaTorre, PwC



Definition of Internal Auditing

Mandatory Guidance

Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Internal Audit Standards

The Standards

Mandatory Guidance

2100: Nature of Work

The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.


Activities

Activity: My Organization's Approach to Risk-based Auditing

Instructions:

On your own, spend a few minutes using the worksheet below to determine the degree of satisfaction with your organization’s approach to risk-based auditing.

Rate each element: Don’t Know / Satisfied / Neutral / Dissatisfied

• Annual enterprisewide risk assessment:

  • By management

  • By audit with the involvement of management

  • With involvement of audit committee

• Audit engagement risk assessment

• Evaluation tools

• Client involvement

• Corporate governance is assured

• Ethics program is assured

• Risk management is assured

• Internal audit activity maps to enterprise strategy

• Skills and attitudes of auditors

• Audit plan is risk-based


Activity: My Organization’s Strengths and Weaknesses

Activity

Referring to your individual exercise responses, discuss the four questions below, select a spokesperson, and be prepared to report to the class.

What are the strengths and best practices for the risk-assessment process in your organization?

What are the weaknesses and challenges to the risk-assessment process in your organization?

What is the current role of internal auditing in your organization?

What are the opportunities for internal auditing in your organization?


Reading: Risk-based Internal Auditing Position Statement

Resources

Take a few minutes to read the “Risk-based Internal Auditing” position statement.


Unit Conclusion

Summary

You have completed the lesson “Role of Internal Auditing.” Here are some key points:

• When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement.

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• The internal audit activity must evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

• You examined your organization’s approach to risk-based auditing and looked at the strengths and weakness of the risk-assessment process.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Corporate Governance


Introduction

Overview

Corporate governance is the foundation of risk-based auditing and should be understood before proceeding.

Objectives

By the end of this unit, you should be able to:

• Define corporate governance.

• Identify Performance Standard 2110: Governance.

• Identify the various aspects of corporate governance.

• Identify Assurance Performance Standard 2110.A1 and the elements of a good ethics program.

• Identify the areas an internal audit must assess, evaluate, and report on to assure corporate governance.

Resources

Readings and Resources

• Position Paper: Organizational Governance: Guidance for Internal Auditors

• The Case Study


Corporate Governance

Definition of Corporate Governance

Mandatory Guidance

Governance

The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.


Governance Standard

Performance Standard 2110: Governance

Mandatory Guidance

2110: Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;

• Ensuring effective organizational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organization; and

• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.


Framework for Corporate Governance

Framework


Ethics

Assurance Performance Standard 2110.A1

Mandatory Guidance

2110.A1: Evaluation of ethics program

The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.


Elements of a Good Ethics Program

• Linked to core values

• Reliant on the integrity of the people who create, administer, and monitor

• Dependent on tone at the top

• Dependent on an engaged board of directors

• Transparent to all stakeholders


Activity: Ethics Assurance in My Organization

Activity

Instructions

Discuss how you are assuring the ethics-related objectives, programs, and activities at your organizations.

Record any strengths and best practices:

Record any weaknesses and challenges:

Select a spokesperson and report to the class.


Corporate Governance

Assurance of Corporate Governance

Performing audit work to assure corporate governance requires assessing, evaluating, and reporting on the following areas:

• Governance structures, policies, charters

• Organization culture, ethics, and values

• Activities of audit committee

• Risk management structures and policies

• Internal audit processes and organization

• Fraud control and policy

• Compensation policies and processes

• Strategic planning and decision making

• Disclosure structure, process, rigor

• Enterprise Web page content

• Measurements


Case Study Activity: Community Medical Services Centers (CMSC)

Case Study

Instructions

• Review the company background information in the case study.

• Discuss the elements of good corporate governance.

• Discuss the gaps in effective corporate governance.

• Select a spokesperson and debrief the class.


Activity: Corporate Governance in My Organization

Activity

List the elements of corporate governance that are evident at your organization.

Identify what opportunities there are to broaden the role of internal auditing in corporate governance.


Unit Conclusion

Summary

You have completed the lesson “Corporate Governance.” Here are some key points:

• Corporate governance is the combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

• The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of these objectives: promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; effectively communicating risk and control information to appropriate areas of the organization; and effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.

• Corporate governance consists of: compliance with legal or regulatory requirements, internal control assessment and reporting, enterprise risk management, quality initiatives, transparency and disclosure, and governance structures and processes.

• Assurance Performance Standard 2110.A1 requires that the internal audit activity evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities. A good ethics program is linked to core values, reliant on the integrity of the people who create, administer, and monitor the program, transparent to all stakeholders, and dependent on the tone at the top and on an engaged board.

• The areas an internal audit must assess, evaluate, and report on to assure corporate governance are: governance structures, policies, and charters; organization culture, ethics, and values; activities of the audit committee; risk management structures and policies; internal audit processes and organization; fraud control and policy; compensation policies and processes; strategic planning and decision making; disclosure structure, process, and rigor; enterprise Web page content; and measurements.


Implications

• The corporate governance process must be in the audit universe and assured.

• Business conduct or ethics programs must be in the audit universe and assured.

• All audit engagements must consider governance, ethics, and potential for fraud.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Risk Management


Introduction

Overview

If we are still performing audit assurance work according to the old models, we will miss a great deal of opportunity to demonstrate the value of an independent and objective audit function that is capable of and willing to examine governance and risk management gaps.

Objectives

By the end of this unit, you should be able to:

• Define enterprise risk management (ERM) and risk.

• Identify the difference between inherent and residual risk.

• Identify the assumptions of risk management.

• Identify the benefits of risk management.

• Identify the categories of risk.

• Identify what the internal auditor must assess in order to judge whether the organization’s risk management processes are effective (Performance Standard 2120).

Resources

Readings and Resources

• The IIA’s Position Paper, The Role of Internal Auditing in Enterprisewide Risk Management

• The Case Study


ERM and Risk

ERM Definition

Definition

Enterprise Risk Management

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives.

— COSO ERM


Risk Definition

Mandatory Guidance

Risk

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.


Types of Risk

Inherent and Residual Risk

Mandatory Guidance

Residual Risk

The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Definition

Inherent Risk

Inherent risk is the underlying risk before any controls are applied to mitigate the risk.
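The two definitions above, together with “risk is measured in terms of impact and likelihood,” are all a risk-based audit plan really rests on. The following Python example is added by the editor and is not part of the IIA guide or the case study: it scores a small risk register on inherent and residual risk and turns the ranking into an assurance plan. The 1–5 scales, the impact × likelihood score, the single “control effectiveness” factor, the risk appetite threshold, and the register entries are all assumptions made for illustration. Two points the definitions alone do not show: a control nobody has evaluated earns no reduction in the register (residual stays equal to inherent, which is exactly the “Don’t Know” column of the earlier worksheet), and anything whose residual risk is above the stated appetite goes into the plan even when that exceeds audit capacity, because the shortfall is itself something to report to the audit committee.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four risk categories used by the seminar.
CATEGORIES = ("strategic", "operational", "financial", "compliance")


@dataclass(frozen=True)
class Risk:
    """One line of a risk register. Scales and field names are assumptions."""
    name: str
    category: str
    impact: int        # 1 (negligible) .. 5 (severe)
    likelihood: int    # 1 (remote) .. 5 (almost certain)
    # Fraction of the inherent exposure removed by controls that have actually
    # been evaluated, 0.0 .. 1.0. None means "don't know": no evaluated control.
    control_effectiveness: Optional[float] = None

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on a 1..5 scale")
        eff = self.control_effectiveness
        if eff is not None and not 0.0 <= eff <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")


def inherent_score(risk: Risk) -> float:
    """Risk before any controls: impact x likelihood (simplifying assumption)."""
    return float(risk.impact * risk.likelihood)


def residual_score(risk: Risk) -> float:
    """Risk remaining after evaluated controls. An unevaluated control earns no
    credit, so residual == inherent: the auditor cannot rely on what nobody
    has assessed, and that gap is itself a finding."""
    if risk.control_effectiveness is None:
        return inherent_score(risk)
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 4)


def assurance_plan(risks: List[Risk], risk_appetite: float,
                   capacity: int) -> Tuple[List[Risk], List[Risk]]:
    """Rank by residual risk and split into (engagements, monitored).

    Every risk whose residual score is above the risk appetite goes into the
    plan regardless of capacity; leftover capacity goes to the next-highest
    residual risks. Ties break on inherent score, then name, so the plan is
    deterministic."""
    ranked = sorted(risks, key=lambda r: (-residual_score(r),
                                          -inherent_score(r), r.name))
    above = [r for r in ranked if residual_score(r) > risk_appetite]
    within = [r for r in ranked if residual_score(r) <= risk_appetite]
    spare = max(capacity - len(above), 0)
    return above + within[:spare], within[spare:]


def capacity_shortfall(risks: List[Risk], risk_appetite: float,
                       capacity: int) -> int:
    """Engagements the plan needs beyond available capacity (0 if none)."""
    engagements, _ = assurance_plan(risks, risk_appetite, capacity)
    return max(len(engagements) - capacity, 0)


def uncovered_categories(engagements: List[Risk]) -> set:
    """Risk categories with no engagement in the plan: a coverage gap the
    chief audit executive should be able to explain."""
    return set(CATEGORIES) - {r.category for r in engagements}


# Constructed register for a fictional healthcare provider (not case data).
SAMPLE_REGISTER = [
    Risk("Revenue cycle billing accuracy", "financial", 4, 4, 0.5),
    Risk("Patient data privacy", "compliance", 5, 3, 0.6),
    Risk("Physician recruitment for new centers", "strategic", 4, 3, None),
    Risk("Financing for expansion", "strategic", 5, 2, 0.7),
    Risk("Clinical system availability", "operational", 3, 4, 0.75),
    Risk("Vendor contract compliance", "compliance", 2, 3, 0.2),
]
RISK_APPETITE = 6.0   # residual score the board tolerates without assurance
CAPACITY = 3          # engagements the audit activity can staff this year


def build_sample_plan() -> Tuple[List[Risk], List[Risk]]:
    return assurance_plan(SAMPLE_REGISTER, RISK_APPETITE, CAPACITY)


if __name__ == "__main__":
    engagements, monitored = build_sample_plan()
    for r in SAMPLE_REGISTER:
        print(f"{r.name:40} {r.category:12} inherent={inherent_score(r):5.1f} "
              f"residual={residual_score(r):5.1f}")
    print("plan:", [r.name for r in engagements])
    print("monitor:", [r.name for r in monitored])
    print("uncovered categories:", uncovered_categories(engagements))
```

On the sample register the unevaluated recruitment risk ranks first on residual score even though its inherent score is below billing’s, and the operational category ends up with no engagement, which is the kind of gap the “Risks in My Organization” questions later in this unit are meant to surface.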


Risk Management Assumptions

Assumptions for Risk Management

• All organizations exist to add value for stakeholders.

• All organizations face uncertainty.

• Value is created, preserved, or eroded by management decisions.

• ERM is an enabler of the management process.

• It is interrelated to governance.

• It is interrelated to performance management.


Benefits of Risk Management

Benefits

• Aligns risk appetite and strategy

• Links growth, risk, and return

• Enhances risk response decisions

• Minimizes operational surprises and losses


Categories of Risk

Categories

• Strategic

• Operational

• Financial

• Compliance


Internal Audit Standards

Performance Standard 2120

Mandatory Guidance

2120: Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation:

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission;

• Significant risks are identified and assessed;

• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and

• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.


Case Study Activity: CMSC Strategy and Risks

Case Study

Note: There is no formal ERM at CMSC.

Instructions

• Review the CMSC strategy in the case study.

• In your group, identify the risks to this strategy and assign them to the four categories of risk.

• Select a spokesperson and debrief the class.

Worksheet columns: Broad Risks to CMSC Strategy | Risk Category


Activity: Risks in My Organization

Activity

What are the risks that are unique to your industry, organization, or geography?

Are all strategic risks identified and known to internal auditing? If not, which risks are unknown?

Are all strategic risks mapped to the audit plan?

What are the opportunities for internal auditing in the area of enterprise risk management in your organization?


Unit Conclusion

Summary

You have completed the lesson “Risk Management.” Here are some key points:

• Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives. Risk is measured in terms of impact and likelihood.

• Inherent risk is the underlying risk before any controls are applied to mitigate the risk. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to risk.

• Risk management assumes that: all organizations exist to add value for stakeholders; all organizations face uncertainty; value is created, preserved, or eroded by management decisions; and ERM is an enabler of the management process, interrelated to governance, and interrelated to performance management.

• Risk management aligns risk appetite and strategy, links growth, risk, and return, enhances risk response decisions, and minimizes operational surprises and losses.

• The categories of risk are strategic, operational, financial, and compliance.

• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.


Implications

• Risk management is a critical business process and must be in the auditable universe.

• Risk management is linked to strategy, vision, and values and interdependent on governance.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Control (and Risk) Frameworks


Introduction

Overview

How many of your organizations have deployed COSO or COSO ERM?

Objectives

By the end of this unit, you should be able to:

• Define Performance Standard 2130: Control.

• Identify the elements of COSO control and ERM frameworks.

• Identify the internal control environment factors, risk management factors, control activity factors, information and communication factors, and monitoring factors.

• Identify the limitations of internal control and limiting factors.

• Identify roles and responsibilities in internal control.


Internal Audit Standard

Performance Standard 2130: Control

Mandatory Guidance

2130: Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.


COSO Control and ERM Frameworks

COSO, the Committee of Sponsoring Organizations of the Treadway Commission (the commission that issued the Report on Fraudulent Financial Reporting), is made up of:

• American Accounting Association (AAA)

• American Institute of Certified Public Accountants (AICPA)

• Financial Executives Institute (FEI)

• Institute of Internal Auditors (IIA)

• Institute of Management Accountants (IMA)


Definition of Internal Control

Definition

Internal Control

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of reporting

• Compliance with applicable laws and regulations

(COSO)


Components of Internal Control (and ERM)

• Control (internal) environment

• Objective setting (ERM)

• Event identification (ERM)

• Risk assessment

• Risk response (ERM)

• Control activities

• Information and communication

• Monitoring


COSO Pyramid (figure not reproduced in this text)


COSO ERM Cube (figure not reproduced in this text)


Factors and Points of Focus

Internal Control Environment Factors (with Points of Focus)

Integrity and Ethical Values: Codes of conduct and other policies. “Tone at the top.” Dealings with employees, suppliers, and customers. Appropriate remedial action. Management’s attitude towards control intervention and override. Pressure to meet goals (e.g., short-term goals and compensation targets).

Commitment to Competence: Job descriptions. Analyses of knowledge and skills.

Boards and Audit Committees: Independence (questions management). Use of focused board committees. Knowledge and experience of directors. Frequency and timeliness of meetings with CFO, CAE, etc. Sufficiency and timeliness of information, including sensitive information and investigations. Oversight of executive compensation. Role in “tone at the top.”

Management’s Philosophy and Style: Nature of business risks accepted. Personnel turnover in key areas. Management’s attitude toward and concerns about financial reporting and safeguarding assets. Frequency of interaction between senior and operating management. Attitudes and actions displayed in financial reporting.

Organizational Structure: Appropriate organizational structure (e.g., information flow). Key managers understand their responsibilities and have adequate knowledge and experience. Appropriate reporting relationships. Organizational structure is modified in light of changed conditions. A sufficient ratio of supervisors to employees exists.

Authority and Responsibility: Assignment of responsibility and delegation of authority provide for accountability and control. Appropriate control-related standards exist. Sufficient numbers of skilled employees exist. Appropriate balance between getting the job done and management involvement (i.e., employees have the right level of empowerment to correct problems and implement improvements).

Human Resources Policies and Procedures: Hiring, training, promotion, compensation. Awareness of responsibilities and expectations. Background checks. Performance evaluations/salary increases. Links to integrity and ethics (e.g., remedial actions, compensation).

Risk Management’s Philosophy and Appetite: Aggressive attitude, level of attention to detail, statements about risks and acceptable losses, strategic and annual planning efforts, use of feasibility studies.


Risk Management Factors

• Objectives aligned with organization’s strategy, vision, and values

• Risks identified

• Risks assessed considering impact and likelihood

• Risk response, aligning risks with enterprise risk appetite

• Change management

• Forward-looking


Control Activities Factors

• Types of control activity: preventive, directive, manual, computer, and management

• Policies, principles, and procedures (principles were not noted in the original COSO framework)

• Integrated with risk assessment


Information and Communications Factors

Information:

• Strategic and integrated systems

• Systems support strategic initiatives

• Integration with operations

• Quality of information (e.g., data integrity, complete information, and information related to strategic objectives)

Communication:

• Internal

• External


Monitoring Factors

• Operational reports and MIS

• External parties

• Organizational structure

• Self-assessments

• Audits


Limitations of Internal Control

Limitations

• Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement

• Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved


Limiting Factors

The factors that limit the effectiveness of control activities are:

• Judgment.

• Breakdowns.

• Overrides.

• Collusion.

• Cost versus benefits.


Roles and Responsibilities

Who is Responsible?

Roles and Responsibilities

• Management owns controls.

• Management can empower others and see this as a partnership.

• Management cannot say they did not know.

• All personnel have control responsibility for their area.

• The board of directors is responsible for oversight and guidance.

• Internal auditing evaluates effectiveness.


Activity: COSO and ERM Discussion

Activity

Instructions

Consider the COSO Control and ERM Frameworks.

Discuss the following questions:

• Why do you think the COSO Control Framework was not widely embraced in 1991?

• Has your organization implemented COSO or COSO ERM? If not, what will it take to make this happen?

• How should the COSO ERM Framework be implemented?

Select a spokesperson and debrief the class.


Activity: Change the Vocabulary

Activity

Instructions

Pick five terms related to risk-based assessment and define them in easy language for others in your organization.

• From internal environment to: leadership, human resources

• From risk assessment to: strategic planning

• From control activities to: process excellence, technology, continuous improvement

• From information and communication to: technology, human resources, leadership

• From monitoring to: metrics, measurements


Unit Conclusion

Summary

You have completed the lesson on “Control and Risk Frameworks.” Here are some key points:

• The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

• Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations. Internal control is an integral part of enterprise risk management (ERM), which is the broader process; the components of internal control and ERM are: control (internal) environment, objective setting (ERM), event identification (ERM), risk assessment, risk response (ERM), control activities, information and communication, and monitoring. The COSO pyramid and COSO ERM cube are good ways to visualize internal control and ERM.

• Internal control environment factors include integrity and ethical values, commitment to competence, the board of directors and audit committee, management’s philosophy and style, the organizational structure, assignment of authority and responsibility, and human resource policies and practices. Other factors impacting internal control are risk management, control activities, information and communications, and monitoring factors.

• Internal control cannot guarantee that objectives will be met; it provides reasonable assurance that management will know the level of achievement. Internal control provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved. Internal control is limited by judgment, breakdowns, management override, collusion, and cost versus benefit.

• Within internal control, management owns controls, all personnel have control responsibility for their area, the board of directors is responsible for oversight and guidance, and the internal audit activity evaluates effectiveness of controls.



Implications

• Internal auditing must make the link between COSO frameworks, process excellence, and continuous improvement.

• Internal auditing must translate the language of control to language of management.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Entitywide Risk Assessment


Introduction

Overview

Internal auditing includes inventorying the organization’s business processes and developing a risk-based audit plan. This unit will explore both aspects of internal auditing.

Objectives

By the end of this unit, you should be able to:

• Identify Assurance Performance Standard 2130.A1.

• Identify the process for performing an entitywide risk assessment.

• Define business process.

• Identify the process of developing an audit plan.

Resources

Readings and Resources

The Case Study


Internal Audit Standard

Assurance Performance Standard 2130.A1

Mandatory Guidance

2130.A1: Evaluating adequacy and effectiveness of controls

The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.


Performing an Entitywide Risk Assessment

• Inventory the business processes, activities, or organizations that account for all organizational risks.

The risk assessment should lead to an audit universe that will probably contain units that internal auditing has never assured. Decisions about how, when, and why to assure them come later, after there is consensus within the organization that all known risks have been catalogued.

• Determine impact of inherent risk.

• Determine likelihood of inherent risk.

Some organizations will assess the impact and likelihood in separate steps using a matrix with two axes: impact and likelihood.

Some organizations will assess the impact and likelihood in a combined step.

• Weight the risk factors.

• Assign relative risk score.

• Gain consensus from the audit committee.


Business Process

Business Process Definition

Definition

Business Process — GAO

A collection of related, structured activities — a chain of events — that produces a specific service or product for a particular customer or customers.

Definition

Business Process — Anonymous

A series of actions that is definable, repeatable, and measurable and that supports the organization’s objectives.


Case Study Activity: Business Processes

Case Study

Review the case study.

In your groups, determine the critical business processes essential to manage the risks to CMSC’s strategy.

• What are the three most significant (strategic) business processes?

• Which business processes are the most fraud sensitive?

• Select a spokesperson and debrief the class.


Audit Plan

Developing an Audit Plan

• Inventory the business processes or activities.

• Establish risk factors that apply to all processes or activities.

• Risk rank the auditable universe.

• Assign workload estimates to each unit.

• Assign any coverage rules.

• Develop full coverage plan.

• Consider resources.

• Identify gaps.

• Commit to constrained resources plan.

• Gain consensus from audit committee and management.


Typical Risk Universe and Audit Plan

Example:

• An auditable unit is defined as the intersection of a business process and an organization.

• All auditable units are scored on the same six risk factors, each rated from one to seven.

• All business processes have the following three risk factors:

• Strategic importance (scored 1 through 7)

• Financial impact (scored 1 through 7)

• Image and reputation (scored 1 through 7)

• All organizations have the following three risk factors:

• Control environment (scored 1 through 7)

• Organizational stability (scored 1 through 7)

• Fraud sensitivity (scored 1 through 7)

• Scores are totaled for all six factors for all auditable units; each auditable unit has a potential risk score ranging from 6 to 42.

• Units with scores of 36 to 42 are assured annually.

• Units with scores of 30 to 35 are assured every 24 months.

• Units with scores of 24 to 29 are assured every 36 months.

• Units with scores of 6 to 23 are assured on a risk basis.
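A worked version of this scoring and coverage rule, added here as an example and not taken from the IIA guide or its case study: the six factors, the 1 to 7 scale, the 6 to 42 range and the cadence thresholds are the ones on this page; the process and organization names, the rating values, the hours per engagement and the available capacity are constructed for illustration. It carries the scored universe through the workload-estimate, resource and gap steps listed under “Developing an Audit Plan”, and rejects ratings outside the 1 to 7 scale so that a typo cannot silently push a unit into a different cycle.

```python
"""Risk-rank an audit universe and derive an assurance cadence.

Added example for this guide, not IIA code. Factor names, thresholds and the
coverage rule follow the 'Typical Risk Universe and Audit Plan' page; the
sample universe, hours and capacity below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

PROCESS_FACTORS = ("strategic_importance", "financial_impact", "image_reputation")
ORG_FACTORS = ("control_environment", "organizational_stability", "fraud_sensitivity")
MIN_RATING, MAX_RATING = 1, 7

# Coverage rule: (lowest score, highest score, months between engagements).
# None means the unit is assured on a risk basis rather than a fixed cycle.
COVERAGE_RULES = ((36, 42, 12), (30, 35, 24), (24, 29, 36), (6, 23, None))


def _check_ratings(name, ratings, expected):
    """Reject missing factors and ratings outside the 1..7 scale."""
    missing = set(expected) - set(ratings)
    if missing:
        raise ValueError(f"{name}: missing factor(s) {sorted(missing)}")
    for factor in expected:
        value = ratings[factor]
        if not isinstance(value, int) or not MIN_RATING <= value <= MAX_RATING:
            raise ValueError(f"{name}.{factor}={value!r} is not an integer 1..7")


@dataclass(frozen=True)
class AuditableUnit:
    process: str
    organization: str
    score: int                    # 6..42, sum of the six factor ratings
    cycle_months: Optional[int]   # None = assured on a risk basis


def risk_score(process_ratings, org_ratings):
    """Additive score: three process factors plus three organization factors."""
    return (sum(process_ratings[f] for f in PROCESS_FACTORS)
            + sum(org_ratings[f] for f in ORG_FACTORS))


def cycle_for(score):
    """Map a 6..42 score onto the page's coverage rule."""
    for low, high, months in COVERAGE_RULES:
        if low <= score <= high:
            return months
    raise ValueError(f"score {score} is outside 6..42")


def build_universe(processes, organizations):
    """Auditable unit = process x organization; return units risk-ranked."""
    for name, ratings in processes.items():
        _check_ratings(name, ratings, PROCESS_FACTORS)
    for name, ratings in organizations.items():
        _check_ratings(name, ratings, ORG_FACTORS)
    units = []
    for (pname, pr), (oname, orr) in product(processes.items(), organizations.items()):
        score = risk_score(pr, orr)
        units.append(AuditableUnit(pname, oname, score, cycle_for(score)))
    # Highest score first; ties broken by name so the plan is reproducible.
    units.sort(key=lambda u: (-u.score, u.process, u.organization))
    return units


def annual_hours(units, hours_per_unit):
    """Hours per year needed to honour the fixed-cycle coverage rules."""
    return sum(hours_per_unit[u.process] * 12 / u.cycle_months
               for u in units if u.cycle_months)


def plan_gap(units, hours_per_unit, capacity_hours):
    """Full-coverage requirement versus available resources (gap is 0 if none)."""
    needed = annual_hours(units, hours_per_unit)
    return needed, max(0.0, needed - capacity_hours)


# Constructed sample data (hypothetical ratings, not from the case study).
SAMPLE_PROCESSES = {
    "Revenue cycle":   {"strategic_importance": 7, "financial_impact": 7, "image_reputation": 6},
    "Human resources": {"strategic_importance": 5, "financial_impact": 4, "image_reputation": 5},
    "Facilities":      {"strategic_importance": 3, "financial_impact": 3, "image_reputation": 2},
}
SAMPLE_ORGANIZATIONS = {
    "Clinic A":         {"control_environment": 6, "organizational_stability": 6, "fraud_sensitivity": 7},
    "Corporate office": {"control_environment": 3, "organizational_stability": 4, "fraud_sensitivity": 3},
}
SAMPLE_HOURS = {"Revenue cycle": 200, "Human resources": 120, "Facilities": 80}
CAPACITY_HOURS = 400

if __name__ == "__main__":
    universe = build_universe(SAMPLE_PROCESSES, SAMPLE_ORGANIZATIONS)
    for u in universe:
        cadence = f"every {u.cycle_months} months" if u.cycle_months else "risk basis"
        print(f"{u.score:2d}  {u.process:16s} {u.organization:17s} {cadence}")
    needed, gap = plan_gap(universe, SAMPLE_HOURS, CAPACITY_HOURS)
    print(f"full coverage needs {needed:.0f} h/yr; capacity {CAPACITY_HOURS} h; gap {gap:.0f} h")
```

With the constructed data the Revenue cycle at Clinic A scores 39 and is assured annually, Facilities at the corporate office scores 18 and drops to a risk basis, and full coverage needs about 427 hours a year against a 400-hour capacity, which is the gap the plan must either fund or consciously accept.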


Activity: Resources Discussion

Activity

• What is the impact if you do not have appropriate resources?

• Do you match the plan to resources?

• What do you do about the gap?

• How do you manage audits that go over planned time?

• How do you address fraud risks in the audit plan?


Unit Conclusion

Summary

You have completed the lesson “Entitywide Risk Assessment.” Here are some key points:

• Enterprise risk management is a process, affected by an entity’s board of directors, management, and other personnel. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems.

• The process of performing an entitywide risk assessment includes these steps:

inventory the business processes, activities, or organizations that account for all organizational risks; determine the impact and likelihood of inherent risk; weigh the risk factors; assign relative risk score; and gain agreement from the audit committee.

• Business process has been defined as a collection of related, structured activities — a chain of events — that produces a specific service or product for a particular customer or customers.

• An audit plan should inventory the business processes or activities, establish risk factors that apply to all processes or activities, risk rank the auditable universe, assign workload estimates to each unit, assign any coverage rules, develop a full coverage plan, consider resources, identify gaps, commit to constrained resources plan, and gain consensus from audit committee and management.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Risk-based Audit Engagement

www.theiia.org/training - 2 -

Introduction

Overview

This unit will discuss the risks to business processes, setting up controls to manage those risks, and reporting on the results of risk-based assurance activities.

Objectives

By the end of this unit, you should be able to:

• Identify the process of performing a risk-based engagement.

• Identify the attributes of a business process definition or objective.

• Identify the risks to business processes and the associated risk events.

• Identify the four common ways to manage risk.

• Identify the definition of controls, the type of controls, and evaluation methods for controls.

• Identify internal audit standards 2210, 2210.A1, 2210.A2, 2210.A3, and 2240.

• Identify the guidelines for reporting the results of a risk-based audit engagement.

Resources

Readings and Resources

The Case Study


The Engagement

Performing the Engagement

• Reassess the risk assumptions of the auditable unit.

Validate that the process in fact has sufficient risk to warrant assuring in this audit cycle.

• Understand the business process and its objectives.

• Identify the risks to the objectives.

Usually, the client will do this in conjunction with their own process documentation.

• Measure and prioritize risks.

• Identify controls and evaluate the design.

• Develop audit objectives and program.


Business Process Objective

Definition of Objective

• Attributes:

• Clearly defined deliverable or outcome

• Includes the business event that triggers the process

• States inputs and outputs

• Includes business decisions that are part of the event response

• May indicate flow of material or information between process steps

Example:

General accounting objective: To record and report all financial transactions timely, accurately, and in accordance with GAAP and all applicable laws and regulations. Moreover, the information should be sufficiently concise, relevant, reliable, and comparable (period-to-period) to ensure ease of use by all stakeholders. The process begins with the receipt of any financial transaction and concludes when executive management and the board have accepted the results.


Case Study Activity: Objective Statement

Case Study

In your group, write a business process objective statement for the human resources process.

Use the attributes noted in your participant guide.

Select a spokesperson and be prepared to report.


Risks to Business Processes

Risks

Mandatory Guidance

Risk

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

General accounting risks:

• Material misstatements of financial records

• Regulatory challenges

• Tax errors

• Not understood by stakeholders

• Reputation

• Unauthorized or unapproved entries


Identifying Risk Events

• What could go wrong?

• Who could we fail?

• Where are we vulnerable?

• What resources do we need to protect?

• What must go right for us to succeed?

• How could our operations be disrupted?

• How do we know if we are achieving our objectives?

• What information must we rely on?

• What decisions require the most judgment?

• What activities are the most complex?

• What activities are regulated?

• What is our greatest legal exposure?

• How could someone convert assets?

• How successful will we be at managing change?

• How will we retain critical resources?


Managing Risk

Risk Management

These are four common ways to manage risk:

1. Avoid the risk (e.g., decide not to offer the product or service because the risk is higher than the organization’s risk appetite, not to enter a new geographic market due to a lack of cultural knowledge or a highly corrupt environment, or not to proceed with an acquisition because due diligence shows excessive legal liability).

2. Transfer the risk (e.g., find a partner to enter a new geographic market or purchase insurance).

3. Accept the risk because it is within the known risk appetite and cost of controls exceeds the benefit.

4. Reduce the risk through controls. This is the usual approach, with the caveat that an appropriate cost-benefit analysis should be performed to ensure that excessive controls do not create a lost-opportunity risk.


Case Study Activity: Business Process Objectives

Case Study

• Review the human resources business process for which you wrote the process objective statement.

• In your group, identify the risks to meeting those business process objectives.

• Determine which are strategic, operational, financial, or compliance.

• Determine the likelihood and impact using a high, medium, and low scale.

• Select a spokesperson and be prepared to report.


Worksheet: Risks to the Business Process

Risk category          Likelihood     Impact     Score

Strategic Risks

Operational Risks

Reporting Risks

Compliance Risks


Identifying Controls

Control Definition

Mandatory Guidance

Control

Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.


Types of Controls

Directive: Controls that encourage desirable events to occur.

Preventative: Controls that prevent undesirable events from occurring.

Detective: Controls that detect undesirable events that have already occurred.

Mitigating: Controls that compensate for a missing or costly control.


Evaluating Controls

Adequacy: Determine whether the process, as designed, provides reasonable assurance (operational auditing).

Effectiveness: Determine whether the process is functioning as intended (transactional testing).


Internal Audit Standards

2210: Engagement Objectives

Mandatory Guidance

2210: Engagement Objectives

Objectives must be established for each engagement.

Mandatory Guidance

2210.A1: Preliminary assessment of risk

Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Mandatory Guidance

2210.A2: Probability of significant errors and other exposures

Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.


Mandatory Guidance

2210.A3: Setting criteria to evaluate controls

Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.

Mandatory Guidance

2240: Engagement Work Program

Internal auditors must develop and document work programs that achieve the engagement objectives.


Case Study Activity: Entitywide and Activity-level Controls

Activity

1. Review the risks to the human resources hiring sub-process that you identified in the case study.

2. Refer to the case study.

3. Identify two or three entity wide controls you would expect to manage the risks to this process.

1.

2.

3.

4. Identify two or three activity-level controls you would expect to manage the high-risk areas you have identified.

1.

2.

3.

5. Identify one control to manage a medium- to low-risk area.

6. Determine the audit tests you would perform.

7. Agree on at least two tests you would not perform in a risk-based engagement.

8. Select a spokesperson and be prepared to report.


Worksheets: Controls to Manage the Risks

Controls                                   Test Approach

Entitywide Controls

1)

2)

3)

Activity-level Controls

1)

2)

3)

4)


Reporting the Results

Reporting the Results of Risk-based Audit Activity

• Needs assessment: Used to determine the level of the report’s readers, who the audience for the report is, and what level of detail is needed in the report.

• Reporting should be timely.

• Use language of risk rather than control and compliance: Adding value versus the old stereotypes of control and compliance.

• Management actions: Risk-based audit engagements are only complete when:

• Management understands the residual risks they need to mitigate.

• Deficiencies have been mitigated.

• The audit committee has accepted management’s actions as appropriate.


Unit Conclusion

Summary

You have completed the lesson “Risk-based Audit Engagement.” Here are some key points:

• Performing a risk-based engagement requires internal auditing to reassess the risk assumptions of the auditable unit, understand the business process and its objectives, identify the risks to the objectives, measure and prioritize risks, identify controls and evaluate the design, and develop audit objectives and a program.

• The attributes of a business process definition or objective are that it has a clearly defined deliverable or outcome, includes the business event that triggers the process, states inputs and outputs, includes business decisions that are part of the event response, and may indicate flow of material or information between process steps.

• Risk is the possibility of an event occurring that will have an impact on the achievement of objectives, and it is measured in terms of impact and likelihood. One of the best tools internal auditing has for identifying risk events is to ask questions.

• The four common ways to manage risk are: avoid, transfer, accept, and reduce to acceptable level via controls.

• A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Controls fall into four categories: directive, preventative, detective, and mitigating.

Controls are evaluated on their adequacy and effectiveness.

• Standard 2210 states that objectives must be established for each engagement.

Standard 2240 states that internal auditors must develop and document work programs that achieve the engagement objectives.

• A needs assessment should be performed to determine which readers want what level of detail. A risk-based auditing engagement has not been concluded until management has bought into the residual risk that needs remediation, has remediated the deficiency, and the audit committee has accepted management’s remediation as being appropriate.


Implications

• Audit engagements start with understanding the business process and its risks.

• Audit engagements end when the audit committee is satisfied with management’s resolution.

• Various risks need to be scored and assessed.

• Not all risks warrant testing.


Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.


Seminar Conclusion


Introduction

Overview

This unit will help you recall the key concepts and techniques we have discussed. It is also intended to enable you to plan how to use what you have learned when you return to work.

Objectives

After completing this lesson, you should be able to:

• Discuss any open items or expectations and identify your plans and next steps.

• Restate major concepts and skills learned during the seminar.


Putting It All Together

Seminar Objectives Revisited

By the end of this session, you will have had an opportunity to:

• Identify relationships between strategy, corporate governance, risk management, and controls.

• Identify key business processes and objectives.

• Produce a risk assessment.

• Produce a risk-based assurance plan.

• Describe entitywide controls and their relevance to the plan.

• Plan a risk-based engagement.

• Network with peers.


Activity: Roundtable Discussion

Activity

• What percentage of your time is spent on planning vs. field work and reporting?

• How have you marketed the internal audit function in your organization?

• Is the internal audit function in your organization demand driven?

• What is internal audit’s reputation in your organization?


Implications

• There are more key processes than internal auditing can assure on a timely schedule.

• There are more risks to process objectives than policies and procedures can manage.

• There are many controls that are not cost-effective.

• There are valuable entity-level controls that are effective and can reduce process (activity-level) controls.

• Internal audit adds exponentially more value by assuring governance, risk management, and controls that have the greatest impact on strategy.


Plan for Action

Review the topics that were discussed during the program.

Select concepts and techniques that you learned or re-emphasized that will help you accomplish the challenges you face. Be specific as to how you will use the information you have learned.


Wrap-up

Thank you for your participation!


Case Study: Adding Value for Risk-based Auditing


Community Medical Service Center

Company Background

Community Medical Services Centers (CMSC) entered the healthcare industry seven years ago.

CMSC’s founder and principal owner, Jimmy Grey Stockton, grew up in a small North Carolina town. He is concerned that many of these communities no longer have adequate medical services because their local hospital has closed or cut back on services. As a result of this concern, Mr. Stockton attracted 60 investors and created a public but closely held corporation. Ten of the investors serve on the board of directors. Mr. Stockton serves as chief executive officer (CEO) and chairman. The corporate office is located in Carthage, NC. CMSC has now grown to 12 outlets.

Mr. Stockton is from a family of health professionals. His father was, for many years, the only family practitioner in the small town where he grew up. His mother was a nurse in the community. Jimmy Grey, after military service, became a physical therapist through a program at the community college and started a practice associated with an orthopedic clinic in a neighboring town. This practice was highly successful and led to acquisitions of related health-care services in surrounding counties.

As the need for capital grew beyond family and friends, CMSC went public with an initial public offering (IPO) five years ago.

The board of directors is composed of ten original investors in addition to Jimmy Grey. They are:

• Dr. Marjorie Fisk, MD, internist

• Dr. Jim Golden, DVM, veterinarian

• Dr. Bernard Miller, OD, anesthesiologist

• Ms. Meriwether Petigru, real estate broker and owner of Sand Hills Realty

• Mr. Chester Pinkny, CEO and Chairman of First Bank of the South

• Mr. Lad Powell, retired attorney whose previous law firm acts as counsel to CMSC

• Mr. Bruce Ray, CPA, partner in a local public accounting firm

• Mr. Larry Scoggins, real estate developer and entrepreneur

• Lt. Col. Tommy Lee White, USMC retired

• Mr. Hunter Winfrey, owner of Hunter’s Fish Camp
