Risk based internal auditing * an introduction slides of figures and

advertisement
Risk based
internal auditing
– an introduction
Slides of figures
and appendices
©David M Griffiths
©David M Griffiths
www.internalaudit.biz
Risk based internal auditing – an introduction
slides of figures and appendices
• The following slides are those used in the
book Risk based internal auditing – an
introduction available from
www.internalaudit .biz
• The slides of figures are:
–
–
–
–
–
–
–
–
–
1
2
3
4
5
6
7
8
9
Internal auditing objectives
Grid for significance risks
Stages of an audit
RBIA documentation
Processes involved in stage 2
Grid for frequency of audits
Factors to reduce inherent risk scores risks
Processes involved in stage 3
Grid for significance of residual risks
• Slides of appendices are
–
–
–
–
–
A Internal auditing objectives
B Hierarchy of objectives, risks and controls
C Process map
E Grid for risk workshop
J Stages of an internal audit
–
Other appendices are on the excel spreadsheet RBIA introduction excel v3
©David M Griffiths
www.internalaudit.biz
Internal auditing objectives
(Figure 1 and appendix A)
The
management
of an
organisation
have
Objectives
Internal auditing
provides an independent and
objective opinion to an
organisation’s management as to
whether its risks are being managed
to acceptable levels.
The main aim of internal
auditing is to assist the
organisation to achieve its
objectives
An
internal control
is a process which
manages a risk
A
risk
is a set of
circumstances
that hinder the
achievement of
objectives
©David M Griffiths
www.internalaudit.biz
Probable (4) Almost certain (5)
4
Acceptable
Supplementary
Issue
Possible (3)
IR
10
Issue
3
Acceptable
Supplementary
Issue
9
Issue
Unlikely (2)
5
Supplementary
Issue
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2
Acceptable
3
Acceptable
4
Acceptable
5
Issue
Rare(1)
8
6
Insignificant (1)
Minor (2)
15
20
25
Unacceptable
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
12
Issue
15
Internal control
Likelihood of risk
2 Grid for significance of risks
RR
Moderate (3)
Major (4)
Unacceptable
Catastrophic (5)
Consequence of risk
Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
Risk appetite, as defined by the board
IR = Inherent Risk
RR = Residual Risk
Fig.2 Grid showing the significance of risks
©David M Griffiths
www.internalaudit.biz
3 Stages of an audit
Management's
Risk Register
(if available)
Risk Enabled
Risk Naive
Risk Aware
Assess risk
maturity
Risk Managed
Stage 1
Risk Defined
Facilitate risk
identification
Audit universe
Management's
Risk Register
(amended)
Use organisation's
risks
Assign risks to
audits
Stage 2
Risk and audit
universe
(RAU)
Audit plan
Audit Committee
report
Individual audit
Audit report
Feedback results
into RAU
Fig 3 Stages of an audit
©David M Griffiths
www.internalaudit.biz
Stage 3
4 RBIA documentation
risk and audit
universe
audit databases
objectives
objectives
risks
risks
scores
scores
controls
controls
last audits
tests
Audit
Committee
report
audit
reports
Fig. 4 RBIA documentation
©David M Griffiths
www.internalaudit.biz
5 Processes involved in stage 2
Risk Register
(audited)
Risks on which
assurance is provided
by others
Risks within the risk
appetite
Filter risks
Risks not requiring an
audit in this period
Risks which will be
tolerated
Risks on which
assurance is
required
Categorise risks
Audit Universe
Link risks to
audits
Risk and Audit
Universe
Select risks to
be covered
Alllocate
resources to
audits
Audit plan
©David M Griffiths
Fig 5
www.internalaudit.biz
Processes
involved in Stage 2
Audit Committee
report
10
Every two
years
4
Never
8
12
Every three
years
Every two
years
Possible (3)
3
Never
6
9
12
Every three
years
Every two
years
Every two
years
Unlikely (2)
Probable (4) Almost certain (5)
5
Every three
years
2
Never
4
Never
6
8
10
Every three
years
Every three
years
Every two
years
1
Never
2
Never
3
Never
4
Never
Every three
years
Rare(1)
Likelihood of inherent risk
6 Grid for frequency of audits
Insignificant (1)
Minor (2)
15
20
25
Every year
Every year
Every year
Moderate (3)
16
20
Every year
Every year
Major (4)
15
Every year
5
Catastrophic (5)
Consequence of inherent risk
Fig. 6 Grid for the frequency of audits
©David M Griffiths
www.internalaudit.biz
3 years
0.75
1
1
2 years
0.5
0.75
1
0.25
0.5
0.75
1 year
Time since last audit
7 Factors to reduce inherent risk scores risks
Green
Amber
Red
Audit result
Fig. 7 Factors to reduce inherent risk scores
©David M Griffiths
www.internalaudit.biz
8 Processes involved in stage 3
Audit plan
Define draft audit
scope
Examine the risk
management process
for the area audited
Conclude on risk
maturity for the
area audited
Decide on audit
approach
Meetings to determine
objectives, risks and
agree scope
Agreed scope
Obtain relevant
documentation on
processes
Risk and audit universe
©David M Griffiths
Set up an audit database
to record the audit
details, or update the
Risk and Audit Universe
www.internalaudit.biz
Audit
database
4
Acceptable
Supplementary
Issue
15
20
25
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
Possible (3)
10
Issue
3
Acceptable
Supplementary
Issue
9
Issue
12
Issue
Unacceptable
Unlikely (2)
Probable (4) Almost certain (5)
5
Supplementary
Issue
Unacceptable
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2
Acceptable
3
Acceptable
4
Acceptable
Supplementary
Issue
Rare(1)
Likelihood of residual risk
9 Grid for significance of residual risks
8
6
Insignificant (1)
Minor (2)
Moderate (3)
Major (4)
15
5
Catastrophic (5)
Consequence of residual risk
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
Risk appetite, as defined by the board
Fig. 9 Grid for the significance of residual risks
©David M Griffiths
www.internalaudit.biz
Hierarchy of objectives, risks and controls
(Appendix B)
Objective level 1
Relieve famine in
central Africa
Risks level 1
No clear
strategy as
to how to
achieve our
objective
Unable to
predict where
and when
famines will
occur
Set up a
system which
enables us to
predict
famine areas
Unable to
obtain food
Unable to
deliver the
food to the
starving
Do not have
the staff and
systems to
support the
operation
Set up
agreements
with donors
to obtain
food
Establish a
supply chain to
ensure prompt
delivery of food
to the highest
priority area
Establish
functions to
support the
field
operations
Objective level 2
Devise a
strategy for
the next five
years to
deliver our
objectives
Don't distribute food
efficiently and
effectively
Risks Level 2
Objective level 3
Insufficient
lorries to
transport
grain
Fuel not
available
for lorries
Arrange land
transport
Lorries
break
down
Insufficient
drivers
Roads are
impassable
Do not know
where food is
required
most urgently
Lorries to
be properly
maintained
Identify
how to
recruit at
short
notice
Set up
possible
alternative
routes
Set up
strategy for
prioritizing
camps
Internal controls
Decide how
future needs
are to be
met, by
local carrier
or own
lorries
Attempt to
buy in
stocks
©David M Griffiths
www.internalaudit.biz
Objectives map
(appendix C)
objective
Relieve famine in
central Africa
Level 2 objectives
1
Devise a
strategy for
the next five
years to
deliver our
objectives
2
Set up a
system which
enables us to
predict
famine areas
3
Set up
agreements
with donors
to obtain
food
4
Establish
delivery
systems to
deliver food
when and
where it is
required
5
Establish
functions to
support the
field
operations
Level 3 objectives
1.1
The trustees
of the charity
define the
future aims
and plans
1.2
Tell all staff
about the
strategy
1.3
The strategy
is converted
into targets
and action for
all staff
1.4
Aims and
plans to be
regularly
updated
4.1
Arrange sea
transport
5.1
Raise money
5.2
Provide
financial
advice
©David M Griffiths
5.3
Provide
transaction
processing
4.2
Arrange land
transport
5.4
Provide legal
services
www.internalaudit.biz
5.5
Provide
information
technology
5.6
Provide human
resources
Grid for risk workshop
4
Acceptable
Supplementary
Issue
2
1
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
3
Acceptable
Supplementary
Issue
9
Issue
12
Issue
15
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2 3
Acceptable
3
Acceptable
4
Acceptable
5 4
Issue
Insignificant (1)
8
6
Minor (2)
Moderate (3)
Major (4)
Consequence of risk
©David M Griffiths
www.internalaudit.biz
25
5
20
Possible (3)
10
Issue
Unlikely (2)
Probable (4) Almost certain (5)
5
Supplementary
Issue
15
Rare(1)
Likelihood of risk
(appendix E)
Unacceptable
6
Unacceptable
Catastrophic (5)
Stages of an internal audit (appendix J)
The
Internal auditing
of an
organisation
have
Internal auditing: provides an
independent and objective opinion to
an organisation’s management as to
whether its risks are being managed
to acceptable levels.
management
5
Objectives
1
The
audit
4
An
internal control
is a process which
manages a risk
A
risk
is a set of
circumstances
that hinder the
achievement of
objectives
©David M Griffiths
3
2
Significant risks generate
the audit plan
www.internalaudit.biz
Download