[Figure: Blended Training cycle. Steps I, II, III: Conventional training. Step IV: Video summaries produced & distributed. Step V: Content accessed on demand. Step VI: Monitor viewership and identify areas for further training.]

How To Plan a Risk Based Audit
Robert L. Mainardi, CFSA, CRMA, MBA, Six Sigma
President & Founder, Mainardi & Company
215.760.1130 / robert@mainardicompany.com / mainardicompany.com
Educating Professionals

Topics
• Identifying business process objectives
• Key client communication and partnership
• Define risk and how to rate the likelihood and significance
• Techniques to manage identified risks
• Define control and learn to identify, design and evaluate them
• Understand control types
• Identify control techniques and their advantages and disadvantages
• Link objectives, risks, and controls to plan the audit

Business Objective: Honest Assessments
• What is the business objective?
• Where does it come from?
• Is it easily identified?

Business Objective Defined
• Represents the purpose
  • Not the mission statement
  • Not the task(s)
• Challenging client discussion

Critical Phases: Stage Gates
• Planning
• Fieldwork
• Reporting
• Follow Up (Action Plans)

Critical Phases: Planning
• Understanding the Business
• Documenting Risk & Controls
• Developing the Test Approach

Planning Phase: Understanding the Business
• Developing Business Knowledge
• Understanding the “Rules”
• Identifying Key Systems

Understand the Business: Developing Business Knowledge
• Independent research
• Previous audit activity and results
• External exams and results
• Outstanding action items
• SIPOC
• Walkthroughs
• Process maps

Business Knowledge: SIPOC
• Suppliers: kick off the process
• Inputs: feed the process
• Process: execution
• Outputs: product of the process
• Clients: recipient
Understand the Business: Understanding the “Rules”
• Policies and procedures
• Current communication network
• Established “work-arounds”
• Transaction requirements
• New laws and regulations

Understand the Business: Identifying Key Systems
• Technology requirements
• Identifying operating systems
• Origin of data in the systems
• Import/export process
• Third party agreements

Risk & Controls: Requirements
• Understanding risk
• Communication with the process owner
• Risk & control matrix development

Risk Definition: Risk Measurement
• Likelihood
• Significance (impact)

Assessing Risk: Four Phases of Risk Assessment
• Risk Identification
• Risk Measurement
• Risk Prioritization
• Risk Management

Phase Definitions
• Risk Identification: identifying and classifying business risks and their characteristics.
• Risk Measurement: measuring the severity of consequences and the likelihood of the risk occurring.
• Risk Prioritization: determining which risks are more critical to the organization and its achievement of objectives.
• Risk Management: ensuring control procedures adequately address the risks identified.

Risk Identification
Ask: What could keep the business unit from achieving its objectives?
• Barrier
• Obstacle
• Hurdle

Risk Measurement: True Measures
A formal scale must be created to measure the risks. The scale can be numerical or qualitative (H, M, L). The key is to remain consistent in your application of the scores assigned.

Risk Prioritization: Risk Ranking
The prioritization of risks depends on the combination of the severity of the consequences and the likelihood of the risk event occurring.
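The risk measurement and prioritization steps above can be made concrete with a small risk register. The following Python is an added example written for this page, not material from the presentation or from Mainardi & Company. It assumes a three-point H/M/L scale applied identically to likelihood and significance, combines the two by multiplication, and rejects any rating that is not on the agreed scale so that the scores stay consistent across the register. The accounts-payable risks in the sample register are constructed for illustration.

```python
"""Risk measurement and prioritization for a risk-based audit plan (added example)."""
from dataclasses import dataclass
from typing import Iterable

# One formal scale, used for BOTH likelihood and significance (assumption: 3-point H/M/L).
SCALE = {"L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class Risk:
    objective: str      # the business objective this risk could block
    description: str    # the barrier / obstacle / hurdle identified
    likelihood: str     # "L", "M" or "H"
    significance: str   # "L", "M" or "H" (impact)


def rating(value: str, risk: Risk, field: str) -> int:
    """Translate one H/M/L rating to its numeric score, refusing anything off the scale."""
    key = value.strip().upper()
    if key not in SCALE:
        raise ValueError(
            f"{field} rating {value!r} for risk {risk.description!r} is not on the agreed scale"
        )
    return SCALE[key]


def score(risk: Risk) -> int:
    """Risk score = likelihood x significance on the shared scale (range 1..9)."""
    return rating(risk.likelihood, risk, "likelihood") * rating(risk.significance, risk, "significance")


def tier(risk_score: int) -> str:
    """Map a score onto the priority band used when documenting the control matrix."""
    if risk_score >= 6:
        return "High"
    if risk_score >= 3:
        return "Medium"
    return "Low"


def prioritize(risks: Iterable[Risk]) -> list[tuple[Risk, int]]:
    """Rank risks from most to least critical.

    Ties on the combined score are broken by significance (a severe, unlikely event
    outranks a trivial, frequent one), then by description so the order is stable.
    """
    scored = [(r, score(r)) for r in risks]
    scored.sort(key=lambda rs: (-rs[1], -rating(rs[0].significance, rs[0], "significance"),
                                rs[0].description))
    return scored


# Constructed sample register for a hypothetical accounts-payable objective.
SAMPLE_REGISTER = [
    Risk("Pay only valid vendor invoices", "Duplicate vendor payments", "M", "H"),
    Risk("Pay only valid vendor invoices", "Unauthorized vendor master changes", "L", "H"),
    Risk("Pay only valid vendor invoices", "Late invoice posting", "H", "L"),
    Risk("Pay only valid vendor invoices", "Misclassified expense category", "L", "L"),
]


def ranked_descriptions(risks: Iterable[Risk]) -> list[str]:
    """Convenience view: descriptions in priority order."""
    return [r.description for r, _ in prioritize(risks)]


if __name__ == "__main__":
    for r, s in prioritize(SAMPLE_REGISTER):
        print(f"{s}  {tier(s):6}  {r.description}")
```

Scores are only meaningful when every risk in the register was rated with the same scale by the same rules, which is why the scorer raises on an unknown rating instead of silently treating it as low. The resulting order and tier feed straight into the objective / risk / rating columns of the control matrix.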
Risk Management: Addressing Risk
• Accept the risk
• Minimize the risk
• Transfer the risk
• Reject the risk

Definition of Control
Control: any action taken by management to enhance the likelihood that established objectives will be achieved. Results from proper planning, organizing, and directing by management.

Control Types
• Preventative
• Detective
• Directive
• Mitigating
• Active
• Passive
• Formal (hard)
• Informal (soft)

Hard Controls: Examples
• Policies and Procedures
• Laws and Regulations
• Organization Structure
• Formal Processes
• Formal Approval Process

Soft Controls: Examples
• Leadership
• Trust and Shared Values
• Communication
• Competence
• Accountability

Control Limits: Enemies of Internal Control
• People
• Time
• Judgment
• Overrides/work-arounds

Documenting the Risk Assessment: Control Matrix
• Process objective
• Risk & ratings
• Existing controls
• Testing approach

The Test Approach: Testing Objectives
• Why is the testing being performed
• Single or multiple objectives
• Clearly communicated & understood
• Focused
• Feasible

The Test Approach: Program Development
• Identification of significant risks
• Objective-based
• Value focused testing
• Recipe for test step details

The Test Approach: Scope
• Timeframe
• Specific inclusions
• Detailed exclusions
• Data availability

The Test Approach: Criteria & Attributes
• Testing guidelines
• Processing standard
• Requesting supporting docs
• Determine acceptable performance

Audit Execution: Final Steps
• Executing the plan
• Communicating the results
• Finalizing the project
• Survey/action item follow up

Questions?
Robert L. Mainardi, CFSA, CRMA, MBA, Six Sigma
215.760.1130 / Robert@mainardicompany.com / Mainardicompany.com
© Mainardi & Company