Risk based internal auditing – an introduction
Slides of figures and appendices
©David M Griffiths www.internalaudit.biz

Risk based internal auditing – an introduction: slides of figures and appendices
• The following slides are those used in the book Risk based internal auditing – an introduction, available from www.internalaudit.biz
• The slides of figures are:
 – 1 Internal auditing objectives
 – 2 Grid for significance of risks
 – 3 Stages of an audit
 – 4 RBIA documentation
 – 5 Processes involved in stage 2
 – 6 Grid for frequency of audits
 – 7 Factors to reduce inherent risk scores
 – 8 Processes involved in stage 3
 – 9 Grid for significance of residual risks
• The slides of appendices are:
 – A Internal auditing objectives
 – B Hierarchy of objectives, risks and controls
 – C Process map
 – E Grid for risk workshop
 – J Stages of an internal audit
 – Other appendices are on the Excel spreadsheet RBIA introduction excel v3

Internal auditing objectives (Figure 1 and appendix A)
The management of an organisation have objectives.
Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.
The main aim of internal auditing is to assist the organisation to achieve its objectives.
An internal control is a process which manages a risk.
A risk is a set of circumstances that hinder the achievement of objectives.
[Fig. 1 diagram: management's objectives, the risks to them, the internal controls that manage those risks, and internal auditing's opinion on whether the risks are managed to acceptable levels]

Grid for significance of risks (Figure 2)
Rows: likelihood of risk. Columns: consequence of risk. Each cell shows the risk score (likelihood × consequence) and the rating given to it on the slide:

Likelihood \ Consequence   Insignificant (1)        Minor (2)                Moderate (3)             Major (4)                Catastrophic (5)
Almost certain (5)         5  Supplementary Issue   10 Issue                 15 Unacceptable          20 Unacceptable          25 Unacceptable
Probable (4)               4  Acceptable            8  Supplementary Issue   12 Issue                 16 Unacceptable          20 Unacceptable
Possible (3)               3  Acceptable            6  Supplementary Issue   9  Issue                 12 Issue                 15 Unacceptable
Unlikely (2)               2  Acceptable            4  Acceptable            6  Supplementary Issue   8  Supplementary Issue   10 Issue
Rare (1)                   1  Acceptable            2  Acceptable            3  Acceptable            4  Acceptable            5  Issue

The risk appetite, as defined by the board, is drawn as a line across the grid. The slide also plots an inherent risk (IR) and, after an internal control, the resulting residual risk (RR).
– Unacceptable: Immediate action required to manage the risk
– Issue: Action required to manage the risk
– Supplementary issue: Action is advisable if resources are available
– Acceptable: No action required
IR = Inherent Risk, RR = Residual Risk
Fig. 2 Grid showing the significance of risks

Stages of an audit (Figure 3)
– Stage 1: Assess risk maturity (risk naive, risk aware, risk defined, risk managed or risk enabled), starting from management's risk register (if available). Either facilitate risk identification or use the organisation's risks, producing management's risk register (amended).
– Stage 2: Build the audit universe and assign risks to audits to form the risk and audit universe (RAU); produce the audit plan and the Audit Committee report.
– Stage 3: Carry out each individual audit, issue the audit report and feed the results back into the RAU.
Fig 3 Stages of an audit

RBIA documentation (Figure 4)
– Risk and audit universe: objectives, risks, scores, controls, last audits
– Audit databases: objectives, risks, scores, controls, tests
– Audit Committee report
– Audit reports
Fig. 4 RBIA documentation

Processes involved in stage 2 (Figure 5)
– Start from the risk register (audited).
– Filter risks into: risks on which assurance is provided by others; risks within the risk appetite; risks not requiring an audit in this period; risks which will be tolerated; and risks on which assurance is required.
– Categorise risks to form the audit universe.
– Link risks to audits to form the risk and audit universe.
– Select the risks to be covered and allocate resources to audits, producing the audit plan and the Audit Committee report.
Fig 5 Processes involved in Stage 2

Grid for frequency of audits (Figure 6)
Rows: likelihood of inherent risk. Columns: consequence of inherent risk. Each cell shows the inherent risk score and how often the risk is audited:

Likelihood \ Consequence   Insignificant (1)      Minor (2)              Moderate (3)           Major (4)              Catastrophic (5)
Almost certain (5)         5  Every three years   10 Every two years     15 Every year          20 Every year          25 Every year
Probable (4)               4  Never               8  Every three years   12 Every two years     16 Every year          20 Every year
Possible (3)               3  Never               6  Every three years   9  Every two years     12 Every two years     15 Every year
Unlikely (2)               2  Never               4  Never               6  Every three years   8  Every three years   10 Every two years
Rare (1)                   1  Never               2  Never               3  Never               4  Never               5  Every three years

That is: scores 1 to 4 are never audited; 5 to 8 every three years; 9 to 12 every two years; 15 to 25 every year.
Fig. 6 Grid for the frequency of audits

Factors to reduce inherent risk scores (Figure 7)
Rows: time since last audit. Columns: audit result. The cell is the factor applied to the inherent risk score:

Time since last audit   Green   Amber   Red
1 year                  0.25    0.5     0.75
2 years                 0.5     0.75    1
3 years                 0.75    1       1
Fig. 7 Factors to reduce inherent risk scores

Processes involved in stage 3 (Figure 8)
– Start from the audit plan and define the draft audit scope.
– Examine the risk management process for the area audited and conclude on risk maturity for the area audited.
– Decide on the audit approach.
– Hold meetings to determine objectives, risks and agree scope, producing the agreed scope.
– Obtain relevant documentation on processes.
– Set up an audit database to record the audit details, or update the risk and audit universe.
Fig. 8 Processes involved in stage 3

Grid for significance of residual risks (Figure 9)
Rows: likelihood of residual risk, Rare (1) to Almost certain (5). Columns: consequence of residual risk, Insignificant (1) to Catastrophic (5). The scores are the same as in the grid for significance of risks (likelihood × consequence, 1 to 25). Ratings shown on the slide: scores 1 to 4 Acceptable; 5, 6 and 8 Supplementary Issue; 9, 10 and 12 Issue; 15, 16, 20 and 25 Unacceptable. The risk appetite, as defined by the board, is drawn as a line across the grid.
– Unacceptable: Immediate action required to control the risk
– Issue: Action required to control the risk
– Supplementary issue: Action is advisable if it is cost-effective
– Acceptable: No action required
Fig. 9 Grid for the significance of residual risks

Hierarchy of objectives, risks and controls (Appendix B)
Objective level 1: Relieve famine in central Africa
Risks to the level 1 objective:
– No clear strategy as to how to achieve our objective
– Unable to predict where and when famines will occur
– Unable to obtain food
– Unable to deliver the food to the starving
– Do not have the staff and systems to support the operation
Objective level 2 (each addressing one of the level 1 risks):
– Devise a strategy for the next five years to deliver our objectives
– Set up a system which enables us to predict famine areas
– Set up agreements with donors to obtain food
– Establish delivery systems to deliver food when and where it is required (also shown on the slide as: Establish a supply chain to ensure prompt delivery of food to the highest priority area)
– Establish functions to support the field operations
Risks to the delivery objective:
– Unable to obtain space on ships
– Insufficient lorries to transport grain
– Lorries break down
– Insufficient drivers
– Roads are impassable
– Do not know where food is required most urgently
Objective level 3 (each addressing one of the delivery risks):
– Establish contacts with shipping companies to anticipate problems
– Decide how future needs are to be met, by local carrier or own lorries
– Lorries to be properly maintained
– Identify how to recruit at short notice
– Set up possible alternative routes
– Set up strategy for prioritizing camps

Objectives map (Appendix C)
Level 1 objective: Relieve famine in central Africa
Level 2 objectives:
1 Devise a strategy for the next five years to deliver our objectives
2 Set up a system which enables us to predict famine areas
3 Set up agreements with donors to obtain food
4 Establish delivery systems to deliver food when and where it is required
5 Establish functions to support the field operations
Level 3 objectives:
1.1 Agree a strategy
1.2 Communicate strategy
1.3 Deliver strategy
1.4 Update strategy
4.1 Establish contacts with shipping companies to anticipate problems
4.2 Decide how future needs are to be met, by local carrier or own lorries
4.3 Lorries to be properly maintained
4.4 Identify how to recruit drivers at short notice
4.5 Set up possible alternative routes for delivery
4.6 Set up strategy for prioritizing camps
5.1 Raise money
5.2 Provide financial advice
5.3 Provide transaction processing
5.4 Provide legal services
5.5 Provide information technology
5.6 Provide human resources

Grid for risk workshop (Appendix E)
The same likelihood × consequence grid as Figure 2: rows are likelihood of risk, Rare (1) to Almost certain (5); columns are consequence of risk, Insignificant (1) to Catastrophic (5); cells carry the score (1 to 25) and its rating (Acceptable, Supplementary Issue, Issue or Unacceptable). Numbered markers 1 to 6 are placed on the grid.

Stages of an internal audit (Appendix J)
The same diagram as Figure 1, with its elements numbered 1 to 5:
The management of an organisation have objectives. A risk is a set of circumstances that hinder the achievement of objectives. An internal control is a process which manages a risk. Significant risks generate the audit plan, which leads to the audit. Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.