Operational Audits and Risk Based Auditing

OPERATIONAL AUDITS AND RISK BASED AUDITING
Bob Rudloff, CIA, CFE, CRMA
Vice President, Internal Audit
MGM Resorts International
Agenda
• Introductions
• Objectives
• Overview of Risk and Risk Assessment
• Risk Assessment Framework
• Impact on the Profession
• Questions
What Would You Like to Accomplish?
• What are the concerns or questions you have?
• What are the roadblocks to risk assessment you are facing?
• What would help you better assess risk today?
• What would you like to be doing differently?
Ten To-Dos for Audit Committees
#6: Make sure Internal Audit is properly focused and fully utilized.
Help refine internal audit’s role—and focus internal audit’s activities on key areas of risk, as well as risk management generally…
Source: KPMG Audit Committee Institute
CBOK 2010: Change in Focus of Internal Audit in Next Five Years
• Operational Audits
• Corporate Governance
• Enterprise Risk Management
• Strategic Reviews
• Ethics Audits
• Migration to IFRS
• Compliance Audits
• Audits of Financial Risk
• Fraud Investigations
• Evaluations of Internal Controls
Forbes Insights Survey
On behalf of Ernst & Young
However…
• IA helps the organization achieve business objectives? 44%
• Strong link between IA and enterprise risk functions? 43%
• Process improvement recommendations are implemented? 42%
• IA plays an important role in gathering business intelligence and sharing leading practices? 38%
• IA acts as a business advisor as evidenced by requests from the business for assistance? 36%
• IA attracts future leaders and high potential talent from the business? 32%
Forbes Insights Survey
On behalf of Ernst & Young
Are you receiving the performance you expect from your internal audit investment? 87% Yes
Do you believe there is an opportunity to improve your organization’s internal audit function? 74% Yes … we are spending too much.
2010 State of the Internal Audit Profession PwC Survey
The 2010 survey data supports the notion that internal audit
departments have made significant change and that they have
the right priorities, but that there is still a critical performance
gap in achieving the key attributes of high-performing internal
audit functions. Some of this may be due to a critical dilemma
we observe in the field in discussions we have had with CFOs
and audit committee members.
They often have a sense that their internal audit function could
and should deliver more value, but they are unsure as to what
that is or how they should do it.
REAL WORLD RISK ASSESSMENT
Risk Assessment: Felix Baumgartner
Risk Assessment: Erik Weihenmayer
Risk Assessment: Cynthia Cooper
AUDIT RISK ASSESSMENT: WHAT IS IT?
Table Discussion
What Does Risk Assessment Mean in Your Organization?
Audit Risk Assessment
• Audit risk assessment is a stage in the audit planning process.
• Audit risk assessment is part of the series of controls which are used to manage the integrity of an audit, and to determine when and how audits should be conducted, and by whom.
• Audit risk consists of several components:
1. the likelihood that a material misstatement will be made,
2. the risk that the misstatement will not be caught by internal controls, and
3. the risk that the misstatement will not be caught by an auditor.
Audit Risk Assessment
• Risk assessments performed by internal auditors are entirely different from the risk assessments performed by independent auditors.
• Risk assessments use various elements:
• Changes in volume, management, technology and other factors
• Knowledge of the business and experience
• Time since the last audit and known issues
• Potential of loss
• Requests of management
• Financial exposure
WHY ASSESS RISK?
Why Assess Risk?
Business Universe
Why Assess Risk?
Risk Ranked Business Universe (plotted by Impact and Likelihood)
Why Assess Risk?
Available Resources: 16,000 hr
Audit Needs: 82,000 hr
NOW WHAT?
Table Discussion
What is new in your organization today when compared to one year ago?
What are our goals?
Helping you RIGHT SIZE your audits by…
• Aligning Internal Auditing with the organization’s priorities and expectations.
• Identifying and assessing risks.
• Determining the right scope of an audit.
• Optimizing audit effort to more effectively achieve audit objectives.
• Seeing below the surface and getting at what’s important.
Risk ... What is it?
• The possibility that an event will occur and adversely
affect the achievement of objectives. (COSO definition)
• The possibility of an event occurring that will have an
impact on the achievement of objectives. Risk is
measured in terms of impact and likelihood.
(IIA Standards—glossary definition)
• Risk is anything that could impact the achievement of
objectives – not only negative impacts but also the risk of
missed opportunities.
Risk …What Type of Risk Is It?
• Hazard Risk is the risk associated with
negative occurrences, and could include
issues surrounding regulatory noncompliance,
fraud or waste, significant accounting errors,
or damage to the Company’s image.
• Uncertainty is the risk associated with not
meeting shareholder, employee, supplier,
regulator, creditor, analyst, or others’
expectations, and can be impacted by both
Hazard Risk and Opportunity Risk.
• Opportunity Risk is the risk associated with
failing to exploit opportunities smartly, and
could include not pursuing a viable growth
strategy, pursuing a flawed growth strategy, or
not managing opportunities as effectively as
anticipated.
Risk …What Type of Risk Is It? Hazard, Uncertainty, Opportunity
What is the goal of Risk Assessment?
Risk Assessment should…
• Consider internal as well as external factors that could
impact the achievement of objectives.
• Analyze the risks and provide a basis for managing them.
• Allow auditors to focus their efforts based upon RISK to
be more efficient.
• Include consideration of the technology supporting
business processes and objectives.
• Be adapted to fit the pace of change in the organization
and the world.
IIA Standards: Risk Management
2010—Planning
(per International Internal Audit Standards Board, September 2012)
The chief audit executive must establish a risk-based plan to determine
the priorities of the internal audit activity, consistent with the
organization’s goals.
Interpretation:
The CAE is responsible for developing a risk-based plan. The CAE takes into
account the organization’s risk management framework, including using risk
appetite levels set by management for the different activities or parts of the
organization. If a framework does not exist, the CAE uses his/her own
judgment of risks after consideration of input from senior management and the
board. The CAE must review and adjust the plan, as necessary, in response to
changes in the organization’s business, risks, operations, programs, systems,
and controls.
IIA Standards: Risk Management
2120—Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the
improvement of risk management processes.
• 2120.A1 – The internal audit activity must evaluate risk exposures relating to
the organization’s governance, operations, and information systems.
• 2120.A2 – The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud.
• 2120.C1 – During consulting engagements, internal auditors must address
risk consistent with the engagement’s objectives and be alert to the existence
of other significant risks.
• 2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
• 2120.C3 – When assisting management in establishing or improving risk
management processes, internal auditors must refrain from assuming any
management responsibility by actually managing risks.
Signs for a Risk Makeover
1. Audit plan is restricted to what “IA can audit today” vs. what “IA should audit tomorrow.”
2. Audit plan includes repetitive, low-value audits.
3. SOX and administrative time make up a significant part of the audit plan.
4. Audit plan is not updated frequently enough to adapt to the changing risk profile or new initiatives.
5. Internal audit and senior management have very different views on risk priorities.
6. Key processes, programs, and initiatives are not linked to the Company’s strategic objectives.
7. Audit plan excludes coverage of emerging risks or catastrophic “Black Swan” events that could impact the company’s reputation.
Risk Assessment Framework
1. Gain Understanding of the Control Environment: Understand entity objectives and identify significant changes to operations/control environment.
2. Identify Relevant Risks: Develop audit scope and objectives based on risk assessment results.
3. Assess Relevant Risks: Rate and prioritize business, financial, operational, and compliance risks.
4. Develop Risk-based Audit Strategy: Develop audit scope and objectives based on risk assessment results.
Understand the Control Environment
• Understand Business Objectives
• Understand strategy, goals, objectives and organizational
structure
• Review prior audit reports, issues, deficiencies
• Identify significant changes to operations or control
environment
Levels: Company-wide → Business Unit → Audit or Department → Function
Bottom-up Approach (Traditional Approach): Based on stakeholder interviews and analysis. Focus is on coverage of risk areas, locations, and operations.
RISK: Interviews usually not focused on obtaining the right level of information.
Define Auditable Business Units → Identify Risks within Auditable Business Units → AUDIT PLAN
Top-down Approach: Coverage is driven by issues that directly impact business objectives with a clear link to strategy.
Identify Management’s Objectives → Understand Relevant Inherent Risks (Strategic, Financial, Operational, Compliance) → Evaluate Impact on Management’s Objectives → AUDIT PLAN
Risk Categories
Assess Relevant Risks
Rate the likelihood of the Risk occurring → Rate the Impact of the Risk should it occur → Calculate the Risk
Risk Likelihood
• For identified transactions or operating areas, exercise judgment about the likelihood of the risk occurring.
• Is the likelihood Remote … Probable … Certain?
• Conclude whether the nature of the risk, its potential magnitude, and the likelihood of it actually occurring represent a key risk requiring special audit consideration.
• Don’t forget Emerging Risks.
Risk Impact
• Is the impact Negligible … Significant … Severe?
• Is the Risk preventable … controllable … manageable?
Rating Scale
HIGH
Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on operations, assets, or people.
Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is highly likely (over 75%) and capable of happening in the next 24 months.
MEDIUM
Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on operations, assets, or people.
Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is likely (25% – 75%) and capable of happening in the next 24 months.
LOW
Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on operations, assets, or people.
Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is remotely possible (less than 25%) or may not be capable of happening in the next 24 months.
Risk Heat Map (cell value = Impact rating × Likelihood rating)
Impact \ Likelihood:   Remote (1)   Probable (3)   Almost Definite (5)
Severe (5):                5            15                25
Significant (3):           3             9                15
Negligible (1):            1             3                 5
Impact and Likelihood
High Impact, High Likelihood: High Risk (MITIGATE & CONTROL)
High Impact, Low Likelihood: Medium Risk (SHARE RISK)
Low Impact, High Likelihood: Medium Risk (CONTROL RISK)
Low Impact, Low Likelihood: Low Risk (ACCEPT RISK)
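The slides above give the rating scale, the heat map and the four responses, and the earlier "Why Assess Risk?" slide gives the resource gap (16,000 hr available against 82,000 hr of audit needs) that the ranking has to resolve. The script below is an added example, not part of the presentation or of MGM's methodology: it scores a constructed audit universe with the deck's 1/3/5 ratings, assigns the 2x2 response, and then funds engagements in risk order until the hours run out. The universe, the High/Medium/Low cut-offs on the heat-map score, the "rating of 3 or more counts as high" rule for the 2x2, and the "defer if it does not fit" rule are all assumptions of this example.

```python
"""Turn the deck's risk ratings into a ranked, budget-constrained audit plan.

Added example, not from the presentation. Rating values are the 1/3/5
figures printed on the Risk Heat Map slide; the four responses are those
on the Impact and Likelihood slide. The auditable universe is constructed
so that its hours sum to the deck's 82,000 hr of audit needs.
"""
from dataclasses import dataclass

# Rating values exactly as printed on the heat-map axes.
IMPACT = {"Negligible": 1, "Significant": 3, "Severe": 5}
LIKELIHOOD = {"Remote": 1, "Probable": 3, "Almost Definite": 5}


def risk_score(impact: str, likelihood: str) -> int:
    """Heat-map cell value: impact rating times likelihood rating (1..25)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_level(score: int) -> str:
    """Bucket a heat-map score. Assumption: 15 and 25 are High, 5 and 9 are
    Medium, 1 and 3 are Low; the slide colours the cells but prints no cut-offs."""
    if score >= 15:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def response(impact: str, likelihood: str) -> str:
    """Quadrant from the Impact and Likelihood slide.
    Assumption: a rating of 3 or more counts as 'high' on either axis."""
    high_impact = IMPACT[impact] >= 3
    high_likelihood = LIKELIHOOD[likelihood] >= 3
    if high_impact and high_likelihood:
        return "Mitigate & Control"  # High risk
    if high_impact:
        return "Share Risk"          # Medium risk: severe but unlikely
    if high_likelihood:
        return "Control Risk"        # Medium risk: likely but limited impact
    return "Accept Risk"             # Low risk


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    impact: str
    likelihood: str
    hours: int  # estimated effort to audit this unit

    @property
    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)


# Constructed universe: names and hours are illustrative, not company data.
UNIVERSE = [
    AuditableUnit("Cage and credit operations", "Severe", "Almost Definite", 6000),
    AuditableUnit("Data privacy and security", "Severe", "Probable", 8000),
    AuditableUnit("Regulatory compliance", "Severe", "Probable", 7000),
    AuditableUnit("Business continuity", "Severe", "Remote", 5000),
    AuditableUnit("Payroll", "Significant", "Probable", 6000),
    AuditableUnit("Procurement and vendor management", "Significant", "Almost Definite", 7000),
    AuditableUnit("Fixed assets", "Negligible", "Remote", 4000),
    AuditableUnit("Travel and expense", "Negligible", "Probable", 3000),
    AuditableUnit("IT access controls", "Significant", "Probable", 9000),
    AuditableUnit("Mergers and acquisitions integration", "Severe", "Probable", 10000),
    AuditableUnit("Energy and commodity costs", "Significant", "Remote", 5000),
    AuditableUnit("Marketing promotions", "Negligible", "Almost Definite", 12000),
]

AVAILABLE_HOURS = 16000  # from the "Why Assess Risk?" slide


def prioritize(universe, available_hours):
    """Fund engagements in descending risk order until the hours run out.

    Ordering: score, then impact, then fewer hours, then name, so the result
    is deterministic. An engagement that no longer fits is deferred rather
    than scoped down; both rules are this example's assumptions.
    Returns (funded, deferred, hours_used).
    """
    ranked = sorted(universe, key=lambda u: (-u.score, -IMPACT[u.impact], u.hours, u.name))
    funded, deferred, remaining = [], [], available_hours
    for unit in ranked:
        if unit.hours <= remaining:
            funded.append(unit)
            remaining -= unit.hours
        else:
            deferred.append(unit)
    return funded, deferred, available_hours - remaining


if __name__ == "__main__":
    funded, deferred, used = prioritize(UNIVERSE, AVAILABLE_HOURS)
    print(f"Audit needs: {sum(u.hours for u in UNIVERSE):,} hr; available: {AVAILABLE_HOURS:,} hr")
    for tag, group in (("FUND ", funded), ("DEFER", deferred)):
        for u in group:
            print(f"{tag} {u.name:38} score={u.score:2} {risk_level(u.score):6} "
                  f"{response(u.impact, u.likelihood):18} {u.hours:,} hr")
    print(f"Hours used: {used:,}")
```

Run as written, the plan funds the 25-point cage audit and the 15-point regulatory compliance audit, then fills the last 3,000 hr with a 3-point travel-and-expense review simply because it fits. That is exactly the output a chief audit executive should challenge: the deck's "Determining the right scope of an audit" point argues for trimming a 15-point engagement to fit the remaining hours rather than letting a low-risk audit in on leftover capacity.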
Group Brainstorming
• Business Operations
• Procedures
• Regulations
• Management
• People
• Financial Performance
• Technology
• Previous Issues
5 Minutes: Brainstorm as many examples of risks for each category.
Debrief
Business Operations
• Complexity of the operation
• Changes in the operation
• Changes in financial projections
• Nonstandard practices
Procedures
• Process breakdowns
• Segregation of duties
• Appropriateness of corrective action
• Departure from standards
Debrief
Regulations
• Compliance standards
• Changes
• Monitoring and enforcement
• Relationship with regulators
Management
• Structure change
• Management’s risk appetite
• Attitude toward controls and procedures
• Tone at the top
Debrief
People
• Competency
• Sufficient numbers
• Delegation of authority
• Extensive use of consultants
Financial Performance
• Pressure to meet expectations
• Debt covenants
• Changes in operating margins
• Accounting standards
Debrief
Technology
• Stability
• Reliability
• Back up and recovery
• Access controls
Previous Issues
• Identified by internal audit
• Identified by independent auditors
• Identified by regulators
• Self-reported issues
Risk Based Audit Strategy
Risk Planning Framework
Perform Business Analysis → Perform Value Driver Analysis → Evaluate Risk → Prioritize Risks → Define / Refine Scope
Use All Available Inputs
• Health & Safety
• Compliance
• Legal
• Internal Audit
• External Audit
• SOX
• Risk Mgmt
• Other?
Risks: 15 most often cited risks (PwC Study)
• Economic Uncertainty
• Talent & Labor
• New Product Introductions
• Regulations & Government Policy
• Reputation & Brand
• Fraud & Ethics
• Competition
• Commercial Market Shifts
• Business Continuity
• Financial Markets
• Energy & Commodity Costs
• Mergers, Acquisitions, & Joint Ventures
• Data Privacy & Security
• Government Spending & Taxation
• Large Programs