New Standards for the Professional Practice of Internal Auditing

Continuous
Business
Risk Assessment
About BYU
• Private, Church-sponsored
• Founded 1875
• Three campuses
– Provo, Utah (30,000)
– Rexburg, Idaho (14,000)
– Laie, Hawaii (2,000)
• Internal Audit: 11 professionals,
– 10 associate (student) auditors
Why?
Our current risk assessment model is
• It no longer enables us to keep up with emerging risks in
a dynamic business environment;
• Assumes management/auditor omnipotence
• One year cycle time is just tooooo long to formally
address risks
• Relies on single method of harvesting risk information
(annual survey)
• No method for prioritizing work
• Annual audit plan becomes the “Hotel California” of audit
projects
• Risks working with blinders on.
Why?
• Comply with IIA Performance Standards
• Ensure alignment with University mission and
objectives
• Add value to our audit customers
Questions
• Are you following, unchanged, the audit plan
you developed for 2003?
“Most often used measures (of internal audit
effectiveness) are absolutely dysfunctional. I think
of one: you do your annual audit plan and commit
to the audit committee that you’re going to do X
number of these audits for the coming year.”
--Dr. James Roth
Internal Auditing
Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
Best Practices
• Extensive Staff Expertise
• Challenging Work Environment
• Organizational Alignment
• Participative, Qualitative, Real-time Risk
Assessment
• An Array of Audit Services
February 2003 Internal Auditor
Array of Audit Services
• Risk-based audits – working with management to identify the
business risks they face.
• Process audits – auditing an entire business process rather than
an organizational unit and looking for ways to improve the
process instead of simply trying to find control weaknesses.
• Pre-implementation reviews – participating on new-product or
system-development teams and/or reviewing the project at certain
defined milestones.
• Self-Assessment – hosting workshops, administering
questionnaires, and conducting structured interviews to address
soft controls.
• Internal-Control Education – formal training programs designed
and taught by internal auditors, as well as ad-hoc training, when
needed, during assurance or consulting projects.
Internal Audit Tools
• Control Self-Assessment Workshops
• Client-Relationship Management
– Relationship Development
– Client Training
• Control Model Mentoring
• Computer-Aided Exception Identification (Continuous
Auditing)
• Process Improvement Programs (Quality Improvement,
Continuous Improvement)
– Team Facilitation
– Improvement Models
Internal Audit Tools
• Process Mapping/Control Evaluation (SOx,
FCPA)
• Risk-based Auditing
• Maturity Model Evaluation/Implementation
• Management Review
• Risk Management Council
• Improvement Models
– Accountability
– Continuous Improvement
Continuous Business Risk
Assessment
Continuous Risk Assessment is a participative
process whereby we evaluate emerging risks on
a continuous, qualitative, real-time basis rather
than on an annual basis.
Participative
• Involve more than Internal Auditors
• Seek out managers and employees who know
and understand emerging risks.
Continuous
• Periodic vs. Annual
• As frequently as needed
• Various sources of information (meeting,
conference, workshop, survey, interview)
Qualitative
• Relies on professional judgment
• Includes political and strategic factors as well as
traditional measures
• Involves more than one opinion
Real-Time
• Results in changes to the audit schedule NOW
• Decisions made in close proximity to issue and
risk identification
Risk Assessment Process
[Diagram. Stages: Event Identification, Risk Assessment, Risk Response. Other labels: Control Doc., Mgt. Conf., Mgt. Review, Risk Evaluation & Response, Investigation, Audit, Process Imp., Action Plan, Audit Population, Risk-Based Audits & Requested Services, Strengthening Control Environment, Compliance Monitoring.]
CBRA
[Diagram. Steps: Event/Project Identification, Risk Assessment, Risk Response, Prioritize Projects.]
Risk Information Sources
[Diagram and flowchart. Steps: Event/Project Identification, Risk Assessment, Risk Response, Prioritize Projects. Labels, in extraction order: Client Relationship Mgt, CI (CSA) Workshops, Risk Assessment Team, Mgt Requests, Quality Improvement Program, Risk Database, Evaluate risk or project proposal, Audit Results, Staff, Audit Committee, End, Action, General Observations, Detailed Risk Assessment Report, Conduct Detailed Risk Assessment, Risk Assessment Team, Initiate project (project type, tool, objective, scope, resources), CBRA Engagement Plan, Risk Assessment Team, Prioritize projects and adjust audit schedule.]
[Gantt chart, Sep 2002 to Oct 2002. Columns: ID, Task Name, Start, Finish, Duration.]
1, Task 1, 9/26/2002, 9/30/2002, 3d
2, Task 2, 9/30/2002, 10/3/2002, 3d 4h
3, Task 3, 9/26/2002, 9/27/2002, 2d
4, Task 4, 10/3/2002, 10/7/2002, 2d
5, Task 5, 10/7/2002, 10/8/2002, 2d
Risk Tracking Log
• Access Database
• Three Screens
– Input Log
– Evaluation Screen
– Strategic Considerations
Audit Project Portfolio
• Excel
• Categorized
What We Get
• Increased capability to systematically respond to
business risks
• Increased ability to identify risks by expanding and
improving risk information harvesting methods
• Improved utilization of Internal Audit resources
• Compliance with IIA Performance Standards
• Overall, a more mature risk assessment process
Standards Summary
• Risk-based plan of engagements
• Develop at least annually
• Determine priorities consistent with
organization’s goals
• Consider input of senior management and
board
• Identify significant exposures to risk
• Consider consulting proposals
Impacts
• More time identifying, characterizing and
evaluating risks.
• Need more flexible audit schedule.
• Trust in consensus/professional opinion.
• Copy of slide presentation
• Access database template (Tracking Log)
• david_galloway@byu.edu