Risk based internal auditing - an introduction slides of ...


Risk based internal auditing - an introduction
Slides of figures and appendices
David M Griffiths
www.internalaudit.biz

The following slides are those used in the book "Risk based internal auditing - an introduction", available from www.internalaudit.biz.

The slides of figures are:

1 Internal auditing objectives
2 Grid for significance of risks
3 Stages of an audit
4 RBIA documentation
5 Processes involved in stage 2
6 Grid for frequency of audits
7 Factors to reduce inherent risk scores
8 Processes involved in stage 3
9 Grid for significance of residual risks

Slides of appendices are:

A Internal auditing objectives
B Hierarchy of objectives, risks and controls
C Process map
E Grid for risk workshop
J Stages of an internal audit

Other appendices are on the Excel spreadsheet "RBIA introduction excel v3".

Internal auditing objectives (Figure 1 and appendix A)

The management of an organisation have objectives.
A risk is a set of circumstances that hinder the achievement of objectives.
An internal control is a process which manages a risk.
Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.
The main aim of internal auditing is to assist the organisation to achieve its objectives.

2 Grid for significance of risks

Rows: likelihood of risk. Columns: consequence of risk.

| Likelihood of risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable |
| Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable |
| Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable |
| Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue |
| Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Issue |

Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required

Labels on the grid: IR, RR, Internal control, Risk appetite (as defined by the board).
IR = Inherent Risk
RR = Residual Risk

Fig. 2 Grid showing the significance of risks

3 Stages of an audit

Flowchart labels, in reading order:

Management's Risk Register (if available)
Assess risk maturity: Risk Naive, Risk Aware, Risk Defined, Risk Managed, Risk Enabled
Facilitate risk identification
Use organisation's risks
Audit universe
Management's Risk Register (amended)
Assign risks to audits
Risk and audit universe (RAU)
Audit plan
Audit Committee report
Individual audit
Audit report
Feedback results into RAU

Stage markers on the flowchart: Stage 1, Stage 2, Stage 3.

Fig. 3 Stages of an audit

4 RBIA documentation

| Risk and audit universe | Audit databases |
|---|---|
| objectives | objectives |
| risks | risks |
| scores | scores |
| controls | controls |
| last audits | tests |
| Audit Committee report | audit reports |

Fig. 4 RBIA documentation

5 Processes involved in stage 2

Flowchart labels, in reading order:

Risk Register (audited)
Filter risks
Risks on which assurance is provided by others
Risks within the risk appetite
Risks not requiring an audit in this period
Risks which will be tolerated
Risks on which assurance is required
Categorise risks
Audit Universe
Link risks to audits
Risk and Audit Universe
Select risks to be covered
Allocate resources to audits
Audit plan
Audit Committee report

Fig. 5 Processes involved in Stage 2

6 Grid for frequency of audits

Rows: likelihood of inherent risk. Columns: consequence of inherent risk.

| Likelihood of inherent risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Every three years | 10 Every two years | 15 Every year | 20 Every year | 25 Every year |
| Probable (4) | 4 Never | 8 Every three years | 12 Every two years | 16 Every year | 20 Every year |
| Possible (3) | 3 Never | 6 Every three years | 9 Every two years | 12 Every two years | 15 Every year |
| Unlikely (2) | 2 Never | 4 Never | 6 Every three years | 8 Every three years | 10 Every two years |
| Rare (1) | 1 Never | 2 Never | 3 Never | 4 Never | 5 Every three years |

Fig. 6 Grid for the frequency of audits

7 Factors to reduce inherent risk scores

Rows: time since last audit. Columns: audit result.

| Time since last audit | Green | Amber | Red |
|---|---|---|---|
| 3 years | 0.75 | 1 | 1 |
| 2 years | 0.5 | 0.75 | 1 |
| 1 year | 0.25 | 0.5 | 0.75 |

Fig. 7 Factors to reduce inherent risk scores

8 Processes involved in stage 3

Flowchart labels, in reading order:

Audit plan
Define draft audit scope
Examine the risk management process for the area audited
Conclude on risk maturity for the area audited
Decide on audit approach
Meetings to determine objectives, risks and agree scope
Agreed scope
Obtain relevant documentation on processes
Risk and audit universe
Set up an audit database to record the audit details, or update the Risk and Audit Universe
Audit database

9 Grid for significance of residual risks

Rows: likelihood of residual risk. Columns: consequence of residual risk.

| Likelihood of residual risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable |
| Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable |
| Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable |
| Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue |
| Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Supplementary Issue |

Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required

Label on the grid: Risk appetite, as defined by the board.

Fig. 9 Grid for the significance of residual risks

Hierarchy of objectives, risks and controls (Appendix B)

Objective level 1:
  • Relieve famine in central Africa

Risks:
  • No clear strategy as to how to achieve our objective
  • Unable to predict where and when famines will occur
  • Unable to obtain food
  • Unable to deliver the food to the starving
  • Do not have the staff and systems to support the operation

Objective level 2:
  • Devise a strategy for the next five years to deliver our objectives
  • Set up a system which enables us to predict famine areas
  • Set up agreements with donors to obtain food
  • Establish delivery systems to deliver food when and where it is required
  • Establish functions to support the field operations
  • Establish a supply chain to ensure prompt delivery of food to the highest priority area

Risks:
  • Unable to obtain space on ships
  • Insufficient lorries to transport grain
  • Lorries break down
  • Insufficient drivers
  • Roads are impassable
  • Do not know where food is required most urgently

Objective level 3:
  • Establish contacts with shipping companies to anticipate problems
  • Decide how future needs are to be met, by local carrier or own lorries
  • Lorries to be properly maintained
  • Identify how to recruit at short notice
  • Set up possible alternative routes
  • Set up strategy for prioritizing camps

Objectives map (appendix C)

Objective: Relieve famine in central Africa

Level 2 objectives:

1 Devise a strategy for the next five years to deliver our objectives
2 Set up a system which enables us to predict famine areas
3 Set up agreements with donors to obtain food
4 Establish delivery systems to deliver food when and where it is required
5 Establish functions to support the field operations

Level 3 objectives:

1.1 Agree a strategy
1.2 Communicate strategy
1.3 Deliver strategy
1.4 Update strategy

4.1 Establish contacts with shipping companies to anticipate problems
4.2 Decide how future needs are to be met, by local carrier or own lorries
4.3 Lorries to be properly maintained
4.4 Identify how to recruit drivers at short notice
4.5 Set up possible alternative routes for delivery
4.6 Set up strategy for prioritizing camps

5.1 Raise money
5.2 Provide financial advice
5.3 Provide transaction processing
5.4 Provide legal services
5.5 Provide information technology
5.6 Provide human resources

Grid for risk workshop (appendix E)

Rows: likelihood of risk. Columns: consequence of risk.

| Likelihood of risk | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost certain (5) | 5 Supplementary Issue | 10 Issue | 15 Unacceptable | 20 Unacceptable | 25 Unacceptable |
| Probable (4) | 4 Acceptable | 8 Supplementary Issue | 12 Issue | 16 Unacceptable | 20 Unacceptable |
| Possible (3) | 3 Acceptable | 6 Supplementary Issue | 9 Issue | 12 Issue | 15 Unacceptable |
| Unlikely (2) | 2 Acceptable | 4 Acceptable | 6 Supplementary Issue | 8 Supplementary Issue | 10 Issue |
| Rare (1) | 1 Acceptable | 2 Acceptable | 3 Acceptable | 4 Acceptable | 5 Issue |

Stages of an internal audit (appendix J)

The management of an organisation have objectives.
A risk is a set of circumstances that hinder the achievement of objectives.
An internal control is a process which manages a risk.
Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.

The audit:

1 Determines processes and their objectives
2 Works with the business to identify risks hindering the processes
3 Tests the controls mitigating the risks
4 Reports where risks are not sufficiently mitigated by controls
5 Assures that risks are mitigated to an acceptable level

Significant risks generate the audit plan.
