Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths www.internalaudit.biz.

Published byMagnus Tracy Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths www.internalaudit.biz."— Presentation transcript:

1 Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths www.internalaudit.biz

2 ©David M Griffithswww.internalaudit.biz Risk based internal auditing – an introduction slides of figures and appendices The following slides are those used in the book Risk based internal auditing – an introduction available from www.internalaudit.biz The slides of figures are: –1 Internal auditing objectives –2 Grid for significance risks –3 Stages of an audit –4 RBIA documentation –5 Processes involved in stage 2 –6 Grid for frequency of audits –7 Factors to reduce inherent risk scores risks –8 Processes involved in stage 3 –9 Grid for significance of residual risks Slides of appendices are –A Internal auditing objectives –B Hierarchy of objectives, risks and controls –C Process map –E Grid for risk workshop –J Stages of an internal audit –Other appendices are on the excel spreadsheet RBIA introduction excel v3

3 ©David M Griffithswww.internalaudit.biz Internal auditing objectives (Figure 1 and appendix A) The main aim of internal auditing is to assist the organisation to achieve its objectives The management of an organisation have Objectives An internal control is a process which manages a risk A risk is a set of circumstances that hinder the achievement of objectives Internal auditing provides an independent and objective opinion to an organisation’s management as to whether its risks are being managed to acceptable levels.

4 ©David M Griffithswww.internalaudit.biz 2 Grid for significance of risks Unacceptable: Immediate action required to manage the risk Issue: Action required to manage the risk Supplementary issue: Action is advisable if resources are available Acceptable: No action required Rare(1) Unlikely (2) Possible (3) Probable (4) Almost certain (5) 2 Acceptable Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood of risk Consequence of risk 16 Unacceptable 3 Acceptable 2 Acceptable 1 Acceptable 5 Issue 3 Acceptable 5 Supplementary Issue 4 Acceptable 4 Acceptable 4 Acceptable 6 Supplementary Issue 6 Supplementary Issue 9 Issue 12 Issue 8 Supplementary Issue 8 Supplementary Issue 12 Issue 10 Issue 10 Issue 15 Unacceptable 20 Unacceptable 15 Unacceptable 20 Unacceptable 25 Unacceptable Risk appetite, as defined by the board IR RR IR = Inherent Risk RR = Residual Risk Internal control Fig.2 Grid showing the significance of risks

5 3 Stages of an audit ©David M Griffithswww.internalaudit.biz Assess risk maturity Feedback results into RAU Individual audit Management's Risk Register (if available) Audit plan Audit report Risk Naive Risk Enabled Risk Managed Risk Defined Risk Aware Use organisation's risks Facilitate risk identification Audit Committee report Stage 2 Stage 1 Audit universe Management's Risk Register (amended) Assign risks to audits Risk and audit universe (RAU) Stage 3 Fig 3 Stages of an audit

6 ©David M Griffithswww.internalaudit.biz 4 RBIA documentation Fig. 4 RBIA documentation risks last audits scores controls Audit Committee report universe risks tests scores controls audit reports risk and audit audit databases risks last audits scores controls Audit Committee report risks tests scores controls audit reports objective s

7 5 Processes involved in stage 2 ©David M Griffithswww.internalaudit.biz Risks which will be tolerated Risks on which assurance is provided by others Risk and Audit Universe Filter risks Audit plan Risks on which assurance is required Risks within the risk appetite Risk Register (audited) Categorise risks Risks not requiring an audit in this period Link risks to audits Select risks to be covered Alllocate resources to audits Audit Universe Audit Committee report Fig 5 Processes involved in Stage 2

8 ©David M Griffithswww.internalaudit.biz 6 Grid for frequency of audits Rare(1) Unlikely (2) Possible (3) Probable (4) Almost certain (5) 2 Never Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood of inherent risk Consequence of inherent risk 16 Every year 3 Never 2 Never 1 Never 5 Every three years 3 Never 5 Every three years 4 Never 4 Never 4 Never 6 Every three years 6 Every three years 9 Every two years 12 Every two years 8 Every three years 8 Every three years 12 Every two years 10 Every two years 10 Every two years 15 Every year 20 Every year 15 Every year 20 Every year 25 Every year Fig. 6 Grid for the frequency of audits

9 ©David M Griffithswww.internalaudit.biz 7 Factors to reduce inherent risk scores risks 0.7511 0.50.751 0.250.50.75 Green AmberRed 1 year 2 years 3 years Time since last audit Audit result Fig. 7 Factors to reduce inherent risk scores

10 8 Processes involved in stage 3 ©David M Griffithswww.internalaudit.biz Define draft audit scope Feedback results into risk and audit universe Set up an audit database to record the audit details, or update the Risk and Audit Universe Agreed scope Audit report Test the monitoring and proper operation of controls Audit plan Meetings to determine objectives, risks and agree scope Draw preliminary conclusions and discuss them Obtain relevant documentation on processes Audit database Examine the risk management process for the area audited Decide on audit approach Conclude on risk maturity for the area audited Risk and audit universe Fig 5 Processes involved in stage 3

11 ©David M Griffithswww.internalaudit.biz 9 Grid for significance of residual risks Unacceptable: Immediate action required to control the risk Issue: Action required to control the risk Supplementary issue: Action is advisable if it is cost-effective Acceptable: No action required Rare(1) Unlikely (2) Possible (3) Probable (4) Almost certain (5) 2 Acceptable Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood of residual risk Consequence of residual risk 16 Unacceptable 3 Acceptable 2 Acceptable 1 Acceptable 5 Supplementary Issue 3 Acceptable 5 Supplementary Issue 4 Acceptable 4 Acceptable 4 Acceptable 6 Supplementary Issue 6 Supplementary Issue 9 Issue 12 Issue 8 Supplementary Issue 8 Supplementary Issue 12 Issue 10 Issue 10 Issue 15 Unacceptable 20 Unacceptable 15 Unacceptable 20 Unacceptable 25 Unacceptable Risk appetite, as defined by the board Fig. 9 Grid for the significance of residual risks

12 ©David M Griffithswww.internalaudit.biz Hierarchy of objectives, risks and controls (Appendix B) Devise a strategy for the next five years to deliver our objectives Relieve famine in central Africa No clear strategy as to how to achieve our objective Unable to predict where and when famines will occur Unable to obtain food Unable to deliver the food to the starving Do not have the staff and systems to support the operation Set up a system which enables us to predict famine areas Set up agreements with donors to obtain food Establish a supply chain to ensure prompt delivery of food to the highest priority area Establish functions to support the field operations Insufficient lorries to transport grain Lorries break down Do not know where food is required most urgently Fuel not available for lorries Insufficient drivers Roads are impassable Don't distribute food efficiently and effectively Attempt to buy in stocks Lorries to be properly maintained Set up strategy for prioritizing camps Decide how future needs are to be met, by local carrier or own lorries Identify how to recruit at short notice Set up possible alternative routes Risks level 1 Objective level 1 Risks Level 2 Internal controls Objective level 2 Arrange land transport Objective level 3

13 ©David M Griffithswww.internalaudit.biz Objectives map (appendix C) Relieve famine in central Africa 1 Devise a strategy for the next five years to deliver our objectives 2 Set up a system which enables us to predict famine areas 3 Set up agreements with donors to obtain food 4 Establish delivery systems to deliver food when and where it is required 5 Establish functions to support the field operations 4.2 Arrange land transport 4.1 Arrange sea transport objective 1.2 Tell all staff about the strategy 1.3 The strategy is converted into targets and action for all staff 1.1 The trustees of the charity define the future aims and plans 1.4 Aims and plans to be regularly updated 5.2 Provide financial advice 5.3 Provide transaction processing 5.6 Provide human resources 5.1 Raise money 5.4 Provide legal services 5.5 Provide information technology Level 2 objectives Level 3 objectives

14 ©David M Griffithswww.internalaudit.biz Grid for risk workshop (appendix E) Rare(1) Unlikely (2) Possible (3) Probable (4) Almost certain (5) 2 Acceptable Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Likelihood of risk Consequence of risk 16 Unacceptable 3 Acceptable 2 Acceptable 1 Acceptable 5 Issue 3 Acceptable 5 Supplementary Issue 4 Acceptable 4 Acceptable 4 Acceptable 6 Supplementary Issue 6 Supplementary Issue 9 Issue 12 Issue 8 Supplementary Issue 8 Supplementary Issue 12 Issue 10 Issue 10 Issue 15 Unacceptable 20 Unacceptable 15 Unacceptable 20 Unacceptable 25 Unacceptable 152 34 6

15 ©David M Griffithswww.internalaudit.biz Stages of an internal audit (appendix J) Works with the business to identify risks hindering the processes Tests the controls mitigating the risks The management of an organisation have Objectives An internal control is a process which manages a risk A risk is a set of circumstances that hinder the achievement of objectives Significant risks generate the audit plan Internal auditing Internal auditing: provides an independent and objective opinion to an organisation’s management as to whether its risks are being managed to acceptable levels. Assures that risks are mitigated to an acceptable level 5 Determines processes and their objectives 1 Reports where risks are not sufficiently mitigated by controls 4 3 2 The audit

Download ppt "Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths www.internalaudit.biz."

Similar presentations

Hazard and Risk Analysis What are the socio-economic and political trends? Consider recent assessment / reviews / baseline studies / analytical exercises.

Hazard and Risk Analysis What are the socio-economic and political trends? Consider recent assessment / reviews / baseline studies / analytical exercises.
1 Welcome Safety Regulatory Function Handbook April 2006.

1 Welcome Safety Regulatory Function Handbook April 2006.
1 Marsh Risk Profiling User Guide for all Schools and Departments.

1 Marsh Risk Profiling User Guide for all Schools and Departments.
Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths www.internalaudit.biz.

Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths
Appendix H: Risk training slides (sample). What is Risk? “ Risk is the effect of uncertainty on objectives ” AS/NZS ISO31000:2009.

Appendix H: Risk training slides (sample). What is Risk? “ Risk is the effect of uncertainty on objectives ” AS/NZS ISO31000:2009.
Debt Management Strategy: Governance and Transparency

Debt Management Strategy: Governance and Transparency
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths V3.2 ©David M Griffithswww.internalaudit.biz.

Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths V3.2 ©David M Griffithswww.internalaudit.biz.
How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London.

How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London.
Institute of Municipal Finance Officers & Related Professions

Institute of Municipal Finance Officers & Related Professions
Business Assurance Service An explanation of risk based auditing and reporting Anthony Garnett, Head of BAS February 2008.

Business Assurance Service An explanation of risk based auditing and reporting Anthony Garnett, Head of BAS February 2008.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 5 Slide 1 Project management.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 5 Slide 1 Project management.
Risk-Focused Examinations David Vacca, Assistant Director – Insurance Analysis & Information Services, NAIC Welcome to the © 2009 The National Association.

Risk-Focused Examinations David Vacca, Assistant Director – Insurance Analysis & Information Services, NAIC Welcome to the © 2009 The National Association.
By Saurabh Sardesai www.starvaluemodel.com October 2014.

By Saurabh Sardesai October 2014.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
UNCW Institutional Risk Management IRM Overview and Policy Development & Implementation Plan Overview.

UNCW Institutional Risk Management IRM Overview and Policy Development & Implementation Plan Overview.
Appraisal Process & Paperwork Update Workshop Jackie Skeel 13 March 2014.

Appraisal Process & Paperwork Update Workshop Jackie Skeel 13 March 2014.
For more information visit us at www.hempsons.co.uk Small Charities Coalition Risk management Catherine Rustomji Head of Third Sector North – Hempsons.

For more information visit us at Small Charities Coalition Risk management Catherine Rustomji Head of Third Sector North – Hempsons.
The role of internal audit in enterprise-wide risk management (ERM)

The role of internal audit in enterprise-wide risk management (ERM)
Equity Housing Group Risk Management. 05 August 2002 © MazarsEquity Housing Group: Risk Management 2 Agenda Introduction: what is Risk Management? The.

Equity Housing Group Risk Management. 05 August 2002 © MazarsEquity Housing Group: Risk Management 2 Agenda Introduction: what is Risk Management? The.

Similar presentations

Ads by Google