Applying a risk model in state internal and external audits.


Audit and Risk
Haven’t we, as auditors, always considered risk within our audit plans?

Roles and Responsibilities

Roles and Responsibilities (overview diagram)
Governing Body
Audit/Risk Committee
Roles shown: Risk Professional; Internal Audit; Business/Risk owners; Organisational Improvement
Activities listed on the diagram:
– Incorporating risk into the planning process for overall coverage
– Considered opinions on specific elements of the organisation
– Overall opinion of control environment
– Assessment of completeness and effectiveness of the risk management process
– Assessment of the effectiveness of specific elements of the control environment
– Promotes good practice
– Drives and monitors risk framework and action plans
– Maintains risk map and risk profile
– Reviews risk profile
– Analyses emerging risks
– Tracks existing risks
– Co-ordinates RMSA
– Co-ordinates risk reporting
– Risk Workshops
– Managing specific risks
– Apply risk management cycle
– Implement action plans
– Develop capabilities, processes, controls
– Monitor performance
– Manage issues/breaches
– Efficiency reviews
– Improvement programmes
– Process optimisation
– Cost reduction
Outputs:
– Socialising risk
– Identification of key risks
– Decide on how to manage risk
– Measuring residual risk
– Data for risk reporting
Outputs: Reviews of:
– Risk management methodology
– Corporate Governance statements
– Statements on internal controls
– Management responses to key risks

Roles and Responsibilities: The Risk Professional
Promotes good practice
Drives and monitors risk framework and action plans
Maintains risk register
Analyses emerging risks
Supports risk owners
Co-ordinates risk reporting

Roles and Responsibilities: Business risk owners
Managing specific risks
Apply risk management cycle
Implement action plans
Develop capabilities, processes, controls
Monitor performance
Manage issues/breaches
Tracks existing risks

Roles and Responsibilities: Organisational Improvement
Efficiency reviews
Improvements programmes
Process optimisation
Cost reduction

Roles and Responsibilities: Internal Audit
Incorporating risk into the planning process for overall audit coverage
Considered opinions on specific elements of the business
Overall opinion of control environment
Assessment of completeness and effectiveness of the risk management process
Assessment of the effectiveness of specific elements of the control environment

Risk Management Reporting
[Diagram. Elements shown: Governing Body; Risk Register; Scrutiny/Audit Cttee; Chief Executive; Directors; Managers; Organisation; Chief Internal Auditor; Functions & Operations; Individual Audits. Reporting flows labelled: Self Certification; Audit Opinions.]

The Risk Management Process
Risk management is therefore more than just a cyclical audit or insurance review and report.

Roles and Responsibilities
Risk management cannot be introduced in isolation. It has to be in partnership with all those other interested parties.

The Contribution of Internal Audit
Role is changing
Challenges of good governance
FD/CEO expectations changing
The need to evidence measurable added value
IIA re-defining the role

IIA Definition
Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation. It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's risk management, control, and governance processes.

Definition of Audit
Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.

Risk Matrix
Cell ratings listed on the slide:
– Important risks - might potentially affect provision of key services or duties
– Key risk - may potentially affect provision of key services or duties
– Immediate action needed - serious threat to provision and/or achievement of key services or duties
– Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
– Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
– Key risks - may potentially affect provision of key services or duties
– No action necessary
– Monitor as necessary - ensure being properly managed
– Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
Impact scale:
– Over £5 million OR Questions raised in Parliament
– £2 million - £5 million OR Reported in National Press
– £500,000 - £2 million OR Reported in Local Paper
– £100,000 - £500,000 OR Unacceptable levels of Complaints
– Under £100,000 OR Some complaints from individuals
Likelihood scale:
– Rare - once in 20 years
– Unlikely - Once in years
– Possible - Once in 10 years
– Likely - Once in 3 years
– Certain - Once a year

Translating Key Risks Into the Assurance Programme
Key risks as identified in the matrix should be the basis of the audit programme
Should form 60% approx of full programme
Some risks not easily auditable
Consider specialists, CSA etc

What Should The Audit Role Be In Establishing a Risk Management Process?

Audit Participation in Risk Programmes
OPTIONS
Manage the whole programme
Facilitate the workshops
Jointly facilitate the workshops
Coordinate responses etc
Attend the workshops as a participant
Monitor and report on the action plans
Review perceived versus actual controls

Audit Reporting
Linking to key risks gives visibility
Perceived versus actual controls
Monitoring of action plans
Board, Audit Cttee., Risk Cttee., Snr mgt.
Focus on achievements
– Monetary
– Risk reduction (matrix movements)
– IT security, fraud, reduction in surprises

Audit Reporting
Refer to organisational objectives
Specify the risk to their achievement
Explain findings specifically related to those risks
Specify actions to address the exposures or opportunities (and what they will achieve)

Effectiveness of the Control Environment
Risk minus the cost of (Transfer + Control + Recover) equals Exposure

Cascading the Techniques Into Project and Change Management.

Projects & Improvement Programs
Within the programs planned do you have objectives that you want to achieve?
Amongst the action plans and recommendations that you have to introduce are there some that could stop or delay the overall program?
Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed?

Projects & Improvement Programs
A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus.
You know your objectives.
You have already identified the issues (risks) that you have to manage to successfully achieve:
– Action Plans
– Recommendations

Projects & Improvement Programs
If we assess the likelihood of not successfully implementing each of the action plans and recommendations, and
if we assess the impact to the overall program of not successfully implementing them,

Projects & Improvement Programs
this gives us a simple method of categorizing and prioritising the steps that have to be taken.

Projects & Improvement Programs EXAMPLE

Projects & Improvement Programs
Objective: To improve the procurement systems of State Government.

Projects & Improvement Programs
Issue: Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.

Risk Matrix
[Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

Projects & Improvement Programs
Issue: Enact new public procurement laws based on Model Law being prepared, used elsewhere.

Risk Matrix
[Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

Projects & Improvement Programs
Issue: Issue Circular to improve procurement process with mandatory requirements for:
– advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities;
– public bid opening;
– publication of contract awards above a certain threshold.

Risk Matrix
[Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

Risk Management
Risk management is a journey. You can expend great effort and travel miles. If, however, you haven’t plotted your course in line with the organisation's strategy, you will do nothing but waste valuable time and resources.