Applying a risk model in state internal and external audits.
Audit and Risk
Haven’t we, as auditors, always considered risk within our audit plans?
Roles and Responsibilities

Governing Body
Audit/Risk Committee

Internal Audit
• Incorporating risk into the planning process for overall coverage.
• Considered opinions on specific elements of the organisation.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.

Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk map and risk profile
• Reviews risk profile.
• Analyses emerging risks.
• Tracks existing risks.
• Co-ordinates RMSA
• Co-ordinates risk reporting

Risk Workshops

Business/Risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches

Organisational Improvement
• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction

Outputs
• Socialising risk
• Identification of key risks
• Decide on how to manage risk
• Measuring residual risk
• Data for risk reporting

Outputs
Reviews of:
• Risk management methodology
• Corporate Governance statements
• Statements on internal controls
• Management responses to key risks
Roles and Responsibilities
The Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk register
• Analyses emerging risks.
• Supports risk owners.
• Co-ordinates risk reporting.
Roles and Responsibilities
Business risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches
• Tracks existing risks.
Roles and Responsibilities
Organisational Improvement
• Efficiency reviews
• Improvements programmes
• Process optimisation
• Cost reduction
Roles and Responsibilities
Internal Audit
• Incorporating risk into the planning process for overall audit coverage.
• Considered opinions on specific elements of the business.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.
Risk Management Reporting
[Diagram: risk management reporting. Labels: Organisation; Governing Body; Scrutiny/Audit Cttee; Chief Executive; Directors; Managers; Functions & Operations; Chief Internal Auditor; Individual Audits; Audit Opinions; Risk Register; Self Certification]
Risk Management Is Therefore More Than Just a Cyclical Audit or Insurance Review and Report.
The Risk Management Process
Roles and Responsibilities
• Risk management cannot be introduced in isolation.
• It has to be in partnership with all those other interested parties.
The Contribution of Internal Audit
• Role is changing
• Challenges of good Governance
• FD/CEO Expectations changing
• The need to evidence measurable added value
• IIA re-defining the role
IIA Definition
Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation.
It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's risk management, control, and governance processes.
Definition of Audit
Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts
Risk Matrix

Matrix cells:
• Important risks – might potentially affect provision of key services or duties
• Key risk – may potentially affect provision of key services or duties
• Immediate action needed – serious threat to provision and/or achievement of key services or duties
• Monitor as necessary – less important but still could have a serious effect on the provision of key services or duties
• Monitor as necessary – less important but still could have a serious effect on the provision of key services or duties
• Key risks – may potentially affect provision of key services or duties
• No action necessary
• Monitor as necessary – ensure being properly managed
• Monitor as necessary – less important but still could have a serious effect on the provision of key services or duties

Impact:
• Over £5 million OR questions raised in Parliament
• £2 million - £5 million OR reported in National Press
• £500,000 - £2 million OR reported in Local Paper
• £100,000 - £500,000 OR unacceptable levels of complaints
• Under £100,000 OR some complaints from individuals

Likelihood:
• Rare – once in 20 years
• Unlikely – once in 10-20 years
• Possible – once in 10 years
• Likely – once in 3 years
• Certain – once a year
Translating Key Risks Into the Assurance Programme
• Key risks as identified in the matrix should be the basis of the Audit programme
• Should form 60% approx of full programme
• Some risks not easily auditable
• Consider specialists, CSA etc
What Should The Audit Role Be In Establishing a Risk Management Process?
Audit Participation in Risk Programmes
OPTIONS
• Manage the whole programme
• Facilitate the workshops
• Jointly facilitate the workshops
• Coordinate responses etc
• Attend the workshops as a participant
• Monitor and report on the action plans
• Review perceived versus actual controls
Audit Reporting
• Linking to key risks gives visibility
• Perceived versus actual controls
• Monitoring of action plans
• Board, Audit Cttee., Risk Cttee., Snr mgt.
• Focus on achievements
– Monetary
– Risk reduction (matrix movements)
– IT security, fraud, reduction in surprises
Audit Reporting
• Refer to organisational objectives
• Specify the risk to their achievement
• Explain findings specifically related to those risks
• Specify actions to address the exposures or opportunities (and what they will achieve)
Effectiveness of the Control Environment
Risk
Minus the cost of: Transfer + Control + Recover
Equals
Exposure
Cascading the Techniques Into Project and Change Management.
Projects & Improvement Programs
• Within the programs planned do you have objectives that you want to achieve?
• Amongst the action plans and recommendations that you have to introduce are there some that could stop or delay the overall program?
• Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed?
Projects & Improvement Programs
• A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus.
• You know your objectives.
• You have already identified the issues (risks) that you have to manage to successfully achieve:
– Action Plans
– Recommendations.
Projects & Improvement Programs
• If we assess the likelihood of not successfully implementing each of the action plans and recommendations
and
• If we assess the impact to the overall program of not successfully implementing them.
Projects & Improvement Programs
This gives us a simple method of categorizing and prioritising the steps that have to be taken.
Projects & Improvement Programs
EXAMPLE
Projects & Improvement Programs
Objective.
To improve the procurement systems of State Government.
Projects & Improvement Programs
Issue:
Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.
Risk Matrix
Rows: Impact of Risk (HIGH at top, LOW at bottom). Columns: Likelihood of Occurrence (Unlikely at left, Likely at right).
6 8 9
3 5 7
1 2 4
Risk Matrix
[Figure: risk matrix. Axes: Impact of Risk (LOW to HIGH); Likelihood of Occurrence (Unlikely to Likely)]
Projects & Improvement Programs
Issue:
Enact new public procurement laws based on the Model Law being prepared/used elsewhere
Risk Matrix
[Figure: risk matrix. Axes: Impact of Risk (LOW to HIGH); Likelihood of Occurrence (Unlikely to Likely)]
Projects & Improvement Programs
Issue:
Issue Circular to improve procurement process with mandatory requirements for advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities; public bid opening; publication of contract awards above a certain threshold.
Risk Matrix
[Figure: risk matrix. Axes: Impact of Risk (LOW to HIGH); Likelihood of Occurrence (Unlikely to Likely)]
Risk Management
Risk management is a journey. You can expend great effort and travel miles.
If, however, you haven’t plotted your course in line with the organisation’s strategy you will do nothing but waste valuable time and resources.