INTERNAL CONTROLS AND RISK - American …sp.audit.transportation.org/Documents/Internal...


INTERNAL CONTROLS AND RISK

AASHTO AUDIT SUBCOMMITTEE Annual Meeting Charleston, WV July 21-24, 2013

Presented by

Bryan L. Wood, CPA Customized Audit Training


True or False

1. When management installs proper “internal controls” including all elements of COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring), the internal audit process is enhanced tremendously.

2. It is permissible to recommend the elimination of ineffective and redundant internal controls.

3. The real responsibility for assessing “risk” is management’s.

4. Risk is constantly changing.

5. The assessment of risk should be performed on a continuous basis whenever possible.

6. Achievement of operations’ objectives is not always within the entity’s control.


GROUND RULE QUESTIONS

• INTERNAL CONTROLS:
  – What are they?
  – Who controls them?
  – Do we have enough? Too many? Too few?
  – Are they automated or manual?
  – Does management understand their responsibility for internal controls?
  – Is “someone” actually held accountable for the controls?


GROUND RULE QUESTIONS

• RISK:
  – What is risk? What is risk assessment?
  – Who defines risk and performs the risk assessment?
  – How often is a risk assessment performed?
  – Can risk assessment be performed continuously?
  – Is there accountability for the performance of the risk assessment?


Definition of Internal Control

• Internal Control is broadly defined as a process, effected by an entity’s Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  – Effectiveness and efficiency of operations (O)
  – Reliability of financial reporting (F)
  – Compliance with applicable laws and regulations (C)
  – Safeguarding of assets (S)


Definition of Risk

• DOT Risk: The possibility of spending taxpayers’ money inefficiently and accounting for it improperly.

• Audit Risk: The possibility of the audit department not reviewing the right areas in a timely manner, or performing the audit incompetently.

• Is there any difference between these two definitions?


Definition of Risk Assessment

• The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and management’s determination of an acceptable level of risk.


Risk Assessment

• Identify potential risks
• Create a risk assessment worksheet (example on next slide)
• Brainstorm potential risks
• Assess risks by likelihood and impact; rank risks
• Determine any controls that exist over the risks identified
• Evaluate the design of the control system in place
• Determine any other mitigating factors that lessen the effect of the risks identified


Risk Assessment

• Identify potential risks
• Likelihood: probability of a threat. Often likelihood can be measured as a percentage.
• Impact: to have an effect upon. Often impact can be measured in dollars.
• Audit procedures should be created for coverage of critical and highly rated items.
• Audit procedures generally do not need to be performed for low rated items.

Did you know: Sometimes it’s the potential loss or consequence that makes some items more “risky” than others.
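The worksheet procedure from these slides carried through in code: likelihood as a probability, impact in dollars, existing controls as mitigating factors, then ranking and a coverage decision per item. This is an added example written for this transcript, not material from the presentation; the risk areas, probabilities, dollar figures and rating thresholds are constructed assumptions.

```python
"""Risk assessment worksheet: score, rank, and decide audit coverage.
Added example, not from the presentation; every entry and threshold below
is a constructed value. Likelihood is a probability, impact is in dollars."""
from dataclasses import dataclass

# Constructed bands on residual exposure (dollars) for the slide's ratings.
CRITICAL_THRESHOLD = 500_000
HIGH_THRESHOLD = 100_000

@dataclass(frozen=True)
class Risk:
    area: str
    likelihood: float      # probability of the threat occurring, 0.0 to 1.0
    impact: float          # potential loss if it occurs, in dollars
    control_effect: float  # share of the loss existing controls prevent, 0.0 to 1.0

    def __post_init__(self):
        for name in ("likelihood", "control_effect"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.area}: {name} must be between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.area}: impact cannot be negative")

    def inherent_exposure(self) -> float:
        return round(self.likelihood * self.impact, 2)

    def residual_exposure(self) -> float:
        """Exposure left after the mitigating effect of existing controls."""
        return round(self.inherent_exposure() * (1.0 - self.control_effect), 2)

def rating(risk: Risk) -> str:
    residual = risk.residual_exposure()
    if residual >= CRITICAL_THRESHOLD:
        return "critical"
    if residual >= HIGH_THRESHOLD:
        return "high"
    return "low"

def build_plan(risks):
    """Rank by residual exposure; only critical and high items get audit procedures."""
    ranked = sorted(risks, key=lambda r: r.residual_exposure(), reverse=True)
    return [(r.area, rating(r), r.residual_exposure(), rating(r) != "low") for r in ranked]

# Constructed sample worksheet. The fuel card item has the highest likelihood
# but the smallest potential loss, so it ranks near the bottom.
SAMPLE_RISKS = [
    Risk("A/E consultant overhead rates", 0.30, 4_000_000, 0.50),
    Risk("Construction progress payments", 0.10, 8_000_000, 0.75),
    Risk("Fleet fuel card purchases", 0.40, 150_000, 0.20),
    Risk("Payroll disbursements", 0.05, 2_000_000, 0.90),
]

if __name__ == "__main__":
    for area, level, residual, audit in build_plan(SAMPLE_RISKS):
        print(f"{area:32} {level:8} ${residual:>12,.0f}  audit procedures: {audit}")
```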


Determining Risk


Risk Assessment - Fraud Consideration

• Consider fraud risks in risk assessment
• Is it a requirement that all auditors consider the risk of fraud and be aware of potential red flags of fraud associated with the area being audited?


RISK ASSESSMENT

and its relationship to

CONTINUOUS AUDITING


Analyzing The Role of Audit In Relationship To The Business Entity

• Auditors must synchronize themselves with the business entity – know how it works.

• The auditor’s primary responsibility is to audit the business entity, which should act as the primary driver.

• The business entity is generally driven by data; therefore, data should drive the audit process.


Analyzing The Roles of Audit In Relationship To The Business

[Diagram: “ERM of the Organization” linked to “Audit Planning and Risk Assessment”]


Risk Model and Continuous Auditing

[Diagram: “ERM Model For Organization – ‘BRAIN’” linked to “Continuous Auditing Methodology” and “Audit Planning and Risk Assessment”]


Setting The Tone For A Data Centric Audit Process: Core Structure Analysis

• A data centric audit process is dependent upon a data driven risk assessment

• A data driven risk assessment depends on the ability to assess risks in all parts of the enterprise


Understanding Data and Its Use

• Auditors should know how to employ fundamental tools and methodologies to accomplish data mining and its uses

• Auditors should use the key data mined for any and all audit related tasks

• The objective of the exercise is audit efficiency and effectiveness, not massaging tons of data


Defining The Key Audit Disciplines

• Key audit disciplines are:
  – The ability to understand and interpret data
  – Determining the key audit uses for data:
    • Risk assessment
    • Audit focus
    • Minimization of testing, or automation of the testing of 100% of the population
    • 24/7 oversight and virtual auditing
    • Business focused visual audit reports
    • Measurement of audit contributions
    • Creating and using multi-purpose audit tools


The Audit Spectrum: Today To The Future

[Chart, three stages from today to the future:]

Today: Testing by Sample/Selection; Static Fixed Point; “Dangerous”
Near Time: Testing by Data Interrogation; Reactive Selection; “Very Progressive”
Real Time: Oversight/Governance; Dynamic/Fluid; “ART - The Ultimate”


Traditional vs. Data Focused Continuous Audit Process

• Traditional:
  – Subjective risk assessment for annual plan
  – Program driven audit process
  – Rotational audit coverage
  – Random, sampling based audit testing
  – Narrative based documentation
  – Narrative reporting format; findings not solution based


Traditional vs. Data Focused Continuous Audit Process

• Data Focused Continuous Audit Process:
  – Data driven risk assessment for annual plan
  – Custom designed audit process
  – Risk driven audit coverage
  – Specifically focused audit testing, if required
  – Business data based documentation
  – Data focused, solution based audit format


Continuous Auditing

• Risk model is baseline for organization and is data centric

• Audit risk model is extracted directly from BRAIN and is data based

• Continuous auditing is linked directly to the risk models which then define the activities of the audit/consulting function


Virtual Audit Process

• Continuous auditing can migrate from Auditing Near Time (ANT) to Auditing Real Time (ART)

• The difference is in the tools and how much automation is employed

• To move to a virtual audit process involves vision, strategy and high level management support


An Example

Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles


Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles

• INTRODUCTION: Each State Department of Transportation (DOT) maintains a set of procedures that dictates how it conducts business covering the various functions and responsibilities of that agency. The audit function within the State DOT is one component of many within that set of procedures. Recent events have increased the expectations for written procedures pertaining to the audit function, especially those that relate to oversight of Architectural and Engineering (A/E) consultant professional service agreements.


Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles

• The Federal Highway Administration (FHWA) recognizes that State DOT audit groups must employ a “risk-based oversight” approach to effectively ensure compliance with the Federal Acquisition Regulation (FAR) cost principles among the population of A/E firms performing consultant services, especially given the limited resources at their disposal.


Risk Based Oversight: A Framework for Ensuring Compliance with the FAR (Federal Acquisition Regulation) Cost Principles

• For many State DOTs, it will not be feasible to perform audits or cognizant CPA work paper reviews for all A/E firms that perform work and are located in their home states; however, the onus remains on State DOTs to obtain reasonable assurance that the rates submitted by A/E firms are FAR compliant. Accordingly, to accept rates without performing an audit or cognizant work paper review, the State DOTs must perform a risk analysis.


Now can I tell you what really bothers me?


Personal Profile

• I have been an auditor for 41 years.
• I have tried to maintain the highest auditing standards within the profession.
• 20 years ago I started teaching auditing concepts. And

I’M CONCERNED


We, as auditors, are not able to bring about enough

CHANGE


Is it us?

Or

Is it them?


Two Books Worth Reading

• “Change Anything”
• “Influencer”
  – Books by:
    • Kerry Patterson
    • Joseph Grenny
    • David Maxfield
    • Ron McMillan
    • Al Switzler


I will go on the premise that we, as auditors, are the first who need to change!


“CHANGE ANYTHING”

• From the preface of the book… a promise!

• “If you apply certain principles and tactics we outline (in this book), you can rapidly, profoundly and sustainably change your own behavior… and dramatically improve results in most any area of life.”


Conclusion

• We can’t change the world or our profession overnight, but if we sharpen the tools of our trade, we can begin to bring about change to our profession and environment.

• Knowledge is power and the more we know, the more we can assist in improving internal controls and risk assessments for our agencies.


Questions?

Contact Information for Customized Audit Training, LLC

Bryan L. Wood, CPA – Principal

Donna J. Hillenbrand – Marketing Director

[email protected]

website: www.customizedaudittraining.com

Address: 7836 West Sahara Avenue Las Vegas, NV 89117

Tele: Bryan: (530) 545-0206; Donna: (530) 318-9491