Part 1 3 – 1V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

1. Establish a framework for assessing risk

2. Use of the framework

3. Identify internal audit resource requirements

Section Topics

4. Coordinate the internal audit activity’s efforts

5. Select engagements

Part 1, Section 3

Part 1 3 – 2V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Control and Risk Management

“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved”

“A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives”

Control Risk Management

Part 1, Section 3, Introduction

Part 1 3 – 3V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Help management understand internal controls and risk management processes.

Develop and implement a risk assessment framework for internal audit planning.

Practice a systematic, disciplined auditing approach.

Provide objective and independent assurance.

Recommend improvements, as warranted.

Internal Audit Activity Role in Risk Management

Part 1, Section 3, Introduction

Part 1 3 – 4V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

A Risk-based Assessment Framework

• Identifies all sources of potential engagements and all potential auditable activities

• Assesses internal and external risks based primarily on their impact on organizational goals and objectives

• Evaluates proposed engagements • Establishes criteria and ranks risks• Considers staffing

Determine the audit universe.

Examine organizationalrisk factors.

Prioritize audits.

Annual audit plan

Part 1, Section 3, Topic 1

Part 1 3 – 5V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

The Audit Universe

Sourcesof

engagements

Other sources

External business relationships

Regulatory mandates

Operating entities

Management and employees

Management requests

Part 1, Section 3, Topic 2

Strategic plan

Information technology

Part 1 3 – 6V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

A.determine if risks must be handled by external auditors.

B.conduct a focus group with business unit leaders to discuss likelihood and impact.

C.survey management and employees to quantify attitudes and perceptions.

Answer: B. A focus group can help prioritize risks based on magnitude and probability of occurrence.

Discussion QuestionA meeting between the CAE and the general counsel identifies several key business risks. A logical next step is to

Part 1, Section 3, Topic 2

Part 1 3 – 7V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Examples:• Interviews• Focus groups• Observations• Meetings

Examples:• Studies • Reports • Surveys

Qualitative Data Quantitative Data

Subjective, or soft, measures Measures derived from

concrete, objective criteria

+

Part 1, Section 3, Topic 2

Part 1 3 – 8V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Assessing Organization-wide Risk

Takes a systematic look at the nature of risks and opportunities

Risk identification

Evaluates the potential impact of risks based on the probability of occurrence

Risk measurement

Ranks risks and establishes relative strengths and potential consequences

Risk prioritization

Part 1, Section 3, Topic 2

Part 1 3 – 9V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Audit plan should be based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization.

Key audit objectives are usually to provide senior management and the board with assurance and information to help them accomplish the organization’s objectives, including an assessment of the effectiveness of management’s risk management activities.

Proposed Engagements

Practice Advisory 2010-1, “Linking the Audit Plan to Risk and Exposures”

Part 1, Section 3, Topic 2

Part 1 3 – 10V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Which of the following are decision factors used to rank and validate risk priorities? Respond “yes” or “no.”

Discussion Question

1. Quality of existing internal controls

2. Asset liquidity

3. Likelihood of coordination with external auditors

4. Potential financial impact

Answers:

Yes

No

Yes

Yes

Part 1, Section 3, Topic 2

Part 1 3 – 11V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Reinforcing Activity 1-6Part 1, Section 3, Topics 1 and 2

Establish and Use Frameworkfor Assessing Risk

Part 1, Section 3, Topic 2

Part 1 3 – 12V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

A. seek the advice of the audit committee about which engagements should be delayed.

B. look at ways to coordinate engagements with regulatory bodies and other assurance functions.

C. communicate the impact of resource limitations to the board and senior management.

D. ask for additional resources.

Answer: C. The CAE must communicate the impact of resource limitations to the board/senior management.

Discussion QuestionTen high-risk engagements have been identified. The CAE can staff only seven. The BEST course of action is to

Part 1, Section 3, Topic 3

Part 1 3 – 13V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

• Apply a systematic, disciplined approach to evaluate and improve risk management, control, and governance processes.

• Concerned with all aspects of the organization.

• Focus on future events.

• Defined by Section 2100 of the Standards.

Scope for Internal and External Auditors

Internal auditors

External auditors

• Ordinary examination is designed to obtain sufficient evidential matter to support an opinion on the overall fairness of the annual financial statements.

• Approach is historical.

• Defined by their professional standards.

Part 1, Section 3, Topic 4

Part 1 3 – 14V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Achieve effective coordination of work.

Minimize duplication with internal auditing coverage.

Assist external auditors—possibly agreeing to perform some work.

Regularly evaluate the coordination between internal and external auditors.

The CAE’s Role in Coordination with External Auditors

Practice Advisory 2050-1, “Coordination”

Part 1, Section 3, Topic 4

Part 1 3 – 15V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Which of the following describe appropriate coordination activities? (Select all that apply.)

I. Evaluating corrective actions taken to reducehazardous waste

II. Comparing annual internal and external audit plans

III. Reviewing related regulatory reports

IV. Exchanging audit schedules and reportswith the quality control function

Answer: All of these are valid coordination efforts to maximize audit coverage and minimize redundancies.

Discussion Question

Part 1, Section 3, Topic 4

Part 1 3 – 16V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Coordination with Other Internal Assurance Functions

Internal Audit Activity

Compliance

Quality control

Security

Safety

Enterprise risk management

Part 1, Section 3, Topic 4

Part 1 3 – 17V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Reinforcing Activity 1-7Part 1, Section 3, Topics 3 and 4

Identify Resources and CoordinateIA Activity’s Efforts

Part 1, Section 3, Topics 3 and 4

Part 1 3 – 18V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

The Internal Audit Activity’s Contributions to Risk-based Planning

Communicate and obtain approval.

Select engagements.

Participate in selection process.

Updates

1

2

34

Part 1, Section 3, Topic 5

Part 1 3 – 19V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Reinforcing Activity 1-8Part 1, Section 3, Topic 5

Select Engagements

Part 1, Section 3, Topic 5

Part 1 3 – 20V3.0

THE IIA’S CIA LEARNING SYSTEMTM

www.LearnCia.com

Questions?

End of Section 3

Part 1, Section 3