assessing audit risk in audit planning.ppt
DESCRIPTION
Assessing Audit Risk in Audit Planning.pptTRANSCRIPT
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 1/42
ASSESSING RISK IN AUDIT PLANNING
Presented to the European Internal Audit Conference
October 8, 2004
Richard F. Chambers, CIA, CGAP, CFE
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 2/42
Presentation Overview
Background – why internalauditors assess risk
Traditional audit planning
Benefits and objectives of risk-based planning
A process for risk-based auditplanning
The TVA OIG model for planning based on risk
Risk-based engagementplanning
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 3/42
Overview: Why Assess Risk?
For annual audit planning
to target high impact areas
to allocate scarce resources
When planning/executing audits
frame objectives
establish scope
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 4/42
When providing consulting
services
To advise management
on vulnerabilities
on corrective actions
Overview: Why Assess Risk?
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 5/42
Purpose of Annual Audit Planning
Provide a guide for the
organization
Justification/support for audit
resources
Means of engaging management
and board in establishing
priorities and identifying areas inrisk and control
Source: Sawyer’s Internal Auditing
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 6/42
Purpose of Annual Audit Planning
Provides a basis for measuring
accomplishments
Provides indication to external
auditors and others of planned
audit coverage
Helps ensure audit resources are
directed to top priorities
Source: Sawyer’s Internal Auditing
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 7/42
Traditional Methods of Audit Planning
Audit cycle
Audit universe
Managementrequests
Statutes, regulations,
or other requirements
Auditors’ experience
and expertise
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 8/42
Value of Risk-Based Audit Planning
Yields disciplined analytical approach to evaluating
the audit universe
Highlights potential risks in organization that might
otherwise be unknown
Fosters dedicated audit coverage to high-risk areas
Allocates resources where pay-back is greatest
Provides a tool for management to gauge or
assess enterprise risk
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 9/42
Key Defini tions
Risk: The uncertainty o f an event oc curr ing that could have an impact on the ach ievement of
object ives.
Risk assessment: A systemic process for assessing and integrat ing profession al judgments
about p robable adverse condi t ions and/or events.
Risk management: The culture, pro cesses and
stru ctu res that are directed towards the effect ive
management o f potent ial oppo rtuni t ies and
adverse effects .
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 10/42
“Management is responsible for identifying risk
and for the internal control environment…When
an organizat ion has a standard risk assessm ent framework in place, the internal aud itor can d raw
on this…When there is no such framework, the
internal auditor’s work will provide valuable
information about the organization’s risk to topmanagement.”
Remember!
Source: A Guide to the Use of Risk Management Within the Internal Audit Process©2002 – The IIA – Australia
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 11/42
The Objective of Risk-Based Planning:
Target audit
resources
where risk
is greatest!
ProbabilityHL
H
Source: A Guide to the Use of Risk Management Within the Internal Audit Process©2002 – The IIA – Australia
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 12/42
Audit Standards and Risk-based Plans
2010.A1 – The internal audit
activity’s plan of engagements should be
based on a risk assessment,
undertaken at least annually.
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 13/42
Audit Standards and Risk-based Plans
2120.A1 – Based on the results
of the risk assessment, the
internal audit activity should
evaluate the adequacy and
effectiveness of controls
encompassing the
organization’s governance,operations, and information
systems.
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 14/42
A Risk Assessment Process for
Annual Audit Planning
1. Define the audit universe
2. Identify and weight risk factors
3. Establish a mechanism and score
risk factors for auditable units
4. Sort the auditable units by total risk
score
5. Develop the annual audit plan based
on the ranked audit universe
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 15/42
Step 1: Defining the Audit Universe
1. Distinct units or functions of the
enterprise
2. Business or organizational processes
3. Requests from senior management
4. Requests from the Board of Directors
5. Regulatory or statutory requirements
6. Potential audits based on experience or
instincts
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 16/42
Step 2: I dentifying
and Weighting Risk Factors
1. Exercise judgment
based on nature of
enterprise and prior
experience
2. Limit number of
factors
3. Ensure weightsreflect relative
significance
Common Risk Factors
Previous audit results
Time since last audit
Materiality and liquidity
Confidentiality
System maturity
Complexity of the system
Employee turnover
Competence of management
Performance indicators
Public relations
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 17/42
Step 3: Establish a Mechanism
and Score Risk Factors
Should address impact and probability
May be adjectival or numeric
Design and apply “objective” criteria for
assigning scores
Ensure consistency of application
The most challenging step in the process
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 18/42
Steps 4 & 5: Sort Units by Scores
and Develop the Plan
Step 4 is largely mechanical – but should
be carefully reviewed
Look of inconsistencies during staff reviews – personal agendas can surface
The plan should be based largely – but not
exclusively – on the results
Flexible audit plans are invariably more
successful in meeting organizational needs
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 19/42
A systemic process designed
to yield a comprehensive risk
assessment
Used to allocate audit
resources of the Office of
Inspector General
Focuses on TVA processes aswell as programs
• core business processes
• enabling processes
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 20/42
Overview of Audit Planning Process
Interviewed key managers
Reviewed planning documents
Reviewed historical data
Reviewed audit requests from other stakeholders
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 21/42
Overview of Audit Planning Process (continued)
Identified audit areas
Assessed project risk factors
• Materiality
• Impact on operations
• Public sensitivity
Assigned probability factor
Adjusted risk factor scores
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 22/42
Risk Planning Model
P R OBAB
I LI TY
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
MATERIALITY
Visibility and
Sensitivity
Impact on
Enterprise
Operations
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 23/42
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Risk Factors
Materiality Points Audit Area over $100 million 8-10
Audit Area $10 million to $100 million 4-7
Audit Area less than $10 million 1-3
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 24/42
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Risk Factors
Impact on Operations Points Significant impact on core business 8-10
Significant impact on specificprogram moderate impact on core
business 4-7 Negligible impact on specific program
or core business 1-3
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 25/42
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Risk Factors
Public Sensitivity Points Likely to result in public or
congressional interest 8-10
May result in public or
congressional interest 4-7 Unlikely to result in public or
congressional interest 1-3
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 26/42
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Probabil i ty Factors
Probability of Risk Points High probability of significant issues 0.8-1.0
Moderate probability of significantissues and high probability of
improvement needed 0.4-0.7 Low probability of significant issues
and moderate to low probability of improvement needed 0.1-0.3
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 27/42
Risk Assessment in Annual Planning:
The Tennessee Valley Authority Model
Security of Office Equipment
Environmental Compliance
Executive Compensation
4 7 5 16 0.5 8.0
7 7 8 22 0.6 13.2
3 5 9 17 0.3 5.1
Potential Audit Subject
Example of Risk Assessment
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 28/42
Beyond Annual Planning: Assessing Risk
in Audit Engagement Planning
“Applying the concepts
from risk-based auditing
to the assessment of risk
at the individual audit
level requires the auditor
to mentally shift gears
from focusing oncontrols in the audit
process to focusing on
risk.”
Source: The IIA Research Foundations ©1998
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 29/42
Audit Standards and Risk-based Plans
2210.A1 – When planning the
engagement, the internal
auditor should identify and
assess risks relevant to the
activity under review. The
engagement objectives shouldreflect the results of the risk
assessment.
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 30/42
Risk-Based Audit Engagements:
UnderstandProcesses
and
Objectives
1
Identify
Risks
2
Measure
Potential
Impacts
3
EvaluateControls and
Estimate
Probability
4Evaluate
and
Prioritize
Risks
5
Develop
Audit
Objectives
& Program
6
Source: A IIA Seminar – Assessing Business Risk: The Gateway to Effective Results ©2002
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 31/42
Presentation Summary
Internal auditors assess risk for a variety of reasons
Traditional audit planning has emphasized cyclesand repeat engagements
Risk-based audit planning is mandated by IIAstandards and offers multiple advantages
A risk-based audit planning process containsmultiple steps
TVA OIG plans based on risk
Beyond risk assessment in annual planning – risk-based engagement planning
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 32/42
QUESTIONS?
Richard.f [email protected]
Presented October 8, 2004By Richard F. Chambers, CIA, CGAP, CFE
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 33/42
How Many Audit Activities are
I n Your Universe?
Less than 20 4.5%
21 to 50 20.8%
51 to 100 21.2%
101 to 500 41.7%
Over 500 11.8%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 34/42
How Many Risk Assessment Rating
Factors Do You Use?
Less than 10 76.7%
11 to 20 20.5%
21 to 50 2.5%
Over 50 0.4%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 35/42
Approaches to I denti fying Auditable Units
Functional Areas or Departments 71.8%
Business Processes 68.0%
Products or Service Lines 23.0%
Organization Units or Locations 55.3%
Major Contracts or Programs 34.0%
Other 10.0%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 36/42
What Type of Risk Model do You Use?
N/A - we don't use a formal model 14.5%
Commercial 6.9%
In-house model 50.2%
Simple spreadsheet 28.4%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 37/42
How Many Times Per Year Do You
Update the Model?
Once - when we develop the annual
audit plan 63%
Quarterly 6%
Semi-annual 7%
Ongoing (e.g., after audits are
completed, based on clientcontacts, etc.) 24%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 38/42
How Long Does it Take to Create an
Organization-wide Risk Assessment?
Less than 80 hours 31.8%
81 to 160 hours 37.6%
161 to 240 hours 15.0%
241 to 480 hours 9.5%
481 to 960 hours 3.6%
Over 960 hours 2.6%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 39/42
How I nvolved Are Clients, or Risk Owners,
in Engagement Level Risk Assessments?
Fully involved (e.g., they actively
participate in the risk
assessment process, etc.) 30.2%
Somewhat involved 54.9%
Not involved (e.g., internal
auditing independently completes
the risk assessment, etc.) 14.9%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 40/42
What Percent of the Audit Budget Comprises
the Engagement Level Risk Assessment ?
10% or less 62.1%
11% to 20% 25.0%
21% to 30% 10.6%
Over 31% 2.3%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 41/42
How Much Value do Engagement Level Risk
Assessments Add to the Audit Process?
A lot 57.4%
Some 37.3%
Limited 5.3%
Source: Global Audit Information Network Flash Survey
7/16/2019 Assessing Audit Risk in Audit Planning.ppt
http://slidepdf.com/reader/full/assessing-audit-risk-in-audit-planningppt 42/42
Do You Perform a Risk Assessment at the
Engagement Level?
Yes 53.5%
Sometimes 31.3%
No 15.3%