Transcript PowerPoint - Internal audit

Risk based
internal auditing
– an introduction
Slides of figures
and appendices
©David M Griffiths
V3.2
©David M Griffiths
www.internalaudit.biz
Risk based internal auditing – an introduction
slides of figures and appendices
• The following slides are those used in the
book Risk based internal auditing – an
introduction available from
www.internalaudit .biz
• The slides of figures are:
–
–
–
–
–
–
–
–
–
1
2
3
4
5
6
7
8
9
Internal auditing objectives
Grid for significance risks
Stages of an audit
RBIA documentation
Processes involved in stage 2
Grid for frequency of audits
Factors to reduce inherent risk scores risks
Processes involved in stage 3
Grid for significance of residual risks
• Slides of appendices are
–
–
–
–
–
A Internal auditing objectives
B Hierarchy of objectives, risks and controls
C Process map
E Grid for risk workshop
J Stages of an internal audit
–
Other appendices are on the excel spreadsheet RBIA introduction excel v3
©David M Griffiths
www.internalaudit.biz
Internal auditing objectives
(Figure 1 and appendix A)
The
management
of an
organization
have
Objectives
Internal auditing
provides an independent and
objective opinion to an
organization’s management as to
whether its risks are being managed
to acceptable levels.
The main aim of internal
auditing is to assist the
organization to achieve its
objectives
An
internal control
is a process which
manages a risk
A
risk
is a set of
circumstances
that hinder the
achievement of
objectives
©David M Griffiths
www.internalaudit.biz
Probable (4) Almost certain (5)
4
Acceptable
Supplementary
Issue
Possible (3)
IR
10
Issue
3
Acceptable
Supplementary
Issue
9
Issue
Unlikely (2)
5
Supplementary
Issue
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2
Acceptable
3
Acceptable
4
Acceptable
5
Issue
Rare(1)
8
6
Insignificant (1)
Minor (2)
15
20
25
Unacceptable
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
12
Issue
15
Internal control
Likelihood of risk
2 Grid for significance of risks
RR
Moderate (3)
Major (4)
Unacceptable
Catastrophic (5)
Consequence of risk
Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
Risk appetite, as defined by the board
IR = Inherent Risk
RR = Residual Risk
Fig.2 Grid showing the significance of risks
©David M Griffiths
www.internalaudit.biz
3 Stages of an audit
Management's
Risk Register
(if available)
Risk Enabled
Risk Naive
Risk Aware
Assess risk
maturity
Risk Managed
Stage 1
Risk Defined
Facilitate risk
identification
Audit universe
Management's
Risk Register
(amended)
Use organisation's
risks
Assign risks to
audits
Stage 2
Risk and audit
universe
(RAU)
Audit plan
Audit Committee
report
Individual audit
Audit report
Feedback results
into RAU
Fig 3 Stages of an audit
©David M Griffiths
www.internalaudit.biz
Stage 3
4 RBIA documentation
risk and audit
universe
audit databases
objectives
objectives
risks
risks
scores
scores
controls
controls
last audits
tests
Audit
Committee
report
audit
reports
Fig. 4 RBIA documentation
©David M Griffiths
www.internalaudit.biz
5 Processes involved in stage 2
Risk Register
(audited)
Risks on which
assurance is provided
by others
Risks within the risk
appetite
Filter risks
Risks not requiring an
audit in this period
Risks which will be
tolerated
Risks on which
assurance is
required
Categorise risks
Audit Universe
Link risks to
audits
Risk and Audit
Universe
Select risks to
be covered
Allocate
resources to
audits
Audit plan
©David M Griffiths
Fig 5
www.internalaudit.biz
Processes
involved in Stage 2
Audit Committee
report
10
Every two
years
4
Never
8
12
Every three
years
Every two
years
Possible (3)
3
Never
6
9
12
Every three
years
Every two
years
Every two
years
Unlikely (2)
Probable (4) Almost certain (5)
5
Every three
years
2
Never
4
Never
6
8
10
Every three
years
Every three
years
Every two
years
1
Never
2
Never
3
Never
4
Never
Every three
years
Rare(1)
Likelihood of inherent risk
6 Grid for frequency of audits
Insignificant (1)
Minor (2)
15
20
25
Every year
Every year
Every year
Moderate (3)
16
20
Every year
Every year
Major (4)
15
Every year
5
Catastrophic (5)
Consequence of inherent risk
Fig. 6 Grid for the frequency of audits
©David M Griffiths
www.internalaudit.biz
3 years
0.75
1
1
2 years
0.5
0.75
1
0.25
0.5
0.75
1 year
Time since last audit
7 Factors to reduce inherent risk scores risks
Green
Amber
Red
Audit result
Fig. 7 Factors to reduce inherent risk scores
©David M Griffiths
www.internalaudit.biz
8 Processes involved in stage 3
Audit plan
Define draft audit
scope
Examine the risk
management process
for the area audited
Conclude on risk
maturity for the
area audited
Decide on audit
approach
Meetings to determine
objectives, risks and
agree scope
Agreed scope
Obtain relevant
documentation on
processes
Risk and audit universe
©David M Griffiths
Set up an audit database
to record the audit
details, or update the
Risk and Audit Universe
www.internalaudit.biz
Audit
database
4
Acceptable
Supplementary
Issue
15
20
25
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
Possible (3)
10
Issue
3
Acceptable
Supplementary
Issue
9
Issue
12
Issue
Unacceptable
Unlikely (2)
Probable (4) Almost certain (5)
5
Supplementary
Issue
Unacceptable
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2
Acceptable
3
Acceptable
4
Acceptable
Supplementary
Issue
Rare(1)
Likelihood of residual risk
9 Grid for significance of residual risks
8
6
Insignificant (1)
Minor (2)
Moderate (3)
Major (4)
15
5
Catastrophic (5)
Consequence of residual risk
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
Risk appetite, as defined by the board
Fig. 9 Grid for the significance of residual risks
©David M Griffiths
www.internalaudit.biz
Hierarchy of objectives, risks and controls
(Appendix B)
Objective level 1
Relieve famine in
central Africa
Risks level 1
No clear
strategy as
to how to
achieve our
objective
Unable to
predict where
and when
famines will
occur
Unable to
obtain food
Unable to
deliver the
food to the
starving
Inadequate
resources to
deliver the
objectives
Set up a
system which
enables us to
predict
famine areas
Set up
agreements
with donors
to obtain
food
Establish a
supply chain to
ensure prompt
delivery of food
to the highest
priority area
Establish
functions to
support the
field
operations
Objective level 2
Devise a
strategy for
the next five
years to
deliver our
objectives
Don't distribute food
efficiently and
effectively
Risks Level 2
Objective level 3
Insufficient
drivers
Routes
become
impassable
due to the
weather
Arrange land
transport
Fuel not
available
for lorries
Labor to
load lorries
not
available
Lorries
break
down
Do not know
where food is
required
most urgently
Fuel is
stored in
the
compound
The
warehouse
provides
loaders
Two
mechanics
are on the
permanent
staff
Charity has
established a
network of
reliable local
people with
access to
mobile phones
Internal controls
List of
drivers
available for
hire is kept
by the
compound
office
Work with
other
agencies
and the
military to
plan routes
©David M Griffiths
www.internalaudit.biz
Objectives map
(appendix C)
objective
Relieve famine in
central Africa
Level 2 objectives
1
Devise a
strategy for
the next five
years to
deliver our
objectives
2
Set up a
system which
enables us to
predict
famine areas
3
Set up
agreements
with donors
to obtain
food
4
Establish a
supply chain
to ensure
prompt
delivery of
food to the
highest
priority area
5
Employ
sufficient,
suitably
qualified staff
using
sufficient
resources
Level 3 objectives
1.2The
strategy is
converted
into targets
and action for
all staff
1.1
The trustees
of the charity
define the
future aims
and plans
1.3
Aims and
plans to be
regularly
updated
4.1
Arrange sea
transport
5.1
Operate
organisation
according to
legal
requirements
5.2
Safeguard
money and
assets
©David M Griffiths
5.3
Provide
purchasing
services
4.2
Arrange land
transport
5.4
Provide
transaction
processing
www.internalaudit.biz
5.5
Provide an
HR
department
5.6
Provide
information
technology
Grid for risk workshop
4
Acceptable
Supplementary
Issue
2
1
Unacceptable
Unacceptable
12
Issue
16
20
Unacceptable
Unacceptable
3
Acceptable
Supplementary
Issue
9
Issue
12
Issue
15
2
Acceptable
4
Acceptable
6
8
Supplementary
Issue
Supplementary
Issue
10
Issue
1
Acceptable
2 3
Acceptable
3
Acceptable
4
Acceptable
5 4
Issue
Insignificant (1)
8
6
Minor (2)
Moderate (3)
Major (4)
Consequence of risk
©David M Griffiths
www.internalaudit.biz
25
5
20
Possible (3)
10
Issue
Unlikely (2)
Probable (4) Almost certain (5)
5
Supplementary
Issue
15
Rare(1)
Likelihood of risk
(appendix E)
Unacceptable
6
Unacceptable
Catastrophic (5)
Stages of an internal audit (appendix J)
The
Internal auditing
of an
organization
have
Internal auditing: provides an
independent and objective opinion to
an organization’s management as to
whether its risks are being managed
to acceptable levels.
management
5
Objectives
1
The
audit
4
An
internal control
is a process which
manages a risk
A
risk
is a set of
circumstances
that hinder the
achievement of
objectives
©David M Griffiths
3
2
Significant risks generate
the audit plan
www.internalaudit.biz
Version Control
Date
Version
Comments
21-Feb-15
3.2
Made consistent with book and spreadsheet
©David M Griffiths
www.internalaudit.biz