Business Assurance Service
An explanation of risk based auditing and reporting
Anthony Garnett, Head of BAS
February 2008
Traditional Internal Audit
Flow: Policies → Audit → Reporting

Policies
• Starts with policies and agreed procedures
• Considers what management have stated should occur
• Rules based

Audit
• Focused on compliance and conformance
• Policeman role
• Focuses on discrete systems (may risk prioritise systems)
• Sample testing of ‘transactions’
• Historically focused on financial processes

Reporting
• Reports based on reporting exceptions
• Reports operationally focused
• Reports at low level
• Identify minor issues
• Easy to respond to as focus is on discrete systems and departments
• Conclusions based on levels of compliance / operation of controls

Risk Based Internal Audit
Flow: Objectives → Risks → Audit → Reporting

Objectives
• Starts with objectives as agreed by management
• Where no clear objectives have been agreed (absence of a policy or strategy), imputed objectives are considered
• Role is not to challenge objectives
• Objectives cover many systems, processes and departments

Risks
• Consider risks that flow from objectives
• Will use management’s own risk assessment where one is present (this is not the case at the University for most areas)
• Audit will perform a risk assessment identifying the risks and scoring them

Audit
• Audit work considers risks to objectives and will look for expected controls / mitigating actions
• The work will follow the risk, so if a risk is managed across a number of departments the audit will consider how to assess this and work across the departments
• Audit is qualitative and based on professional judgement
• Audit covers all processes and systems across the institution
• Audit asks not just ‘is the University doing things right?’ [compliance / operation of controls] but ‘is it doing the right things?’ [effectiveness / design of controls]

Reporting
• Report identifies risks and makes suggestions for management to consider to mitigate the identified risks
• Risks prioritised at strategic and operational level
• Qualitative and professional judgement applied to risk grading and conclusions
• Reports become a dialogue and are co-produced with management
• Recommendations are not prescriptive but are suggestions
Report format
• Clear risk grading based on the net risk exposure to the University from the current arrangements in place over the process or system reviewed
• Clear tracking of the report based upon the dates agreed with management in the scope. Note that for BAS KPIs the protocol will be used to report on these, as these measure stage-to-stage performance
• Clear UEC and process owner sponsor, as agreed in the scope
• Clear version control
Report format
• 2 page executive summary
• Clear opinion on the adequacy of controls as operated (compliance) and as designed (effectiveness against objectives)
• Risk grading given (maps to front of report) based upon the net risk exposure, taking into account current controls in place
• Summary of the risks identified within the report, categorised by the size of the risk. Also a one line italicised summary of the agreed University action. Top three categories only.
• Grading of recommendations by the size of the risk. Categorisation below.
Report format
• Report points linked under themes that align to either management responsibility or linked areas of operation
• Risk grading given to each risk and colour coded to scale (on previous page) to enable quick navigation of the report
• Suggested recommendations to address the risks identified. These may refer to appendices where best practice ideas or benchmarking are provided
• Space to record planned University actions. This includes a due date and an assigned person responsible for the action. The four potential University responses to actions are listed below:
Report format
• Risk map illustrates a selection of risks, considered by the audit, to the University’s objectives for the process audited
• The aggregate net risk should align to the risk grading of the report