
Applying a risk model in state internal and external audits


latashaa

Presentation Transcript


  1. Applying a risk model in state internal and external audits

  2. Audit and Risk Haven’t we, as auditors, always considered risk within our audit plans?

  3. Roles and Responsibilities

  4. Governing Body Audit/Risk Committee Internal Audit Risk Professional • Promotes good practice • Drives and monitors risk framework and action plans • Maintains risk map and risk profile • Reviews risk profile. • Analyses emerging risks. • Tracks existing risks. • Co-ordinates RMSA • Co-ordinates risk reporting • Incorporating risk into the planning process for overall coverage. • Considered opinions on specific elements of the organisation. • Overall opinion of control environment. • Assessment of completeness and effectiveness of the risk management process. • Assessment of the effectiveness of specific elements of the control environment. • Outputs • Reviews of: • Risk management methodology • Corporate Governance statements • Statements on internal controls • Management responses to key risks Risk Workshops Business/Risk owners Organisational Improvement • Managing specific risks • Apply risk management cycle • Implement action plans • Develop capabilities, processes, controls • Monitor performance • Manage issues/breaches • Outputs • Socialising risk • Identification of key risks • Decide on how to manage risk • Measuring residual risk • Data for risk reporting • Efficiency reviews • Improvement programmes • Process optimisation • Cost reduction

  5. Roles and Responsibilities The Risk Professional. • Promotes good practice • Drives and monitors risk framework and action plans • Maintains risk register • Analyses emerging risks. • Supports risk owners. • Co-ordinates Risk Reporting.

  6. Roles and Responsibilities Business risk owners • Managing specific risks • Apply risk management cycle • Implement action plans • Develop capabilities, processes, controls • Monitor performance • Manage issues/breaches • Tracks existing risks.

  7. Roles and Responsibilities Organisational Improvement • Efficiency reviews • Improvement programmes • Process optimisation • Cost reduction

  8. Roles and Responsibilities Internal Audit • Incorporating risk into the planning process for overall audit coverage. • Considered opinions on specific elements of the business. • Overall opinion of control environment. • Assessment of completeness and effectiveness of the risk management process. • Assessment of the effectiveness of specific elements of the control environment.

  9. Risk Management Reporting Governing Body SELF CERTIFICATION Scrutiny/Audit Cttee AUDIT OPINIONS CHIEF EXECUTIVE Organisation Chief Internal Auditor AUDIT OPINIONS FUNCTIONS & OPERATIONS DIRECTORS MANAGERS INDIVIDUAL AUDITS Risk Register

  10. Risk Management The Risk Management Process Is Therefore More Than Just a Cyclical Audit or Insurance Review and Report.

  11. Roles and Responsibilities • Risk management cannot be introduced in isolation. • It has to be in partnership with all those other interested parties.

  12. The Contribution of Internal Audit • Role is changing • Challenges of good Governance • FD/CEO Expectations changing • The need to evidence measurable added value • IIA re-defining the role

  13. IIA Definition Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation. It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation’s risk management, control, and governance processes.

  14. Definition of Audit Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts

  15. Risk Matrix Impact: • Over £5 million OR Questions raised in Parliament • £2 million - £5 million OR Reported in National Press • £500,000 - £2 million OR Reported in Local Paper • £100,000 - £500,000 OR Unacceptable levels of Complaints • Under £100,000 OR Some complaints from individuals. Likelihood: • Unlikely - Once in 10-20 years • Possible - Once in 10 years • Likely - Once in 3 years • Certain - Once a year • Rare - Once in 20 years

  16. Translating Key Risks Into the Assurance Programme • Key risks as identified in the matrix should be the basis of the Audit programme • Should form 60% approx of full programme • Some risks not easily auditable • Consider specialists, CSA etc

  17. What Should The Audit Role Be In Establishing a Risk Management Process?

  18. Audit Participation in Risk Programmes OPTIONS • Manage the whole programme • Facilitate the workshops • Jointly facilitate the workshops • Coordinate responses etc • Attend the workshops as a participant • Monitor and report on the action plans • Review perceived versus actual controls

  19. Audit Reporting • Linking to key risks gives visibility • Perceived versus actual controls • Monitoring of action plans • Board, Audit Cttee, Risk Cttee, Snr mgt. • Focus on achievements • Monetary • Risk reduction (matrix movements) • IT security, fraud, reduction in surprises

  20. Audit Reporting • Refer to organisational objectives • Specify the risk to their achievement • Explain findings specifically related to those risks • Specify actions to address the exposures or opportunities (and what they will achieve)

  21. Effectiveness of the Control Environment Risk minus the cost of (Transfer + Control + Recover) equals Exposure

  22. Cascading the Techniques Into Project and Change Management.

  23. Projects & Improvement Programs • Within the programs planned do you have objectives that you want to achieve? Yes • Amongst the action plans and recommendations that you have to introduce are there some that could stop or delay the overall program? Yes • Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed? Yes

  24. Projects & Improvement Programs • A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus. • You know your objectives. • You have already identified the issues (risks) that you have to manage to successfully achieve: • Action Plans • Recommendations.

  25. Projects & Improvement Programs • If we assess the likelihood of not successfully implementing each of the action plans and recommendations and • If we assess the impact to the overall program of not successfully implementing them.

  26. Projects & Improvement Programs This gives us a simple method of categorizing and prioritising the steps that have to be taken.

  27. Projects & Improvement Programs EXAMPLE

  28. Projects & Improvement Programs Objective. To improve the procurement systems of State Government.

  29. Projects & Improvement Programs Issue: Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.

  30. Risk Matrix [Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

  31. Risk Matrix [Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

  32. Projects & Improvement Programs Issue: Enact new public procurement laws based on Model Law being prepared used elsewhere

  33. Risk Matrix [Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

  34. Projects & Improvement Programs Issue: Issue Circular to improve procurement process with mandatory requirements for • advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities; • public bid opening; • publication of contract awards above a certain threshold.

  35. Risk Matrix [Figure: Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)]

  36. Risk Management Risk management is a journey. You can expend great effort and travel miles. If, however, you haven’t plotted your course in line with the organisation’s strategy, you will do nothing but waste valuable time and resources.
