1

Risk  Based  Audi,ng  with  

Raven  Catlin  Raven  Global  Training  

1

Raven  Catlin,  CPA,  CIA,  CFSA  !  Call  me:  571-­‐283-­‐1878  !  Email  me:  raven@ravenglobaltraining.com  !  Check  out  www.ravenglobaltraining.com  !  TwiLer:  @raventraining  !  Your  mission:  

!  Have  Fun!  !  Think  !  Ask  Ques,ons  !  Share  something  !  Learn  something   2

2

•  2010.A1  –  The  internal  audit  ac,vity’s  plan  of  engagements  should  be  based  on  a  risk  assessment,  undertaken  at  least  annually.    

•  2120.A1  –  Based  on  the  results  of  the  risk  assessment,  the  internal  audit  ac,vity  should  evaluate  the  adequacy  and  effec,veness  of  controls  encompassing  the  organiza,on’s  governance,  opera,ons,  and  informa,on  systems.  

Risk-­‐Based  Audit  Standards  

3

3

RISK  &  CONTROL  CONCEPTS  OVERVIEW  AND  REFRESHER  

4

4

3

What  is  Risk?  !  All  businesses  have  risks    !  Those  risks  must  be  iden,fied  and  addressed  

!  Risk  is  the  threat  that  an  event,  ac,on,  or  non-­‐ac,on  will  affect  an  organiza,on’s  ability  to  achieve  its  business  objec,ves  and  execute  its  strategies  successfully.    

!  “Risk  blindness”  5

5

Risk:  Types  and  Assessment  !  What  types  of  risk  are  there?  !  Inherent  

!  Residual  

!  How  do  we  assess  risk?  !  Impact  

!  Likelihood  6

6

4

AUDIT  PLANNING  STEPS  

7

7

Building  a  Risk  Based  Audit  Plan  

1.  Inventory  the  business  processes  or  auditable  en,,es  

2.  Correlate  business  processes  with  objec,ves  or  risks  

3.  Iden,fy  universal  risk  factors  4.  Weight  the  risk  factors  5.  Create  the  risk  profile  for  the  organiza,on  6.  Select  audits  to  be  performed  7.  Iden,fy  gaps  and  resource  needs  8.  Gain  agreement  from  management  

8

8

5

Risk  Factors  !  Transac,on  complexity  !  Management  stability  !  Liquidity  conversion  !  Degree  of  automa,on    !  Confidence  in  management    

!  Extent  of  major  change  !  Employee  turnover    !  Environmental  factors    

!  Compe,,ve  pressures    !  Control  environment    !  Time  since  last  audit    !  Con,nuous  audi,ng  results  

!  Degree  of  financial  materiality    

!  Volume  of  transac,ons  

9

9

Ques,ons  for  Management  

!  What  could  go  wrong?  !  Who  could  we  fail?  !  Where  are  we  vulnerable?  !  What  resources  do  we  need  to  protect?  !  What  must  go  right  for  us  to  succeed?  !  How  could  our  opera,ons  be  disrupted?  !  What  informa,on  must  we  rely  on?  !  What  decisions  require  the  most  judgment?   10

10

6

Ques,ons  for  Management  con,nued  

!  What  ac,vi,es  are  the  most  complex?  !  What  ac,vi,es  are  regulated?  !  What  is  our  greatest  legal  exposure?  !  How  could  someone  convert  assets?  !  How  successful  will  be  at  managing  change?  !  How  will  we  retain  cri,cal  resources?  !  What  is  the  worst  thing  that  happened  in  your  department  this  year,  last  year,  5  years  ago?  

11

11

Engagement  Level  Risk  Assessment  (ELRA)  /  Risk  Control  Matrix  (RCM)  

!  Start  with  business  /  process  objec,ves  !  Iden,fy  risks  !  Assess  risks  !  Document  scope  considera,ons  !  Iden,fy  controls  !  Assess  adequacy  of  controls  !  Document  effec,veness  of  controls  !  Document  audit  findings  

12

12

7

Priori,ze  Your  ELRA  

!  Priori,ze  iden,fied  risks  (risk  matrix)  !  For  high  risks,  increase  audit  intensity  !  Iden,fy  control  aLributes  !  Priori,ze  your  controls  

13

13

Seing  Objec,ves  

!  Preliminary  (ini,al)  objec,ves  !  Type  of  audit  

•  Opera,onal  •  Financial  •  Compliance  •  Performance  •  IT  •  Others..  

!  Management  objec,ves  !  Refined  objec,ves   14

14

8

Determining  Audit  Scope  

!  Es,mated  ,me  budget  •  Fixed,  closed-­‐end  date  driven  •  Hours  

!  Impact  of  other  audits  !  Audit  intensity  !  Use  of  technology    !  Dependence  on  en,ty  level  controls  !  Types  of  audit  tests  !  Sampling  method   15

15

IDENTIFYING  AND  DOCUMENTING  CONTROLS  

…Intelligent  Internal  Controls  vs.  process  ste  …interviews,  surveys,  ques,onnaires,  documenta,on  reviews    

16

16

9

Iden,fy  Controls  !  Categories  !  Experience  !  Guidance  material  !  Other  risk  and  control  matrices  !  Risk  examples  for  others  in  industry  !  Team  effort  !  Interviews  /  walkthroughs  !  Process  maps  /  flowcharts  !  ICQs  /  Surveys   17

17

Basic  Control  Objec,ves  !  Authoriza,on  !  Accuracy  !  Completeness  !  Existence  !  Valua,on  !  Classifica,on  !  Timeliness  /  Cutoff  !  Segrega,on  of  Du,es  (separate  authoriza,on,  custody,  and  accoun,ng)  

!  Safeguarding  Assets  18

18

10

Key  Controls  

!  Significant  controls  that  both  ensure  and  give  assurance  that  the  organiza,on  is  achieving  key  business  objec,ves.  

!  The  control  that  management  is  most  dependent  upon  to  makes  certain  the  right  things  get  completed  the  right  way.  

!  When  the  absence  of  that  control  would  increase  residual  risk  

19

19

Key  Controls  …con,nued  !  Controls  for  significant  accounts  and  

processes  !  Transac,on  ini,a,on,  authoriza,on,  

processing,  and  repor,ng  !  Key  check  points  for  each  transac,on  !  Controls  designed  to  prevent  or  detect  

fraud  !  Controls  that  management  depend  on  !  Controls  that  show  management  C.A.R.E.S  !  Controls  that  mi,gate  more  than  one  risk  

20

20

11

TESTING  ADEQUACY  &  EFFECTIVENESS  OF  CONTROLS  

…assessing  adequacy  of  controls  …tes,ng  effec,veness  of  controls  

21

21

Control  Adequacy  Weaker   Stronger  

Manual   Automated  

Detec,ve   Preven,ve  

Single   Mul,ple  /  Overlapping  

Complex:  Many  steps   Single:  One  step  

High  level   Transac,on  level  

Uses  sampling   Done  100%  

Takes  place  later   Done  real  ,me  22

22

12

Techniques  to  Test  Control  Effec,veness  

!  Surveys  !  Control  Self  Assessment  !  Con,nuous  Monitoring  !  Con,nuous  Audi,ng  !  Analy,cal  Reviews  !  Paper  reviews  !  Audits  

23

23

CAATs  Scope  

!  Know  your  data  !  Know  how  to  get  your  data  !  Understand  data  warehouse  !  Know  what  you  need  to  get  manually  

24

24

13

CAATs  Uses  

!  Substan,ve  tes,ng  !  Compliance  tes,ng  !  Financial  tes,ng  (end-­‐of-­‐year  transac,ons  and  balances)  

!  Analy,cal  review  !  Efficiency  analysis  !  System  controls  tes,ng  

25

25

Determining  Sampling  Sizes  

!  Iden,fy  your  popula,on  1st    !  Base  sample  size  on  risk  !  Consider  transac,on  frequency  !  Establish  a  sampling  technique  /  process  !  Consider  the  number  of  excep,ons  you  expect  to  find  (more  excep,ons  =  more  samples)  –  set  your  error  rate  

!  Ask  your  external  auditor  26

26

14

Tes,ng  other  controls  

!  1st  you  must  know  a  deficiency  is  s,ll  a  deficiency  even  if  a  compensa,ng  control  is  present  

!  Test  complementary  and  compensa,ng  controls  as  needed  to  assist  with  deficiency  assessment  

!  Redundant  controls  are  “redundant”  

27

27

COMMUNICATING  RISK  BASED  AUDIT  RESULTS  

…residual  risk  …what  really  maLers?  

28

28

15

What  is  a  good  audit  report?  

!  Complies  with  communica,on  standards  of  our  profession  

!  Meets  the  needs  of  the    target  audience  !  Maintains  appropriate  tone  !  Helps  the  company  mi,gate  risks  and  improve  processes  

29

29

Ques,ons  ?  

Raven Catlin raven@ravenglobaltraining.com

DC Metro 571-283-1878 www.ravenglobaltraining.com

@raventraining

30

30