Assessing Organizational Risks – A Focus on Internal Audit

Post on 22-Apr-2022


Assessing Organizational Risks – A Focus on Internal Audit

To Receive CPE Credit
› Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
› Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader sign bottom of form
  • Submit group attendance form to training@bkd.com within 24 hours of webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar. Due to the large volume of certificates of completion issued, requests to reissue lost or misplaced certificates will be honored up to 60 days following the webinar

Presenters

Zack Patton, CPA
Senior Associate II
zpatton@bkd.com

Bryan Neal, CPA, CIA®
Director
bneal@bkd.com

What Is an Internal Audit Risk Assessment & What Is Not?

Examples of Risk Assessments
› Information Security/Information Technology
› Bank Secrecy Act/Anti-Money Laundering (BSA/AML)
› Health Insurance Portability and Accountability Act (HIPAA)
› Wire Transfers
› Automated Clearing House (ACH)
› Supply Chain Analysis
› Vendor Management
› Internal Audit

Common Characteristics
› Summary of business risks & vulnerabilities
› Summary of mitigating activities or internal controls
› Methodology for rating or scoring risks identified
› Assessment of the likelihood of occurrence
› Assessment of individual & overall level of risk
› Assessment of potential impacts
› Required by company or industry regulators

Internal Audit Risk Assessment
› Scope is enterprisewide (internal audit universe)
› Scope is not limited to a specific business function or risk
› May include key internal control activities
› Establishes priorities for company monitoring activities
› Involves management at all levels in the organization
› Builds on other risk assessment types

Who Completes the Risk Assessment?

Team Approach
› Audit committee/board of directors
› Executive leadership
› Internal audit & risk professionals
› Department managers
› Process owners

Team Member Roles
› Audit committee/board of directors
  • Establish timeline & provide project oversight
› Executive leadership
  • Demonstrate “tone at the top” & provide project direction
› Internal audit & risk professionals
  • Coordinate the project with management & report results to oversight body
› Department managers
  • Identify & rate the business risks present in each line of business
› Process owners
  • Identify the internal control activities present to mitigate identified risks

How Often Is a Risk Assessment Completed?

Frequency
› Continual process
› Updated annually or when new risks are identified
› Associated with development of annual internal audit budget

Why Do We Need to Do a Risk Assessment?

Purpose
› Documents the business risks at a point in time
› Memorializes internal control activities at a point in time
› Establishes criteria for a risk-based internal audit plan
› Addresses regulatory expectations or requirements

Where Do I Start?

Keep the Objectives in Mind
› Identify the audience
  • What are the expectations of the audience?
  • How detailed does the final deliverable need to be?
› Identify the major operational areas of the organization
  • What business functions go within each operational area?
› Identify the team members
  • Who should be involved in the project?
› Identify the timeline for completion

How Do I Start?

Fundamentals
› Format – narrative, tabular, or hybrid styles
› Level of detail
› Project timeline
› Previous risk assessments
› Peers
› Consultants
› Training
› Regulatory guidance

What Format Should I Use?

Format
› Narrative style
  • More descriptive of business risks
  • Operational processes & internal control activities are summarized
  • Helpful to users who want to better understand processes/controls
    o Auditors (external & internal)
    o Regulators
  • Requires more time to prepare the initial risk assessment
  • Requires more process owner & management time

Format
› Tabular style
  • Risks are summarized & assigned a numerical value in a table
  • Less detail is needed to complete
  • Less time is needed to complete
  • More definitions are required to document methodology
  • May not provide enough context relevant to setting risk levels
  • May result in more requests for clarification from users
  • Best suited for less complex organizations

Format
› Hybrid style
  • Includes elements of both the narrative & the tabular style
  • Provides a level of operational detail for users
  • Provides a summarized table of risk types & rating for each area

What Should I Include?

Contents – All Types
› Description of risk assessment approach
› Organizational overview
› Service provider overview (vendors involved in monitoring)
› Business risk definitions
› Rating definitions & descriptions of methodologies
› Risk ratings by risk type for each operational area
› Assessment of likelihood of occurrence
› Resulting internal audit approach

Contents – Narrative & Hybrid Styles
› Summary of operational area
› Description of key policies & procedures
› Management monitoring activities
› Key internal control activities
› Results of prior monitoring activities
› Narrative describing business risks & trends by operational area

What Business Risks Should I Include?

Business Risk
› A broad definition of business risk is the threat that an event or action will adversely affect a company’s ability to achieve its business objectives & execute its corporate strategies

Business Risk Examples
› Credit risk
› Market risk
› Compliance risk
› Legal risk
› Reputation risk
› Transaction risk
› Technology risk
› Strategic risk

Aspects of Business Risk
› Inherent risk
  • Overall risk involved with the activities performed in the audit universe area without considering mitigating controls or personnel involved
› Residual risk
  • Risk involved with the activities performed in the audit universe area after considering mitigating controls & personnel involved
› Direction of risk

How Do I Develop the Content?

Organizational Summary
› Financial statements
› Call reports
› Organizational bylaws
› Minutes of board of director meetings
› Audit committee charter
› Corporate website
› Organizational chart

Operational Areas
› Management surveys
› Internal control questionnaires
› Interviews of management & process owners
› Risk rating worksheets
› Policies & procedures
› Internal control narratives or matrices
› Prior audit & regulatory examination reports

How Do I Validate the Content?

Quality Control
› Detailed review of responses from management
› Follow-up interviews to address questions from review
› Comparison to prior risk assessments
› Consultation with other risk professionals
› Consultation with vendors

What Can Go Wrong?

Common Challenges
› Risk ratings are biased or not based on definitions
  • Line managers may want their operational area to be seen as low risk
  • Risk-averse managers rate all risks as high no matter what
  • Not understanding the difference between inherent & residual risks
› Not all relevant risks are identified
  • Line managers may not see a risk exists because of controls in place
› Lack of participation by individuals due to competing priorities
› Managers view the process as internal audit’s responsibility

What’s Next?

Risk-Based Internal Audit Plan
› Define the internal audit universe
› Rank the operational areas based on risk assessment
› Determine the frequency of the operational internal audits
› Tailor the internal audit procedures based on the identified risks
› Identify in-house resources or outsourced vendor resources
› Develop the internal audit budget
› Present the risk assessment & internal audit plan to governance
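The slides describe a risk rating worksheet (likelihood, impact, inherent versus residual risk), a quality-control step that catches biased ratings, and a plan that ranks operational areas and sets audit frequency, but they give no formula. The following is an added example, not code from the webinar or from BKD, that puts those three steps together on a constructed worksheet. The 1–3 scales, the `likelihood × impact` inherent score, the control-effectiveness discount used for residual risk, the frequency thresholds, and the three sample areas are all assumptions chosen for illustration; the risk types are the ones listed on the "Business Risk Examples" slide.

```python
"""Risk rating worksheet -> ranked, risk-based internal audit plan.

Hypothetical example: the scales, formulas, thresholds and sample data below
are assumptions constructed for illustration, not the webinar's methodology.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed rating scale used for likelihood, impact and control effectiveness.
LOW, MODERATE, HIGH = 1, 2, 3


@dataclass
class RiskRating:
    likelihood: int            # 1-3, assessed before considering controls
    impact: int                # 1-3, potential impact if the event occurs
    control_effectiveness: int  # 1-3, how well mitigating controls reduce exposure

    def inherent(self) -> int:
        # Inherent risk: exposure without considering mitigating controls (assumed formula).
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Residual risk: inherent risk after crediting controls (assumed formula).
        # Effectiveness 1 keeps the full exposure; 3 removes two-thirds of it.
        return round(self.inherent() * (1 - (self.control_effectiveness - 1) / 3), 2)


@dataclass
class OperationalArea:
    name: str
    ratings: Dict[str, RiskRating] = field(default_factory=dict)  # keyed by risk type

    def inherent_score(self) -> float:
        return round(sum(r.inherent() for r in self.ratings.values()) / len(self.ratings), 2)

    def residual_score(self) -> float:
        return round(sum(r.residual() for r in self.ratings.values()) / len(self.ratings), 2)

    def uniform_ratings(self) -> bool:
        """True when every risk type received the same likelihood and impact.
        The 'What Can Go Wrong' slide lists this pattern (e.g. everything rated
        high) as a sign of biased ratings, so the plan flags it for a follow-up
        interview rather than accepting the score at face value."""
        return len({(r.likelihood, r.impact) for r in self.ratings.values()}) == 1


def audit_frequency_years(residual_score: float) -> int:
    # Assumed thresholds: higher residual risk means a shorter audit cycle.
    if residual_score >= 4.0:
        return 1
    if residual_score >= 2.0:
        return 2
    return 3


def build_audit_plan(areas: List[OperationalArea]) -> List[dict]:
    """Rank the audit universe by residual risk and assign an audit frequency."""
    ranked = sorted(areas, key=lambda a: a.residual_score(), reverse=True)
    return [{
        "rank": rank,
        "area": area.name,
        "inherent": area.inherent_score(),
        "residual": area.residual_score(),
        "frequency_years": audit_frequency_years(area.residual_score()),
        "needs_follow_up": area.uniform_ratings(),
    } for rank, area in enumerate(ranked, start=1)]


def sample_areas() -> List[OperationalArea]:
    """Constructed worksheet responses for three operational areas."""
    return [
        OperationalArea("Wire Transfers", {
            "transaction": RiskRating(HIGH, HIGH, MODERATE),
            "technology": RiskRating(HIGH, HIGH, HIGH),
            "compliance": RiskRating(MODERATE, HIGH, MODERATE),
            "reputation": RiskRating(MODERATE, HIGH, MODERATE),
        }),
        OperationalArea("Lending", {
            "credit": RiskRating(HIGH, HIGH, HIGH),
            "compliance": RiskRating(MODERATE, MODERATE, MODERATE),
            "market": RiskRating(MODERATE, MODERATE, LOW),
            "legal": RiskRating(LOW, MODERATE, MODERATE),
        }),
        # A risk-averse manager who rated every risk type high: tops the ranking
        # but is flagged for the quality-control follow-up interview.
        OperationalArea("Human Resources", {
            "compliance": RiskRating(HIGH, HIGH, MODERATE),
            "legal": RiskRating(HIGH, HIGH, MODERATE),
            "reputation": RiskRating(HIGH, HIGH, MODERATE),
        }),
    ]


if __name__ == "__main__":
    for row in build_audit_plan(sample_areas()):
        print(row)
```

Running the block ranks Human Resources first on residual score, but `needs_follow_up` is true for it, which is exactly the situation the quality-control slide addresses: the score goes back to the department manager for a follow-up interview and a comparison to the prior year's assessment before the audit budget is built on it.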

Questions?

Continuing Professional Education (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE Credit
› CPE credit may be awarded upon verification of participant attendance
› For questions, concerns, or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com

Bryan Neal
405.606.2596
bneal@bkd.com

Zack Patton
812.428.6503
zpatton@bkd.com

Thank You!
