Methods of devising the audit universe and annual audit plan

11-13 October 2016 BRUNEI DARUSSALAM Eşo YALÇINDAĞ Auditor Methods of devising the audit universe and annual audit plan.


Page 1: Methods of devising the audit universe and annual audit plan

11-13 October 2016

BRUNEI DARUSSALAM

Eşo YALÇINDAĞ

Auditor

Methods of devising the audit universe and annual audit plan.


What’s on the agenda?

- Methods of devising the audit universe
  - Standards
  - Risk assessment process

- Annual audit plan
  - Standards
  - Planning steps

Please note: Audit programs and audit approaches of the CBRT are CONFIDENTIAL


Audit universe

Methods of devising the audit universe

=> Risk assessment


Standards

IIA-Standard 2010.A1 - Planning

The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.

The input of senior management and the Board should be considered in this process.


Standards

IIA-Standard 2110.A1

The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

IIA-Standard 2110.A2

The internal audit activity should evaluate risk exposures relating to the organization's governance, operations and information systems regarding the

- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations
- safeguarding of assets
- compliance with laws, regulations and contracts.


Standards

IIA-Standard 2110 - Risk Management

The internal audit activity should assist the organisation by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.


Risk Assessment Process

Aims to identify risky processes

Helps to rank and select processes to be audited

Helps us to find the best use of our limited resources


Risk Assessment Process

Identify risk

Measure risk

Prioritize risk

Select and develop audits


Risk Assessment Process

IDENTIFY RISK

Measure risk

Prioritize risk

Select and develop audits


Risk Assessment Process:

Identify risk

Financial risks

Operational Risks

Reputational risk


Risk Assessment Process:

Identify risk

Risk Categories

1. Financial Risks

2. Reputation Risks

3. Organizational Risks


Risk Assessment Process:

Measure Risk

Identify risk

MEASURE RISK

Prioritize risk

Select and develop audits


Risk Assessment Process:

Measure Risk

Determine risk factor

Weight risk factor

Score risk factor


Risk Assessment Process:

Measure Risk - Determine risk factor

Risk Categories

1. Financial Risks
   - Financial losses from fraud or error
   - Complexity of operations, high volume of trading

2. Reputation Risks
   - Legal obligations
   - The impact of fraud and error on CBRT's reputation

3. Organizational Risks
   - System infrastructure, human resources
   - Need for specialization


Risk Assessment Process:

Measure Risk - Weight risk factor

| Risk Categories | Weights |
|---|---|
| 1. Financial Risks | 45% |
| Financial losses from fraud or error | 15% |
| Complexity of operations, high volume of trading | 30% |
| 2. Reputation Risks | 30% |
| Legal obligations | 15% |
| The impact of fraud and error on CBRT's reputation | 15% |
| 3. Organizational Risks | 25% |
| System infrastructure, human resources | 15% |
| Need for specialization | 10% |


Risk Assessment Process:

Measure Risk - Score risk factor

Each process in the Audit Universe is rated from 1 to 5, along these risk categories.

Risk Level 5: The most risky level

Risk Level 1: The least risky level


Risk Assessment Process:

Measure Risk - Score risk factor

Financial Risk

- Financial losses from fraud or error

Risk level 1: Possible loss is less than 50.000 ₺

Risk level 2: Possible loss is 50.000 ₺ - 200.000 ₺

Risk level 3: Possible loss is 200.000 ₺ - 1.000.000 ₺

Risk level 4: Possible loss is 1.000.000 ₺ - 5.000.000 ₺

Risk level 5: Possible loss is more than 5.000.000 ₺


Risk Assessment Process:

Measure Risk - Score risk factor

- Complexity of operations, high volume of trading

Risk level 1: Operations are routine and are not complex, no need for high IT system usage, volume of trading is low, no time pressure

Risk level 5: Operations are highly complex, very diverse procedures, most of the operations require IT system usage, the volume of trading is very high, high pressure for time


Risk Assessment Process:

Measure Risk - Score risk factor

Reputation Risks

- Legal Obligations

Risk level 1: Possible mistakes or nonconformity with law doesn’t cause any compensation, a loss of reputation or financial burden

Risk level 5: Possible mistakes or nonconformity with law can cause national or international compensation, a very severe effect on the reputation or a very high financial burden


Risk Assessment Process:

Measure Risk - Score risk factor

Reputation Risks

- The impact of fraud and error on CBRT's reputation

Risk level 1: There will not be any reputational effect if the public finds out about the possible mistake or nonconformity with law; the process doesn't have any confidential information; there is no limitation on reaching the information of the process.

Risk level 5: There will be very severe reputational effects if the public finds out about the possible mistake or nonconformity with law, and the markets may be affected; the process has highly confidential information and there are very strict limits on reaching the information of the process.


Risk Assessment Process:

Measure Risk - Score risk factor

Organizational risk

- System infrastructure, human resources

Risk level 1: There is no planned change for the IT processes, organizational structure, operations and the important human resources

Risk level 5: A very important IT process, organizational structure or human resource is about to change; there will be new highly diverse processes or complicated operations


Risk Assessment Process:

Measure Risk - Score risk factor

Organizational risk

- Need for specialization

Level 1: There is no need for specialization as the operations are routine and not complicated

Level 5: All employees must be highly specialized and there is a need for ongoing training. It is very important to have highly qualified employees as the operations are very complicated


Risk Assessment Process:

Measure Risk

| Risk Categories | Assessment | Weights | Results |
|---|---|---|---|
| 1. Financial Risks | | 45% | |
| Financial losses from fraud or error | 5 | 15% | 0,75 |
| Complexity of operations, high volume of trading | 3 | 30% | 0,90 |
| 2. Reputation Risks | | 30% | |
| Legal obligations | 5 | 15% | 0,75 |
| The impact of fraud and error on CBRT's reputation | 5 | 15% | 0,75 |
| 3. Organizational Risks | | 25% | |
| System infrastructure, human resources | 2 | 15% | 0,30 |
| Need for specialization | 4 | 10% | 0,40 |
| TOTAL RISK | | | 3,85 |


Risk Assessment Process:

Prioritize Risk

Identify risk

Measure risk

PRIORITIZE RISK

Select and develop audits


Risk Assessment Process:

Prioritize Risk

Inherent risk

• Financial

• Operational

• Reputational

Effectiveness of Internal Controls


Risk Assessment Process:

Prioritize Risk

Control Categories

- The quality of current internal controls
- Fraud/Error/Events reported
- The quality of human resources
- Automation/Integrity of operations
- Time lapsed since the last audit


Risk Assessment Process:

Prioritize Risk

| Control Categories | Weights |
|---|---|
| The quality of current internal controls | 30% |
| Fraud/Error/Events reported | 15% |
| The quality of human resources | 15% |
| Automation/Integrity of operations | 25% |
| Time lapsed since the last audit | 15% |


Risk Assessment Process:

Prioritize Risk

Each process in the Audit Universe is rated from 1 to 5, along these control categories.

Control Level 1: Adequacy of internal controls

Control Level 5: Inadequacy of internal controls


Risk Assessment Process:

Prioritize Risk

The quality of internal controls

Control level 1: Documentation and procedures exist for every step of the process. Internal controls are explained in detail and procedures are up to date.

Control level 5: There is no documentation or procedure for the process or the current procedures are not up to date.


Risk Assessment Process:

Prioritize Risk

Fraud/error/events reported

Control level 1: There are no fraud/error/events reported for the process

Control level 5: Very severe fraud/error/events are being reported regularly for the process


Risk Assessment Process:

Prioritize Risk

The quality of human resources

Control level 1: HR is sufficient and qualified

Control level 5: Lack of sufficient and qualified HR on an ongoing basis, especially for highly important processes


Risk Assessment Process:

Prioritize Risk

Automation/ integrity of operations

Control level 1: All the process is done by automation

Control level 5: There is no automation application other than office programs


Risk Assessment Process:

Prioritize Risk

Time lapsed since last audit

Control level 1: Less than 1 year

Control level 5: More than 4 years


Risk Assessment Process:

Prioritize Risk

Department: Markets department

Audit object: Open market operations

| Group | Column | Cell / formula |
|---|---|---|
| Risk factors | Financial losses from fraud/error | D3 |
| Risk factors | Complexity of operations | E3 |
| Risk factors | Legal operations | F3 |
| Risk factors | Reputational risk | G3 |
| Risk factors | HR | H3 |
| Risk factors | Need for specialization | I3 |
| Internal controls | Quality of internal control | J3 |
| Internal controls | Fraud/error/events reported | K3 |
| Internal controls | HR quality | L3 |
| Internal controls | Automation and integration of operations | M3 |
| Internal controls | Time lapsed since the last audit | N3 |
| Inherent risk | | =(D3*0,15+E3*0,3+F3*0,15+G3*0,15+H3*0,15+I3*0,1)/5 |
| Control risk | | =(J3*0,3+K3*0,15+L3*0,15+M3*0,25+N3*0,15)/5 |
| Residual Risk | | =O3*P3 |


Risk Assessment Process:

Prioritize Risk

Columns 3-8 are the risk factors, columns 9-13 are the internal controls.

| Department | Audit object | Financial losses from fraud/error | Complexity of operations | Legal operations | Reputational risk | HR | Need for specialization | Quality of internal control | Fraud/error/events reported | HR quality | Automation and integration | Time lapsed since the last audit | Inherent risk | Control risk | Residual Risk |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Markets department | FX operations | 4 | 4 | 3 | 4 | 3 | 3 | 3 | 2 | 2 | 3 | 5 | 72% | 57% | 41% |
| Banknote printing plant | Physical and electronic security services | 3 | 4 | 3 | 4 | 3 | 3 | 3 | 2 | 2 | 4 | 5 | 72% | 57% | 41% |
| Accounting | Tax payments | 4 | 3 | 4 | 4 | 3 | 2 | 2 | 2 | 2 | 3 | 5 | 71% | 55% | 39% |
| Markets department | Money market operations | 4 | 4 | 3 | 5 | 3 | 3 | 2 | 2 | 2 | 2 | 5 | 72% | 55% | 39% |
| Banknote printing plant | Banknote printing process | 4 | 4 | 4 | 5 | 3 | 3 | 2 | 2 | 2 | 3 | 4 | 74% | 52% | 39% |
| Issue | Safeguard Assessment | 4 | 5 | 3 | 4 | 3 | 1 | 3 | 2 | 2 | 4 | 4 | 73% | 54% | 39% |


Risk Assessment Process:

Prioritize Risk

In the end, the residual risk is calculated by multiplying the numbers acquired through risk and control assessment.

This rating is done for each process in the Audit Universe.

Then, the processes are ranked based on their residual risks.
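
The scoring and ranking steps above, as an added example that is not part of the original slides or CBRT's own tooling. The weights and the divide-by-5 formulas are taken from the slides; the factor keys, function names and the sample universe are assumptions made for illustration.

```python
# Added example: weights and formulas follow the slides; names are assumptions.
RISK_WEIGHTS = {            # inherent-risk factors (Measure Risk slides)
    "financial_loss": 0.15,
    "complexity": 0.30,
    "legal_obligations": 0.15,
    "reputation": 0.15,
    "infrastructure_hr": 0.15,
    "specialization": 0.10,
}
CONTROL_WEIGHTS = {         # control categories (Prioritize Risk slides)
    "control_quality": 0.30,
    "events_reported": 0.15,
    "hr_quality": 0.15,
    "automation": 0.25,
    "time_since_audit": 0.15,
}
MAX_LEVEL = 5               # ratings run from 1 (lowest) to 5 (highest)


def weighted_total(scores, weights):
    """Weighted sum of 1-5 ratings; rejects incomplete or out-of-range input."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    if set(scores) != set(weights):
        raise ValueError(f"ratings needed for exactly: {sorted(weights)}")
    for name, level in scores.items():
        if level not in range(1, MAX_LEVEL + 1):
            raise ValueError(f"{name}: rating must be an integer 1..{MAX_LEVEL}")
    return sum(scores[name] * weight for name, weight in weights.items())


def residual_risk(risk_scores, control_scores):
    """Return (inherent, control, residual), each as a fraction of the maximum."""
    inherent = weighted_total(risk_scores, RISK_WEIGHTS) / MAX_LEVEL
    control = weighted_total(control_scores, CONTROL_WEIGHTS) / MAX_LEVEL
    return inherent, control, inherent * control


def rank_universe(universe):
    """Rate every audit object and sort by residual risk, highest first."""
    rated = [(name, *residual_risk(r, c)) for name, (r, c) in universe.items()]
    return sorted(rated, key=lambda row: row[3], reverse=True)


def ratings(weights, levels):
    """Pair a tuple of ratings with the factor names, in slide order."""
    return dict(zip(weights, levels))


# Constructed sample universe (names and ratings are illustrative, not CBRT data).
# "Process A" reuses the risk ratings of the worked table whose total is 3,85.
SAMPLE_UNIVERSE = {
    "Process A": (ratings(RISK_WEIGHTS, (5, 3, 5, 5, 2, 4)),
                  ratings(CONTROL_WEIGHTS, (3, 2, 2, 3, 5))),
    "Process B": (ratings(RISK_WEIGHTS, (2, 2, 1, 2, 3, 2)),
                  ratings(CONTROL_WEIGHTS, (5, 4, 4, 5, 5))),
    "Process C": (ratings(RISK_WEIGHTS, (4, 4, 3, 4, 3, 3)),
                  ratings(CONTROL_WEIGHTS, (1, 1, 2, 1, 1))),
}
```

In the sample, Process B has low inherent risk but weak controls and still ranks above Process C, whose inherent risk is high but well controlled.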


Risk Assessment Process:

Select and Develop Audit Plan

Identify risk

Measure risk

Prioritize risk

SELECT AND DEVELOP AUDIT PLAN


Risk Assessment Process:

Select and Develop Audit Plan

Do you use a formal risk assessment process for audit planning?

How often do you perform an Internal Audit Risk Assessment?

Do you have a formally documented Audit Universe?


ANNUAL AUDIT PLAN


Standards

IIA-Standard 2010 - Planning

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

IIA-Standard 2030 - Resource Management

The chief audit executive should ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.


Audit Plan

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Audit Universe

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Audit Universe

Audit Universe: All available processes/issues subject to auditing.

Audit universe is devised and reviewed at year-ends through meetings with the management of audited units.

Audit forms are prepared to depict a short summary of the scope of the process to be audited.


Audit Universe

AUDIT OBJECT:

Objectives

Scope

Method

Main risk areas

Date


Audit Universe

The Audit Universe of CBRT contains 109 Audit Objects, which was revised at the end of 2013

28 of the Audit Objects are IT audits


Audit Universe

Examples of audit universe:

Reserve requirements operations

R&D operations

Banknote Printing process

Other printing activities

Safeguard assessment

Training activities

Performance evaluations

Activities of Istanbul School of Central Banking

Public Procurement

Property management

Tax payments

ABC Accounting

Financial Reporting - IFRS

Civil defense activities

Strategic planning

Health care services

FX management

IT - Corporate data management

IT - Password safety

General: Corporate Governance

General: Business Continuity management


Risk Assessment

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Audit Budget

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Audit Budget

Assignment of Resources

Preparing a list that includes all time budgets

Gross time of all staff members

- budgets for non-audit work (e.g. administration, training, vacation)

- budget for unpredictable tasks (e.g. special investigations)

= net time, available for audit planning


Audit Budget

Special Projects

Risk Management process

Advisory / Consulting Services

Compliance Activities

Professional Development

Audit Support Activities

Leave Time

Other factors


Annual Plan

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Annual Plan

Setting up annual audit plan:

- Risk-based selection from the ranking list

- Special requests from the management

- Consulting Engagements


Annual Plan

2016’s Audit Plan: 32 audit objects

8 of the audit objects are IT audits

Examples of 2016’s Audit Plan:

- Micro financial analysis and financial stability operations
- Communication with international authorities
- Reserve requirements
- Physical and electronic safety operations
- Occupational safety and health
- Safeguard assessment operations
- Short term training activities
- Activities of CBRT library
- Financial and monetary statistics
- Payment other than tax and per diem spending
- General - Business Continuity
- General - User ID and password confidentiality - ACL based
- IT - IT investment process
- IT - IT governance
- IT - Quality management


Approval & Execution

Audit universe

Risk assessment

Audit budget

Annual Plan

Approval & execution


Approval & Execution

Annual audit plan is prepared by the audit management

Annual audit plan is approved by the Governor of the CBRT

Any change of the plan is approved by the Governor during the year


Approval & Execution

Assigning the auditors to the audits

Determination of the

- Audit engagement manager

- Timing of the engagements

- The audit-teams


Approval & Execution

Updating the audit plan during the year

- Dynamic, not static
- Forward-looking


Audit Plan

How do you prepare your annual audit plan?

Who is responsible for planning?

Who approves the plan?

How often do you update the plan?

How do you assign the auditor – any specialization?

Is there any other step you have for the annual planning process?


QUESTIONS???

Thank you for your attention and contribution
