methods of devising the audit universe and annual audit plan
TRANSCRIPT
11-13 October 2016
BRUNEI DARUSSALAM
Eşo YALÇINDAĞ
Auditor
Methods of devising the audit universe and annual audit plan.
What’s on the agenda?
- Methods of devising the audit universe
- Standards
- Risk assessment process
- Annual audit plan
- Standards
- Planning steps
Please note: Audit programs and audit approaches of the CBRT are CONFIDENTIAL
2
Audit universe
Methods of devising the audit universe => Risk assessment
3
Standards
IIA-Standard 2010.A1 -Planning
The internal audit activity’s plan of engagements should be
based on a risk assessment, undertaken at least annually.
The input of senior management and the Board should be
considered in this process.
4
Standards
IIA-Standard 2110.A1
The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.
IIA-Standard 2110.A2
The internal audit activity should evaluate risk exposures relating to the organization's governance, operations and information systems regarding the
- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations
- safeguarding of assets
- compliance with laws, regulations and contracts.
5
Standards
IIA-Standard 2110 – Risk Management
The internal audit activity should assist the organisation by
identifying and evaluating significant exposures to risk and
contributing to the improvement of risk management and
control systems.
6
Risk Assessment Process
Aims to identify risky processes
Helps to rank and select processes to be audited
Helps us to find the best use of our limited resources
7
Risk Assessment Process
Identify risk
Measure risk
Prioritize risk
Select and develop audits
8
Risk Assessment Process
IDENTIFY RISK
Measure risk
Prioritize risk
Select and develop audits
9
Risk Assessment Process:
Identify risk
Financial risks
Operational Risks
Reputational risk
10
Risk Assessment Process:
Identify risk
Risk Categories
1. Financial Risks
2. Reputation Risks
3. Organizational Risks
11
Risk Assessment Process:
Measure Risk
Identify risk
MEASURE RISK
Prioritize risk
Select and develop audits
12
Risk Assessment Process:
Measure Risk
Determine risk factor
Weight risk factor
Score risk factor
13
Risk Assessment Process:
Measure Risk - Determine risk factor
Risk Categories
1. Financial Risks
Financial losses from fraud or error
Complexity of operations, high volume of trading
2. Reputation Risks
Legal obligations
The impact of fraud and error on CBRT's reputation
3. Organizational Risks
System infrastructure, human resources
Need for specialization
14
Risk Assessment Process:
Measure Risk - Weight risk factor
Risk Categories                                         Weights
1. Financial Risks                                      45%
   Financial losses from fraud or error                 15%
   Complexity of operations, high volume of trading     30%
2. Reputation Risks                                     30%
   Legal obligations                                    15%
   The impact of fraud and error on CBRT's reputation   15%
3. Organizational Risks                                 25%
   System infrastructure, human resources               15%
   Need for specialization                              10%
15
Risk Assessment Process:
Measure Risk - Score risk factor
Each process in the Audit Universe is rated from 1 to 5, along these risk categories.
Risk Level 5: The most risky level
Risk Level 1: The least risky level
16
Risk Assessment Process:
Measure Risk - Score risk factor
Financial Risk
- Financial losses from fraud or error
Risk level 1: Possible loss is less than 50.000 ₺
Risk level 2: Possible loss is 50.000 ₺ – 200.000 ₺
Risk level 3: Possible loss is 200.000 ₺ – 1.000.000 ₺
Risk level 4: Possible loss is 1.000.000 ₺ – 5.000.000 ₺
Risk level 5: Possible loss is more than 5.000.000 ₺
17
Risk Assessment Process:
Measure Risk - Score risk factor
- Complexity of operations, high volume of trading
Risk level 1: Operations are routine and not complex, no need for high IT system usage, volume of trading is low, no time pressure
Risk level 5: Operations are highly complex with very diverse procedures, most of the operations require IT system usage, the volume of trading is very high, high pressure for time
18
Risk Assessment Process:
Measure Risk - Score risk factor
Reputation Risks
- Legal Obligations
Risk level 1: Possible mistakes or nonconformity with law do not cause any compensation, loss of reputation or financial burden
Risk level 5: Possible mistakes or nonconformity with law can cause national or international compensation, a very severe effect on reputation or a very high financial burden
19
Risk Assessment Process:
Measure Risk - Score risk factor
Reputation Risks
- The impact of fraud and error on CBRT's reputation
Risk level 1: There will not be any reputational effect if the public finds out about the possible mistake or nonconformity with law; the process does not involve any confidential information and there is no limitation on access to information about the process
Risk level 5: There will be very severe reputational effects if the public finds out about the possible mistake or nonconformity with law, and the markets may be affected; the process involves highly confidential information and there are very strict limits on access to information about the process.
20
Risk Assessment Process:
Measure Risk - Score risk factor
Organizational risk
- System infrastructure, human resources
Risk level 1: There is no planned change to the IT processes, organizational structure, operations or key human resources
Risk level 5: A very important IT process, organizational structure or human resource is about to change, or there will be new, highly diverse processes or complicated operations
21
Risk Assessment Process:
Measure Risk - Score risk factor
Organizational risk - Need for specialization
Level 1: There is no need for specialization as the operations are routine and not complicated
Level 5: All employees must be highly specialized and there is a need for ongoing training. It is very important to have highly qualified employees as the operations are very complicated
22
Risk Assessment Process:
Measure Risk
Risk Categories                                         Assessment  Weights  Results
1. Financial Risks                                                  45%
   Financial losses from fraud or error                 5           15%      0,75
   Complexity of operations, high volume of trading     3           30%      0,90
2. Reputation Risks                                                 30%
   Legal obligations                                    5           15%      0,75
   The impact of fraud and error on CBRT's reputation   5           15%      0,75
3. Organizational Risks                                             25%
   System infrastructure, human resources               2           15%      0,30
   Need for specialization                              4           10%      0,40
TOTAL RISK                                                                   3,85
23
Risk Assessment Process:
Prioritize Risk
Identify risk
Measure risk
PRIORITIZE RISK
Select and develop audits
24
Risk Assessment Process:
Prioritize Risk
Inherent risk
• Financial
• Operational
• Reputational
Effectiveness of Internal Controls
25
Risk Assessment Process:
Prioritize Risk
Control Categories
The quality of current internal controls
Fraud/Error/Events reported
The quality of human resources
Automation/Integrity of operations
Time lapsed since the last audit
26
Risk Assessment Process:
Prioritize Risk
Control Categories                            Weights
The quality of current internal controls      30%
Fraud/Error/Events reported                   15%
The quality of human resources                15%
Automation/Integrity of operations            25%
Time lapsed since the last audit              15%
27
Risk Assessment Process:
Prioritize Risk
Each process in the Audit Universe is rated from 1 to 5, along these control categories.
Control Level 1: Adequacy of internal controls
Control Level 5: Inadequacy of internal controls
28
Risk Assessment Process:
Prioritize Risk
The quality of internal controls
Control level 1: There is documentation and there are procedures for every step of the process. Internal controls are explained in detail and procedures are up to date
Control level 5: There is no documentation or procedure for the process, or the current procedures are not up to date.
29
Risk Assessment Process:
Prioritize Risk
Fraud/error/events reported
Control level 1: There is no fraud/error/events
reported for the process
Control level 5: Very severe fraud/error/events
are being reported regularly for the process
30
Risk Assessment Process:
Prioritize Risk
The quality of human resources
Control level 1: Sufficient and qualified HR are available
Control level 5: Ongoing lack of sufficient and qualified HR, especially for highly important processes
31
Risk Assessment Process:
Prioritize Risk
Automation / integrity of operations
Control level 1: The whole process is automated
Control level 5: There is no automation application other than office programs
32
Risk Assessment Process:
Prioritize Risk
Time lapsed since last audit
Control level 1: Less than 1 year
Control level 5: More than 4 years
33
Risk Assessment Process:
Prioritize Risk
Table layout (one row per audit object):
Department | Audit object | Risk factors (columns D-I) | Internal controls (columns J-N) | Inherent risk (O) | Control risk (P) | Residual risk (Q)
Risk factor columns:
- D: Financial losses from fraud/error
- E: Complexity of operations
- F: Legal operations
- G: Reputational risk
- H: HR
- I: Need for specialization
Internal control columns:
- J: Quality of internal control
- K: Fraud/error/events reported
- L: HR quality
- M: Automation and integration of operations
- N: Time lapsed since the last audit
Example row: Markets department | Open market operations | D3 E3 F3 G3 H3 I3 | J3 K3 L3 M3 N3
Inherent risk (O3) = (D3*0,15 + E3*0,3 + F3*0,15 + G3*0,15 + H3*0,15 + I3*0,1)/5
Control risk (P3) = (J3*0,3 + K3*0,15 + L3*0,15 + M3*0,25 + N3*0,15)/5
Residual risk (Q3) = O3*P3
34
Risk Assessment Process:
Prioritize Risk
Columns: Department | Audit object | Risk factors (Financial losses from fraud/error, Complexity of operations, Legal operations, Reputational risk, HR, Need for specialization) | Internal controls (Quality of internal control, Fraud/error/events reported, HR quality, Automation and integration, Time lapsed since the last audit) | Inherent risk | Control risk | Residual risk
Markets department | FX operations | 4 4 3 4 3 3 | 3 2 2 3 5 | 72% | 57% | 41%
Banknote printing plant | Physical and electronic security services | 3 4 3 4 3 3 | 3 2 2 4 5 | 72% | 57% | 41%
Accounting | Tax payments | 4 3 4 4 3 2 | 2 2 2 3 5 | 71% | 55% | 39%
Markets department | Money market operations | 4 4 3 5 3 3 | 2 2 2 2 5 | 72% | 55% | 39%
Banknote printing plant | Banknote printing process | 4 4 4 5 3 3 | 2 2 2 3 4 | 74% | 52% | 39%
Issue | Safeguard assessment | 4 5 3 4 3 1 | 3 2 2 4 4 | 73% | 54% | 39%
35
Risk Assessment Process:
Prioritize Risk
In the end, the residual risk is calculated by multiplying the scores obtained from the risk assessment and the control assessment.
This rating is done for each process in the Audit Universe.
Then, the processes are ranked based on their residual risks.
36
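The weighted scoring from the Measure Risk and Prioritize Risk slides, carried through end to end as an added Python example (not the CBRT's own worksheet). The weights are the ones on the slides and the division by 5 follows the sheet formulas; the factor key names, the first row's control ratings and the other two rows' ratings are assumptions constructed for illustration.

```python
import math
# Weights from the slides (risk factors = sheet columns D..I, controls = J..N); key names are mine.
RISK_WEIGHTS = {
    "financial_losses": 0.15, "complexity": 0.30, "legal_obligations": 0.15,
    "reputation": 0.15, "hr_infrastructure": 0.15, "specialization": 0.10,
}
CONTROL_WEIGHTS = {
    "quality_of_controls": 0.30, "events_reported": 0.15, "hr_quality": 0.15,
    "automation": 0.25, "time_since_audit": 0.15,
}
assert math.isclose(sum(RISK_WEIGHTS.values()), 1.0)   # both sets must sum to 100%
assert math.isclose(sum(CONTROL_WEIGHTS.values()), 1.0)

def weighted_score(ratings, weights):
    """Weighted sum of 1-5 ratings; rejects missing/extra factors and out-of-range values."""
    if set(ratings) != set(weights):
        raise ValueError(f"expected exactly these factors: {sorted(weights)}")
    if any(not 1 <= r <= 5 for r in ratings.values()):
        raise ValueError("every rating must be between 1 and 5")
    return sum(ratings[k] * w for k, w in weights.items())

def assess(audit_object, risk_ratings, control_ratings):
    """Inherent, control and residual risk of one audit object (sheet columns O, P, Q=O*P)."""
    inherent = weighted_score(risk_ratings, RISK_WEIGHTS) / 5       # =(D*0,15+...+I*0,1)/5
    control = weighted_score(control_ratings, CONTROL_WEIGHTS) / 5  # =(J*0,3+...+N*0,15)/5
    return {"audit_object": audit_object, "inherent_risk": round(inherent, 2),
            "control_risk": round(control, 2), "residual_risk": round(inherent * control, 2)}

def rank_by_residual_risk(assessments):
    """Highest residual risk first; this order feeds the selection into the annual plan."""
    return sorted(assessments, key=lambda a: a["residual_risk"], reverse=True)

# The first row reuses the risk ratings of the slides' worked example (total 3,85);
# its control ratings and the other two rows are constructed for illustration only.
SAMPLE = [
    ("Open market operations", dict(financial_losses=5, complexity=3, legal_obligations=5,
     reputation=5, hr_infrastructure=2, specialization=4),
     dict(quality_of_controls=3, events_reported=2, hr_quality=2, automation=3, time_since_audit=5)),
    ("Training activities", dict(financial_losses=1, complexity=1, legal_obligations=2,
     reputation=2, hr_infrastructure=2, specialization=2),
     dict(quality_of_controls=2, events_reported=1, hr_quality=2, automation=4, time_since_audit=4)),
    ("IT - Password safety", dict(financial_losses=3, complexity=4, legal_obligations=4,
     reputation=5, hr_infrastructure=4, specialization=4),
     dict(quality_of_controls=4, events_reported=3, hr_quality=3, automation=3, time_since_audit=2)),
]

if __name__ == "__main__":
    for a in rank_by_residual_risk([assess(*row) for row in SAMPLE]):
        print(f"{a['audit_object']:<22} inherent {a['inherent_risk']:.2f}  "
              f"control {a['control_risk']:.2f}  residual {a['residual_risk']:.2f}")
```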
Risk Assessment Process:
Select and Develop Audit Plan
Identify risk
Measure risk
Prioritize risk
SELECT AND DEVELOP AUDIT PLAN
37
Risk Assessment Process:
Select and Develop Audit Plan
Do you use a formal risk assessment process for audit
planning?
How often do you perform an Internal Audit Risk
Assessment?
Do you have a formally documented Audit Universe?
38
39
ANNUAL AUDIT PLAN
Standards
IIA-Standard 2010 – Planning
The chief audit executive should establish risk-based plans
to determine the priorities of the internal audit activity,
consistent with the organization's goals.
IIA-Standard 2030 – Resource Management
The chief audit executive should ensure that internal audit
resources are appropriate, sufficient and effectively
deployed to achieve the approved plan.
40
Audit Plan
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
41
Audit Universe
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
42
Audit Universe
Audit Universe: all available processes/issues subject to auditing.
The audit universe is devised and reviewed at year-end through meetings with the management of the audited units.
Audit forms are prepared to give a short summary of the scope of the process to be audited.
43
Audit Universe
AUDIT OBJECT:
Objectives
Scope
Method
Main risk areas
Date
44
Audit Universe
45
Audit Universe
The Audit Universe of CBRT contains 109 Audit Objects; it was revised at the end of 2013.
28 of the Audit Objects are IT audits.
46
Audit Universe
Examples of audit universe:
Reserve requirements operations
R&D operations
Banknote Printing process
Other printing activities
Safeguard assessment
Training activities
Performance evaluations
Activities of Istanbul School of Central Banking
Public Procurement
Property management
Tax payments
ABC Accounting
Financial Reporting - IFRS
Civil defense activities
Strategic planning
Health care services
FX management
IT - Corporate data management
IT - Password safety
General: Corporate Governance
General: Business Continuity management
47
Risk Assessment
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
48
Audit Budget
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
49
Audit Budget
Assignment of Resources
Preparing a list that includes all time budgets:
  Gross time of all staff members
  - budgets for non-audit work (e.g. administration, training, vacation)
  - budget for unpredictable tasks (e.g. special investigations)
  = net time available for audit planning
50
Audit Budget
Special Projects
Risk Management process
Advisory / Consulting Services
Compliance Activities
Professional Development
Audit Support Activities
Leave Time
Other factors
51
Annual Plan
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
52
Annual Plan
Setting up annual audit plan:
- Risk-based selection from the ranking list
- Special requests from the management
- Consulting Engagements
53
Annual Plan
2016's Audit Plan: 32 audit objects
8 of the audit objects are IT audits
Examples of 2016's Audit Plan:
Micro financial analysis and financial stability operations
Communication with international authorities
Reserve requirements
Physical and electronic safety operations
Occupational safety and health
Safeguard assessment operations
Short term training activities
Activities of CBRT library
Financial and monetary statistics
Payment other than tax and per diem spending
General - Business Continuity
General - User ID and password confidentiality - ACL based
IT - IT investment process
IT - IT governance
IT - Quality management
54
Approval & Execution
Audit universe
Risk assessment
Audit budget
Annual Plan
Approval & execution
55
Approval & Execution
The annual audit plan is prepared by the audit management.
The annual audit plan is approved by the Governor of the CBRT.
Any change to the plan during the year is approved by the Governor.
56
Approval & Execution
Assigning the auditors to the audits
Determination of the
- Audit engagement manager
- Timing of the engagements
- The audit-teams
57
Approval & Execution
Updating the audit plan during the year
Dynamic, not static
Forward-looking
58
Audit Plan
How do you prepare your annual audit plan?
Who is responsible for planning?
Who approves the plan?
How often do you update the plan?
How do you assign the auditors – any specialization?
Is there any other step you have for the annual planning process?
59
QUESTIONS???
Thank you for your attention and
contribution
60