Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths V3.2 ©David M Griffiths www.internalaudit.biz

Posted 16-Dec-2015

Page 1: Risk based internal auditing – an introduction Slides of figures and appendices ©David M Griffiths V3.2 ©David M Griffiths

Risk based internal auditing – an introduction Slides of figures and appendices

©David M Griffiths V3.2

©David M Griffiths www.internalaudit.biz


Risk based internal auditing – an introduction slides of figures and appendices

• The following slides are those used in the book Risk based internal auditing – an introduction, available from www.internalaudit.biz

• The slides of figures are:
  – 1 Internal auditing objectives
  – 2 Grid for significance of risks
  – 3 Stages of an audit
  – 4 RBIA documentation
  – 5 Processes involved in stage 2
  – 6 Grid for frequency of audits
  – 7 Factors to reduce inherent risk scores
  – 8 Processes involved in stage 3
  – 9 Grid for significance of residual risks

• Slides of appendices are:
  – A Internal auditing objectives
  – B Hierarchy of objectives, risks and controls
  – C Process map
  – E Grid for risk workshop
  – J Stages of an internal audit

– Other appendices are on the excel spreadsheet RBIA introduction excel v3


Internal auditing objectives (Figure 1 and appendix A)


The main aim of internal auditing is to assist the organization to achieve its objectives.

The management of an organization have objectives. A risk is a set of circumstances that hinder the achievement of objectives. An internal control is a process which manages a risk. Internal auditing provides an independent and objective opinion to an organization’s management as to whether its risks are being managed to acceptable levels.


2 Grid for significance of risks


Unacceptable: Immediate action required to manage the risk

Issue: Action required to manage the risk

Supplementary issue: Action is advisable if resources are available

Acceptable: No action required

                      Consequence of risk
Likelihood of risk    Insignificant  Minor  Moderate  Major  Catastrophic
                           (1)        (2)      (3)     (4)        (5)
Almost certain (5)          5         10       15      20         25
Probable (4)                4          8       12      16         20
Possible (3)                3          6        9      12         15
Unlikely (2)                2          4        6       8         10
Rare (1)                    1          2        3       4          5

Score (likelihood x consequence) -> significance:
  1 to 4    Acceptable
  5         The two score-5 cells are banded differently: Issue for the rare but catastrophic risk (1 x 5), Supplementary issue for the almost certain but insignificant risk (5 x 1)
  6 and 8   Supplementary issue
  9 to 12   Issue
  15 to 25  Unacceptable

The figure also plots an inherent risk (IR) being moved by an internal control to a residual risk (RR), and a line across the grid marking the risk appetite, as defined by the board.

Fig.2 Grid showing the significance of risks


3 Stages of an audit


Stage 1: Assess risk maturity. The organisation is placed on the scale Risk naive, Risk aware, Risk defined, Risk managed, Risk enabled. Depending on its maturity, internal audit either uses the organisation's own risks (management's risk register, if available) or facilitates risk identification. The outputs are management's risk register (amended) and the risk and audit universe (RAU).

Stage 2: Assign risks to audits. Risks in the RAU are assigned to audits in the audit universe, producing the audit plan and the Audit Committee report.

Stage 3: Individual audit. Each audit produces an audit report, and its results are fed back into the RAU.

Fig 3 Stages of an audit


4 RBIA documentation


Fig. 4 RBIA documentation

Risk and audit universe (one record per risk): objectives, risks, scores, controls, last audits. It feeds the Audit Committee report.

Audit databases (one per audit): objectives, risks, scores, controls, tests. They feed the audit reports.


5 Processes involved in stage 2


Risk Register (audited)
  -> Categorise risks into:
       Risks within the risk appetite (risks which will be tolerated)
       Risks on which assurance is provided by others
       Risks on which assurance is required
  -> Risk and Audit Universe
  -> Filter risks: select risks to be covered; set aside risks not requiring an audit in this period
  -> Link risks to audits -> Audit Universe
  -> Allocate resources to audits -> Audit plan
  -> Audit Committee report

Fig 5 Processes involved in Stage 2


6 Grid for frequency of audits


                      Consequence of inherent risk
Likelihood of         Insignificant  Minor  Moderate  Major  Catastrophic
inherent risk              (1)        (2)      (3)     (4)        (5)
Almost certain (5)          5         10       15      20         25
Probable (4)                4          8       12      16         20
Possible (3)                3          6        9      12         15
Unlikely (2)                2          4        6       8         10
Rare (1)                    1          2        3       4          5

Score (likelihood x consequence) -> frequency of audit:
  1 to 4    Never
  5 to 8    Every three years
  9 to 12   Every two years
  15 to 25  Every year

Fig. 6 Grid for the frequency of audits


7 Factors to reduce inherent risk scores


                        Audit result
Time since last audit   Green   Amber   Red
1 year                  0.25    0.5     0.75
2 years                 0.5     0.75    1
3 years                 0.75    1       1

The inherent risk score is multiplied by the factor: a green result from an audit within the last year reduces the score most, while a red result from three years ago leaves it unchanged.

Fig. 7 Factors to reduce inherent risk scores


8 Processes involved in stage 3


Audit plan
  -> Define draft audit scope
  -> Meetings to determine objectives, risks and agree scope -> Agreed scope
  -> Obtain relevant documentation on processes
  -> Examine the risk management process for the area audited
  -> Conclude on risk maturity for the area audited
  -> Decide on audit approach
  -> Set up an audit database to record the audit details, or update the Risk and Audit Universe -> Audit database
  -> Test the monitoring and proper operation of controls
  -> Risk and audit universe (updated with the results)


9 Grid for significance of residual risks


Unacceptable: Immediate action required to control the risk

Issue: Action required to control the risk

Supplementary issue: Action is advisable if it is cost-effective

Acceptable: No action required

                      Consequence of residual risk
Likelihood of         Insignificant  Minor  Moderate  Major  Catastrophic
residual risk              (1)        (2)      (3)     (4)        (5)
Almost certain (5)          5         10       15      20         25
Probable (4)                4          8       12      16         20
Possible (3)                3          6        9      12         15
Unlikely (2)                2          4        6       8         10
Rare (1)                    1          2        3       4          5

Score (likelihood x consequence) -> significance:
  1 to 4    Acceptable
  5 to 8    Supplementary issue (both score-5 cells)
  9 to 12   Issue
  15 to 25  Unacceptable

A line across the grid marks the risk appetite, as defined by the board.

Fig. 9 Grid for the significance of residual risks
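The frequency grid (Fig. 6), the reduction factors (Fig. 7) and the residual bands (Fig. 9) read naturally as one scoring routine over a risk register. The Python below is an added example, not code from the book or from the RBIA spreadsheet: it encodes the three grids as threshold tables, multiplies each risk's inherent score by the Fig. 7 factor and reads the audit frequency off Fig. 6 from the reduced score. It assumes the Fig. 7 rows run from 1 year (most recent audit, largest reduction) to 3 years, that a risk never audited keeps its full inherent score, that more than three years uses the 3-year row, and that a reduced score falling between grid values (12.5, say) takes the band whose lower bound it exceeds. The register rows are constructed, and the names Risk, score_risk and plan_audits are the example's own.

```python
"""Risk scoring and audit-frequency helper built from Figs. 6, 7 and 9.

Added example, not code from the book or www.internalaudit.biz. The grids are
encoded as threshold tables; the register below is constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Probable": 4, "Almost certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Fig. 7: rows are years since the last audit (1, 2, 3), columns the audit result.
# Assumption: the 1-year row is the one with the smallest factors.
REDUCTION = {
    1: {"Green": 0.25, "Amber": 0.5, "Red": 0.75},
    2: {"Green": 0.5, "Amber": 0.75, "Red": 1.0},
    3: {"Green": 0.75, "Amber": 1.0, "Red": 1.0},
}


def significance(score: float) -> str:
    """Fig. 9 bands. Lower-bound thresholds so that reduced, non-integer
    scores (which never appear on the 5x5 grid) still land in a band."""
    if score >= 15:
        return "Unacceptable"
    if score >= 9:
        return "Issue"
    if score >= 5:
        return "Supplementary issue"
    return "Acceptable"


def audit_frequency(score: float) -> str:
    """Fig. 6: how often a risk with this (reduced) inherent score is audited."""
    if score >= 15:
        return "Every year"
    if score >= 9:
        return "Every two years"
    if score >= 5:
        return "Every three years"
    return "Never"


def reduction_factor(years_since_audit: Optional[int], result: Optional[str]) -> float:
    """Fig. 7 factor. A risk never audited keeps its full inherent score
    (assumption); more than three years uses the 3-year row (assumption)."""
    if years_since_audit is None or result is None:
        return 1.0
    row = min(max(years_since_audit, 1), 3)
    return REDUCTION[row][result]


@dataclass
class Risk:
    ref: str
    likelihood: str
    consequence: str
    years_since_audit: Optional[int] = None
    last_result: Optional[str] = None


def score_risk(risk: Risk) -> dict:
    """Inherent score = likelihood x consequence; the band comes from the
    inherent score, the audit frequency from the reduced score."""
    inherent = LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    reduced = inherent * reduction_factor(risk.years_since_audit, risk.last_result)
    return {
        "ref": risk.ref,
        "inherent": inherent,
        "band": significance(inherent),
        "reduced": reduced,
        "frequency": audit_frequency(reduced),
    }


def plan_audits(register: list[Risk]) -> list[dict]:
    """Score every risk and order the plan by reduced score, highest first."""
    return sorted((score_risk(r) for r in register), key=lambda s: -s["reduced"])


# Constructed sample register (not taken from the book).
SAMPLE_REGISTER = [
    Risk("R1", "Almost certain", "Catastrophic", 1, "Green"),  # 25, reduced to 6.25
    Risk("R2", "Probable", "Major", 3, "Red"),                 # 16, stays 16
    Risk("R3", "Rare", "Catastrophic"),                         # 5, never audited
    Risk("R4", "Unlikely", "Minor", 2, "Amber"),                # 4, reduced to 3
    Risk("R5", "Possible", "Major", 2, "Green"),                # 12, reduced to 6
]

if __name__ == "__main__":
    for row in plan_audits(SAMPLE_REGISTER):
        print(row)
```

Run stand-alone it orders the register R2, R1, R5, R3, R4: R1 is Unacceptable on its inherent score of 25 but, after a green audit last year, is scheduled only every three years, while R2 keeps its score of 16 after a red result three years ago and is audited every year. The threshold encoding deliberately uses the Fig. 9 bands, so it does not reproduce Fig. 2's different treatment of the two score-5 cells; if that distinction matters for the inherent grid, band by (likelihood, consequence) cell rather than by product.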


Hierarchy of objectives, risks and controls (Appendix B)


Objective level 1
  Relieve famine in central Africa

Risks level 1
  No clear strategy as to how to achieve our objective
  Unable to predict where and when famines will occur
  Unable to obtain food
  Unable to deliver the food to the starving
  Inadequate resources to deliver the objectives

Objective level 2 (one for each level 1 risk)
  Devise a strategy for the next five years to deliver our objectives
  Set up a system which enables us to predict famine areas
  Set up agreements with donors to obtain food
  Establish a supply chain to ensure prompt delivery of food to the highest priority area
  Establish functions to support the field operations

Risks level 2 (to the supply chain objective)
  Don't distribute food efficiently and effectively

Objective level 3
  Arrange land transport

Risks to the level 3 objective, each with the internal control that manages it
  Insufficient drivers
      Control: List of drivers available for hire is kept by the compound office
  Fuel not available for lorries
      Control: Fuel is stored in the compound
  Do not know where food is required most urgently
      Control: Charity has established a network of reliable local people with access to mobile phones
  Routes become impassable due to the weather
      Control: Work with other agencies and the military to plan routes
  Labor to load lorries not available
      Control: The warehouse provides loaders
  Lorries break down
      Control: Two mechanics are on the permanent staff


Objectives map (appendix C)


Level 1 objective: Relieve famine in central Africa

Level 2 objectives, with their level 3 objectives
  1 Devise a strategy for the next five years to deliver our objectives
      1.1 The trustees of the charity define the future aims and plans
      1.2 The strategy is converted into targets and action for all staff
      1.3 Aims and plans to be regularly updated
  2 Set up a system which enables us to predict famine areas
  3 Set up agreements with donors to obtain food
  4 Establish a supply chain to ensure prompt delivery of food to the highest priority area
      4.1 Arrange sea transport
      4.2 Arrange land transport
  5 Employ sufficient, suitably qualified staff using sufficient resources
      5.1 Operate organisation according to legal requirements
      5.2 Safeguard money and assets
      5.3 Provide purchasing services
      5.4 Provide transaction processing
      5.5 Provide an HR department
      5.6 Provide information technology


Grid for risk workshop (appendix E)


The workshop grid is the same likelihood (Rare 1 to Almost certain 5) by consequence (Insignificant 1 to Catastrophic 5) grid as Fig. 2, with the same scores and bands (1 to 4 Acceptable; 6 and 8 Supplementary issue; 9 to 12 Issue; 15 to 25 Unacceptable; the two score-5 cells banded Issue and Supplementary issue respectively). Six risks, numbered 1 to 6, are plotted on it at their assessed likelihood and consequence.


Stages of an internal audit (appendix J)


The management of an organization have objectives. A risk is a set of circumstances that hinder the achievement of objectives. An internal control is a process which manages a risk. Internal auditing provides an independent and objective opinion to an organization’s management as to whether its risks are being managed to acceptable levels. Significant risks generate the audit plan.

The audit:
  1 Determines processes and their objectives
  2 Works with the organization to identify risks hindering the processes
  3 Tests the controls mitigating the risks
  4 Reports where risks are not sufficiently mitigated by controls
  5 Assures that risks are mitigated to an acceptable level


Version Control


Date       Version  Comments
21-Feb-15  3.2      Made consistent with book and spreadsheet