Assessing Organizational Risks – A Focus on Internal Audit
To Receive CPE Credit
› Individuals
• Participate in entire webinar
• Answer polls when they are provided
› Groups
• Group leader is the person who registered & logged on to the webinar
• Answer polls when they are provided
• Complete group attendance form
• Group leader signs bottom of form
• Submit group attendance form to [email protected] within 24 hours of webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar. Due to the large volume of certificates of completion issued, requests to reissue lost or misplaced certificates will be honored up to 60 days following the webinar
What Is an Internal Audit Risk Assessment & What Is Not?
Examples of Risk Assessments
› Information Security/Information Technology
› Bank Secrecy Act/Anti-Money Laundering (BSA/AML)
› Health Insurance Portability and Accountability Act (HIPAA)
› Wire Transfers
› Automated Clearing House (ACH)
› Supply Chain Analysis
› Vendor Management
› Internal Audit
Common Characteristics
› Summary of business risks & vulnerabilities
› Summary of mitigating activities or internal controls
› Methodology for rating or scoring risks identified
› Assessment of the likelihood of occurrence
› Assessment of individual & overall level of risk
› Assessment of potential impacts
› Required by company or industry regulators
Internal Audit Risk Assessment
› Scope is enterprisewide (internal audit universe)
› Scope is not limited to a specific business function or risk
› May include key internal control activities
› Establishes priorities for company monitoring activities
› Involves management at all levels in the organization
› Builds on other risk assessment types
Who Completes the Risk Assessment?
Team Approach
› Audit committee/board of directors
› Executive leadership
› Internal audit & risk professionals
› Department managers
› Process owners
Team Member Roles
› Audit committee/board of directors
• Establish timeline & provide project oversight
› Executive leadership
• Demonstrate “tone at the top” & provide project direction
› Internal audit & risk professionals
• Coordinate the project with management & report results to oversight body
› Department managers
• Identify & rate the business risks present in each line of business
› Process owners
• Identify the internal control activities present to mitigate identified risks
How Often Is a Risk Assessment Completed?
Frequency
› Continual process
› Updated annually or when new risks are identified
› Associated with development of annual internal audit budget
Why Do We Need to Do a Risk Assessment?
Purpose
› Documents the business risks at a point in time
› Memorializes internal control activities at a point in time
› Establishes criteria for a risk-based internal audit plan
› Addresses regulatory expectations or requirements
Where Do I Start?
Keep the Objectives in Mind
› Identify the audience
• What are the expectations of the audience?
• How detailed does the final deliverable need to be?
› Identify the major operational areas of the organization
• What business functions belong within each operational area?
› Identify the team members
• Who should be involved in the project?
› Identify the timeline for completion
How Do I Start?
Fundamentals
› Format – narrative, tabular, or hybrid styles
› Level of detail
› Project timeline
› Previous risk assessments
› Peers
› Consultants
› Training
› Regulatory guidance
What Format Should I Use?
Format
› Narrative style
• More descriptive of business risks
• Operational processes & internal control activities are summarized
• Helpful to users who want to better understand processes/controls
  o Auditors (external & internal)
  o Regulators
• Requires more time to prepare the initial risk assessment
• Requires more process owner & management time
Format
› Tabular style
• Risks are summarized & assigned a numerical value in a table
• Less detail is needed to complete
• Less time is needed to complete
• More definitions are required to document methodology
• May not provide enough context relevant to setting risk levels
• May result in more requests for clarification from users
• Best suited for less complex organizations
Format
› Hybrid style
• Includes elements of both the narrative & the tabular style
• Provides a level of operational detail for users
• Provides a summarized table of risk types & rating for each area
What Should I Include?
Contents – All Types
› Description of risk assessment approach
› Organizational overview
› Service provider overview (vendors involved in monitoring)
› Business risk definitions
› Rating definitions & descriptions of methodologies
› Risk ratings by risk type for each operational area
› Assessment of likelihood of occurrence
› Resulting internal audit approach
Contents – Narrative & Hybrid Styles
› Summary of operational area
› Description of key policies & procedures
› Management monitoring activities
› Key internal control activities
› Results of prior monitoring activities
› Narrative describing business risks & trends by operational area
What Business Risks Should I Include?
Business Risk
› A broad definition of business risk is the threat that an event or action will adversely affect a company’s ability to achieve its business objectives & execute its corporate strategies
Business Risk Examples
› Credit risk
› Market risk
› Compliance risk
› Legal risk
› Reputation risk
› Transaction risk
› Technology risk
› Strategic risk
Aspects of Business Risk
› Inherent risk
• Overall risk involved with the activities performed in the audit universe area without considering mitigating controls or personnel involved
› Residual risk
• Risk involved with the activities performed in the audit universe area after considering mitigating controls & personnel involved
› Direction of risk
• Risk involved with the activities performed in the audit universe area after considering mitigating controls & personnel involved
How Do I Develop the Content?
Organizational Summary
› Financial statements
› Call reports
› Organizational bylaws
› Minutes of board of director meetings
› Audit committee charter
› Corporate website
› Organizational chart
Operational Areas
› Management surveys
› Internal control questionnaires
› Interviews of management & process owners
› Risk rating worksheets
› Policies & procedures
› Internal control narratives or matrices
› Prior audit & regulatory examination reports
How Do I Validate the Content?
Quality Control
› Detailed review of responses from management
› Follow-up interviews to address questions from review
› Comparison to prior risk assessments
› Consultation with other risk professionals
› Consultation with vendors
What Can Go Wrong?
Common Challenges
› Risk ratings are biased or not based on definitions
• Line managers may want their operational area to be seen as low risk
• Risk-averse managers rate all risks as high no matter what
• Not understanding the difference between inherent & residual risks
› Not all relevant risks are identified
• Line managers may not see that a risk exists because of the controls in place
› Lack of participation by individuals due to competing priorities
› Managers view the process as internal audit’s responsibility
What’s Next?
Risk-Based Internal Audit Plan
› Define the internal audit universe
› Rank the operational areas based on risk assessment
› Determine the frequency of the operational internal audits
› Tailor the internal audit procedures based on the identified risks
› Identify in-house resources or outsourced vendor resources
› Develop the internal audit budget
› Present the risk assessment & internal audit plan to governance
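The scoring, ranking and frequency steps above, together with the inherent versus residual distinction from the "Aspects of Business Risk" slide, worked through as an added example that is not part of the webinar deck or the presenters' methodology. The 1–5 likelihood and impact scales, the control-effectiveness factors, the audit-frequency bands and the sample worksheet entries are all assumptions chosen for illustration; a real assessment would use the rating definitions the deck says the methodology must document. The `validate` function applies quality-control checks drawn from the "Common Challenges" slide (ratings outside the defined scale, and an area where every risk is rated at the maximum or minimum).

```python
"""Illustrative risk-rating worksheet for a risk-based internal audit plan.

Added example, not from the webinar. Assumed methodology:
  inherent score  = likelihood (1-5) x impact (1-5)
  residual score  = inherent score x (1 - control effectiveness)
  audit frequency = band keyed on the area's highest residual score
"""
from dataclasses import dataclass

# Assumed rating scales; the deck only says such definitions must be documented.
LIKELIHOOD_SCALE = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_SCALE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
# Assumed control-effectiveness factors: fraction of inherent risk the controls remove.
CONTROL_EFFECTIVENESS = {"strong": 0.6, "adequate": 0.4, "weak": 0.2, "none": 0.0}
# Assumed audit-frequency bands (threshold on highest residual score, descending).
FREQUENCY_BANDS = [(12, "annual"), (6, "every 2 years"), (0, "every 3 years")]


@dataclass(frozen=True)
class RiskRating:
    area: str          # operational area in the internal audit universe
    risk_type: str     # e.g. credit, compliance, technology
    likelihood: int    # 1..5, see LIKELIHOOD_SCALE
    impact: int        # 1..5, see IMPACT_SCALE
    controls: str      # key of CONTROL_EFFECTIVENESS

    def inherent(self) -> int:
        """Risk before considering mitigating controls."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after considering mitigating controls (never exceeds inherent)."""
        return round(self.inherent() * (1 - CONTROL_EFFECTIVENESS[self.controls]), 1)


def validate(ratings):
    """Quality-control review of worksheet responses; returns a list of problems."""
    problems = []
    by_area = {}
    for r in ratings:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.area}/{r.risk_type}: rating outside defined scale")
        if r.controls not in CONTROL_EFFECTIVENESS:
            problems.append(f"{r.area}/{r.risk_type}: undefined control rating {r.controls!r}")
        by_area.setdefault(r.area, []).append(r)
    for area, rs in by_area.items():
        # Uniform extreme ratings suggest bias rather than a definition-based rating.
        if all(r.likelihood == 5 and r.impact == 5 for r in rs):
            problems.append(f"{area}: every risk rated at the maximum; review for bias")
        if all(r.likelihood == 1 and r.impact == 1 for r in rs):
            problems.append(f"{area}: every risk rated at the minimum; review for bias")
    return problems


def rank_areas(ratings):
    """Rank areas by highest residual score (inherent breaks ties) and assign a frequency.

    Returns a list of (area, inherent, residual, frequency), highest risk first.
    Call validate() first: an undefined control rating would fail here.
    """
    worst = {}
    for r in ratings:
        key = (r.residual(), r.inherent())
        if r.area not in worst or key > worst[r.area]:
            worst[r.area] = key
    ranked = sorted(worst.items(), key=lambda kv: kv[1], reverse=True)
    plan = []
    for area, (res, inh) in ranked:
        freq = next(label for threshold, label in FREQUENCY_BANDS if res >= threshold)
        plan.append((area, inh, res, freq))
    return plan


# Constructed sample worksheet responses (not real data).
SAMPLE_RATINGS = [
    RiskRating("Wire Transfers", "transaction", 4, 5, "strong"),          # inherent 20, residual 8.0
    RiskRating("Wire Transfers", "compliance", 3, 4, "adequate"),         # inherent 12, residual 7.2
    RiskRating("Information Technology", "technology", 4, 4, "weak"),     # inherent 16, residual 12.8
    RiskRating("Information Technology", "reputation", 3, 3, "none"),     # inherent 9,  residual 9.0
    RiskRating("Vendor Management", "strategic", 2, 3, "adequate"),       # inherent 6,  residual 3.6
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_RATINGS):
        print("QC:", problem)
    for area, inh, res, freq in rank_areas(SAMPLE_RATINGS):
        print(f"{area:<24} inherent={inh:>2} residual={res:>5} audit {freq}")
```

Because residual scores are derived from inherent scores and a documented control factor, a respondent cannot report a residual rating higher than the inherent one, which removes one of the inherent-versus-residual confusions the deck lists; the bias check still relies on follow-up interviews to decide whether a uniformly high area is genuinely high risk.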
Questions?
Continuing Professional Education (CPE) Credit
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
CPE Credit
› CPE credit may be awarded upon verification of participant attendance
› For questions, concerns, or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]