OPERATIONAL AUDITS AND RISK BASED AUDITING
Bob Rudloff, CIA, CFE, CRMA
Vice President, Internal Audit
MGM Resorts International
Agenda
• Introductions
• Objectives
• Overview of Risk and Risk Assessment
• Risk Assessment Framework
• Impact on the Profession
• Questions
What Would You Like to Accomplish?
• What are the concerns or questions you have?
• What are the roadblocks to risk assessment you are facing?
• What would help you better assess risk today?
• What would you like to be doing differently?
Ten To-Dos for Audit Committees
#6: Make sure Internal Audit is properly focused and fully utilized.
Help refine internal audit’s role—and focus internal audit’s activities on key areas of risk, as well as risk management generally…
Source: KPMG Audit Committee Institute
CBOK 2010: Change in Focus of Internal Audit in Next Five Years
Corporate Governance
Enterprise Risk Management
Strategic Reviews
Ethics Audits
Migration to IFRS
Operational Audits
Compliance Audits
Audits of Financial Risk
Fraud Investigations
Evaluations of Internal Controls
Forbes Insights Survey (on behalf of Ernst & Young)
However…
• IA helps the organization achieve business objectives?
• Strong link between IA and enterprise risk functions?
• Process improvement recommendations are implemented?
• IA plays an important role in gathering business intelligence and sharing leading practices?
• IA acts as a business advisor as evidenced by requests from the business for assistance?
• IA attracts future leaders and high potential talent from the business?
Chart values: 44%, 43%, 42%, 38%, 36%, 32%
Forbes Insights Survey (on behalf of Ernst & Young)
Are you receiving the performance you expect from your internal audit investment?
87% Yes
Do you believe there is an opportunity to improve your organization’s internal audit function?
74% Yes … we are spending too much.
2010 State of the Internal Audit Profession PwC Survey
The 2010 survey data supports the notion that internal audit departments have made significant change and that they have the right priorities, but that there is still a critical performance gap in achieving the key attributes of high-performing internal audit functions. Some of this may be due to a critical dilemma we observe in the field in discussions we have had with CFOs and audit committee members.
They often have a sense that their internal audit function could and should deliver more value, but they are unsure as to what that is or how they should do it.
REAL WORLD RISK ASSESSMENT
Risk Assessment
Felix Baumgartner
Risk Assessment
AUDIT RISK ASSESSMENT: WHAT IS IT?
Table Discussion
What Does Risk Assessment Mean in Your Organization?
Audit Risk Assessment
• Audit risk assessment is a stage in the audit planning process.
• Audit risk assessment is part of the series of controls which are used to manage the integrity of an audit, and to determine when and how audits should be conducted, and by whom.
• Audit risk consists of several components:
  1. the likelihood that a material misstatement will be made,
  2. the risk that the misstatement will not be caught by internal controls, and
  3. the risk that the misstatement will not be caught by an auditor.
Audit Risk Assessment
• Risk assessments performed by internal auditors are entirely different from the risk assessments performed by independent auditors.
• Risk assessments use various elements:
  • Changes in volume, management, technology and other factors
  • Knowledge of the business and experience
  • Time since the last audit and known issues
  • Potential of loss
  • Requests of management
  • Financial exposure
WHY ASSESS RISK?
Why Assess Risk?
Business Universe
Why Assess Risk?
Risk-Ranked Business Universe
Why Assess Risk?
Risk-Ranked Business Universe
Why Assess Risk?
Available Resources: 16,000 hr
Audit Needs: 82,000 hr
NOW WHAT?
[Chart: Likelihood vs. Impact]
Table Discussion
What is new in your organization today when compared to one year ago?
What are our goals?
Helping you RIGHT SIZE your audits by…
• Aligning Internal Auditing with the organization’s priorities and expectations.
• Identifying and assessing risks.
• Determining the right scope of an audit.
• Optimizing audit effort to more effectively achieve audit objectives.
• Seeing below the surface and getting at what’s important.
Risk ... What is it?
• The possibility that an event will occur and adversely affect the achievement of objectives. (COSO definition)
• The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (IIA Standards—glossary definition)
• Risk is anything that could impact the achievement of objectives – not only negative impacts but also the risk of missed opportunities.
Risk … What Type of Risk Is It?
• Hazard Risk is the risk associated with negative occurrences, and could include issues surrounding regulatory noncompliance, fraud or waste, significant accounting errors, or damage to the Company’s image.
• Uncertainty is the risk associated with not meeting shareholder, employee, supplier, regulator, creditor, analyst, or others’ expectations, and can be impacted by both Hazard Risk and Opportunity Risk.
• Opportunity Risk is the risk associated with failing to exploit opportunities smartly, and could include not pursuing a viable growth strategy, pursuing a flawed growth strategy, or not managing opportunities as effectively as anticipated.
Risk … What Type of Risk Is It?
[Diagram: Hazard, Uncertainty, Opportunity]
What is the goal of Risk Assessment?
Risk Assessment should…
• Consider internal as well as external factors that could impact the achievement of objectives.
• Analyze the risks and provide a basis for managing them.
• Allow auditors to focus their efforts based upon RISK to be more efficient.
• Include consideration of the technology supporting business processes and objectives.
• Be adapted to fit the pace of change in the organization and the world.
IIA Standards: Risk Management
2010—Planning (per International Internal Audit Standards Board, September 2012)
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
The CAE is responsible for developing a risk-based plan. The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
IIA Standards: Risk Management
2010—Planning
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
• 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.
• 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud.
• 2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
• 2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
• 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Signs for a Risk Makeover
1. Audit plan is restricted to what “IA can audit today” vs. what “IA should audit tomorrow.”
2. Audit plan includes repetitive, low-value audits.
3. SOX and administrative time make up a significant part of the audit plan.
4. Audit plan is not updated frequently enough to adapt to the changing risk profile or new initiatives.
5. Internal audit and senior management have very different views on risk priorities.
6. Key processes, programs, and initiatives are not linked to the Company’s strategic objectives.
7. Audit plan excludes coverage of emerging risks or catastrophic “Black Swan” events that could impact the company’s reputation.
Risk Assessment Framework
1. Gain Understanding of the Control Environment: understand entity objectives and identify significant changes to operations/control environment.
2. Identify Relevant Risks
3. Assess Relevant Risks: rate and prioritize business, financial, operational, and compliance risks.
4. Develop Risk-based Audit Strategy: develop audit scope and objectives based on risk assessment results.
Understand the Control Environment
Understand the Control Environment
• Understand Business Objectives
• Understand strategy, goals, objectives and organizational structure
• Review prior audit reports, issues, deficiencies
• Identify significant changes to operations or control environment
[Diagram of audit levels: Company-wide → Business Unit → Department or Function → Audit Level]
Traditional Approach:
Based on stakeholder interviews and analysis. Focus is on coverage of risk areas, locations, and operations.
RISK: Interviews usually not focused on obtaining the right level of information.
Bottom-up Approach: Define Auditable Business Units → Identify Risks within Auditable Business Units → AUDIT PLAN
Top-Down Approach:
Coverage is driven by issues that directly impact business objectives with a clear link to strategy.
Top-down Approach: Identify Management’s Objectives → Understand Relevant Inherent Risks (Strategic, Financial, Operational, Operations, Compliance) → Evaluate Impact on Management’s Objectives → AUDIT PLAN
Understand the Control Environment
Risk Categories
• Regulations & Government Policy
• Internal Controls
• Business Unit Objectives
• I.T. Infrastructure
• Emerging Practices
• Complexity
• Past Audit Results
• Turnover
• Results vs. Budget
• Ethical Challenges
• Impact of Failure
Assess Relevant Risks
Assess Relevant Risks
• Rate the likelihood of the risk occurring
• Rate the impact of the risk should it occur
• Calculate the risk
Risk Likelihood
• For identified transactions or operating areas, exercise judgment about the likelihood of the risk occurring.
• Is the likelihood Remote … Probable … Certain?
• Conclude whether the nature of the risk, its potential magnitude, and the likelihood of it actually occurring represents a key risk requiring special audit consideration.
• Don’t forget Emerging Risks.
Risk Impact
• Is the impact Negligible … Significant … Severe?
• Is the Risk preventable … controllable … manageable?
Rating Scale
HIGH
  Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on operations, assets, or people.
  Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is highly likely (over 75%) and capable of happening in the next 24 months.
MEDIUM
  Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on operations, assets, or people.
  Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is likely (25% – 75%) and capable of happening in the next 24 months.
LOW
  Impact: An incident of noncompliance and/or the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on operations, assets, or people.
  Likelihood: Without regard to the effects of compliance controls or mitigation strategy, it is remotely possible (less than 25%) or may not be capable of happening in the next 24 months.
Risk Heat Map (score = Impact × Likelihood)
                          Likelihood:  Remote (1)   Probable (3)   Almost Definite (5)
Impact: Severe (5)                          5            15               25
Impact: Significant (3)                     3             9               15
Impact: Negligible (1)                      1             3                5
Impact and Likelihood
[Quadrant chart: Impact (vertical) vs. Likelihood (horizontal)]
• High impact, low likelihood: Medium Risk – SHARE RISK
• High impact, high likelihood: High Risk – MITIGATE & CONTROL
• Low impact, low likelihood: Low Risk – ACCEPT RISK
• Low impact, high likelihood: Medium Risk – CONTROL RISK
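As an added illustration of the scoring and prioritization the heat map and quadrant slides describe (this is not code from the deck or from MGM Resorts), the following Python scores constructed auditable units as impact × likelihood, maps each to the slide's treatment, and funds them against a fixed pool of available hours. The band cut-offs, the share/control split and the sample register are assumptions.

```python
from dataclasses import dataclass

# Rating scales from the deck's heat map slide; score = impact x likelihood (1..25).
IMPACT = {"Negligible": 1, "Significant": 3, "Severe": 5}
LIKELIHOOD = {"Remote": 1, "Probable": 3, "Almost Definite": 5}

@dataclass
class AuditableUnit:
    name: str
    impact: str        # key of IMPACT
    likelihood: str    # key of LIKELIHOOD
    hours_needed: int  # estimated audit effort in hours

    @property
    def score(self) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

def treatment(impact: str, likelihood: str) -> str:
    # Assumed band cut-offs (the slide shows colours, not numbers): 15+ High, 5 and 9
    # Medium, 1 and 3 Low. Medium is SHARED when impact dominates, else CONTROLLED.
    i, lk = IMPACT[impact], LIKELIHOOD[likelihood]
    score = i * lk
    if score >= 15:
        return "High Risk: MITIGATE & CONTROL"
    if score <= 3:
        return "Low Risk: ACCEPT RISK"
    return "Medium Risk: SHARE RISK" if i > lk else "Medium Risk: CONTROL RISK"

def build_plan(units, available_hours):
    # Fund units by descending score (larger effort first on ties) until hours run out.
    ranked = sorted(units, key=lambda u: (-u.score, -u.hours_needed))
    funded, deferred, remaining = [], [], available_hours
    for unit in ranked:
        if unit.hours_needed <= remaining:
            funded.append(unit.name)
            remaining -= unit.hours_needed
        else:
            deferred.append(unit.name)
    return funded, deferred

# Constructed sample register: names, ratings and hours are illustrative only.
SAMPLE_UNITS = [
    AuditableUnit("Customer data privacy", "Severe", "Almost Definite", 6000),
    AuditableUnit("Cash handling", "Severe", "Probable", 4000),
    AuditableUnit("Payroll", "Significant", "Probable", 3000),
    AuditableUnit("New property opening", "Severe", "Remote", 8000),
    AuditableUnit("Facilities maintenance", "Negligible", "Probable", 2500),
    AuditableUnit("Travel expenses", "Negligible", "Remote", 1500),
]
```

Calling `build_plan(SAMPLE_UNITS, 16000)` with the slide's 16,000 available hours funds the four highest-scoring units that fit and defers the rest, which is the "NOW WHAT?" decision the resource slide poses.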
Group Brainstorming
• Business Operations
• Procedures
• Regulations
• Management
• People
• Financial Performance
• Technology
• Previous Issues
5 Minutes: Brainstorm as many examples of risks for each category.
Debrief
Business Operations
Complexity of the operation
Changes in the operation
Changes in financial projections
Nonstandard practices
Procedures
Process breakdowns
Segregation of duties
Appropriateness of corrective action
Departure from standards
Debrief
Regulations
Compliance standards
Changes
Monitoring and enforcement
Relationship with regulators
Management
Structure change
Management’s risk appetite
Attitude toward controls and procedures
Tone at the top
Debrief
People
Competency
Sufficient numbers
Delegation of authority
Extensive use of consultants
Financial Performance
Pressure to meet expectations
Debt covenants
Changes in operating margins
Accounting standards
Debrief
Technology
Stability
Reliability
Back up and recovery
Access controls
Previous Issues
Identified by internal audit
Identified by independent auditors
Identified by regulators
Self-reported issues
Risk Based Audit Strategy
Risk Planning Framework
Perform Business Analysis → Perform Value Driver Analysis → Evaluate Risk → Prioritize Risks → Define / Refine Scope
Use All Available Inputs
• Internal Audit
• Health & Safety
• Compliance
• External Audit
• Risk Mgmt
• SOX
• Legal
• Other?
Risks: 15 most often cited risks (PwC Study)
Economic Uncertainty
Regulations & Government Policy
Competition
Financial Markets
Data Privacy & Security
Talent & Labor
Reputation & Brand
Commercial Market Shifts
Energy & Commodity Costs
Government Spending & Taxation
New Product Introductions
Fraud & Ethics
Business Continuity
Mergers, Acquisitions, & Joint Ventures
Large Programs