risk assessment – – internal audit’s role assessment – – internal audit’s role steve...
TRANSCRIPT
![Page 1: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/1.jpg)
Risk Assessment Risk Assessment –– Internal Internal AuditAudit’’s Role s Role
Steve Goepfert, CIA, CPAStaff VP – Internal Audit Continental Airlines
IIA – Dallas Thursday, November 1, 2007
![Page 2: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/2.jpg)
2
Risk AssessmentRisk Assessment AgendaAgenda
• Audit Universe– Field Audits– Corporate Audits– Systems Audits
• Field Risk Assessment Process– 8 Key Factors
• Corporate & Systems Risk Assessment Process - Key Factors
![Page 3: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/3.jpg)
3
Audit UniverseAudit Universe
FIELD OPERATIONS• Aircraft are in the air around the
world, around the clock• Service reaches 5 continents:
Europe, North America, South America, Asia and Australia
• Serve 210 airports worldwide with over 2,100 daily departures
![Page 4: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/4.jpg)
4
Audit UniverseAudit Universe
FIELD OPERATIONS• Domestic operations (ATOs &
CTOs)• International operations (ATOs,
CTOs, Admin offices, & GSAs)• Cargo Facilities• Alliance Partners
![Page 5: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/5.jpg)
5
Audit UniverseAudit Universe
CORPORATE OPERATIONS• Discern auditable entities• Review Balance Sheet /
Income Statement Accounts• Large Budget Variances• Hot-Button Items (i.e., officer
expenses, capitalized assets)
![Page 6: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/6.jpg)
6
Audit UniverseAudit Universe
SYSTEMS OPERATIONS• New Systems Development• Existing applications• General security controls – data
centers• Business resumption planning• Penetration / attack scenario
![Page 7: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/7.jpg)
7
Field Risk AssessmentField Risk Assessment
THE PROCESS• Determine a methodology to identify High
Risk Locations to receive priority audits• Identify the key risk factors for the locations• Obtain input from Key Constituents (CFO;
V.P. & Controller; Airport Services Senior Management; International Sales; Public Accountants)
• Plan the audit schedule based on this analysis
![Page 8: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/8.jpg)
8
Field Risk AssessmentField Risk Assessment
KEY RISK FACTORS• Location Size• Last Audit Review• Management Change Date• Unreported Sales Value• Timeliness of Sales Reporting• Accuracy/Propriety of Local Disbursements• Timeliness of Deposits• Timeliness of Cash Transfers
![Page 9: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/9.jpg)
9
Field Risk AssessmentField Risk Assessment
QUANTIFYING THE FACTORS• Criteria was established to determine a
measure for the significance of the risk• Point value of risk assigned to each
factor• Higher point value for each factor
translates to HIGHER RISK
![Page 10: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/10.jpg)
10
Field Risk AssessmentField Risk Assessment
POINT SYSTEM DEFINEDSizeHub/Level 1=5Level 2=3Level 3=2 Last Audit DateLevel 4=1 < 5 years=4
< 4 years=3 Mgmt Change< 3 years=2 < 1 year=4< 2 years=1 < 2 years=3 Unreported
< 3 years=2 Sales< 4 years=1 > $2,500/qtr=5
> $1,500/qtr=3< $1,500/qtr=1
![Page 11: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/11.jpg)
11
Field Risk AssessmentField Risk Assessment
POINT SYSTEM DEFINED
Sales Reporting>2 days late = 4<2 days late = 1 Disbursement
Accuracy>50% errors = 4 Deposit/Transfer>25% errors = 2 Frequency<25% errors = 1 High/High = 4
High/Med = 3Med/High = 2Low/Low = 1
![Page 12: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/12.jpg)
12
Field Risk AssessmentField Risk Assessment
EVALUATING THE RISKS• Total Composite Risk Value = 30• Locations computing risk value greater
than 17 considered first for inclusion in audit plan
• Risk Assessment revealed certain number of high and medium risk locations
![Page 13: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/13.jpg)
13
Corporate Risk AssessmentCorporate Risk Assessment
THE PROCESS• Analyze Balance Sheet and Income
Statement accounts for large dollar amounts
• Inquire of Senior Management, Controllers Group, and External Auditors
• Analyze large budget variances and related explanations
• In house vs. third-party vendor
![Page 14: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/14.jpg)
14
Corporate Risk AssessmentCorporate Risk Assessment
THE PROCESS• Discern likelihood of errors/strength of
controls associated with auditable entities
• Assess prior audit results for auditable areas
• Ascertain if a new area or major changes to the function from prior exam
• Corporate image / Regulatory compliance
![Page 15: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/15.jpg)
15
Corporate Risk AssessmentCorporate Risk Assessment
THE PROCESS• Determine significance of
Hot-Button items or other management concerns
• Identify timing to conduct exam (sooner vs. later)
![Page 16: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/16.jpg)
16
Corporate Risk AssessmentCorporate Risk Assessment
FACTOR IDENTIFICATION• Create a Matrix• High/Low impact ($) and
High/Low risk determination• Quantitative & qualitative
assessments required
![Page 17: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/17.jpg)
17
Corporate Risk AssessmentCorporate Risk Assessment
(illustration only)HIGH
Cash Mgt Rev MgtX X
Aircraft Rentals Advertising X X
$ Impact
PAC X Company Store
Employee Uniforms X X
LOW HIGHRisk Assessment
EVALUATING THE RISKS
![Page 18: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/18.jpg)
18
Systems Risk AssessmentSystems Risk Assessment
THE PROCESS• Identify new systems development projects• Locate AFE/work-in process values for
software development• Discern major existing applications and
platforms utilized• Obtain input from key constituents (CFO;
CIO; VP & Controller; key business users)
![Page 19: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/19.jpg)
19
Systems Risk AssessmentSystems Risk Assessment
THE PROCESS• Major control issues in each
selected area
• Last audit date (for applications)
![Page 20: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/20.jpg)
20
Systems Risk AssessmentSystems Risk Assessment
EVALUATING THE RISKS• $ Impact on company• Impact on company if system fails
to work as planned• Security considerations
(password; access)• Business continuity planning
![Page 21: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/21.jpg)
21
Risk AssessmentRisk Assessment
OVERALL CONCLUSIONS• High risk areas now identified expeditiously• Continuous updates of risk factors• Improved resource allocation to perform
audits• Management input obtained more timely• Operating divisions now utilize factors for
monitoring• Auditor judgment is critical
![Page 22: Risk Assessment – – Internal Audit’s Role Assessment – – Internal Audit’s Role Steve Goepfert, ... • Audit Universe – Field Audits ... • Plan the audit schedule based](https://reader031.vdocuments.us/reader031/viewer/2022020204/5aee400a7f8b9a572b8c7873/html5/thumbnails/22.jpg)
22
QuestionsQuestions