Professional Documents
Culture Documents
IA Risk Assessment and Planning Slides
IA Risk Assessment and Planning Slides
IA Risk Assessment and Planning Slides
Audit Risk
Assessment and Audit
Assessment and Audit
Planning
May 6, 2011
Eric Miles, Partner, CPA, CIA, CFE
Ric Jazaie, CPA, CIA
Ric Jazaie, CPA, CIA
1. Yes
1 Yes
2. No
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 8
How often do you perform an Internal Audit
Ri k A
Risk Assessment?
t?
1.
1 Bi annually +
Bi‐annually +
2. Annually
3. Semi‐annually
ll
4. Quarterly
5. Other/We don’t
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 10
Wh Ri k B d A dit Pl
Why Risk‐Based Audit Planning?
i ?
• IPPF Performance Standard 2010.A1 – “The internal
audit activity’ss plan of engagements must be based
audit activity plan of engagements must be based
on a documented risk assessment, undertaken at
least annually. The input of the senior
management and the board must be considered in
d h b d b id d i
this process.”
• More than a requirement
More than a requirement
o Makes the best use of limited resources
o Improves ability to impact organization
o G
Generates buy‐in from management
b f
o Creates value
1.
1 75% ‐ 100%
75% 100%
2. 50% ‐ 75%
3. 25% ‐ 50%
5 5
4. 0% ‐ 25%
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 13
What Makes Risk‐Based Audit Planning
g
Difficult?
• Lack of understanding of risk concepts
Lack of understanding of risk concepts
• Lack of specialized knowledge (e.g. IT)
• p ( p)
No time to plan (the continuous “do” loop)
• Lack of senior management and Board support (i.e.
strict compliance
• Perceived lack of impact on value perception (i.e. it
wouldn’t make a difference)
• Paralysis through analysis
l h h l
Measure Risks
Prioritize Risks
Select and Develop Audits
Sketch Audit Universe
Develop Risk Define Objectives
Universe Universe
Validate Audit Universe
Develop Risk Define Objectives
Universe Universe
Sketch Audit Universe
College #1 College #2
Department A
Department A
Department B
Process B1
Process B1
Process B2
Sub‐ Process B2.1
Sub‐ Process B2.2
MOSS ADAMS LLP | 21
Do you have a formally documented Audit
U i
Universe?
?
1. Yes
1 Yes
2. No
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 23
A dit U i
Audit Universe Categorization
C t i ti
Category Government Audit Staff: 1 to 5 Universe
Departments
Departments 97% 89% 86%
Processes 97% 89% 93%
Service Line 58% 40% 55%
Organization Units/Locations 81% 61% 78%
Programs 75% 33% 51%
ERM Risk Portfolio 28% 30% 34%
Other 22% 14% 17%
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 24
Id tif Ri k
Identify Risks
Sketch Audit Universe
Define Objectives
Universe
Sketch Audit Universe
Develop Risk Define Objectives
Universe Universe
Sketch Audit Universe
Develop Risk Define Objectives
Universe Universe
Validate Audit Universe
Develop Risk Define Objectives
Universe Universe
Measure Risks
Prioritize Risks
Select and Develop Audits
Determine Risk Factors
Weight Risk Factors
Score Risk Factors
1.
1 11+
11+
2. 8‐10
3. 4‐7
4. 1‐3
5. 0
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 43
F t
Factors Influencing Risk Assessment
I fl i Ri k A t
Factor Government Audit Staff: 1 to 5 Universe
Degree of Financial Materiality
Degree of Financial Materiality 100% 84% 92%
Complexity of Activities 94% 79% 87%
Control Environment 94% 79% 89%
Reputational Sensitivity 92% 53% 69%
Inherent Risk 92% 72% 84%
Extent of Change 89% 84% 89%
Confidence in Mgmt 83% 61% 68%
Fraud Potential 81% 65% 81%
Time Since Last Audit
Time Since Last Audit 78% 67% 80%
Volume of Transactions 78% 65% 70%
Degree of Automation 72% 60% 72%
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 44
F t
Factors Influencing Risk Assessment
I fl i Ri k A t
Factor Government Audit Staff: 1 to 5 Universe
Employee Turnover
Employee Turnover 69% 56% 60%
Environmental Factors 64% 42% 48%
Other 22% 11% 17%
Competitive Pressures 17% 32% 36%
Source: IIA GAIN 2009 Benchmark Study
MOSS ADAMS LLP | 45
M
Measure Risks
Ri k
o Determine Risk Factors (Cont.)
Ch
Choose a number of factors to represent important aspects of
b ff t t ti t t t f
the auditable unit(s) risks.
These factors should be determinant. That is, the
measurements on these factors should vary within each
t th f t h ld ithi h
auditable unit from conditions of low risk to high risk.
Limit risk factors to no more than 10. Using 5, plus or minus 2,
should be your goal. The more factors, the more likely you are
h ld b l Th f h lik l
duplicating the influence of a particular risk, and the less
influence any particular factor has on determining ultimate
risk.
risk
See Handout for list of common risk factors.
Determine Risk Factors
Weight Risk Factors
Score Risk Factors
Determine Risk Factors
Weight Risk Factors
Score Risk Factors
Measure Risks
Prioritize Risks
Select and Develop Audits
o Prioritize Risks and Develop Audit Plan (Cont.)
p ( )
There are three primary methods to select audits from the
audit universe to include in the annual audit plan:
– Cycle Approach.
Cycle Approach
– Risk‐Based Approach
– Cycle‐Based Risk Approach
The recommended Risk‐Based Approach by mapping risks that
relate to the same or similar Auditable Unit and could
reasonable fit within the same audit program. For example, the
audit on the next slide has a audit score of 153.
dit th t lid h dit f 153
MOSS ADAMS LLP | 52
P i iti Ri k
Prioritize Risks and Develop Audit Plan
d D l A dit Pl
o Prioritize Risks and Develop Audit Plan (Cont.)
p ( )
Risk
Auditable Unit Risk Score Audit
Entity A Cash Inadequate segregation of duties Entity A
Disbursements between Vendor Invoice Entry and Cash 56 AP Cycle
Disbursements run
Entity A Cash
Entity A Cash Accounts Payable check stock is not
Payable check stock is not Entity A
Entity A
35
Disbursements adequately secured. AP Cycle
Entity A An approved PO or vendor invoice is not Entity A
Accounts required before processing 62 AP Cycle
P bl
Payable di b
disbursements.
t
o Prioritize Risks and Develop Audit Plan (Cont.)
p ( )
Once all risks have been mapped to relevant audits, the audits
are then ranked from highest to lowest based on audit score.
The
The annual audit plan is chosen based on the percentage of
annual audit plan is chosen based on the percentage of
“total risk” that is to be covered.
Typically a value between 50% to 75% is chosen.
The audits from the top of the list representing this point total
h d f h f h l h l
are chosen. The balance of the auditable units is not included
in the annual plan.
In the next example, the total risk is 628 and audits Nos. 1 and
2 (potentially 3) would be selected. The other audits may be
scheduled for future years or left off completely.
MOSS ADAMS LLP | 54
P i iti Ri k
Prioritize Risks and Develop Audit Plan
d D l A dit Pl
o Prioritize Risks and Develop Audit Plan (Cont.)
p ( )
Audit Audit Score
Audit 1 225
Audit 2 ‐
A di 2 Entity A Cash
E i AC h 153
Disbursements
Audit 3 100
Audit 4 75
Audit 5 50
Audit 6 25
Thank You!
Thank You!
The material appearing in this presentation is for informational purposes only and is not legal or accounting
advice. Communication of this information is not intended to create, and receipt does not constitute, a legal
relationship, including, but not limited to, an accountant‐client relationship. Although these materials may have
been prepared by professionals, they should not be used as a substitute for professional services. If legal,
accounting, or other professional advice is required, the services of a professional should be sought. MOSS ADAMS LLP | 57