IIA年会风险基础审计计划.ppt

《IIA年会风险基础审计计划.ppt》由会员分享，可在线阅读，更多相关《IIA年会风险基础审计计划.ppt（66页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、IIA年会风险基础审计年会风险基础审计计划计划Presentation OverviewBackground why internal auditors assess riskAssessing risk in annual audit planning Components of risk assessment The US Postal Service Model The Tennessee Valley Authority ModelAssessing risk in engagement planning The audit planning process Where risk fi

2、ts into engagement planning The City of San Jose modelConclusion wrap-upOverview: Why Internal Auditors Assess Risk For annual audit planning to target high impact areas to allocate scarce resources When planning/executing audits frame objectives establish scopeOverview: Why Internal Auditors Assess

3、 Risk When providing consulting services To advise management on vulnerabilities on corrective actionsAssessing Risk in Annual Audit Planning“there is a definite emerging paradigm shift from a control-based internal auditing to a risk-based internal auditing among leading practitioners.”The IIA Rese

4、arch Foundations 1998Purpose of Annual Audit Planning Provide a guide for the organization Justification/support for audit resources Means of engaging management and board in establishing priorities and identifying areas in risk and controlSource: Sawyers Internal Auditing Page 981-982Purpose of Ann

5、ual Audit Planning - continued - Provides a basis for measuring accomplishments Provides indication to external auditors and others of planned audit coverage Helps ensure audit resources are directed to top prioritiesSource: Sawyers Internal Auditing Page 981-982Traditional Methods of Audit Planning

6、 Audit cycle Audit universe Management requests Statutes, regulations, or other requirements Auditors experience and expertiseAudit Standards and Risk-based Plans2010.A1 The internal audit activitys plan of engagements should be based on a risk assessment, undertaken at least annually.Audit Standard

7、s and Risk-based Plans - continued -2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organizations governance, operations, and information systems.Phases In Typical Risk Assessments Identify a

8、nd catalog auditable entities Identify and weigh appropriate risk factors Gather information from appropriate sourcesPhases In Typical Risk Assessments - continued - Complete the risk assessment Employ information to allocate resourcesKey Risks for Government Agencies Not meeting legislative mandate

9、s Not accomplishing objectives and goals Inefficient use of resourcesSource: The United States Department of Agriculture Graduate School“A significant risk area for any governmental program is the possibility of management override.”Lawrence Alwin, CPAState Auditor of TexasKey Risks for Government A

10、gencies - continued - Not safeguarding assets Not complying with laws and regulations Unreliable information Inadequate reportingSource: The United States Department of Agriculture Graduate SchoolRisk Factors in Audit Planning Previous audit results Time since last audit Materiality and liquidity Co

11、nfidentiality System maturitySource: Sawyers Internal Auditing Page 1000“Many factors have been advanced for assessing risk in the audit universe. Some become extremely complicated and require the use of computers”Sawyers Internal AuditingRisk Factors in Audit Planning - continued - Changes to the s

12、ystem Complexity of the system Administrative controls Employee turnover Unit revenue and volumeSource: Sawyers Internal Auditing Page 1000Risk Factors in Audit Planning - continued - Effect on competitiveness Government regulations Competence of management Performance indicators Public relationsSou

13、rce: Sawyers Internal Auditing Page 1000Indicators of Potential High Risk“In assessing and considering susceptibility, the auditor should be on the look out for what are referred to as “Red Flags.”Source: The United States Department of Agriculture Graduate School Limited history or prior history of

14、 program ineffectiveness New or revised program requirements Significant increases or reductions of resources Management weakness identified in previous auditsSource: The United States Department of Agriculture Graduate SchoolIndicators of Potential High Risk - continued - High turnover of personnel

15、 Inexperienced management or personnel Weak or nonexistence internal controls Inadequate automated systemsSource: The United States Department of Agriculture Graduate School“The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of

16、 consequences and likelihood.”Standards for the Professional Practice of Internal Auditing“Risk assessment is a systemic process for assessing and integrating professional judgements about probable adverse conditions and/or events.”The Institute of Internal AuditorsRiskRisk AssessmentReview of Risk

17、DefinitionsQuick Risk Assessment for the Annual Audit PlanThe IIA Research Foundation 1998Define the audit universeIdentify the major risksTranslate the risks into measurable risk factorsChoose weights for the risk factorsQuick Risk Assessment for the Annual Audit Plan (continued )The IIA Research F

18、oundation 19985. Establish a scoring mechanism for each factorScore the factors for each auditable unitSort the auditable units by total risk score6. Develop the annual audit plan based on the ranked audit universeRisk-Based Annual Planning Processes:A Closer Look at Two ModelsRISK“IMAGE 2000” A sys

19、temic process designed to yield a comprehensive risk assessment Used to allocate audit resources of the US Postal Inspection Service Focuses on USPS processes as well as programs core business processes enabling processes Auditable entities classified by processesRisk Assessment in Annual Planning:

20、The US Postal Inspection Service ModelIMAGE 2000 - RISK FACTORS Internal controls Materiality Audit Results Goals and objectives ExposureRisk Assessment in Annual Planning: The US Postal Inspection Service ModellComplexity of business operationslEffectiveness and complexity of internal control syste

21、mlAttitude of management or “tone at the top”INTERNAL CONTROLS (20 PERCENT)RISKRisk Assessment in Annual Planning: The US Postal Inspection Service ModellThe greater the assets, revenues, workhours, and liquidity, the greater the risk lEffect of audit subject on the Postal Services financial positio

22、nMATERIALITY (15 PERCENT)RISKRisk Assessment in Annual Planning: The US Postal Inspection Service ModellFocus of auditlFrequency of auditslResults of previous auditAUDIT RESULTS (10 PERCENT)RISKRisk Assessment in Annual Planning: The US Postal Inspection Service ModellCritical impact on corporate go

23、als and objectiveslAlignment of local and national goalsGOALS AND OBJECTIVES (30 PERCENT)RISKRisk Assessment in Annual Planning: The US Postal Inspection Service ModelRISKlMedia negativitylPolitical pressureslPublic perceptionlFederal, state, and local laws and regulationsEXPOSURE (25 PERCENT)Risk A

24、ssessment in Annual Planning: The US Postal Inspection Service Model3.005 Customer Telecommunication & Consultation3.006 Customer Direct Contact & Consultation3.007 Sales of Postal Products/Services3.00Collecting, Accepting, Inducting Core Process8 Mail Deposited by customer3.009 Mail Collections by

25、 carriers3.0010 Collection mail separation3.0011 Collection mail staging/disptch3.0012 Transport to Plant/Acceptance Unit3.0013 Customer Drop Shipment Processes3.0014 Customer Plant Load Verification3.00Sorting & Distributing Core Process15 Unloads trucks ( & dock transfers)3.0016 Identify Mail Type

26、s & Separate 3.0017 Bulk Mail Verification & Acceptance3.0018 Mail forwarding Process (CFS)3.0019 Stage for 010 Bypass3.0020 Stage for 010 Processing3.0021 Separate & Cancel 0103.0022 Stage mail for processing3.0023 Pick-up mail for processing 3.0024 Automation - Letters3.0025 RBCS - Letters3.0026 A

27、utomation - Flats3.0027 Automation - Parcels3.0028 Mechanization - Letters3.0029 Mechanization - Flats3.0030 Mechanization - Parcels 3.0031 Mechanization - SPR & bundles3.0032 Manual - Letters3.0033 Manual - Flats3.0034 Manual - Parcels3.0035 Manual - SPR & bundles3.0036 Label mail (& ACT tags)3.003

28、7 Containerize mail & label3.00lVoice of the CustomerlVoice of the EmployeelVoice of the BusinessSUPPORTS CUSTOMERPERFECT!Risk Assessment in Annual Planning: The US Postal Inspection Service Model A systemic process designed to yield a comprehensive risk assessment Used to allocate audit resources o

29、f the Office of Inspector General Focuses on TVA processes as well as programs core business processes enabling processesRisk Assessment in Annual Planning: The Tennessee Valley Authority ModelOverview of Audit Planning Process Interviewed key managers Reviewed planning documents Reviewed historical

30、 data Reviewed audit requests from other stakeholdersRisk Assessment in Annual Planning: The Tennessee Valley Authority ModelOverview of Audit Planning Process (continued) Identified audit areasAssessed project risk factors Materiality Impact on operations Public sensitivityAssigned probability fact

31、orAdjusted risk factor scoresRisk Assessment in Annual Planning: The Tennessee Valley Authority ModelRisk Planning ModelPROBABILITYPROBABILITYRisk Assessment in Annual Planning: The Tennessee Valley Authority ModelMATERIALITYVisibility and SensitivityImpact on Enterprise OperationsRisk Factors Mater

32、iality PointsAudit Area over $100 million8-10Audit Area $10 mi to $100 million 4-7Audit Area less than $10 million 1-3Risk Assessment in Annual Planning: The Tennessee Valley Authority ModelRisk Factors Impact on OperationsPointsSignificant impact on core business 8-10Significant impact on specific

33、program moderate impact on core business 4-7Negligible impact on specific program or core business 1-3Risk Assessment in Annual Planning: The Tennessee Valley Authority ModelRisk Factors Public SensitivityPointsLikely to result in public or congressional interest 8-10May result in public or congress

34、ional interest 4-7Unlikely to result in public or congressional interest 1-3 Risk Assessment in Annual Planning: The Tennessee Valley Authority ModelProbability Factors Probability of RiskPointsHigh probability of significant issues0.8 - 1.0Moderate probability of significant issues and high probabi

35、lity of improvement needed 0.4 - 0.7Low probability of significant issues and moderate to low probability of improvement needed0.1 - 0.3Risk Assessment in Annual Planning: The Tennessee Valley Authority ModelExample of Risk AssessmentRisk Assessment in Annual Planning: The Tennessee Valley Authority

36、 ModelSecurity of Office EquipmentEnvironmental ComplianceExecutive CompensationMaterialityImpact VisibilitySubtotalProbabilityRisk Score 7 5 16 0.5 8.0 7 8 22 0.6 13.2 3 5 9 17 0.3 5.1 Potential Audit SubjectAssessing Risk in Audit Engagement Planning“Applying the concepts from risk-based auditing

37、to the assessment of risk at the individual audit level requires the auditor to mentally shift gears from focusing on controls in the audit process to focusing on risk.”The IIA Research Foundations 1998Audit Standards and Risk-based Plans2210.A1 When planning the engagement, the internal auditor sho

38、uld identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.The Typical Audit ProcessSURVEYREPORTINGFIELD WORKFOLLOWUPTHE AUDIT PROCESS IN GOVERNMENTThe Typical Audit ProcessTHE AUDIT PROCESS IN GOVERNMENTThe Survey

39、 Phase Determine the significance of topics and needs of potential users Obtain an understanding of the program to be audited Identify criteria to use in evaluating subject matterThe Typical Audit ProcessTHE AUDIT PROCESS IN GOVERNMENTThe Survey Phase (continued) Review findings and recommendations

40、from previous audits Consider the work of others Consider legal and regulatory requirements Review management controlsThe Typical Audit ProcessTHE AUDIT PROCESS IN GOVERNMENTThe Survey Phase (continued) Assess risk associated with program operations Identify areas issues with highest risk Determine

41、audit objectives Determine audit scope Prepare the audit programRisk-Based Audit Engagements: The audit objective is based on how management is dealing with the risk in the work unit. The audit is designed to test risk management techniques. The audit is reported out to management in terms of risk m

42、anagement principles and referring to the risk framework of the organization.“In control-based auditing, audit program planning is where the consideration of risk typically stops. In risk-based auditing, the whole audit process is based around risk management concepts.”The IIA Research Foundations 1

43、998Risk Factors in Audit Planning Adequacy of controls Managerial effectiveness and integrity Size of unit or function Complexity of operations“Internal auditors concerned with potential risks, look for the safeguards that will help prevent losses from such risks.”Sawyers Internal Auditing 4th Editi

44、onRisk Factors in Audit Planning (continued) Liquidity of assets Economic conditions Extent of growth Degree of automation and strength of automated controls Quality and experience of staffRisk Factors in Audit Planning (continued) Inherent risks Newness of program or function Degree of oversight Vi

45、sibility or sensitivityA Closer Look at a Government Agency ModelRISKRisk Assessment in Engagement Planning: The City of San Jose, CA Model Identify the threats facing the program or contract under audit Identify the controls or procedures the city has in place to prevent, eliminate, or minimize thr

46、eats.Risk Assessment in Engagement Planning: The City of San Jose, CA ModelPurpose of Engagement Risk Assessment Determine probability that noncompliance could occur without timely prevention/detection Identify audit procedures necessary to document threats actually occurring. Risk Assessment in Eng

47、agement Planning: The City of San Jose, CA ModelPurpose of Engagement Risk Assessment (continued) In conducting risk assessments the auditor:Identifies threats associated with area under reviewDetermines inherent risk associated with identified threatsAssesses whether existing controls will prevent,

48、 detect or correct instances when threats actually occurRisk Assessment in Annual Planning: The City of San Jose, CA ModelConducting Engagement Risk Assessment Extent of testing related to degree of vulnerability Areas with high vulnerability require more extensive tests Strong internal controls may

49、 mitigate exposure. Strong controls may allow for limited testingRisk Assessment in Annual Planning: The City of San Jose, CA ModelConducting Engagement Risk Assessment (continued)Risk Assessment in Annual Planning: The City of San Jose, CA ModelAssessing and Mitigating Risk Through Consulting“Inter

50、nal auditors should be observant of the effectiveness of risk management and control processes during formal consulting engagements.”PA 1000.C1-2 2002 The IIA“Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add v