
Operational Audits and Risk Based Auditing


Presentation Transcript


  1. Operational Audits and Risk Based Auditing. Bob Rudloff, CIA, CFE, CRMA, Vice President, Internal Audit, MGM Resorts International

  2. Agenda
  • Introductions
  • Objectives
  • Overview of Risk and Risk Assessment
  • Risk Assessment Framework
  • Impact on the Profession
  • Questions

  3. What Would You Like to Accomplish?
  • What are the concerns or questions you have?
  • What are the roadblocks to risk assessment you are facing?
  • What would help you better assess risk today?
  • What would you like to be doing differently?

  4. Ten To-Dos for Audit Committees, #6: Make sure Internal Audit is properly focused and fully utilized. Help refine internal audit’s role—and focus internal audit’s activities on key areas of risk, as well as risk management generally… (Source: KPMG Audit Committee Institute)

  5. CBOK 2010: Change in Focus of Internal Audit in Next Five Years (chart categories: Operational Audits, Compliance Audits, Audits of Financial Risk, Fraud Investigations, Evaluations of Internal Controls, Corporate Governance, Enterprise Risk Management, Strategic Reviews, Ethics Audits, Migration to IFRS)

  6. Forbes Insights Survey (on behalf of Ernst & Young). However…
  • IA helps the organization achieve business objectives? 44%
  • Strong link between IA and enterprise risk functions? 43%
  • Process improvement recommendations are implemented? 42%
  • IA plays an important role in gathering business intelligence and sharing leading practices? 38%
  • IA acts as a business advisor as evidenced by requests from the business for assistance? 36%
  • IA attracts future leaders and high potential talent from the business? 32%

  7. Forbes Insights Survey (on behalf of Ernst & Young). Are you receiving the performance you expect from your internal audit investment? 87% Yes. Do you believe there is an opportunity to improve your organization’s internal audit function? 74% Yes. … we are spending too much.

  8. 2010 State of the Internal Audit Profession (PwC Survey). The 2010 survey data supports the notion that internal audit departments have made significant change and that they have the right priorities, but that there is still a critical performance gap in achieving the key attributes of high-performing internal audit functions. Some of this may be due to a critical dilemma we observe in the field in discussions we have had with CFOs and audit committee members. They often have a sense that their internal audit function could and should deliver more value, but they are unsure as to what that is or how they should do it.

  9. Real World Risk Assessment

  10. Risk Assessment Felix Baumgartner

  11. Risk Assessment Erik Weihenmayer

  12. Risk Assessment Cynthia Cooper

  13. Risk Assessment

  14. Audit Risk Assessment: What is it?

  15. Table Discussion: What Does Risk Assessment Mean in Your Organization?

  16. Audit Risk Assessment
  • Audit risk assessment is a stage in the audit planning process.
  • Audit risk assessment is part of the series of controls which are used to manage the integrity of an audit, and to determine when and how audits should be conducted, and by whom.
  • Audit risk consists of several components:
  • the likelihood that a material misstatement will be made,
  • the risk that the misstatement will not be caught by internal controls, and
  • the risk that the misstatement will not be caught by an auditor.

  17. Audit Risk Assessment
  • Risk assessments performed by internal auditors are entirely different from risk assessments performed by independent auditors.
  • Risk Assessments use various elements:
  • Changes in volume, management, technology and other factors
  • Knowledge of the business and experience
  • Time since the last audit and known issues
  • Potential of loss
  • Requests of management
  • Financial exposure

  18. Why Assess Risk?

  19. Why Assess Risk? Business Universe

  20. Why Assess Risk? Risk Ranked Business Universe


  22. Why Assess Risk? (chart: Available Resources 16,000 hr vs. Audit Needs 82,000 hr, plotted by Likelihood and Impact) NOW WHAT?


  24. Table Discussion: What is new in your organization today when compared to one year ago?

  25. What are our goals? Helping you RIGHT SIZE your audits by…
  • Aligning Internal Auditing with the organization’s priorities and expectations.
  • Identifying and assessing risks.
  • Determining the right scope of an audit.
  • Optimizing audit effort to more effectively achieve audit objectives.
  • Seeing below the surface and getting at what’s important.

  26. What are our goals? Helping you RIGHT SIZE your audits by…
  • Aligning Internal Auditing with the organization’s priorities and expectations.
  • Identifying and assessing risks.
  • Determining the right scope of an audit.
  • Optimizing audit effort to more effectively achieve audit objectives.

  27. Risk ... What is it?
  • The possibility that an event will occur and adversely affect the achievement of objectives. (COSO definition)
  • The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (IIA Standards—glossary definition)
  • Risk is anything that could impact the achievement of objectives – not only negative impacts but also the risk of missed opportunities.

  28. Risk … What Type of Risk Is It?
  • Hazard Risk is the risk associated with negative occurrences, and could include issues surrounding regulatory noncompliance, fraud or waste, significant accounting errors, or damage to the Company’s image.
  • Uncertainty is the risk associated with not meeting shareholder, employee, supplier, regulator, creditor, analyst, or others’ expectations, and can be impacted by both Hazard Risk and Opportunity Risk.
  • Opportunity Risk is the risk associated with failing to exploit opportunities smartly, and could include not pursuing a viable growth strategy, pursuing a flawed growth strategy, or not managing opportunities as effectively as anticipated.

  29. Risk … What Type of Risk Is It? (diagram: Hazard, Uncertainty, Opportunity)

  30. What is the goal of Risk Assessment? Risk Assessment should…
  • Consider internal as well as external factors that could impact the achievement of objectives.
  • Analyze the risks and provide a basis for managing them.
  • Allow auditors to focus their efforts based upon RISK to be more efficient.
  • Include consideration of the technology supporting business processes and objectives.
  • Be adapted to fit the pace of change in the organization and the world.

  31. IIA Standards: Risk Management 2010—Planning (per International Internal Audit Standards Board, September 2012) The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. Interpretation: The CAE is responsible for developing a risk-based plan. The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

  32. IIA Standards: Risk Management 2010—Planning. The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
  • 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems.
  • 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud.
  • 2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
  • 2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
  • 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

  33. Signs for a Risk Makeover
  • Audit plan is restricted to what “IA can audit today” vs. what “IA should audit tomorrow.”
  • Audit plan includes repetitive, low-value audits.
  • SOX and administrative time make up a significant part of the audit plan.
  • Audit plan is not updated frequently enough to adapt to the changing risk profile or new initiatives.
  • Internal audit and senior management have very different views on risk priorities.
  • Key processes, programs, and initiatives are not linked to the Company’s strategic objectives.
  • Audit plan excludes coverage of emerging risks or catastrophic “Black Swan” events that could impact the company’s reputation.

  34. Risk Assessment Framework
  1. Gain Understanding of the Control Environment: Understand entity objectives and identify significant changes to operations/control environment.
  2. Identify Relevant Risks: Develop audit scope and objectives based on risk assessment results.
  3. Assess Relevant Risks: Rate and prioritize business, financial, operational, and compliance risks.
  4. Develop Risk-based Audit Strategy: Develop audit scope and objectives based on risk assessment results.

  35. Understand the Control Environment (framework step 1 highlighted; steps 1–4 as listed in slide 34)

  36. Understand the Control Environment
  • Understand Business Objectives
  • Understand strategy, goals, objectives and organizational structure
  • Review prior audit reports, issues, deficiencies
  • Identify significant changes to operations or control environment
  (levels: Company-wide; Business Unit; Department or Function; Audit Level)

  37. Bottom-up Approach (flow: Define Auditable Business Units → Identify Risks within Auditable Business Units → AUDIT PLAN). Traditional Approach: Based on stakeholder interviews and analysis. Focus is on coverage of risk areas, locations, and operations. RISK: Interviews usually not focused on obtaining the right level of information.

  38. Top-down Approach (flow: Identify Management’s Objectives → Understand Relevant Inherent Risks (Strategic, Financial, Operational, Operations, Compliance) → Evaluate Impact on Management’s Objectives → AUDIT PLAN). Top-Down Approach: Coverage is driven by issues that directly impact business objectives with a clear link to strategy.

  39. Understand the Control Environment (framework steps 1–4 repeated as listed in slide 34)

  40. Risk Categories: Regulations & Government Policy; I.T. Infrastructure; Internal Controls; Emerging Practices; Business Unit Objectives; Past Audit Results; Complexity; Turnover; Results vs. Budget; Impact of Failure; Ethical Challenges

  41. Assess Relevant Risks (framework step 3 highlighted; steps 1–4 as listed in slide 34)

  42. Assess Relevant Risks. Calculate the Risk: rate the Impact of the Risk should it occur, and rate the Likelihood of the Risk occurring.

  43. Risk Likelihood
  • For identified transactions or operating areas, exercise judgment about the likelihood of the risk occurring.
  • Is the likelihood Remote … Probable … Certain?
  • Conclude whether the nature of the risk, its potential magnitude, and the likelihood of it actually occurring represent a key risk requiring special audit consideration.
  • Don’t forget Emerging Risks.

  44. Risk Impact
  • Is the impact Negligible … Significant … Severe?
  • Is the Risk preventable … controllable … manageable?

  45. Rating Scale

  46. Risk Heat Map (cell value = Impact rating × Likelihood rating)
  Impact \ Likelihood      | Remote (1) | Probable (3) | Almost Definite (5)
  Severe (5)               |     5      |      15      |         25
  Significant (3)          |     3      |       9      |         15
  Negligible (1)           |     1      |       3      |          5

  47. Impact and Likelihood (quadrant map, axes Impact vs. Likelihood)
  • High Risk: MITIGATE & CONTROL
  • Medium Risk: SHARE RISK
  • Medium Risk: CONTROL RISK
  • Low Risk: ACCEPT RISK
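The scoring and prioritization described on the heat map and quadrant slides, as an added example that is not part of the presentation: it scores each auditable unit as Impact × Likelihood on the 1/3/5 scale, assigns the quadrant response, risk-ranks a constructed business universe, and builds a plan against a fixed hour budget. The quadrant convention (rating 3 or more counts as "high"), the sample units and their hours are assumptions for illustration.

```python
# Added example (not from the presentation): score = Impact x Likelihood on the
# heat map's 1/3/5 scale; quadrant responses and sample units are assumptions.
from dataclasses import dataclass

IMPACT = {"negligible": 1, "significant": 3, "severe": 5}
LIKELIHOOD = {"remote": 1, "probable": 3, "almost definite": 5}

@dataclass
class AuditUnit:
    name: str        # auditable business unit (constructed sample)
    impact: str      # negligible / significant / severe
    likelihood: str  # remote / probable / almost definite
    hours: int       # estimated audit effort

def risk_score(impact, likelihood):
    """Heat-map cell value: one of 1, 3, 5, 9, 15, 25."""
    return IMPACT[impact.lower()] * LIKELIHOOD[likelihood.lower()]

def response(impact, likelihood):
    """Quadrant response; assumes a rating of 3 or more counts as 'high'."""
    hi_impact = IMPACT[impact.lower()] >= 3
    hi_likelihood = LIKELIHOOD[likelihood.lower()] >= 3
    if hi_impact and hi_likelihood:
        return "MITIGATE & CONTROL"  # high risk
    if hi_impact:
        return "SHARE RISK"          # medium risk: big impact, rarely happens
    if hi_likelihood:
        return "CONTROL RISK"        # medium risk: small impact, happens often
    return "ACCEPT RISK"             # low risk

def rank_universe(units):
    """Risk-ranked business universe: highest score first, cheaper audit first on ties."""
    return sorted(units, key=lambda u: (-risk_score(u.impact, u.likelihood), u.hours))

def build_plan(units, available_hours):
    """Greedy plan: walk the ranked universe and take whatever still fits the budget."""
    plan, used = [], 0
    for u in rank_universe(units):
        if used + u.hours <= available_hours:
            plan.append(u.name)
            used += u.hours
    return plan, used

# Constructed sample universe: 23,700 hr of audit needs against 16,000 hr available.
SAMPLE_UNITS = [
    AuditUnit("Cage and credit", "severe", "probable", 7500),
    AuditUnit("Payroll", "significant", "remote", 2500),
    AuditUnit("Data center access", "severe", "almost definite", 9000),
    AuditUnit("Travel expenses", "negligible", "probable", 1200),
    AuditUnit("Vendor master file", "significant", "probable", 3500),
]
```

Note that the greedy plan skips the second-ranked unit when it no longer fits the remaining hours and picks up smaller lower-ranked audits instead; that gap is exactly what the "NOW WHAT?" slide asks the audit committee to decide on.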

  48. Group Brainstorming
  • Business Operations
  • Procedures
  • Regulations
  • Management
  • People
  • Financial Performance
  • Technology
  • Previous Issues
  5 Minutes: Brainstorm as many examples of risks for each category.
