
Food and Consumer Product Safety Authority

Ministry of Economic Affairs, Agriculture and Innovation. Food and Consumer Product Safety Authority. Rob de Heus Chris Hagen Internal Audit Department. Introduction. Starting point Control versus audit Definition of risk Risks examples Risk analysis Sources of risk groups

thina

Presentation Transcript


  1. Ministry of Economic Affairs, Agriculture and Innovation. Food and Consumer Product Safety Authority. Rob de Heus, Chris Hagen. Internal Audit Department.

  2. Introduction
     • Starting point
     • Control versus audit
     • Definition of risk
     • Risks examples
     • Risk analysis
     • Sources of risk groups
     • Risk assessment
     • Turning wheels for a risk-based audit approach
     • Discussion

  3. Starting point
     Our suggestion: split up the document into
     • risk-based planning of audits
     • risk-based planning of controls
     Because:
     • Planning of controls is part of the first and second line of defense, while audit is part of the third line of defense;
     • The manager is responsible for planning of controls, the auditor for planning of audits;
     • Audits aim at the planned and implemented controls.
     • It's just not the same!

  4. Control versus audit (1)
     • First line: the first line of the control environment is the business operations, which perform day-to-day risk management activity.
     • Second line: oversight functions in the company, such as finance, HR and risk management, set directions, define policy and provide assurance.
     • Third line: internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and oversight functions.

  5. Control versus audit (2)
     • Internal audit: third line
     • Control: first and second line

  6. Definition of risk
     In common parlance people use the term risk for:
     • Causes
     • Events
     • Uncertainties
     • Chances
     • Impact
     • Effects
     • Bottlenecks
     • Inadequate controls
     Our suggestion: A risk is a threat / hazard / event / uncertainty with an underlying cause which causes an effect (or result). A risk is not the result or effect itself, because this approach does not give starting points for corrective actions. We can only do something about the causes and the events, but we can't control or turn back the effects!

  7. Risks (example 1)
     Can you think of controls to cope with these issues?
     • Causes (cause, cause, cause, cause): Yes
     • Event / uncertainty: Yes
     • Effects / results / continuity / objectives: No
     [Diagram labels: change; impact; weighing]

  8. Risks (example 2): Climbing the Mount Everest
     Can you think of controls to cope with these issues?
     • Causes (bad dress; broken material; bad weather; illness): Yes
     • Event (expedition member falls into the abyss): Yes
     • Effects (objective is in danger; there is food left; claims; publicity): No
     [Diagram labels: change; impact; weighing]

  9. Risk analysis
     Risk analysis consists of:
     • Event identification (what threats / hazards / events / uncertainties can we identify?)
     • Risk assessment (probability x impact)
     Our suggestion: Risk analysis is crucial for an adequate risk-based audit plan. We can start the risk analysis with a closer look at all kinds of risk sources (next sheets). After identification you can discuss the priority of each identified risk on the basis of impact and probability. This process of risk assessment shouldn't be formalized.

  10. Sources of risk groups (1)
     • Environmental risks: risks outside the organization; social developments; supervisors; legislation; natural disasters; political developments; suppliers; competition
     • Operational risks: risks in the management and control of the organization; lack of risk management; weak control environment; style of leadership; culture; structure of rewards
     • Process risks: risks at the process level; inefficient process; insufficiently trained staff; insufficient availability of resources; insufficient quality of the product; surplus of resources/staff
     • Financial risks: risks within the business with a financial nature

  11. Sources of risk groups (2)
     • Information risks: the risk that wrong decisions are taken, e.g. because of insufficient or untimely information (it may concern operational, financial or strategic information); managers get the information needed to steer too late; no progress information about projects; insufficient understanding of political developments to anticipate; information does not meet the need for information; prioritization based on false information; insufficient understanding of customers' needs
     • IT risks (including specific risks around IT systems): data integrity; continuity (backup recovery, physical security); privacy
     • Integrity: subject risks to the reputation of the organization; socially sensitive decisions; unlawful acts; fraud; unauthorized use; communication

  12. Risk assessment
     [Figure: risks plotted by probability and impact; high priority risks are input for the audit plan. Other label: Broad]

  13. Turning wheels for a risk-based audit plan
     Our suggestion: After identifying events and assessing the risks we can plan the audits on the basis of 4 dimensions (turning wheels):
     • Range: Broad to Narrow
     • Priority: Year 1 to Year 5
     • Frequency: Once to Each year
     • Depth: Thorough to Superficial

  14. DISCUSSION!
