Steps in the Transition to an Impact-Focused Audit Function

1. Steps in the Transition to an Impact-Focused Audit Function Modifying Procedures, Audit Practices, and Reports to Address Risk Gert van der Linde, World Bank Uganda, Kampala May 18, 2004

2. From…… • Pre-audit (often 100%) • Checking compliance to procedural rules and regulations • No independence • Limited impact to improve the control environment ………..……to

3. An Independent IA function • Audit Committee • Annual Audit Coverage Planning • Assignment Planning • Risk Assessment • Control Identification • Control Assurance • Reporting

4. Annual Audit Coverage Planning • Determine audit universe • Compile audit coverage plan • Prioritisation and rating of areas • Type of assignment e.g. Business process, Product, Branch audit, etc. • Contract with line manager & SBU Exco • Approval by Group Exco • Approval by GACC • Deliverable: Annual Audit Coverage Plan

5. Assignment Planning • Preliminary review • Obtain background information of audit area • Determine assignment scope & objectives • Risk Management Plan, Control Adequacy Evaluation, Control Effectiveness Evaluation • Develop Assignment Planning Memorandum • Sign-off by Line manager • Notification to / Sign-off by SBU Exco member • Sign-off by Audit Services Section Head • Deliverable: Assignment Planning Memorandum

6. Risk Assessment • Identify functional areas • Identify risk areas • Identify risks • Identify risk elements • Prioritisation of risks & risk elements • Deliverable: Risk Profile

7. Risk Measurement • The risk elements of each risk are used to determine risk levels • Risks are evaluated by determining • the PROBABILITY of a risk occurring and • the SEVERITY should the risk materialise • As perceptions are measured it is important to involve senior management and experts • Deviations from median calculations are evaluated

8. Risk Measurement • Probability rating is done according to: • Past frequency • Current possibility • Seriousness rating is done according to • Monetary Loss • Time Loss • Image Loss

9. Risk Measurement • Risk rating tables are used to provide a standard to equate all risks • Worksheets are used to record the risk rating of risk elements • A weighted average of all risk elements is calculated per risk to establish the probability and severity rating of each risk

10. Probability rating guideline to ensure a uniform rating approach

11. Seriousnessrating guideline to ensure a uniform rating approach

12. 11 10 9 8 7 6 5 4 3 2 1 0 1 2 3 5 6 0 4 7 8 9 10 11 A “Risk Profile” Risk areas 1 - Implementation of trading strategy 2 - Marketing of products / services 3 - Market / product liquidity 4 - Obtaining of credit approvals 5 - Security documentation 6 - Management of counterparty exposures 7 - Dealing and pricing systems 8 - Quoting of rates 9 - Trading 10 - Income generation 11 - Fee / commission structure 12 - Position revaluation 13 - VaR / Sensitivity Analysis TREASURY - AGRIS Control Profile 42 43 44 45 46 47 48 78 58 49 52 53 54 55 56 50 59 65 61 62 63 64 57 66 67 68 51 74 70 71 72 73 75 60 76 69 77 25 79 81 82 83 84 85 87 40 88 39 38 37 36 35 34 41 33 32 86 80 26 30 24 23 22 21 29 20 18 17 16 15 14 13 19 31 Seriousness High Risk Areas 2 1 6 4 9 13 10 8 7 3 12 11 5 Medium Risk Areas Low Risk Areas Probability

13. Control Identification • Identify preventative controls • Identify contingent controls • Determine responsibility for controls • Deliverable: Risk Management Plan

14. Risk number Risk Definition of the risk Probability rating Seriousness rating Risk value Risk elements and ratings Preventative controls Contingent controls Responsibility Target dates Risk Management Plan - Contents

15. Control Assurance • Perform control adequacy evaluation • Ensure existence of controls • Evaluate economy and efficiency of application • Perform control effectiveness evaluation • Provide an opinion on the level of effectiveness of adequate controls • Perform substantive testing • To substantiate the impact where no controls exist • Deliverable: Audit Findings

16. Reporting and follow-up • Present findings and recommendations • Obtain management responses • Rank findings, using standard rating tables • Compile an Executive Summary • Critical and significant findings • Audit opinion on area audited • Risk Management Plan • Detailed findings • GACC reporting • Critical findings • Follow up actions • Deliverable: Audit Assignment Report

17. 1 - Implementation of trading strategy 2 - Marketing of products / services 3 - Market / product liquidity 4 - Obtaining of credit approvals 5 - Security documentation 6 - Management of counterparty exposures 7 - Dealing and pricing systems 8 - Quoting of rates 9 - Trading 10 - Income generation 11 - Fee / commission structure 12 - Position revaluation 13 - VaR / Sensitivity Analysis TREASURY - AGRIS 6 = Risk area Control Profile 32 20 15 16 53 14 17 21 19 13 31 22 23 24 25 18 33 48 26 42 34 35 36 37 38 39 40 41 50 43 44 51 46 47 49 29 45 52 62 56 57 58 59 60 70 61 63 64 65 66 67 68 69 71 73 55 80 81 75 76 77 78 79 30 82 72 83 84 85 86 87 88 54 74 11 10 9 8 7 Seriousness High Risk Areas 2 6 1 6 5 4 4 9 13 3 10 8 7 3 12 2 11 1 5 Medium Risk Areas 0 Low Risk Areas 1 2 3 5 6 0 4 7 8 9 10 11 Probability Challenge – Maintain a “Control Profile”

18. Steps in the Transition to an Impact-Focused Audit Function Modifying Procedures, Audit Practices, and Reports to Address Risk Questions?