
Good practices for risk assessment and control activities

Good practices for risk assessment and control activities. Costanza Schivi – 10 April 2019. Our Role as defined by International Standards for the Professional Practice of Internal Auditing.


Presentation Transcript


  1. Good practices for risk assessment and control activities Costanza Schivi – 10 April 2019

  2. Our Role as defined by International Standards for the Professional Practice of Internal Auditing
     “The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
     • Achievement of the organization’s strategic objectives.
     • Reliability and integrity of financial and operational information (main focus of ECA)
     • Effectiveness and efficiency of operations and programs.
     • Safeguarding of assets.
     • Compliance with laws, regulations, policies, procedures, and contracts.”
     “Internal Audit Service: Improving the Commission’s Performance”

  3. The Internal Audit Service of the European Commission
     • Sets up strategic planning based on own risk analysis and coordinated with European Court of Auditors
     • Brings a systematic, disciplined approach in order to evaluate and improve the effectiveness of risk management, control and governance processes.
     • Reports to:
       • Audit Progress Committee
       • the Commission on the results of its work (Internal audit Report)
     • Has full and unlimited access to information

  4. Powers and duties of the internal auditor (Art. 118 Financial Regulation)
     The internal auditor shall advise his or her Union institution on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management. The internal auditor shall in particular be responsible for:
     • assessing the suitability and effectiveness of internal management systems and the performance of departments in implementing policies, programmes and actions by reference to the risks associated with them
     • assessing the efficiency and effectiveness of the internal control and audit systems applicable to each budget implementation operation.

  5. A risk based methodology for Strategic Plan
     - define audit universe
     - assess the risks of the underlying components (using the Commission's risk management framework)
     - consider issues (i) not covered for some time on a cyclical basis (ii) inherently material
     - financial management of each audited entity is covered at least every three years irrespective of the level of risk => annual opinion on the state of internal control (limited assurance)
     - requests and/or concerns from IAS, Commission and Executive Agencies senior management and/or the APC (top-down steer)

  6. Which risks to assess?
     • AUDITORS ASSESS INHERENT RISK: risk by making abstraction of the controls in place
     • MANAGERS ASSESS RESIDUAL RISK
     • No time to assess controls during the risk assessment. If during the risk assessment auditors obtain information which indicates that key controls are missing or display very significant weaknesses, this information is likely to influence the likelihood aspect of the identified risk.
     • Controls are assessed during the preliminary survey of audits.
     • If the IAS identifies high inherent risks and management judge the residual risk to be lower => IAS may decide to carry out an audit in order to re-assure management of the appropriateness and well-functioning of mitigating controls.

  7. Audit Universe of the IAS
     [Diagram. Labels shown: IT; Grants; HR; Monitoring EU law; Financial statements; Non-financial processes; Financial processes; Ethics; Pre-financing; Procurement; Communication; Accountability, including management disclosure; Payroll. Counts shown: 233 auditable entities; 406 auditable entities. Process labels: Risk assessment; Risk factors; Reporting; IAS Strategic Audit Plan; Audit Results; Performance Indicators. Audit types: 3% Financial/Compliance; 31% Performance (incl. IT); 59% Comprehensive (fin/compl + performance); 7% Other (consultancy, limited reviews).]

  8. Non-financial processes
     - do not belong to the financial management audit universe
     - may generate significant risks for the Commission's reputation, e.g.
       • handling of crises
       • IT systems supporting policies
       • information security
       • ethics
       • citizen or staff safety (e.g. handling of pandemics, natural disasters, etc.)
       • sound financial and resource management

  9. Non-financial processes (cont.)
     They also include significant policy areas with some budgetary impact such as
     • competition policy, with resulting fines
     • controls over trade policy
     • anti-dumping measures
     • controls over the respect of EU law
     • infringement procedures

  10. Commission’s standard risk typology

  11. Controls
     The internal audit work focuses on auditing those controls that are deemed by management to be effective (i.e. strong controls identified by management).

  12. The internal audit work focuses on auditing those controls that are deemed by management to be effective (i.e. strong controls identified by management).
     In practice, at the end of the preliminary survey:
     • FINANCIAL/COMPLIANCE AUDITS. Risk Control Matrix: identifies, per process or activity, the main risks/control objectives and the existing controls.
     • PERFORMANCE AUDITS. Performance Audit Matrix: starts from a question tree and, for each (sub)question to be answered, states the criteria to be used against which the auditors will assess the answers, the testing procedures to be used and the potential findings and recommendations that the audit may conclude.

  13. A few key controls in the EC Control architecture
     • Ex-ante system assessment on implementing bodies
     • Ex-ante control of transactions (Financial Circuits « 4 eyes principles »)
     • Beneficiaries audit reports
     • Ex-post control of transactions/system (audit or transactions based)
     • Monitoring missions on projects management (Results Oriented Missions)
     • Verification missions or on-the-spot controls

  14. Examples of objectives of an audit of control strategies:
     • efficiency of the control coordination
     • adequacy of the design and the effectiveness of the control strategies in force
     • effectiveness of the controls underpinning the assurance building process (system audits, ex-ante and ex-post checks, monitoring, reporting)
     • timeliness and adequacy of corrective measures
     • effectiveness of anti-fraud controls

  15. Challenges
     • Understand the business!
     • Complementarity with management assessment (IAS: High risks; Management: Critical risks)
     • Determine subjects and scope of work
     • Be informed at an early stage of new systems and changes substantially affecting the Commission's internal control system

  16. Questions?

  17. Contact the Internal Audit Service: ias-europa@ec.europa.eu
