
Risk-Based Audit


Presentation Transcript


  1. Risk-Based Audit: Audit Risk Assessment Model (Excel model included in last slide)

  2. Audit Risk Model
  • Purpose: to prioritize the audit schedule for creation of the audit plan.
  • All risks are relative but can be compared by combining three key factors with equal overall weighting:
    • Inherent Risk (IR): size of the risk or exposure.
    • Control Risk (CR): likelihood that the risk will materialize.
    • Detection Risk (DR): probability of detection if the risk materializes.

  3. Risk-Based Planning - Steps
  • Create the audit universe by dividing functions or systems into auditable areas.
  • The whole business population must be covered, and the division approach must be consistent.
  • Evaluate the risks in each function or system throughout the universe to create a score for IR, CR, and DR.
  • Sub-categories within IR, CR, and DR are given different weightings to reflect their relative importance.
  • Combine the scores to create an overall result which can be ranked alongside the results for all other functions or systems.

  4. Risk Factors - Inherent Risk (IR)
  Parameters relating to the size of the exposure or risk:
  A = Combined value of annual income and expenditure
  B = Number of employees involved
  C = Impact on the organization
  D = Volume of transactions per month

  5. Risk Factors - Control Risk (CR)
  Parameters relating to the likelihood of the risk materializing:
  F = Impact of management and staff
  G = Third party sensitivity
  H = Standard of internal control
  J = Likelihood of occurrence

  6. Risk Factors - Detection Risk (DR)
  Parameters relating to the probability of unwanted consequences being detected if they do materialize:
  K = Likely effectiveness of audit
  L = Duration of the audit
  M = Length of time since last audit
  N = Effectiveness of other assurance providers

  7. Aggregate Risk Score
  Formula used for calculation of the risk factor:

      Inherent                   Control                      Detection
      (2A + B + 3C + D) / 35  x  (2F + G + 3H + 3J) / 45  x  (K + 2L + 2M + 2N) / 35

  The result is multiplied by 200.

  8. Audit Interval - Assessment of Results

      Score      Grade   Meaning
      > 80       E       Top priority
      60 - 79    H       Critical topic for review
      40 - 59    M       Important to tackle
      20 - 39    L       Lower priority but still valid audit topic
      < 19       N       Audit probably unnecessary
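The scoring procedure of slides 3, 7 and 8 carried through in code, as an added example that is not part of the presentation or its Excel model. It assumes each factor A to N has already been given a 1..5 score from the scoring sheets (5 = highest risk), that the lower limit of each grade band is inclusive where the slide leaves a gap, and the three auditable areas with their scores are constructed for illustration.

```python
from fractions import Fraction
# Weights and divisors copied from the "Aggregate Risk Score" slide.
IR_WEIGHTS = {"A": 2, "B": 1, "C": 3, "D": 1}  # divisor 35
CR_WEIGHTS = {"F": 2, "G": 1, "H": 3, "J": 3}  # divisor 45
DR_WEIGHTS = {"K": 1, "L": 2, "M": 2, "N": 2}  # divisor 35

def _component(scores: dict, weights: dict, divisor: int) -> Fraction:
    """Weighted sum of one risk group over the slide's divisor.
    Assumption: each factor is scored 1..5 (5 = highest risk) from the scoring
    sheets; 35, 45 and 35 are the weighted sums when every factor is 5, so each
    component is at most 1 and the x200 result is at most 200."""
    for key in weights:
        if not 1 <= scores[key] <= 5:
            raise ValueError(f"factor {key} must be scored 1..5, got {scores[key]}")
    return Fraction(sum(w * scores[k] for k, w in weights.items()), divisor)

def aggregate_risk_score(scores: dict) -> float:
    """IR x CR x DR, multiplied by 200 as the slide states."""
    ir = _component(scores, IR_WEIGHTS, 35)
    cr = _component(scores, CR_WEIGHTS, 45)
    dr = _component(scores, DR_WEIGHTS, 35)
    return float(ir * cr * dr * 200)

def priority_grade(score: float) -> str:
    """Grade letters from the "Audit Interval" slide. The slide leaves 19-20 and
    79-80 unassigned; assumption here: each band's lower limit is inclusive."""
    if score > 80:
        return "E"  # Top priority
    if score >= 60:
        return "H"  # Critical topic for review
    if score >= 40:
        return "M"  # Important to tackle
    if score >= 20:
        return "L"  # Lower priority but still valid audit topic
    return "N"  # Audit probably unnecessary

def rank_audit_universe(universe: dict) -> list:
    """Score every auditable area and rank highest risk first: the audit plan order."""
    rows = []
    for name, scores in universe.items():
        score = round(aggregate_risk_score(scores), 2)
        rows.append((name, score, priority_grade(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample universe: three auditable areas with illustrative 1..5 scores.
SAMPLE_UNIVERSE = {
    "Payroll": dict(A=5, B=4, C=5, D=5, F=4, G=5, H=5, J=5, K=5, L=5, M=5, N=5),
    "Payments": dict(A=4, B=3, C=5, D=4, F=3, G=2, H=4, J=4, K=3, L=2, M=4, N=3),
    "Canteen": dict(A=1, B=1, C=2, D=1, F=2, G=1, H=2, J=2, K=2, L=1, M=2, N=2),
}
```

Calling rank_audit_universe(SAMPLE_UNIVERSE) returns the areas ordered Payroll (185.65, E), Payments (73.14, H), Canteen (7.4, N), which is the ranking the long-term audit plan is built from.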

  9. Aggregate Risk Factor

  10. Audit Risk Priority

  11. Long-term Audit Plan

  12. Audit Resource Planning

  13. Risk Scoring Sheet

  14. Risk Scoring Sheet

  15. Risk Scoring Sheet

  16. Inherent Risk (IR) A - Combined value of annual income and expenditure (Baht), or value of the business it supports
  • Up to 10M
  • Between 10M - 40M
  • Between 40M - 200M
  • Between 200M - 400M
  • Over 400M

  17. Inherent Risk (IR) B - Number of employees involved / persons able to access
  • Up to 10
  • 11 to 30
  • 31 to 50
  • 51 to 100
  • Over 100

  18. Inherent Risk (IR) C - Impact on the organization
  • Insignificant: low financial loss, no disruption to capability, no impact on community standing
  • Minor: medium financial loss, minor disruption to capability, minor impact on community standing
  • Moderate: high financial loss, some ongoing disruption to capability, modest impact on community standing
  • Major: major financial loss, ongoing disruption to capability, major impact on community standing
  • Catastrophic: mission-critical financial loss, permanent disruption to capability, and ruinous impact on community standing

  19. Inherent Risk (IR) D - Volume of business transactions or user activities (per month)
  • Fewer than 500
  • 501 to 2,500
  • 2,501 to 5,000
  • 5,001 to 15,000
  • Over 15,000

  20. Control Risk (CR) F - Impact of management and staff / IT staff and users
  a) Quality of management
  b) Extent of staff turnover
  c) Length of time the operation has been within the business
  d) Degree of expressed concern by management
  e) Management's attitude to risk taking
  f) Morale of staff

  21. Control Risk (CR) F - Impact of management and staff / IT staff and users
  • Top quality management and staff with low turnover of both, in an operation which has been in existence for more than three years and about which no known concern is being expressed
  • High quality management and staff
  • Medium quality management and staff
  • Below average quality management and staff
  • Poor management and staff with high turnover of both, in an operation which has been in existence for less than three months and about which a great number of concerns are being expressed

  22. Control Risk (CR) G - Third party / outsourced service provider sensitivity
  a) Tax implications
  b) Extent of regulatory requirements
  c) Legal implications / privacy / fraud
  d) Service delivery and availability
  • There are no tax, legal, regulatory or other third party implications
  • Low sensitivity
  • Moderate sensitivity
  • High sensitivity
  • Very significant third party sensitivity is present

  23. Control Risk (CR) H - Standard of internal control
  a) Means of authority to commit (e.g. none, sole, sole with review, dual, committee)
  b) Extent of losses
  c) Scope for intentional manipulation
  d) Vulnerability to fraud
  e) Degree of technical sophistication of systems
  f) Extent to which standard systems are being used
  g) Extent to which operating manuals are complied with
  h) Extent of recent reorganizations and system changes
  i) Known factors which should ring warning bells
  j) Reliability of the last internal control review
  k) Extent of weakness highlighted in the last internal control review
  l) Strength of accounting systems
  m) Extent of formal procedures
  n) Other IT security and controls

  24. Control Risk (CR) H - Standard of internal control
  • Excellent: with no known significant reorganizations or systems changes; little known scope for intentional manipulation
  • Above average: with standard systems in use throughout
  • Sound
  • Known or suspected to be weak
  • Known or suspected to be very unsound

  25. Control Risk (CR) J - Likelihood of occurrence, related to the level of impact on the organization of factor C (relative probability %)
  • Rare: the risk/loss events may occur only in exceptional circumstances (0% - 3%)
  • Unlikely: the risk/loss events could occur at some time (+3% - 30%)
  • Possible: the risk/loss events might occur at some time (+30% - 60%)
  • Likely: the risk/loss events will probably occur in most circumstances (+60% - 97%)
  • Almost certain: the risk/loss events are expected to occur in most circumstances (+97%)

  26. Detection Risk (DR) K - Likely effectiveness of audit
  a) Willingness and ability of the client to react positively to the results of the audit
  b) Extent to which relevant specialist skills are available to internal audit
  c) Ability to conduct a competent audit
  d) The degree of need for thorough audit follow-up
  e) The quality of internal audit systems documentation
  f) Knowledge of the business and experience of staff
  g) Involvement and availability of management

  27. Detection Risk (DR) K - Likely effectiveness of audit
  • There are significant constraints that are likely to preclude doing an effective audit, e.g. a function with novices, high turnover of experienced staff, little knowledge of the business, together with poor line management
  • Likely to have some constraint to effective audit
  • Medium constraint to effective audit
  • Unlikely constraint to effective audit
  • There are no significant constraints that are likely to preclude doing an effective audit, e.g. a well-established function with fully experienced and trained staff with a good knowledge of the business, together with receptive and focused line management

  28. Detection Risk (DR) L - Duration of the audit
  • Over 70 days
  • 41 to 70 days
  • 21 to 40 days
  • 10 to 20 days
  • Less than 10 days

  29. Detection Risk (DR) M - Length of time since the last review
  • Less than 12 months, or closely observed or involved during the implementation phase
  • Between 12 and 18 months
  • Between 18 and 24 months
  • Between 24 and 36 months
  • More than 36 months, or never audited

  30. Detection Risk (DR) N - Effectiveness of other assurance providers
  • Regular internal, QA and other audits with no significant findings
  • Regular internal, QA and other audits with some significant findings
  • No other audit work completed
  • Regular internal, QA and other audits with many significant findings
  • Continual significant problems identified by assurance reviews

  31. Q&A
  Pairat Srivilairit, CIA CCSA CFSA CBA CISA CISSP CFE FSVP
  Head of Internal Audit, TISCO Financial Group Public Company Limited
  Mobile: +66819031457
  Office: +6626337821
  Email: pairat@tisco.co.th