
Risk Assessment



Presentation Transcript


  1. Risk Assessment

  2. Communicate Results Understand the Auditee Assess Risk Develop Audit Plan Execute the Audit Co-Develop Expectations

  3. Co-Develop Expectations Organize Information Identify the risks Prioritize the risks Source the risk In the process Present to Senior Management Obtain approval from the auditee head

  4. Risk Assessment • Objective: • To independently identify the entity-level risks to be targeted for audit based on the information gathered at the earlier phase of the methodology using the Auditee Risk Model (ARM). The IAD should also leverage the result of a formal risk assessment conducted by the Auditee.

  5. Risk Assessment • Risks are assessed based on their significance and likelihood of occurring in their inherent state, using a scale to be developed by the IA team. For example: high, moderate or low.

  6. Risk Assessment • Key activities: • 1. Organize Information Obtained from Co-developed Expectations and Understanding the Auditee • 2. Identify the Risks • 3. Prioritize the Risks • 4. Source the Risks in the Processes • 5. Present to Senior Management • 6. Obtain Approval from head of the auditee

  7. Understand the Financial and Operating Processes and Performance • A. Organize Information Obtained from Co-developed Expectations and UTA Objective: To organize the data obtained during the previous phase of the methodology and evaluate if any of the data gathered poses a risk to the Auditee. Focus: gaining an overall understanding of the operations in order to determine the critical risks that will hinder the Auditee from achieving its internal control objectives, goals and strategies.

  8. Understand the Financial and Operating Processes and Performance • A. Organize Information Obtained from Co-developed Expectations and UTA • Information needed: • AAF • Results of Co-develop Expectations • Auditee Performance • Assessment of Control Environment

  9. Identify the risks • B. Identify the Risks Procedures • 1. Identify the risks based on the IAD evaluation of the documents obtained/prepared in step A above using the ARM. The list of risks to be identified at this stage is called the “Risk Universe.” • 2. Review the Risk Universe and customize the generic definitions of the risk for your Auditee, if necessary.

  10. Procedures (continued) 3. Gather the senior management and validate the Risk Universe, including the risk definitions. At this stage the senior management should be able to have a common understanding of the risk definitions.

  11. Procedures (continued) • 4. Obtain inputs from senior management for any potential additional risks being faced by the Auditee. The IA should also evaluate if there is resistance to any of the risks identified. • 5. Update the Risk Universe considering the inputs from senior management.

  12. Prioritize the Risks • C. Prioritize the Risks • Based on the Risk Universe • Prioritize the risks based on the assessment of the senior management. • The IAD should share its perspective on risks assessed during the facilitation.

  13. Prioritize the Risks • C. Prioritize the Risks (continued) • Prioritizing the risks can be performed using different techniques, such as surveys, interviews, workshops, and facilitation. • In prioritizing the risks, the Auditor should consider these factors: • Significance • Likelihood • Control Effectiveness

  14. Prioritize the Risks • C. Prioritize the Risks (continued) Each risk identified will be assessed using the following risk factors: 1. Financial impact 2. Public service delivery impact 3. Reputation impact 4. Complexity of operation

  15. Prioritize the Risks • C. Prioritize the Risks (continued) Each risk identified will be assessed using the following risk factors (continued): • 5. Regulatory requirements and political sensitivity • 6. Existence of fraud and corruption • 7. Extent of use of information technology • 8. Extent of changes in operations and processes • 9. Results of previous audits

  16. Prioritize the Risks • C. Prioritize the Risks (continued) • The risk management or control effectiveness factors to be considered are: • Quality of controls shown in prior audits, if applicable • Current high-level assessment of the organizational controls

  17. Source the risk in the process • D. Source the Risks in the Process • Objectives: • To source where the key risks manifest in the process and • Identify the possible target processes for audit. • At this stage, the PCS customized for the Auditee under the UTA will be used.

  18. D. Source the Risks in the Process Procedures • 1. Using the Process Classification Scheme (PCS) and the Risk Map, source where the risks manifest in the processes. • 2. Prepare a Process-Risk Matrix (PRM) to plot the processes and the risks. Use the tool Prioritize Risk Universe template. • 3. Finalize the PRM.

  19. Present to Senior Management • E. Present the PRM to Senior Management Objective: To validate with the senior management whether the IAD has appropriately identified the processes where the risks manifest. Management will have a preliminary understanding of the potential audit areas for the period.

  20. E. Present the PRM to Senior Management • Some risks residing in the processes may be more appropriately covered by another unit in the Auditee such as the Inspectorate Department, for example, fraud. • The IA may provide assistance such as guidance and supervision to effectively audit these areas. The IA should highlight these possibilities.

  21. E. Present the PRM to Senior Management Procedures • 1. Set a meeting with senior management. • 2. Present the final PRM to senior management for confirmation. The IA may also present the Risk Universe and the Risk Map.

  22. Obtain approval from the auditee head • F. Obtain Approval from Head of the Auditee • Objective: • To obtain approval and support from the head of the auditee on the possible target audit areas. • This activity may also be conducted upon the completion of the annual audit plan in the next phase of the RBPFA.

  23. F. Obtain Approval from Head of the Auditee Procedures • 1. Prepare concise presentation materials summarizing the key information obtained in the UTA and Risk Assessment phases of the RBPFA. The presentation materials should be concise enough for the head of the auditee to understand the process undertaken by the IA.

  24. F. Obtain Approval from Head of the Auditee The presentation materials should include: • Brief description of the process from Co-Develop Expectations to Risk Assessment. • How the senior management was involved in the process. • Results of the activities, such as AAF, Assessment of Control Environment, the PCS, the Risk Universe, Risk Map and the PRM.

  25. F. Obtain Approval from Head of the Auditee Procedures (continued) 2. Present the results of the activity and obtain approval from the Head of the Auditee.
