Upload
wwwavivaspectrumcom
View
421
Download
1
Embed Size (px)
DESCRIPTION
Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna CPA, CIA, CEO of Aviva Spectrum and Monica Raffety, CIA Senior Manager, Financial Controls at Kaiser Permanente will help you to: Understand risk assessment tools available Learn how and when to apply risk assessment techniques Leverage different forms of quantitative and qualitative analysis techniques Learn when to deviate from risk assessment templates with a memo or scoring Understand what external auditors, management and the Board need to know when executing a risk assessment. Understand how risk assessment impact the internal audit activities, from walkthroughs to testing
Citation preview
Compliance Made Simple
Risk Assessments
Best Practice & Practical Approaches
Thursday, June 19, 2014
Presented by:
Sonia Luna & Monica Raffety
2Compliance Made Simple
Bios
• Sonia Luna: has over 16 years of internal and external audit experience. Worked at 2 of the Big 4 before leaving as an audit manager to create Aviva Spectrum, in 2004. Aviva Spectrum provides a wide variety of internal audit services including SOX404, COSO 2013 transition, compliance audits and quality assessment reviews.
• Monica Raffety: has over 15 years of internal audit and compliance experience. She began her career in the financial services industry where she held various internal audit / risk management roles. She is also a former President and current Board of Governors member of the San Gabriel Valley IIA Chapter.
Risk Assessments
3Compliance Made Simple
Disclaimer
The comments, statements, views and opinions expressed in this webinar and other printed material do not reflect the views or opinions of the presenters’ current or past employers.
Risk Assessments
4Compliance Made Simple
Risk Assessment Planning Process
Establish the Purpose and Identify Risks
Measure Risks
Review, Report, and Communicate Results
Risk Assessment
Risk Assessments
5Compliance Made Simple
Establish the Purpose – Identify purpose and focus: Financial Misstatement,
Fraud, Other– Collaborate with Internal Audit, Compliance,
Business Management, and IT Management: Risk Assessment meetings, conduct interviews, complete risk assessment questionnaires, perform site visits to validate understanding of strategy, initiatives, products/services, and system changes
– Establish ownership of the risk assessment process– Establish risk assessment frequency: quarterly,
annually– Create format that is easy to review by stakeholders
and maintain
Risk Assessments
Risk Assessment- Establish the Purpose
6Compliance Made Simple Risk Assessments
Risk Assessment Questionnaire Example
7Compliance Made Simple
Identify the Risks– Review Regulatory Literature for your industry:
• Office of the Comptroller of the Currency (OCC) for risks affecting Financial Institutions. Semiannual Risk Perspective Fall 2013
• Centers of Medicare and Medicaid Services (CMS) for risks affecting Health Care. http://www.cms.gov/Medicare/Compliance-and-Audits
– Review past audit reports: • Length of time since last audit, prior findings, # of findings
– Perform quantitative and qualitative analysis: • Significant financial statement line items• Threshold such as exceeding overall materiality (5% of pre-tax
income) • Volume of transactions – dollar and #• Identify risk factors
Risk Assessments
Risk Assessment- Identify the Risks
8Compliance Made Simple
Examples of Risk Categories
Risk Assessments
Financial Information Technology Legal / Regulatory / ComplianceCredit Risk Physical Events Risk Compliance Risk
Interest Rate Risk Capacity / Flexibility Risk Safety and Soundness Risk
Asset Quality Risk Systems Availability Risk FDICIA Risk
Liquidity Risk Information Security Risk Contractual / Third-Party Vendor Risk
Physical Asset Risk Fiduciary Risk
Counterparty Risk BSA/AML
Financial Reporting Risk
Concentration Risk
Price Risk
Transactions Risk
Human Resources / Management Experience Operations / Change / Complexity Prior / Other Audit – Internal, External & RegulatoryKey Personnel Risk Operational Risk Remediation Risk
Workforce Risk Cyber Threat Risk
Integrity Risk
Market / StrategicProduct / Services Risk
Reputation Risk
Market Structure Risk
Competition Risk
Political Risk
Acquisition Risk
Strategic Technology Risk
9Compliance Made Simple
Measure the Risks– Set risk levels for each auditable activity:
• Risk Factors such as: Financial risks, IT risks, Legal / Compliance risks, Operational risks, Strategic risks, Human Resource risks and Prior / Other Audit activities
– Assign a “Risk Score” to each audit activity: • Based on likelihood/probability and impact (potential
losses) of inherent risks associated with the activity– Assign a “Risk Rating” to each audit activity:
• High, Medium, or Low – to each audit activity / area based on the level of risk associated with the activity
Risk Assessments
Risk Assessment- Measure the Risks
10Compliance Made Simple Risk Assessments
Example Risk Assessment – Risk Score Matrix
Impact: Risk impact on achieving Organizational/Business Unit strategies and objectives
Probability: The likelihood that a given risk will occur, given current control/business environment
3. High 3. Probable
Represents a risk which materially or significantly impacts the achievement of goals and objectives
Given the current control environment, the risk is likely or very likely to occur and there is a possibility of repeated incidents
2. Medium 2. MaybeRepresents a risk that may prevent achieving goals and objectives
Given the current control/business environment, it is possible that the risk may sometimes occur
1. Low 1. Remote
Represents a risk with little or no impact on achieving goals and objectives
Given the current control/business environment, there is only a remote possibility that the risk will occur
11Compliance Made Simple Risk Assessments
Risk Assessment- Prioritize the Risks and Develop Audit Plan/Project
Prioritize the Risks and Develop Audit Plan/Project
– Develop a risk-based audit plan based on the results of the risk assessment - the assigned risk ratings help to determine the frequency and scope of audit testing
– Example
• High risk areas may be audited annually
• Medium risk areas may be audited on a rotating basis and every 2-3 years
• Low risk areas may be audited on rotating basis and every 3-4 years.
12Compliance Made Simple Risk Assessments
Risk Assessment- Review, Report, & Communicate Results
Review, Report, & Communicate Results– Look at the big picture:
• What risks are you controlling?• Do you have many controls in areas that are low risk or have
not had a material misstatement or fraud event? If yes, why?
– Prepare a risk assessment package:
• Share with Executive Management and review quarterly or annually.
– Identify items that may call for a re-assessment of risks:
• Examples: Systems implementations, acquisitions, divestitures, changing business models, changing control/business environment, new technology etc.
• Update your audit plan as needed
13Compliance Made Simple
Template Materials
• Sample Risk Assessment Questionnaire• Sample Risk Score Matrix• Sample Risk Assessment Templates• Sample Audit Plan• Sample Change Management Questionnaire
Thank you to the Internal Audit Community that contributed these templates!! Please feel free to share your “scrubbed” or original templates with this group.
Risk Assessments
Microsoft Excel Worksheet
14Compliance Made Simple
COSO & Risk AssessmentsNew 17 Principles
Risk Assessments
Still the Same only better, more clear and more relevant.
15Compliance Made Simple
COSO 2013: Risk Assessment Updates!
• Fraud Risk Assessment: Finally documented but conducted in practice.
• Includes monitoring of risks as a “Must Have”.
Risk Assessments
16Compliance Made Simple
Risk Assessment Evidence
Risk Assessments
Monitorin
g
17Compliance Made Simple
Principles: What “holds” a principle UP!
Risk Assessments
Princ
iple
18Compliance Made Simple
Risk Assessment Case Study
Risk Assessments
Company Background:
– Public financial services company– Three divisions A, B and C– Objective Category for COSO framework =
External Financial Reporting (SOX 404)
19Compliance Made Simple
Case study:Control Analysis
Risk Assessments
• Mgmt documented its overview of its assessment of control effectiveness.
• Management determined it has some revenue recognition control deficiencies and need to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up and coming divisions “DIVISION C” but there were NO KNOWN financial statement errors!
• Root case analysis concluded that management failed to implement control activities over the revenue recognition process at Division C, which became a significant part of their overall revenue and growth for the organization.
20Compliance Made Simple
Case studies – Polling Question
Risk Assessments
QUESTION ?How bad is it? Was this a ……
A)Control Deficiency,
B) Significant Deficiency
C) Material Weakness
D) Not a deficiency
21Compliance Made Simple
Case Study: Conclusion
Risk Assessments
What COSO has to say:
A related weakness was noted in Principle #9 “Identifies & Analyzes Significant Change”, because the company never adopted key controls over this Division C that was growing rapidly and Corporate office assumed it was doing what they expected. The conclusion was a:
MATERIAL WEAKNESS for 2 Principles!Principle #10 “Selects and Develops Control Activities” andPrinciple #9 “ID & Analyzes Significant Change”
22Compliance Made Simple
Case Study Solutions
• Create and implement a Risk Assessment Policy/Procedure• Interim SOX 404 control analysis, including risk
assessment procedures• Evaluate Materiality (prior to interim testing or just after).
Risk Assessments
23Compliance Made Simple
Transition Analysis – 6 mos.
Risk Assessments
24Compliance Made Simple
Control Compliance Analysis
Risk Assessments
COSO Transition
1. Top Transition Failures (Case Studies)
2. Audit Evidence required3. Priority Driven by
Principles
PCAOB, IIA & SEC Guidance
1. Latest PCAOB Internal Control Standards
2. IIA Incorporated Top 7 IC Failures
3. SEC Guidance for Mgmt on Internal Controls
[email protected]: CCA Reservation 5
25Compliance Made Simple
Polling Question 2
Risk Assessments
Does your organization have a Risk Assessment Policy/Procedure document?
Risk Policy
A Yes, we have one
B No, wish I had one
C Don’t Know
26Compliance Made Simple
Risk Assessment Impact of Reported Changes
Risk Assessments
Change ManagementSelect
Yes, No, NA
Yes
Yes
Yes
No
3. Process (including report) Changes Are there any significant changes in the business processes, including reporting changes? (Process or Control narrative should be updated for specific changes to controls and/or business processes)
4. Significant Policy or Regulatory ChangesAre there any significant changes in regulations, operating and/or financial policies and/or procedures?
List any planned significant changes (organization, systems, process, policies and procedures and others) that you anticipate in 201X that may affect or potentially affect the internal controls over financial reporting for your business process, including the expected implementation date, impact of such changes and related action items to ensure that the key control and/or business process continue to operate effectively.
This section must be completedFor each item (1 - 4) select "Yes", "No", or "NA" if a change occurred.
Comments (If the answer is "YES", identify the personnel change, name of application/system affected, business process change, affected policy(ies) name(s), date of change(s), and action items taken to ensure the key control and/or business process continue to operate effectively.)
1. Organizational Changes Are there any significant changes in the key personnel managing the process?
2. System/Technology ChangesAre there any significant changes in the financial (application) systems, including additions or modifications to existing systems? Are there any significant technology changes?
Benefits/Impact of Regular Change Management Reporting• Identify areas that require
walkthrough or new areas to be added to audit plan:
– Could lead to postponed testing
– Updated audit plan– Updated testing strategy– Updated risk assessment
• Identify current and future areas of risk:
– Significant changes in people, process, or technology
• Identify opportunities to serve in an advisory role
– New systems/technology– New regulations that may
impact the Organization
27Compliance Made Simple
Polling Question 3
Risk Assessments
Is your organization conducting risk based walkthroughs?
Walkthroughs
A Yes,
B No, wish we would
C Don’t Know
28Compliance Made Simple Risk Assessments
• Caused audit procedure layering
• More in-depth written description of estimates and use of judgment, especially review controls
• Detailed documentation and testing of system reports utilized in performance of controls.
New PCAOB Auditing BAR!
29Compliance Made Simple Risk Assessments
Level of precision in Plain English?
• How detailed is management’s review of journal entries?
• Document your thought process– Dollar Threshold– Percentage of Revenue– Geographic Location– Lines of Business– Other Risk Factors– Timing
30Compliance Made Simple
IT dependent controls (pg#27)
Risk Assessments
31Compliance Made Simple
IT Spreadsheets – RA Process
Risk Assessments
Inventory your Excel files (Total in-versus-out of scope)!Next tab reveals what you’re test!
32Compliance Made Simple
Combined Risk ScoringIn-Scope Excel Files
Risk Assessments
33Compliance Made Simple
Testing Example
Risk Assessments
34Compliance Made Simple
Polling Question 4
Risk Assessments
For sampling controls to test do you find your current risk assessment is adequate? Sampling
A Yes, to a degree
B Yes, but needs some work
C No, we need new approach
35Compliance Made Simple
Community & Sharing
Risk Assessments
Join Our LinkedIn GroupCOSO Framework Discussion &
Webinars
http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about
Technical Community sharing Ideas ,Templates, WEBINARS, Advise and Learn from others implementing new framework.
Share your latest templates here!
36Compliance Made Simple
Q & A session (5 – 8 Min)
Risk Assessments
Sonia Luna- President, CEOAviva Spectrumwww.linkedin.com/in/sonialuna www.slideshare.net/soxppt www.avivaspectrum.com/podcasts