Risk based internal auditing: Three views on implementation
David Griffiths PhD FCA
www.internalaudit.biz
Version 2.2
Implementing RBIA - Contents

Contents

Contents
Introduction
1 Why is risk based internal auditing important?
1.1 Why is understanding risk important?
1.2 What is risk based internal auditing?
1.3 What's the aim of this book?
2 Guidance for directors
2.1 Why understand risks?
2.2 What is risk based internal auditing as far as I'm concerned?
2.3 What is the responsibility of the directors?
2.4 What are the pluses and minuses?
2.5 I've got some questions
3 Guidance for Chief Audit Executives
3.1 Why should I read this?
3.2 What's fundamentally different?
3.3 Can I carry on as though nothing has happened?
3.4 What is RBIA as far as I'm concerned? What are the challenges?
3.5 People
3.5.1 Board and audit committee
3.5.2 Management
3.5.3 Risk management
3.5.4 Audit staff
3.6 Processes
3.7 What's in it for me - the pluses and minuses?
3.7.1 Audit resources
3.7.2 Management of the internal audit department
3.7.3 An audit trail for audits
3.8 I've got some questions
4 Guidance for internal audit staff
4.1 Why should I read this?
4.2 What is RBIA?
4.3 What do I have to do?
4.3.1 Audit approach
4.4 What's in it for me - the pluses and minuses?
4.5 I've got some questions
5 Glossary of terms
6 Version control

Risk based internal auditing by David Griffiths is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Implementing RBIA - Introduction

Introduction

Welcome to risk based internal auditing.

These opinions are more conventionally known as 'assurance', which includes the opportunity to indicate why assurance cannot be given, in part or whole.

© D M Griffiths www.internalaudit.biz Page 1

In implementing RBIA, the assurance required by the board from various functions is set out by the governance codes. UK: "The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems." South Africa: King Code of Governance Principles (June 2012), Principle 4.1: "The board should be responsible for the governance of risk". Singapore: Code of Corporate Governance (May 2012), Principle 11: "The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and the company's assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives."

Assuming your organization has embedded risk management into its processes, how can you ensure that the organization's risks are being properly controlled in order to achieve your objectives? That's where internal audit comes in.
Its responsibility is to agree with the board the assurance it will provide. The methodology that internal audit will use is risk based internal auditing.

Implementing RBIA - Guidance for directors

2.2 What is risk based internal auditing as far as I'm concerned?

So risk based internal auditing depends on the relationship between the risk appetite, the risks and the controls, which the simplified diagram shows (diagram not reproduced in this extract). It requires:

That the board has approved a risk appetite for the organization on such a basis that risks can be easily identified as being above, or below, the risk appetite.

That responsibility for providing an opinion on the risk management framework is defined. This will include defining the responsibilities of management, external audit, internal audit and any other functions that provide assurance, such as HR, Finance, Loss Prevention and Health and Safety departments.

In most large organizations a suitable risk management framework should be in place, because they are affected by regulations which require the identification, assessment, management and monitoring of risks. Additional work may be required to ensure all significant risks have been identified and to record all risks and score these in order to prioritize them. None of these tasks is the responsibility of the internal audit department, although it could act as champion, and even project manager, for risk management, especially in the early stages of introduction. Some boards may wish to define different risk appetites for different parts of their organization.

The significant risks are documented in the Objectives, Risks and Controls register (ORCR) and the audit plan shows which risks are to be assessed as having adequate controls - and which risks will not be assessed. You are therefore in a position to consider if the audit plan fulfils your requirements in assuring the board that risks are being properly controlled.

Since RBIA involves providing an opinion to directors on the risk management processes over all risks, the audit plan may contain audits not carried out by auditors before, for example, covering risks affecting public relations, supply chain management and treasury. Internal audit's responsibility is limited to ensuring managers have identified their risks and have responded appropriately to reduce them to below the risk appetite. If specialist knowledge is required to do this, it may be available from within the organization, and suitably qualified staff could be seconded to internal audit, if they are independent of the area being audited. If such specialist knowledge has to be obtained outside, additional costs will be involved. In addition, there may be resistance from managers not used to audits of their areas of responsibility.

By concentrating on audits of inherent risks above the risk appetite, some audits previously considered important might disappear. These could include audits of small overseas subsidiaries, 'petty cash' and the Staff Social Club. RBIA directs scarce internal audit resources at checking the responses to the risks that present a serious threat to an organization, and regulations are now requiring directors to ensure these risks are properly managed. RBIA thus provides directors with an opinion that this is happening, or a warning that it isn't.

However RBIA requires that the organization has a complete, structured, prioritized list of inherent risks. This may list several thousand risks and, since risks are a management responsibility, will involve senior management resources to compile it. However, once compiled, such a list needs only to be kept up-to-date by periodic revisions and is required for other purposes, such as management decision-making.

One aim of RBIA is to check that the system of control is reducing risks to below the organization's risk appetite. The board should therefore have formally approved the risk appetite in the same terms as used for prioritizing the risks. This is a complex issue and boards may be reluctant to define the risk appetite in such exact terms.

One benefit of RBIA is that, not only should it highlight risks that are not properly controlled; it should highlight risks that are over-controlled and therefore consuming unnecessary resources.

The adoption of risk based internal auditing has direct benefits for all directors, or their equivalents in all types of organizations.

2.5 I've got some questions

It's all very well you saying drop audits of petty cash, but if my local authority auditors don't do these audits and there is even a small fraud, the council's name appears in the local newspaper as wasting taxpayers' money. How do you solve this?

It is unfortunate that a £500 fraud will attract more media attention than the failure of a £2m project to deliver all the expected benefits. Apart from the obvious answer of increasing the number of auditors in order to obtain assurance on the management of low risks, which is not usually an option, the responsibility of managers needs to be considered. Since they are responsible for developing, operating and monitoring the system of internal control, they are accountable for controlling accounting transactions - not internal audit. Thus, the controls which management uses to monitor risks need to be considered. For example, do managers occasionally observe, without warning, the counting of cash floats; do they receive regular confirmation that the petty cash float has been counted by an independent member of staff? While this is additional work for managers, the cash floats are their responsibility, not those of internal audit. In addition, involvement by management emphasizes to staff that controls are considered important.

How do I set a risk appetite?

Deciding on a risk appetite is a complex issue and this book is not intended to provide advice on risk management.
However a brief explanation is possible. For more details, the references in 'Further reading' should be checked; for example the 'Orange Book: Management of Risk - Principles and Concepts', available on the UK Government's website, is applicable to any organization.

Although there are other business reasons for setting a risk appetite, the management of risk requires a level against which a risk can be compared to determine if it needs a response to reduce it. The system of controls which reduces risks to below this level can be considered as 'operating effectively'.

A risk appetite can be defined by firstly defining the levels of consequence for an organization. For example:

Loss of cashflow if risk occurs: Less than £5,000 | £5,001 - £50,000 | £50,001 - £1m | £1m - £5m | Over £5m
Description: Immaterial | Small | Significant | Major | Catastrophic
Consequence score: 1 | 2 | 3 | 4 | 5

These levels can also be set for a subsidiary, or other unit in a large organization.

Risk appetite can then be defined as a combination of likelihood and consequence. For example, risks with a consequence score equal to, or greater than, 3 with a likelihood of 'certain' will not be tolerated, assuming they can be cost effectively controlled. There will probably be a need to set a higher risk appetite for new ventures, in order not to stifle opportunities.

It would be possible to set a risk appetite so high that few, if any, risks exceeded it. However, there will still be a need to comply with any regulations requiring 'effective controls'. The risk appetite should therefore be set at a level below which all risks are considered 'effectively controlled'.

Implementing RBIA - Guidance for Chief Audit Executives

3 Guidance for Chief Audit Executives

3.1 Why should I read this?

Directors are expected to understand the risks their organization is facing; managers are expected to identify, assess, monitor and report these risks; the Chief Audit Executive (CAE) or Head of Internal Audit is expected to provide an opinion that risk management processes are effective. Risk based internal auditing provides the means to do this.

3.2 What's fundamentally different?

If you accept that internal auditing is fundamentally about internal controls, and that internal controls are necessary to mitigate risks, then someone must provide an opinion on whether those risks are being managed. That's where you come in!

3.4 What is RBIA as far as I'm concerned? What are the challenges?

If RBIA is to provide assurance on those risk management processes which cover all significant risks threatening the objectives of the organization, there are four elements which the CAE needs to consider:

1. The extent to which the board and management determine, assess, manage and monitor risks (the 'risk maturity' of the organization).
2. The existence of a risk register.

The adoption of risk based internal auditing affects everyone in the team. The extent of the change will depend on the current methodology used by the department implementing RBIA, but it is likely that everyone in the internal audit team will be affected. To understand this section, the previous section, for the CAE, needs to be read as well as books 1 and 2.

4.2 What is RBIA?

Risk Based Internal Auditing is the methodology that provides an opinion as to whether the risk management framework is operating as required by the board. RBIA not only involves risks in prioritizing the annual audit plan but also in prioritizing tests within an individual audit, since testing effort can be concentrated on the management of risks with a high control score.

The section of this guidance for the chief audit executive considers how the risk maturity of the organization will determine the audit approach. For internal audit staff, there are two approaches:

Providing an opinion:
The biggest difference from traditional audit work is that there is much less emphasis on the negative, 'finding faults', and more on the positive, 'confirming controls work'.

Consultancy: This includes facilitating management's identification and assessment of risks and providing advice on the optimum responses to risks. The approach will be used where residual risks are above the risk appetite, and for systems being implemented.

The individual risk based internal audit is very similar to a systems audit in that it involves understanding the processes and controls involved and testing these to ensure they are operating properly. However, it is also very different from a systems audit, particularly those using audit programs, in that it is driven by the risks identified by management. However, this does not mean that management determine the audit work to be done, as the auditor always has the right to carry out whatever work is required to give an opinion whether risks are being managed to an acceptable level.

This is particularly true when previous audit work involved completing audit programs on financial controls, or carrying out compliance audits. The new areas to be audited will be unused to auditors, and there will be much more involvement with managers throughout the audit, not only at the end when presenting findings. Auditors will have to understand more about the practicalities of business and facilitate the implementation of controls accordingly.

RBIA thus presents opportunities, and challenges, for internal audit staff.

Implementing RBIA - Guidance for Internal Audit

The skills needed include:

Presentation skills.

Interviewing and listening skills, since you will have to understand the business you are auditing.

Running meetings and workshops, since these will provide you with your basic building blocks of objectives, risks and controls.

A wider knowledge of your organization: since you will be auditing high level risks, you will need to understand the high level objectives.
This includes understanding the external risks threatening your organization.

What techniques should I use?

RBIA doesn't necessarily change the auditing techniques to be used, but where they will be used. Physical verification is still vital to ensure that what people are telling you should happen is actually happening. Thus you will still continue to use walkthrough tests, sampling of transactions, examination of authorizing signatures and verifying balances. The reason for carrying out these tests is to ensure that the controls that treat risks, and the monitoring controls that ensure these controls are operating, are effective. The tests are not designed specifically to detect incorrect, or fraudulent, transactions. That is management's job.

What about computer assisted audit techniques (CAAT)?

Their use is justified if they are intended to prove controls are effective. If their intention is to detect errors, or fraud, then management should take responsibility for operating them. If internal auditors are used to detect errors then they become part of the control process and not part of the assurance function.

Implementing RBIA - Glossary of terms

5 Glossary of terms

See 'An approach to implementing Risk Based Internal Auditing' for more official versions.

Assurance: A positive confirmation intended to give confidence that what is reported may be relied upon.

Audit plan: A list of audits to be carried out in a specified time frame.

Audit universe: A list of all the audits required to provide assurance that all significant risks are properly managed.

Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization.

Control: Processes which manage risks.

Control score: The difference between the inherent and residual risk scores. The higher the value, the more important the control.

Director: Member of a controlling board, such as a company director, trustee, councillor or governor.

Enterprise-wide Risk Management (ERM): A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Inherent (gross) risk: the status of risk before any responses to it are taken into account.

The implementation of responses to risks, which reduce their threat to below the level of the risk appetite or, where this is not possible, reports the risk to the board.
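As an added illustration (not code from the book or from internalaudit.biz), the following Python puts the consequence bands of the 'How do I set a risk appetite?' answer and the glossary's control score into a small register check: which risks sit above the example appetite (consequence 3 or more at 'certain' likelihood) and therefore belong in the audit plan, ordered so the most important controls are tested first. The 1-5 likelihood scale, the likelihood-times-consequence scoring, the sample risks and all function names are assumptions, not the book's.

```python
"""Risk appetite and control-score check in the terms of the consequence table.
Added illustration, not the book's own code. The bands and the example appetite
rule (consequence >= 3 at 'certain' likelihood) follow the text; the 1-5
likelihood scale, likelihood x consequence scoring and the sample risks are
assumptions."""
from dataclasses import dataclass

# (inclusive upper bound in pounds, score, description); the top band is unbounded.
CONSEQUENCE_BANDS = [(5_000, 1, "Immaterial"), (50_000, 2, "Small"),
                     (1_000_000, 3, "Significant"), (5_000_000, 4, "Major"),
                     (float("inf"), 5, "Catastrophic")]
# Assumed likelihood scale; the page names only 'certain'.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}

def consequence_score(loss_pounds: float) -> tuple:
    """Map an estimated loss of cash flow onto the page's consequence scores."""
    for upper, score, label in CONSEQUENCE_BANDS:
        if loss_pounds <= upper:
            return score, label
    raise ValueError("unreachable: the last band is unbounded")

def above_appetite(likelihood: str, consequence: int,
                   min_consequence: int = 3, min_likelihood: str = "certain") -> bool:
    """True when a risk breaches the appetite. Defaults are the page's example;
    both thresholds are parameters so a subsidiary or a new venture can be
    given a different (higher) appetite, as the text suggests."""
    return (consequence >= min_consequence
            and LIKELIHOOD[likelihood] >= LIKELIHOOD[min_likelihood])

def risk_score(loss_pounds: float, likelihood: str) -> int:
    """Assumed scoring convention: likelihood score times consequence score."""
    return LIKELIHOOD[likelihood] * consequence_score(loss_pounds)[0]

@dataclass
class Risk:
    name: str
    inherent_loss: float       # loss if it occurs with no controls in place
    inherent_likelihood: str
    residual_loss: float       # after management's responses to the risk
    residual_likelihood: str

    def control_score(self) -> int:
        """Glossary definition: inherent score minus residual score; the higher
        the value, the more important the control (and the testing of it)."""
        return (risk_score(self.inherent_loss, self.inherent_likelihood)
                - risk_score(self.residual_loss, self.residual_likelihood))

def audit_plan(risks: list) -> list:
    """Names of risks whose inherent position is above appetite, i.e. those whose
    responses the plan must assess, ordered most important control first."""
    chosen = [r for r in risks if above_appetite(
        r.inherent_likelihood, consequence_score(r.inherent_loss)[0])]
    return [r.name for r in sorted(chosen, key=Risk.control_score, reverse=True)]

# Constructed sample register, not taken from the page.
SAMPLE = [Risk("Payroll data breach", 2_000_000, "certain", 40_000, "unlikely"),
          Risk("Petty cash theft", 500, "certain", 500, "possible"),
          Risk("Supplier failure", 800_000, "certain", 800_000, "likely")]
```

With the sample register, petty cash theft never enters the plan because its consequence score is 1, which is the point the book makes about dropping petty cash audits.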