Applying a risk model in state internal and external audits

Slides: 37
Provided by: danielwa
Transcript and Presenter's Notes

1
Applying a risk model in state internal and external audits
2
Audit and Risk
  • Haven't we, as auditors, always considered risk
    within our audit plans?

3
Roles and Responsibilities
4
Governing Body
Audit/Risk Committee
Risk Professional
Internal Audit
  • Promotes good practice
  • Drives and monitors risk framework
    and action plans
  • Maintains risk map and risk profile
  • Reviews risk profile.
  • Analyses emerging risks.
  • Tracks existing risks.
  • Co-ordinates RMSA
  • Co-ordinates risk reporting
  • Incorporating risk into the planning process
    for overall coverage.
  • Considered opinions on specific elements
    of the organisation.
  • Overall opinion of control environment.
  • Assessment of completeness and effectiveness
    of the risk management process.
  • Assessment of the effectiveness of specific
    elements of the control environment.
  • Outputs
  • Reviews of
  • Risk management methodology
  • Corporate Governance statements
  • Statements on internal controls
  • Management responses to key risks

Risk Workshops
Business/Risk owners
Organisational Improvement
  • Managing specific risks
  • Apply risk management cycle
  • Implement action plans
  • Develop capabilities, processes, Controls
  • Monitor performance
  • Manage issues/breaches
  • Efficiency reviews
  • Improvement programmes
  • Process optimisation
  • Cost reduction
  • Outputs
  • Socialising risk
  • Identification of key risks
  • Decide on how to manage risk
  • Measuring residual risk
  • Data for risk reporting

5
Roles and Responsibilities
The Risk Professional.
  • Promotes good practice
  • Drives and monitors risk framework
    and action plans
  • Maintains risk register
  • Analyses emerging risks.
  • Supports risk owners.
  • Co-ordinates Risk Reporting.

6
Roles and Responsibilities
Business risk owners
  • Managing specific risks
  • Apply risk management cycle
  • Implement action plans
  • Develop capabilities, processes, Controls
  • Monitor performance
  • Manage issues/breaches
  • Tracks existing risks.

7
Roles and Responsibilities
Organisational Improvement
  • Efficiency reviews
  • Improvement programmes
  • Process optimisation
  • Cost reduction

8
Roles and Responsibilities
Internal Audit
  • Incorporating risk into the planning process
    for overall audit coverage.
  • Considered opinions on specific elements
    of the business.
  • Overall opinion of control environment.
  • Assessment of completeness and effectiveness
    of the risk management process.
  • Assessment of the effectiveness of specific
    elements of the control environment.

9
Risk Management Reporting
Governing Body
SELF CERTIFICATION
Scrutiny/Audit Cttee
AUDIT OPINIONS
CHIEF EXECUTIVE
Organisation Chief Internal Auditor
AUDIT OPINIONS
FUNCTIONS OPERATIONS
DIRECTORS
MANAGERS
INDIVIDUAL AUDITS
Risk Register
10
Risk Management
The Risk Management Process
  • Is Therefore More Than Just a Cyclical Audit or
    Insurance Review and Report.

11
Roles and Responsibilities
  • Risk management cannot be introduced in
    isolation.
  • It has to be in partnership with all those other
    interested parties.

12
The Contribution of Internal Audit
  • Role is changing
  • Challenges of good Governance
  • FD/CEO Expectations changing
  • The need to evidence measurable added value
  • IIA re-defining the role

13
IIA Definition
  • Internal auditing is an independent and objective
    assurance and consulting activity that is guided
    by a philosophy of adding value to improve the
    operations of the organisation.
  • It assists an organisation in accomplishing its
    objectives by bringing a systematic and
    disciplined approach to evaluate and improve the
    effectiveness of the organisation's risk
    management, control, and governance processes.

14
Definition of Audit
  • Auditing is a process by which an organisation
    gains assurance that the risk exposures it faces
    are understood and managed appropriately in
    dynamically changing contexts

15
Risk Matrix
Matrix cells, top row (left to right):
  • Important risks - might potentially affect provision of key services or duties
  • Key risk - may potentially affect provision of key services or duties
  • Immediate action needed - serious threat to provision and/or achievement of key services or duties
Matrix cells, middle row (left to right):
  • Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
  • Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
  • Key risks - may potentially affect provision of key services or duties
Matrix cells, bottom row (left to right):
  • No action necessary
  • Monitor as necessary - ensure being properly managed
  • Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
Impact scale:
  • Over 5 million OR questions raised in Parliament
  • 2 million - 5 million OR reported in National Press
  • 500,000 - 2 million OR reported in Local Paper
  • 100,000 - 500,000 OR unacceptable levels of complaints
  • Under 100,000 OR some complaints from individuals
Likelihood scale:
  • Unlikely - once in 10-20 years
  • Possible - once in 10 years
  • Likely - once in 3 years
  • Certain - once a year
  • Rare - once in 20 years
16
Translating Key Risks Into the Assurance Programme
  • Key risks as identified in the matrix should be
    the basis of the Audit programme
  • Should form 60 approx of full programme
  • Some risks not easily auditable
  • Consider specialists, CSA etc

17
What Should The Audit Role Be In Establishing a Risk Management Process?
18
Audit Participation in Risk Programmes
  • OPTIONS
  • Manage the whole programme
  • Facilitate the workshops
  • Jointly facilitate the workshops
  • Coordinate responses etc
  • Attend the workshops as a participant
  • Monitor and report on the action plans
  • Review perceived versus actual controls

19
Audit Reporting
  • Linking to key risks gives visibility
  • Perceived versus actual controls
  • Monitoring of action plans
  • Board, Audit Cttee, Risk Cttee, Snr mgt.
  • Focus on achievements
  • Monetary
  • Risk reduction (matrix movements)
  • IT security, fraud, reduction in surprises

20
Audit Reporting
  • Refer to organisational objectives
  • Specify the risk to their achievement
  • Explain findings specifically related to those
    risks
  • Specify actions to address the exposures or
    opportunities (and what they will achieve)

21
Effectiveness of the Control Environment
Risk minus the cost of Transfer, Control, Recover equals Exposure
22
Cascading the Techniques Into Project and Change Management.
23
Projects Improvement Programs
  • Within the programs planned do you have
    objectives that you want to achieve? Yes
  • Amongst the action plans and recommendations that
    you have to introduce are there some that could
    stop or delay the overall program? Yes
  • Can the likelihood and impact of failing to
    achieve these recommendations and action plans be
    assessed? Yes
24
Projects Improvement Programs
  • A program/project is therefore ideal for using
    risk management techniques to prioritise where
    you need to focus.
  • You know your objectives.
  • You have already identified the issues (risks)
    that you have to manage to successfully achieve
  • Action Plans
  • Recommendations.

25
Projects Improvement Programs
  • If we assess the likelihood of not successfully
    implementing each of the action plans and
    recommendations
  • and
  • If we assess the impact to the overall program of
    not successfully implementing them.

26
Projects Improvement Programs
  • This gives us a simple method of categorizing and
    prioritising the steps that have to be taken.

27
Projects Improvement Programs
EXAMPLE
28
Projects Improvement Programs
  • Objective.
  • To improve the procurement systems of State
    Government.

29
Projects Improvement Programs
  • Issue

Make the External Auditors Office responsible for
carrying out ex-post control of procurement,
with the appropriate means to hire experts for
independent audits.
30
Risk Matrix
Impact Of Risk (HIGH at top, LOW at bottom) against Likelihood of Occurrence (Unlikely at left, Likely at right):
6 8 9
3 5 7
1 2 4
31
Risk Matrix



[Figure: risk matrix, Impact Of Risk (HIGH/LOW) against Likelihood of Occurrence (Unlikely/Likely)]
32
Projects Improvement Programs
  • Issue

Enact new public procurement laws based on
Model Law being prepared, used elsewhere
33
Risk Matrix



[Figure: risk matrix, Impact Of Risk (HIGH/LOW) against Likelihood of Occurrence (Unlikely/Likely)]
34
Projects Improvement Programs
  • Issue

Issue Circular to improve procurement process
with mandatory requirements for
  • advertisement of all bidding opportunities in the
    Gazettes, local dailies and notice boards of
    procuring entities
  • public bid opening
  • publication of contract awards above a certain
    threshold.
35
Risk Matrix



[Figure: risk matrix, Impact Of Risk (HIGH/LOW) against Likelihood of Occurrence (Unlikely/Likely)]
36
Risk Management
  • Risk management is a journey.
  • You can expend great effort and travel miles
  • If, however, you haven't plotted your course in
    line with the organisation's strategy you will do
    nothing but waste valuable time and resources.