The essential guide to internal auditing free download
Use this training to train your auditors and give them practice with each step of the audit process.

The training covers the ISO Standard and gives the students a chance to work with it and become familiar with the requirements. Then the training guides the students through the audit process: they will prepare an audit plan, conduct opening meetings, audit documents and records, document their findings, hold a closing meeting and write the audit report. The training is recommended for groups of 6 to 12 students at a time. Moreover, the internal auditor also works with and alongside busy managers to help them understand the task of identifying and managing risks to their operations.

At the same time the internal auditor has to retain a degree of independence so as to ensure the all-important professional scepticism that is essential to the audit role.

The auditor's report to the board via the Audit Committee must have resilience and dependability. The book shows the reader how to understand the audit context and how this context fits into the wider corporate agenda.

The new context is set firmly within the corporate governance, risk management and internal control arena. K H Spencer Pickett has also developed many helpful models and checklists that provide a short cut to understanding the work and coverage of internal auditing. The most comprehensive guide to internal audit available, this book is a must-have for internal audit departments, an ideal resource for external advisers and essential reading for those studying internal audit.

Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations, detect risks and minimise their impact on an organisation. Using this book, internal auditors can be confident they help their organisation accomplish its objectives through a systematic, disciplined approach to risk management, control and governance processes. The second edition is vastly expanded and includes the very latest Institute of Internal Auditors Standards.

This update also takes account of the trend towards risk-based internal auditing: whilst boards expect internal audit to assure the adequacy of internal control systems, they are increasingly asking the internal audit team to focus on the most important, relevant issues to the business.

Internal audit now more than ever has to juggle risk and control with the need to be pragmatic and efficient. This handbook covers the theory, methods and practice of internal auditing, and includes chapters on specialist areas such as IT and environmental auditing.

As well as looking at the complete process - from planning to report writing and beyond - this title examines the principles and purpose of the internal audit, taking in independence, objectivity and quality assurance.

Apart from being a practitioner guide for use anywhere in the world, the handbook is also an essential textbook for trainees taking these exams. Deliver increased value by embedding quality into internal audit activities Internal Audit Quality: Developing a Quality Assurance and Improvement Program is a comprehensive and authoritative guide to better practice internal auditing.

Written by a global expert in audit quality, this guide is the first to provide complete coverage of the elements that comprise an effective internal audit quality assurance and improvement program. Readers will find practical solutions for monitoring and measuring internal audit performance drawn from The IIA's International Standards for the Professional Practice of Internal Auditing, and complemented by advice and case studies from leading audit practitioners from five different continents.

Major corporate and financial collapses over the past decade have challenged the value of internal audit. With an increased focus on internal audit's role in good governance, management is increasingly demanding that internal audit provides assurance of the quality of its own activities.

The IIA standards provide a framework for audit quality in the form of mandatory guidance. This is quite important in that if we view controls as means of reducing risk, we can now also view them as obstacles to grasping opportunities.

So risk management is partly about getting in improved controls where needed and getting rid of excessive controls where they slow proceedings down too much. In other words, making sure controls are focused, worth it and make sense. The review process may identify areas of opportunity, such as where effective risk management can be turned to competitive advantage. To incorporate this feature into our risk model we need to add a separate box that provides a grid of likelihood and impact considerations regarding the effect of the risk on the set objectives in Figure 3.

Having established the two aspects of risk, we can start to think about which risks are not only material, in that they result in big hits against us, but also whether they are just around the corner or kept at bay.

Since risk is based on uncertainty, it is also based on perceptions of this uncertainty and whether we have enough information to hand. Where the uncertainty is caused by a lack of information then the question turns to whether it is worth securing more information or examining the reliability of the existing information. Uncertainty based on a lack of information that is in fact readily available points to failings in the person most responsible for dealing with the uncertainty.

There is much that we can control, if we have time to think about it and the capacity to digest the consequences. We are close to preparing the risk management cycle and incorporating this into our original risk model. It is essential that there be openness of communication by management with the board on matters relating to risk and control.

Business risk is really about these types of issues, and not just the more well-known disasters, acts of God or risks to personal safety. This should revolve around the two-dimensional Impact and Likelihood considerations that we have already described earlier. Review: The entire risk management process and its outputs should be reviewed and revisited on a continual basis. This should involve updating the risk management strategy and reviewing the validity of the process that is being applied across the organization.

The above cycle is simple and logical and means clear decisions can be made on the types of controls that should be in place and how risk may be kept to an acceptable level, notwithstanding the uncertainty inherent in the nature of external and internal risks to the organization.

Most risk management systems fail because the process is implemented by going through the above stages with no regard to the reality of organizational life. Managers tick the box that states the stages have been gone through and eventually the board receives reports back that state risk management has been done in all parts of the organization.

Our risk models will have to be further developed to take on board the many intricacies that have to be tackled to get a robust and integrated system of risk management properly in place. Our latest risk model becomes Figure 3. We have developed ten measures for addressing risks that have already been assessed for impact and likelihood, in the bottom left box of our model.

Each of the ten responses (5Ts and 5Cs) is numbered and can be located within the appropriate part of the Impact/Likelihood Grid in the bottom right of the risk model. For example, where we have assessed a risk as high impact but low likelihood, we may want to transfer or spread some of this risk to an insurer as a suitable response (in this case number 3).

The responses are further described:
1. Terminate: here the risk is great and either cannot be contained at all or the costs of such containment are prohibitive.
Controls: one of the principal weapons for tackling risks is better controls. Note that this is the subject of the next chapter.
Transfer: where the risks are assessed as high impact but low likelihood, we may wish to adopt a strategy of spreading risk wherever possible.
Contingencies: a useful response to risk that is again high impact, low likelihood is based around making contingency arrangements in the event the risk materializes.
Take more: one dimension of the risk management strategy is derived from the upside risk viewpoint.

Risk management is about knowing where to spend precious time and knowing where to spend precious resources. The 5Ts and 5Cs model provides a wide range of techniques for developing a suitable risk management strategy in the bottom right corner of Figure 3.

The subject of risk registers has a very interesting past. Project managers have used them for a long time as they assess risks at an early stage in a large project and enter the details in a formal record which is inspected by the sponsors. More recently, they have come to the fore as an important part of general business risk management.

Moreover, the registers may form part of the assurance process where they can be used as evidence of risk containment activity, which supports the statement of internal control. Risk registers can be attached to this process to record the above stages and end up with both a record and action plan. The register in our model in Figure 3. An elementary diagram forms the basis for a consideration of risk appetite in Figure 3. We need to turn once again to Peter Bernstein for an authoritative view on risk appetites.

As we grow older, wiser, richer, or poorer, our perception of risk and our aversion to taking risk will shift, sometimes in one direction, sometimes in the other. The contrasting positions are that the board sets a clear level of tolerance and tells everyone inside the organization; or that people are empowered to derive their own levels based around set accountabilities.

Although many people associate risk with loss of assets, the concept is viewed by the auditor as much broader. Funds will move in accordance with the level of risk that they are attracted to, so long as this level has been properly communicated to all interested parties. Risk appetite varies between organizations, between departments, between sections and teams and, more importantly, between individuals.

If risk tolerance throughout an organization hovers at different levels with no rational explanation, then we may well experience problems. Where the entire organization has a high risk tolerance, then it will tend not to install too many controls, particularly where these controls are expensive. One model used to assess risk appetite uses the scale in Figure 3. Much confusion results from mixing gross and net risk. Risk, before we have put in measures to deal with it, is gross, or what we have called inherent risk.

Risk that has been contained, so far as is practicable, is net, or what we have called residual risk. A high-risk occupation such as astronaut may in practice be relatively safe because of the abundance of controls in place for each journey.

The risk tolerance for space exploration agencies may be near zero, with a focus on controls and quality assurance routines and numerous tests of these controls.

Attitudes to risk tolerance become even more important when we consider the responsibilities of an organization to its stakeholders. But, they will also need to understand the way the organization behaves towards risks.

While companies need to work out their view on risk, it is much the same for government bodies. The NAO has reviewed risk management in government bodies along with the need to support innovation. This may inhibit innovation in the way government services are designed, resourced and delivered. It is in this type of environment that it becomes hard to develop consistent messages about risk tolerance.

The Turnbull report contains a reminder that board expectations must be made clear throughout the company. A focused board with a well-considered strategy that is properly implemented, reviewed and further developed is the foundation for establishing risk tolerances that actually make sense to all managers and employees.

Without these prerequisites there will always be problems where the concepts of accountability and blame become confused. One dynamic method of developing corporate risk appetites is to start with the board. If the board carry out a risk assessment to isolate their top ten risks then this reasoning may form the basis for categorizing risks throughout the organization which could then form the basis for developing risk registers at senior and middle level management.

In some organizations, risk assessment workshops are set up for key teams as a response to the trend towards CRSA programmes, often on the back of recommendations from the auditors or an external consultant. This annual exercise appears to be enough to satisfy the auditors, and someone within the organization attempts to place the risk registers onto a database and eventually prepares summary reports for top management and the board. Better models use a key to highlight high impact, high likelihood (perhaps indicated in red), which then triggers a rapid response from the board, who will want to know that action is being taken to handle key exposures.

The board then reports that it has reviewed the system of internal control, partly through the use of the risk management process as described. We could go on, where risk workshops or risk reviews based on survey or interviews are derived from an incomplete model of the risk management system. As a result, we have developed our risk model to incorporate further dimensions that seek to counter the negatives listed above, as Figure 3.

The board make a statement on the systems of internal control in the annual report and it is the board that reports that this system has been reviewed. The King report from South Africa makes this point crystal clear: The board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process.

Management is accountable to the board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company. These policies should be clearly communicated to all employees to ensure that the risk strategy is incorporated into the language and culture of the company.

Turnbull represents aspirations that may not always be matched in practice. We are engaged in a continual search for better business practice. The board may in turn establish a risk management committee or look to the audit committee for advice and support, in respect of ensuring there is a reliable system for managing risks, or the audit committee may be more inclined to provide an independent oversight of the risk management and whether the arrangements are robust and focused.

Regardless of the set-up, the board remains responsible for ensuring management have implemented proper risk management. Some organizations have gone all the way and appointed a director of risk management, particularly in sectors such as banking, where the risk agenda is also driven by regulators.

The board sponsor will direct the risk management activity and ensure that it is happening and makes sense. One way of mobilizing the board and audit committee is to get them to participate in a facilitated risk assessment around the corporate strategy.

Many risk consultants suggest that the board arrive at the top ten or so risks to achieving the corporate strategy and make this information known to the management. The board come back into the frame when reviewing the risk management process and ensuring it stands up to scrutiny. They would also consider the reports that come back from their management teams that isolate key risks and whether these are being contained adequately.

People Buy-In Another problem with many risk management systems is that they do not mean anything to the people below middle management level. At worst, the employees are squeezed in between performance and costs in an attempt to work harder for less or the same recompense. In one risk management policy the organization had prepared a detailed diagram covering roles, responsibilities and relationships in the risk management system with committees, boards, risk manager, facilitators, auditors and stakeholder analysis.

The impression is that the risk management process is something that happens to them. The individual is really the foundation of risk management, since it is what people do and how they behave that determines whether an organization succeeds or fails. This person proactively directs the effort and sets up systems that embed the risk policy into everyday activities.

A version of a job advertisement for a business risk manager illustrates the importance of the new role: Reporting directly to the Audit Committee and Group Finance this role is a rare opportunity to join an exciting company and continue the development of the overall Risk Management framework for the business on a global basis.

They argue that we need to put right the silo reports on risks that are a feature of most big organizations. Still others, such as Terry Cunnington, have described arrangements where a risk assurance service provides enterprise risk management, internal audit and risk consultancy from one integrated team.

There needs to be an in-house expert who can drive through the risk policy and make it work in practice. No risk policy will work without a commitment to resource the necessary process and ensure there is someone who can help managers translate board ideals into working practices. To close, it is possible to list the items that may appear in the published risk policy and strategy itself:

1. Background to regulators and their requirements for risk management, and a note on the corporate governance code.
2. Position on appetite and whether the aim is risk avoidance, risk seeking or a measured balance.
3. Why bother?
4. Background to the RM process: the risk cycle and how it is integrated into decision making, planning and performance management.
5. Risk responses and strategies leading to better certainty of achieving goals.
6. Internal controls—what this means, with brief examples. The right control means putting in controls where risk is evident and getting rid of them where they are not required.
7. Training and seminars—importance and use.
8. Roles and responsibilities of all staff and specialist people such as the board, CRO, internal audit, external audit and technical risk-based functions.
9. Importance of the business unit manager.
10. Structures, including the board, audit committee, any risk committee and links to the CRO, quality teams and auditors.
11. Tools and techniques—guidance on the intranet, including a short guide to the CRSA workshop method, tools and principles involved.
12. Links to the overall internal control model that is applied, with particular reference to the need for a good control environment to underpin the risk process.
13. Links to established risk assessment practices built into projects, security, contingency planning and so on.
14. Assurance reporting—giving overall responsibilities, review points, validation of reports and the use of risk registers, including regular updates.
15. Need for integration into existing management systems such as performance management.
16. Glossary of terms.
17. Where to go for help.

The risk strategy will go into more detail and develop more guidance on how to put the policy into action. This is in contrast to the old approach where specialist pockets of dedicated processes such as contingency planning were risk assessed, but only at a local level for the process in question. Before we delve into ERM further there is a related point to clarify with the risk model we have been using throughout this chapter.

The new risk model is amended in Figure 3. In the middle box we have added strategy and KPIs to the original factor, objectives. We started with objectives as the driver for risk management and this viewpoint stands.

What we are working towards is for risk management to be part of the strategic planning process and therefore integrated within the performance measurement system.

This can be best illustrated with another model Figure 3. The model is based on a simple management cycle with a mission that is translated into a strategy, which when implemented relates to performance measures that are used to monitor the progress of the adopted strategy and action taken to review and adjust.

No risk assessment is carried out; the strategic management cycle is the four white boxes in Figure 3. There are very few organizations still at this stage. Here risk assessment is an annual event that is a separate exercise, removed from the corporate strategy. It may be done once and then left, or carried out each year, mainly for the disclosure requirements where the organization reports that it has a risk management system in place.

Again, there is a minority of large organizations that take a mechanical view towards risk. Phase three places risk assessment inside the strategic management cycle, so that as strategy is revisited during the year, or whenever there is a major change in direction, the assessment of key risks is also addressed.

Many organizations are at this phase, where risk assessment is a separate but component aspect of developing strategy. It drives the way objectives are set, the strategic framework, performance issues and monitoring and decision making.

It involves a culture shift towards formally addressing risk as part of business life. Here, all key decisions, change programmes and underpinning projects and resource shifts derive from a consideration of upside and downside risks.

Organizations that claim an ERM system is in place will have arrived at phase four. Risk assessment is so immersed into the culture of an organization that it becomes an implicit part of the corporate and personal value system for everyone involved with the organization. These objectives are aligned to eight main components of ERM: 1. Internal environment. 2. Objective setting. 3. Risk assessment. 4. Risk response. 5. Control activities. 6. Information and communication.

Determine consequences and likelihood and hence the level of risk. This analysis should consider the range of potential consequences and how these could occur. This enables decisions to be made about the extent and nature of treatments required and about priorities.

This is important for continuous improvement. Risks and the effectiveness of treatment measures need to be monitored to ensure changing circumstances do not alter priorities. By review of the critical control systems and risk management processes, the internal auditor can provide important assistance to organizational management. This big picture really does use the entire organization as the canvas for risk management.

In keeping with this analogy, we might suggest that the canvas is painted Red, Amber and Green for high, medium and low risk areas, which can be reviewed at board level as in Figure 3.

Each part of the organization will undertake risk assessment and compile risk registers containing the agreed risk management strategy. Table 3. shows a version of the register that gives the activities, risk rating, code (Red, Amber, Green), owner and action required, using a suitable reporting tool. (Table column headings as extracted: activity and date; risk category; Red, Amber, Green code; action plan summary; KPIs and risk review; risk reviewed, owner, version.)

Major risk exposure—director involvement—rapid review.
Moderate risk exposure—basic management practice applied.
Low risk exposure—no special action.
Trivial—review whether able to remove resources away from monitoring.

In this way the board and top management may have a view on risk across the organization and how it is being handled. See the section above on risk appetite, as this will impact on the way risks are reviewed and prioritized.

There may be need for a validation procedure to ensure that each risk register is valid and this is something that the CRO would address. Note that there are some internal auditors who consider this validation of risk management practices a useful way of applying the audit resource. Risk Categories Each organization will have its own interpretation of risk. We can review some of the well-known published risk guides and consider the prompts they contain on categorization.

Comprising targets, change programmes, new projects and new policies. There are many techniques for reaching all parts of an organization so that self-assessment by front line staff becomes the norm. Some argue the widespread use of questionnaires that are completed by key employees as a way of assessing whether there are operations that are at risk and whether controls are addressing these risk areas properly.

Another technique is the use of interviews with managers in particular business units to gauge whether the area is under control or not. These three techniques are fairly straightforward in that they involve a process superimposed on the normal business operations and support services. A more popular approach is the use of control self-assessment workshops, or what some call control and risk self-assessment (CRSA) workshops.

Proponents of CRSA are convinced that the only way to get risk management into the heart and minds of the organization is to get everyone involved in a participative manner. CRSA may be called many different things in different organizations. In some companies the terms risk and control do not inspire people and other more friendly terms are applied to the workshops. Note that the technique is dealt with in Chapter 7 on the audit approaches.

Here we simply mention the key principles relating to CRSA as part of the risk management system. An article by Paul Makosz in CSA Sentinel outlined the development of the CRSA approach: While I was at Gulf Canada Resources, we began to recognize that the heart of many problems lies in a corporate culture that could directly affect the bottom line; but we unfortunately had no tools to help us in identifying major risks before they became problems.

He had been studying Watergate-related issues at the parent company, Gulf Corp. About the same time, a serious management fraud had been discovered in a Gulf Canada subsidiary, although the internal auditors had been there only recently. The rest is history. A staged approach can be applied to this end as illustrated in Figure 3. (Figure residue: a staircase of stages; labels as extracted, top to bottom: Integrated / Development of risk / 7. Risk exercise / management / 6. Infrastructure build / 5. Awareness seminars / 4. Top management interest / 3. Responsible person / 2. Rumblings of research / 1.)

Stage one—general interest: build on the interest and focus it into a pro-organizational drive to get different specialist teams talking about their approach to risk management. Construct a checklist of matters to be addressed in formulating and implementing a corporate risk policy.

One way is to get the board and audit committee to carry out their own assessment to arrive at their top ten risks to start the process. Stage six—infrastructure build: much of this will revolve around building a suitable information system that categorizes and captures risk activities into a formal assurance reporting format.

As a result, many get stuck at an early stage and write the entire thing off as a false start. CRSA only really works where the organization has arrived at stage seven. Most risk standards, guides, aids and commentary contain the phrase or an equivalent term embedded risk management. Gordon Hill warns about trying to do too much too quickly: Integration with existing process is as important but presents different challenges purely because the process will be operational.

You could embark on a programme of reviewing all processes for risk. Wait until there is a problem within a process that suggests changes are needed; this is the time to introduce risk assessment and this will ensure the greatest value is delivered. Attacking everything at once is not a practical solution. Organizations need a way of deciding where to integrate and when. Using a properly prioritized risk register to focus on the biggest issues is the most effective way of targeting effort.

This way the organisation will achieve the fastest payback and the greatest commitment and will have in its grasp a route map to the managed risk culture. Meanwhile, there should be a further process for ensuring risk assessment is undertaken throughout key parts, if not all, of the organization and that it is driven from the top and runs down, across and throughout all levels of management.

SIC: The risk efforts and ensuing controls should feed into the statement of internal control (SIC) that each larger organization should formally publish. Stakeholders: The organization should have a formal process for communicating to stakeholders the efforts of the risk management system and any information that gives value to various interested parties.

The risk management system should address the concept of risk tolerance and make clear what areas are likely to pose a threat to the organization, or the general public where appropriate and the extent to which strategies and performance targets are likely to be fully achieved.

Much use can be made of the Internet website to communicate risk publicly. Time: The risk model is based on doing more to research, analyse and address risks that impact the organization, and on ensuring there is transparency and competence in the way these risks are addressed. Cost: This factor is linked to time.

It does cost money to implement new ideas, even where we are building these ideas into our existing systems. Values: The best way to establish risk management is to avoid just delivering a set of regulations in the form of things that must be done to satisfy the policy requirements.

Models are available to help in the key decisions underpinning the new-look internal audit role. The possible roles are:
1. No role.
2. Auditing the risk management (RM) process.
3. Active continuous support in RM oversight committees and status reporting.
4. Managing and coordinating the RM process.
There is another Practice Advisory that explains how internal audit should assess the adequacy of the risk management processes.

This advisory argues that the risk management process should ensure: 1.
