8/11/2019 Rbi a Introduction Powerpoint v 3
David M Griffiths www.internalaudit.biz
Risk based internal auditing: an introduction
slides of figures and appendices
The following slides are those used in the book Risk based internal auditing: an introduction, available from www.internalaudit.biz
The slides of figures are:
1 Internal auditing objectives
2 Grid for significance of risks
3 Stages of an audit
4 RBIA documentation
5 Processes involved in stage 2
6 Grid for frequency of audits
7 Factors to reduce inherent risk scores risks
8 Processes involved in stage 3
9 Grid for significance of residual risks
The slides of appendices are:
A Internal auditing objectives
B Hierarchy of objectives, risks and controls
C Process map
E Grid for risk workshop
J Stages of an internal audit
Other appendices are on the excel spreadsheet RBIA introduction excel v3
Internal auditing objectives (Figure 1 and appendix A)
The main aim of internal auditing is to assist the organisation to achieve its objectives.
The management of an organisation have objectives.
An internal control is a process which manages a risk.
A risk is a set of circumstances that hinder the achievement of objectives.
Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.
2 Grid for significance of risks
Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required
[Figure 2: 5 x 5 grid in which each cell shows a score and a rating.]
Likelihood of risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
Consequence of risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)
Scores 1, 2, 3, 4: Acceptable
Score 5: Supplementary issue in one cell, Issue in the other
Scores 6, 8: Supplementary issue
Scores 9, 10, 12: Issue
Scores 15, 16, 20, 25: Unacceptable
Grid annotations: Risk appetite, as defined by the board; Internal control; IR = Inherent Risk; RR = Residual Risk
Fig. 2 Grid showing the significance of risks
3 Stages of an audit
[Figure 3: flowchart. Box labels:]
Stage 1: Assess risk maturity; Risk Naive, Risk Aware, Risk Defined, Risk Managed, Risk Enabled; Facilitate risk identification; Use organisation's risks; Management's Risk Register (if available); Management's Risk Register (amended)
Stage 2: Audit universe; Assign risks to audits; Risk and audit universe (RAU); Audit plan; Audit Committee report
Stage 3: Individual audit; Audit report; Feedback results into RAU
Fig 3 Stages of an audit
4 RBIA documentation
[Figure 4: diagram. Labels: risk and audit universe; audit databases; objectives; risks; scores; controls; last audits; tests; audit reports; Audit Committee report]
Fig. 4 RBIA documentation
5 Processes involved in stage 2
[Figure 5: flowchart. Box labels:]
Risk Register (audited)
Audit Universe
Risk and Audit Universe
Categorise risks
Risks within the risk appetite
Risks which will be tolerated
Risks on which assurance is provided by others
Risks on which assurance is required
Filter risks
Risks not requiring an audit in this period
Select risks to be covered
Link risks to audits
Allocate resources to audits
Audit plan
Audit Committee report
Fig 5 Processes involved in Stage 2
6 Grid for frequency of audits
[Figure 6: 5 x 5 grid in which each cell shows a score and an audit frequency.]
Likelihood of inherent risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
Consequence of inherent risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)
Scores 1, 2, 3, 4: Never
Scores 5, 6, 8: Every three years
Scores 9, 10, 12: Every two years
Scores 15, 16, 20, 25: Every year
Fig. 6 Grid for the frequency of audits
7 Factors to reduce inherent risk scores risks
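[Figure 7: 3 x 3 grid of factors.]
Audit result (columns): Green, Amber, Red
Time since last audit (rows): 1 year, 2 years, 3 years
Factors, one grid row per line under the columns Green, Amber, Red:
0.75 1 1
0.5 0.75 1
0.25 0.5 0.75
Fig. 7 Factors to reduce inherent risk scores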
8 Processes involved in stage 3
[Figure 8: flowchart. Box labels:]
Audit plan
Risk and audit universe
Define draft audit scope
Set up an audit database to record the audit details, or update the Risk and Audit Universe
Audit database
Meetings to determine objectives, risks and agree scope
Agreed scope
Obtain relevant documentation on processes
Examine the risk management process for the area audited
Conclude on risk maturity for the area audited
Decide on audit approach
9 Grid for significance of residual risks
Unacceptable: Immediate action required to control the risk
Issue: Action required to control the risk
Supplementary issue: Action is advisable if it is cost-effective
Acceptable: No action required
[Figure 9: 5 x 5 grid in which each cell shows a score and a rating.]
Likelihood of residual risk: Rare (1), Unlikely (2), Possible (3), Probable (4), Almost certain (5)
Consequence of residual risk: Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)
Scores 1, 2, 3, 4: Acceptable
Scores 5, 6, 8: Supplementary issue
Scores 9, 10, 12: Issue
Scores 15, 16, 20, 25: Unacceptable
Grid annotation: Risk appetite, as defined by the board
Fig. 9 Grid for the significance of residual risks
Hierarchy of objectives, risks and controls (Appendix B)
Objective level 1:
Relieve famine in central Africa
Risks:
No clear strategy as to how to achieve our objective
Unable to predict where and when famines will occur
Unable to obtain food
Unable to deliver the food to the starving
Do not have the staff and systems to support the operation
Objective level 2:
Devise a strategy for the next five years to deliver our objectives
Set up a system which enables us to predict famine areas
Set up agreements with donors to obtain food
Establish delivery systems to deliver food when and where it is required
Establish functions to support the field operations
Risks:
Insufficient lorries to transport grain
Lorries breakdown
Do not know where food is required most urgently
Unable to obtain space on ships
Insufficient drivers
Roads are impassable
Establish a supply chain to ensure prompt delivery of food to the highest priority area
Objective level 3:
Decide how future needs are to be met, by local carrier or own lorries
Lorries to be properly maintained
Set up strategy for prioritizing camps
Establish contacts with shipping companies to anticipate problems
Identify how to recruit at short notice
Set up possible alternative routes
Objectives map (appendix C)
Objective:
Relieve famine in central Africa
Level 2 objectives:
1 Devise a strategy for the next five years to deliver our objectives
2 Set up a system which enables us to predict famine areas
3 Set up agreements with donors to obtain food
4 Establish delivery systems to deliver food when and where it is required
5 Establish functions to support the field operations
Level 3 objectives:
1.1 Agree a strategy
1.2 Communicate strategy
1.3 Deliver strategy
1.4 Update strategy
4.1 Establish contacts with shipping companies to anticipate problems
4.2 Decide how future needs are to be met, by local carrier or own lorries
4.3 Lorries to be properly maintained
4.4 Identify how to recruit drivers at short notice
4.5 Set up possible alternative routes for delivery
4.6 Set up strategy for prioritizing camps
5.1 Raise money
5.2 Provide financial advice
5.3 Provide transaction processing
5.4 Provide legal services
5.5 Provide information technology
5.6 Provide human resources
Stages of an internal audit (appendix J)
The management of an organisation have objectives.
An internal control is a process which manages a risk.
A risk is a set of circumstances that hinder the achievement of objectives.
Significant risks generate the audit plan.
Internal auditing: provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to acceptable levels.
[Diagram labels: numbers 1 to 5; The audit]