Continuous Business Risk Assessment
About BYU
• Private, Church-sponsored
• Founded 1875
• Three campuses
  – Provo, Utah (30,000)
  – Rexburg, Idaho (14,000)
  – Laie, Hawaii (2,000)
• Internal Audit: 11 professionals, 10 associate (student) auditors
Why?
Our current risk assessment model is
• It no longer enables us to keep up with emerging risks in a dynamic business environment
• Assumes management/auditor omnipotence
• One year cycle time is just tooooo long to formally address risks
• Relies on single method of harvesting risk information (annual survey)
• No method for prioritizing work
• Annual audit plan becomes the “Hotel California” of audit projects
• Risks working with blinders on.
Why?
• Comply with IIA Performance Standards
• Ensure alignment with University mission and objectives
• Add value to our audit customers
• Are you following, unchanged, the audit plan you developed for 2003?
Questions
“Most often used measures (of internal audit effectiveness) are absolutely dysfunctional. I think of one: you do your annual audit plan and commit to the audit committee that you’re going to do X number of these audits for the coming year.”
--Dr. James Roth
Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Best Practices
• Extensive Staff Expertise
• Challenging Work Environment
• Organizational Alignment
• Participative, Qualitative, Real-time Risk Assessment
• An Array of Audit Services
February 2003 Internal Auditor
Array of Audit Services
• Risk-based audits – working with management to identify the business risks they face.
• Process audits – auditing an entire business process rather than an organizational unit and looking for ways to improve the process instead of simply trying to find control weaknesses.
• Pre-implementation reviews – participating on new-product or system-development teams and/or reviewing the project at certain defined milestones.
• Self-Assessment – hosting workshops, administering questionnaires, and conducting structured interviews to address soft controls.
• Internal-Control Education – formal training programs designed and taught by internal auditors, as well as ad-hoc training, when needed, during assurance or consulting projects.
Internal Audit Tools
• Control Self-Assessment Workshops
• Client-Relationship Management
  – Relationship Development
  – Client Training
• Control Model Mentoring
• Computer-Aided Exception Identification (Continuous Auditing)
• Process Improvement Programs (Quality Improvement, Continuous Improvement)
  – Team Facilitation
  – Improvement Models
Internal Audit Tools
• Process Mapping/Control Evaluation (SOx, FCPA)
• Risk-based Auditing
• Maturity Model Evaluation/Implementation
• Management Review
• Risk Management Council
• Improvement Models
  – Accountability
  – Continuous Improvement
Continuous Business Risk Assessment
Continuous Risk Assessment is a participative process whereby we evaluate emerging risks on a continuous, qualitative, real-time basis rather than on an annual basis.
Participative
• Involve more than Internal Auditors
• Seek out managers and employees who know and understand emerging risks.
Continuous
• Periodic vs. Annual
• As frequently as needed
• Various sources of information (meeting, conference, workshop, survey, interview)
Qualitative
• Relies on professional judgment
• Includes political and strategic factors as well as traditional measures
• Involves more than one opinion
Real-Time
• Results in changes to the audit schedule NOW
• Decisions made in close proximity to issue and risk identification
Risk Assessment Process
[Diagram labels: Event Identification; Risk Assessment; Risk Response; Risk Evaluation & Response; Process Imp.; Action Plan; Audit; Mgt. Review; Investigation; Mgt. Conf.; Control Doc.; Audit Population; Strengthening Control Environment; Monitoring Compliance; Risk-Based Audits & Requested Services]
CBRA
[Diagram labels: Event/Project Identification; Risk Assessment; Risk Response; Prioritize Projects]
[Flowchart labels, in page order: Risk Database; Risk Assessment Team; Evaluate risk or project proposal; Action; Detailed Risk Assessment Report; Staff; Conduct Detailed Risk Assessment; Risk Assessment Team; Initiate project (project type, tool, objective, scope, resources); End; Risk Assessment Team; Prioritize projects and adjust audit schedule; Engagement Plan]
Risk Information Sources
• General Observations
• CI (CSA) Workshops
• Client Relationship Mgt
• Mgt Requests
• Quality Improvement Program
• Audit Results
• Audit Committee
[Figure: Gantt chart with columns ID, Task Name, Start, Finish, Duration, spanning Sep 2002 to Oct 2002; rows Task 1 through Task 5]
Risk Tracking Log
• Access Database
• Three Screens
  – Input Log
  – Evaluation Screen
  – Strategic Considerations
Audit Project Portfolio
• Excel
• Categorized
What We Get
• Increased capability to systematically respond to business risks
• Increased ability to identify risks by expanding and improving risk information harvesting methods
• Improved utilization of Internal Audit resources
• Compliance with IIA Performance Standards
• Overall, a more mature risk assessment process
Standards Summary
• Risk-based plan of engagements
• Develop at least annually
• Determine priorities consistent with organization’s goals
• Consider input of senior management and board
• Identify significant exposures to risk
• Consider consulting proposals
Impacts
• More time identifying, characterizing and evaluating risks.
• Need more flexible audit schedule.
• Trust in consensus/professional opinion.

• Copy of slide presentation
• Access database template (Tracking Log)