11/18/2018

TALLAHASSEE CHAPTER

RISK ASSESSMENT

What is Internal Audit’s Role?

Emphasize the Basics, Elevate the Standards

November 27-28, 2018

Susan Cureton, CFE, CIA, CIG

Deputy Inspector General

Florida Division of Emergency Management

Learning Objectives

Define Risk

Importance of a Risk Assessment

Benefits of a Risk Assessment

Key Steps in Performing a Risk Assessment

Communicating Results to Management

Preparing Annual Plan

What is Risk?

What is risk?

The possibility of an event occurring that will have an impact on the achievement of objectives. -The Institute of Internal Auditors

How do we manage risk?

Control processes are the policies, procedures, and activities that are part of a control framework; designed to ensure that risks are contained within the risk tolerances established by the risk management process.

What is a Risk Assessment?

• Identification and analysis of relevant risks that threaten the achievement of an organization’s objectives.

• Risk is measured in terms of impact and likelihood.

• Determining how those risks should be managed.

Why Conduct a Risk Assessment?

Required by Florida Statutes:

• 20.055 (5)(i), Florida Statutes: The inspector general shall develop long-term and annual audit plans based on the findings of periodic risk assessments.

• The plan shall show the individual audits to be conducted during each year and related resources to be devoted to the respective audits.

Why Conduct a Risk Assessment?

Required by Internal Audit Standards:

• IIA Performance Standard 2010: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

• The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management…must be considered in this process.

Why Conduct a Risk Assessment?

“If you want auditing that matters, audit what matters.” –Norman Marks

Maximizes internal audit resources - makes the best use of limited resources.

Maximizes internal audit’s ability to impact the agency.

Assists management buy-in regarding audit topics.

Add value.

Question?

• How many of you have been involved in conducting a formal risk assessment?

Risk Example

Key Steps in Performing a Risk Assessment

Identify the Audit Universe (auditable units).

Measure risk of auditable units.

Rank major activities according to risk scores.

Identify high-risk areas.

Determine available resources.

Prepare Annual Plan.

Audit Universe

The audit universe is all the possible audits that could be performed.

WE DO AUDIT

• Operations

• Compliance

• Divisions

• Programs

• Information Technology Systems

• Agency-wide Processes

WE DO NOT AUDIT

• Specific individuals

Audit Universe

How do you identify the audit universe?

• Organizational charts

• Management surveys/interviews

• Previous audit reports/External audits

• Strategic plans

• Focus groups

• Performance Measures

• Discussions with Senior Management/Agency Head

Audit Universe Example

Measuring Risk

Develop risk factors:

• Complexity of operations or activities

• Recently audited

• Personal hazard

• Instability of operations

• Staff size

• Asset liquidity

• Closely aligned with agency mission

• Management concern/requests

• Public exposure

Measuring Risk

Define Risk Scoring System:

• Define risk scale (for example, 1-5)

1= risk & 5 = risk

• Define weights for each risk factor

• Assign risk scores

• Score overall risk

• Weigh the likelihood vs. the impact

Likelihood vs. Impact

Measuring Risk Example

Identify High-Risk Areas

• Calculate risk scores.

• Rank auditable units.

• Discuss results with management.

• Prepare the Annual Plan.

Risk Ranking Example

Where does info come from?

Management/staff surveys

Management/staff interviews

Previous audit reports/External audits

Brainstorming ideas

Organizational charts

Strategic plans

Focus groups

Performance Measures

Discussions with Senior Management/Agency Head

Benefits of Risk Assessment

Makes the best use of limited resources.

Maximizes internal audit’s ability to impact the agency.

Monitor the control environment to deter fraud, waste and abuse.

Adds value to the agency.

Builds relationships.

Build Relationships

• What is Internal Audit?

Build Relationships

What do Internal Auditors Do?

Identify risks and ensure they are effectively managed.

Find better ways and best practices.

Partner with management to find solutions.

Ensure a control framework is in place and operating properly.

Keep management informed.

Annual Plan

“The internal audit plan is intended to ensure that internal audit coverage adequately examines areas with the greatest exposure to the key risks that could affect the organization’s ability to achieve its objectives.” -The Institute of Internal Auditors

Steps to complete Annual Plan:

Evaluate audit resources available.

Review risk assessment results with management.

Select high-risk audits identified during risk assessment.

Prepare the annual plan.

Annual Plan

20.055 (6)(i), Florida Statutes, requires:

Submitted and Approved by agency head.

Submitted to Chief Inspector General (for state agencies under the jurisdiction of the Governor).

Submitted to the Auditor General.

“The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.” –IIA, IG2010

What is Internal Audit?

Questions?

Susan Cureton, CFE, CIA, CIG
