11/18/2018
TALLAHASSEE CHAPTER
RISK ASSESSMENT
What is Internal Audit’s Role?
Emphasize the Basics, Elevate the Standards
November 27-28, 2018
Susan Cureton, CFE, CIA, CIG
Deputy Inspector General
Florida Division of Emergency Management
Learning Objectives
Define Risk
Importance of a Risk Assessment
Benefits of a Risk Assessment
Key Steps in Performing a Risk Assessment
Communicating Results to Management
Preparing Annual Plan
What is Risk?
What is risk?
The possibility of an event occurring that will have an impact on the
achievement of objectives. -The Institute of Internal Auditors
How do we manage risk?
Control processes are the policies, procedures, and activities that
are part of a control framework; designed to ensure that risks are
contained within the risk tolerances established by the risk
management process.
What is a Risk Assessment?
• Identification and analysis of relevant
risks that threaten the achievement
of an organization’s objectives.
• Risk is measured in terms of impact
and likelihood.
• Determining how those risks should
be managed.
Why Conduct a Risk Assessment?
Required by Florida Statutes:
• 20.055 (5)(i), Florida Statutes: The inspector general shall
develop long-term and annual audit plans based on the
findings of periodic risk assessments.
• The plan shall show the individual audits to be conducted
during each year and related resources to be devoted to the
respective audits.
Why Conduct a Risk Assessment?
Required by Internal Audit Standards:
• IIA Performance Standard 2010:
The chief audit executive must establish
a risk-based plan to determine the
priorities of the internal audit activity,
consistent with the organization’s goals.
• The internal audit activity’s plan of engagements must be based on
a documented risk assessment, undertaken at least annually. The
input of senior management…must be considered in this process.
Why Conduct a Risk Assessment?
“If you want auditing that matters, audit what
matters.” –Norman Marks
Maximizes internal audit resources - makes the best
use of limited resources.
Maximizes internal audit’s ability to impact the
agency.
Assists management buy-in regarding audit topics.
Add value.
Question?
• How many of you have been involved in
conducting a formal risk assessment?
Risk Example
Key Steps in Performing a Risk
Assessment
Identify the Audit Universe (auditable units).
Measure risk of auditable units.
Rank major activities according to risk scores.
Identify high-risk areas.
Determine available resources.
Prepare Annual Plan.
Audit Universe
The audit universe is all the possible audits that
could be performed.
WE DO AUDIT
• Operations
• Compliance
• Divisions
• Programs
• Information Technology Systems
• Agency-wide Processes
WE DO NOT AUDIT
• Specific individuals
Audit Universe
How do you identify the audit universe?
• Organizational charts
• Management surveys/interviews
• Previous audit reports/External audits
• Strategic plans
• Focus groups
• Performance Measures
• Discussions with Senior Management/Agency Head
Audit Universe Example
Measuring Risk
Develop risk factors:
• Complexity of operations or activities
• Recently audited
• Personal hazard
• Instability of operations
• Staff size
• Asset liquidity
• Closely aligned with agency mission
• Management concern/requests
• Public exposure
Measuring Risk
Define Risk Scoring System:
• Define risk scale (for example, 1-5)
1= risk & 5 = risk
• Define weights for each risk factor
• Assign risk scores
• Score overall risk
• Weigh the likelihood vs. the impact
Likelihood vs. Impact
Measuring Risk Example
Measuring Risk Example
Measuring Risk Example
Identify High-Risk Areas
• Calculate risk scores.
• Rank auditable units.
• Discuss results with management.
• Prepare the Annual Plan.
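An added worked example, not part of the original slides: the scoring, ranking and resource steps above carried through for a constructed audit universe. The factor weights, unit names, scores, audit hours, and the reading of the 1-5 scale as 5 = highest risk are all assumptions made for illustration.

```python
# Added illustration; every name, weight, score and hour figure is constructed.
# Risk factors come from the "Develop risk factors" list; the weights are assumed.
WEIGHTS = {
    "complexity": 0.25,
    "recently_audited": 0.15,   # assumed: higher score = longer since last audit
    "asset_liquidity": 0.20,
    "mission_alignment": 0.15,
    "management_concern": 0.15,
    "public_exposure": 0.10,
}
SCALE_MIN, SCALE_MAX = 1, 5     # assumed direction: 5 = highest risk

# Constructed audit universe: factor scores in WEIGHTS order, plus estimated hours.
UNITS = {
    "Grants Management":  ((5, 4, 5, 5, 4, 4), 600),
    "IT Systems":         ((4, 5, 2, 4, 3, 3), 500),
    "Purchasing":         ((3, 2, 4, 3, 3, 3), 400),
    "Records Management": ((2, 3, 1, 2, 1, 2), 300),
}

def weighted_score(scores, weights=WEIGHTS):
    """Overall risk for one auditable unit: sum of weight * factor score."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1")
    if len(scores) != len(weights):
        raise ValueError("one score is required per risk factor")
    if any(not SCALE_MIN <= s <= SCALE_MAX for s in scores):
        raise ValueError("score outside the defined risk scale")
    return round(sum(w * s for w, s in zip(weights.values(), scores)), 2)

def rank_units(units=UNITS):
    """Rank auditable units from highest to lowest overall risk."""
    scored = [(name, weighted_score(scores)) for name, (scores, _) in units.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

def select_for_plan(available_hours, units=UNITS):
    """Walk the ranking and take each audit that still fits the hours available."""
    plan, remaining = [], available_hours
    for name, _ in rank_units(units):
        hours = units[name][1]
        if hours <= remaining:
            plan.append(name)
            remaining -= hours
    return plan, remaining

if __name__ == "__main__":
    for name, score in rank_units():
        print(f"{score:4.2f}  {name}")
    print(select_for_plan(1200))
```

Audits that rank high but do not fit the remaining hours are the ones to raise when discussing results with management.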
Risk Ranking Example
Where does info come from?
Management/staff surveys
Management/staff interviews
Previous audit reports/External audits
Brainstorming ideas
Organizational charts
Strategic plans
Focus groups
Performance Measures
Discussions with Senior Management/Agency Head
Benefits of Risk Assessment
Makes the best use of limited
resources.
Maximizes internal audit’s ability to impact the agency.
Monitor the control environment to deter fraud, waste and abuse.
Adds value to the agency.
Builds relationships.
Build Relationships
• What is Internal Audit?
Build Relationships
What do Internal Auditors Do?
Identify risks and ensure they are effectively managed.
Find better ways and best practices.
Partner with management to find solutions.
Ensure a control framework is in place and operating properly.
Keep management informed.
Annual Plan
“The internal audit plan is intended to ensure that internal audit
coverage adequately examines areas with the greatest exposure to
the key risks that could affect the organization’s ability to achieve
its objectives.” -The Institute of Internal Auditors
Steps to complete Annual Plan:
Evaluate audit resources available.
Review risk assessment results with management.
Select high-risk audits identified during risk assessment.
Prepare the annual plan.
Annual Plan
20.055 (6)(i), Florida Statutes, requires:
Submitted and Approved by agency head.
Submitted to Chief Inspector General (for state agencies
under the jurisdiction of the Governor).
Submitted to the Auditor General.
“The chief audit executive must review and adjust the plan, as
necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.”
–IIA, IG2010
What is Internal Audit?
Questions?
Susan Cureton, CFE, CIA, CIG