UNF Finance and Audit Committee January 15, 2013


Item 7
UNF Finance and Audit Committee, January 15, 2013

Issue: Office of Internal Auditing Audit Planning Methodology
Proposed Action: Report
Background Information: The purpose of this item is to present Board members with an overview of the purpose of the Office of Internal Auditing. Mr. Robert Berry, director, Office of Internal Auditing, will address the committee and present the overview.
Supporting Documentation: Report on Audit Planning Methodology

UNIVERSITY OF NORTH FLORIDA
Office of Internal Auditing
Audit Planning Methodology
Finance & Audit Committee, January 2013

Table of Contents

Executive Summary ... 2
Enterprise Risk Management ... 4
  Basic Concepts ... 4
  Risk Management Maturity ... 5
  Measuring Risks ... 5
Audit Planning Methodology ... 6
  I. Assess Risk Management Maturity ... 6
  II. Build Risk & Audit Universe ... 6
    Risk/Item Identification ... 6
    Risk and Audit Universe Assessment ... 7
  III. Potential Project Identification ... 9
  IV. Resource Allocation ... 9
Appendix ... 10
  Risk and Audit Universe Listing ... 10

Internal Audit Planning Methodology Page 1 of 14

Executive Summary

Internal Auditing is an independent organizational function charged with providing stakeholders with reasonable assurance that risks are appropriately identified, treated, managed and controlled. Planning is an important internal auditing practice. The goal of audit planning is to allocate effort effectively based on enterprise risks and the resources available (e.g. head count, knowledge, experience). The nature and extent of audit planning depend largely on the organization's risk management practices. There are at least three different audit planning approaches, each with its benefits and detriments. Regardless of the approach, each should involve:

- Assessing the organization's Risk Management Maturity
- Developing, or consulting, a management-developed Risk Universe
- Identifying potential projects
- Allocating resources to projects

Three Approaches to Audit Planning

There are three approaches to audit planning.

1. Traditional Approach: Audit planning is based on departments and processes. Audit testing surrounds controls.
2. Risk Based Approach: Audit planning is based on management-identified and management-rated risks. Audit testing is risk focused.
3. Hybrid Approach: Audit planning is based on departments, processes and risks. Audit testing can be control and/or risk focused.

The Ideal Approach

The Risk Based Approach is the ideal method for audit planning. However, it is contingent upon the risk management maturity level of the organization. Specifically, there must be, at a minimum, a:

- Clearly defined risk appetite
- Comprehensive, management-driven risk register
- Formal risk reporting
- Formal risk responses
- Culture of global risk awareness and understanding

The Hybrid Approach is an acceptable method when the organization's risk management practices do not contain the elements listed above.

Our Approach

Based on the organization's ERM maturity level, the University of North Florida's Office of Internal Auditing uses a Hybrid Audit Planning Approach. In this approach, process owners assist in identifying items based on functions, departments and/or risks. We then use a standard methodology to rate items. Next, we filter the risk list, placing less focus on items already audited, items covered by another assurance provider, or items not meeting the risk appetite. Finally, we determine resource availability and allocate time to projects.

The Results

The audit universe contains over 175 items that are prioritized and considered for audit engagements.


Enterprise Risk Management

Enterprise risk management (ERM) is the formal, systematic identification, assessment, and prioritization of risks.

Basic Concepts

There are six fundamental ERM activities: (1) determining the risk appetite, (2) setting objectives that reflect the appetite, (3) identifying risks, (4) assessing risks, (5) developing or implementing plans to respond to risks, gathering information and communicating it to people in time for them to fulfill their risk management responsibilities, and (8) continuously monitoring the program and making adjustments as needed.

Figure 1 - Risk Management Concept

Risk Management Fundamentals

Risk Definitions

Risk Appetite: The amount of risk management is willing to accept.

Risk Assessment: Risk assessment refers to the processes undertaken to identify, assess and evaluate risks.

Risk Response: There are four responses to risks:

1. Tolerate: Risks may be tolerated when they are within the risk appetite, when there is an inability to address them, or when the cost of responding is disproportionate to the potential benefit gained.
2. Transfer: Some risks can be transferred via insurance or third-party providers.
3. Terminate: Occasionally, risks can only be managed to acceptable levels by terminating the activity itself.
4. Treat: Treatments are actions taken (or internal controls implemented) to constrain risks to an acceptable level.

Risk Management Deliverables

Risk Register: The risk register is a record of risks, risk assessments, risk treatment strategies and responsible parties.

Risk Management Maturity

Risk maturity refers to the extent to which an organization has implemented an Enterprise Risk Management (ERM) methodology. The audit planning approach depends on the organization's level of ERM maturity.

Maturity Level and Description:

- Risk Naïve: No awareness of risk.
- Risk Aware: Aware of many risks; no defined and articulated risk appetite; few documented policies; semi-formal processes to identify, manage and monitor risks.
- Risk Defined: Defined policies and risk appetite; partial risk register; siloed approach to ERM.
- Risk Managed: Defined policies and appetite; risk register; enterprise risk awareness.
- Risk Enabled: Defined policies; risk register; enterprise risk awareness; structured reporting and monitoring.

Measuring Risks

All risks have two attributes:

- Likelihood of risk occurrence
- Risk impact/consequence

Measuring risks with these two attributes allows the calculation of a risk score. This, in turn, provides a basis to compare identified risks.

The measurement of likelihood is typically based on the following 5-point scale:

1 Remote
2 Unlikely
3 Possible
4 Likely
5 Very Probable

Impact/consequence is typically based on the following 5-point scale:

1 Insignificant
2 Minor
3 Moderate
4 High
5 Critical

Figure 2 is an example of a risk heat map.

Figure 2 - Sample Risk Heat Map (vertical axis: Likelihood, from Remote (1) to Very Probable (5); horizontal axis: Potential Impact, from Insignificant (1) to Critical (5); plotted items are identified by code in the original figure)

Audit Planning Methodology

The Office of Internal Auditing (OIA) planning methodology depends largely on the organization's Enterprise Risk Management (ERM) maturity. There are essentially three planning approaches:

1. Traditional Approach: Audit planning is based on departments and processes. Audit testing is based on controls. The audit function drives the risk assessment.
2. Risk Based Approach: Audit planning is based on management-identified and management-rated risks. Audit testing is based on risks. Management drives the risk assessment.
3. Hybrid Approach: Audit planning is based on departments, processes and risks. Audit testing can be control and/or risk focused.

The next sections describe the planning process, which involves (1) assessing the risk management maturity, (2) determining the risk and audit universe, (3) identifying potential projects, and (4) allocating resources.

I. Assess Risk Management Maturity

As mentioned previously, the organization's ERM maturity directly affects the nature, extent and timing of internal audit planning. Therefore, the first step in audit planning is to determine the ERM maturity level. The University of North Florida is categorized as Risk Aware. As a result, the OIA must take a more active role in formal risk identification and assessment. Also, the items included in the risk register are risks, processes, functions and departments. A more granular, all-risks approach is used in organizations at a higher ERM maturity level.

II. Build Risk & Audit Universe

Risk/Item Identification

In its role of facilitating risk identification, the OIA conducts stakeholder interviews, consults various industry publications, and actively participates in professional organizations. This results in a list of risks, functions, processes and/or departments that is unfiltered, unrated and uncategorized. The next step is to rate the items using a standard methodology.
Figure 3 - Risk Maturity Levels

ERM Maturity Level          Risk Naïve    Risk Aware           Risk Defined   Risk Managed   Risk Enabled
Formal ERM methodology      No            No                   Yes            Yes            Yes
Defined risk appetite       No            Semi-formal          Formal         Formal         Formal
Risk register               No            No                   Siloed         Yes            Yes
ERM embedded in operations  No            No                   Semi           Yes            Yes
Audit planning approach     Traditional   Traditional/Hybrid   Hybrid         Risk Based     Risk Based

Risk and Audit Universe Assessment

The UNF risk assessment methodology uses qualitative and quantitative factors to determine the likelihood of a risk event as well as its impact. Coordinating among the various risk stakeholders can be daunting. As a result, the Office of Internal Auditing developed a survey tool that collects information and assigns values to the answers provided. The survey contains a total of 24 questions spanning the following 7 areas (or risk factors):

- Financial Exposure
- Stakeholder Exposure
- Compliance Exposure
- Public & Political Sensitivity
- Control Environment
- Complexity of Operations
- Change & Growth

All seven have sub-factors that allow for greater granularity. For example, Financial Exposure is further divided to measure:

- Revenue
- Expenses
- Assets
- Liabilities

Survey questions address these subcomponents and result in an overall score for each. These scores are useful individually, but more importantly they are combined to calculate the likelihood, impact and total risk score. The next page provides an example for the Income component.

Figure 4 - Financial Risk Determination (Income)

A series of five questions assists in determining the Income risk score. The figure displays sample questions. For example, anything less than $10,000 receives a score of 1 and is calculated as low risk. As the dollar amount increases, the risk score increases. This exercise continues for expenses, assets and liabilities. As a result, financial risk is quantified not only in total, but also in the individual components that comprise financial risk. Figure 5 is an example of how the rating of financial risks comes together.

Figure 5 - Financial Risk Exposure Summary

III. Potential Project Identification

After the maturity assessment and the building of the risk and audit universe, the next step is to identify potential audit projects by filtering the universe. Filtering involves:

- Identifying items below the established risk appetite
- Collaborating with other assurance providers to eliminate potential duplication
- Determining prior audit coverage
- Developing a modified risk assurance map

Refer to Figure 6 below for a sample. As an example, the first item is rated High risk and was reviewed in 2010. As a result, it was not scheduled for potential review in the 2012 or 2013 fiscal years. It is important to note that at this stage, project identification is not contingent upon resources.

Figure 6 - Modified Risk Assurance/Coverage Map

IV. Resource Allocation

Allocating resources to potential projects is the last, but probably most critical, step in audit planning. It involves the following decision process:

- Determine available hours
- Evaluate staff proficiency in the identified areas
- Where feasible, obtain knowledge in areas where there may be proficiency deficiencies, or outsource engagements to third-party providers with specialized expertise
- Build the audit plan based on potential risks and available resources
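The scoring in Measuring Risks and the filtering and allocation in steps III and IV, worked through in code. This is an added illustration, not the OIA's survey tool or any UNF code. The document states that a risk score is calculated from likelihood and impact but does not give the formula; the product of the two 5-point ratings is assumed here, as is the heat-map banding, the coverage window (chosen so that an item reviewed in 2010 is excluded from the FY2013 plan, as in the Figure 6 example), and every item in the sample universe, which is constructed.

```python
"""Risk-universe scoring, filtering and hour allocation (added example)."""
from dataclasses import dataclass
from typing import Optional

# 5-point scales from the document.
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very Probable"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "High", 5: "Critical"}


@dataclass
class UniverseItem:
    name: str
    kind: str                          # "risk", "process", "function" or "department"
    likelihood: int                    # 1..5
    impact: int                        # 1..5
    estimated_hours: int               # audit effort (constructed)
    last_audited: Optional[int] = None  # fiscal year of the last OIA review, if any
    other_assurance: bool = False       # already covered by another assurance provider


def risk_score(item: UniverseItem) -> int:
    """Likelihood x impact (1..25). ASSUMPTION: the document does not state the formula."""
    for v in (item.likelihood, item.impact):
        if v not in LIKELIHOOD:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
    return item.likelihood * item.impact


def heat_band(score: int) -> str:
    """Map a score to a heat-map band. ASSUMPTION: thresholds are constructed."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def filter_universe(items, appetite, plan_year, coverage_window):
    """Step III: drop items below appetite, covered elsewhere, or recently audited.
    Returns (candidates sorted by descending score, {name: exclusion reason})."""
    candidates, excluded = [], {}
    for it in items:
        score = risk_score(it)
        if score < appetite:
            excluded[it.name] = "below risk appetite"
        elif it.other_assurance:
            excluded[it.name] = "covered by another assurance provider"
        elif it.last_audited is not None and plan_year - it.last_audited < coverage_window:
            excluded[it.name] = f"audited in FY{it.last_audited}"
        else:
            candidates.append(it)
    candidates.sort(key=lambda i: (-risk_score(i), i.name))
    return candidates, excluded


def allocate_hours(candidates, available_hours):
    """Step IV: schedule the highest-scored candidates that fit the available hours.
    Returns (scheduled names, deferred names)."""
    scheduled, deferred, remaining = [], [], available_hours
    for it in candidates:
        if it.estimated_hours <= remaining:
            scheduled.append(it.name)
            remaining -= it.estimated_hours
        else:
            deferred.append(it.name)
    return scheduled, deferred


def sample_universe():
    """Constructed sample items; names and ratings are not from the document."""
    return [
        UniverseItem("Cash handling", "process", 5, 4, 250, last_audited=2010),
        UniverseItem("Research grants compliance", "risk", 4, 5, 300),
        UniverseItem("Student records privacy", "risk", 3, 5, 250),
        UniverseItem("Vendor payments", "process", 2, 3, 150),
        UniverseItem("Financial statements", "function", 3, 4, 200, other_assurance=True),
        UniverseItem("Facilities maintenance", "department", 3, 3, 200),
    ]


def plan_fy2013():
    """Run steps III and IV over the sample universe for fiscal year 2013."""
    candidates, excluded = filter_universe(
        sample_universe(), appetite=8, plan_year=2013, coverage_window=4)
    scheduled, deferred = allocate_hours(candidates, available_hours=600)
    return {"candidates": candidates, "excluded": excluded,
            "scheduled": scheduled, "deferred": deferred}


if __name__ == "__main__":
    plan = plan_fy2013()
    for it in plan["candidates"]:
        print(f"{it.name:28} score={risk_score(it):2} band={heat_band(risk_score(it))}")
    print("excluded:", plan["excluded"])
    print("scheduled:", plan["scheduled"], "deferred:", plan["deferred"])
```

Note that the filters are applied in the document's order and each item records only the first reason it was dropped, so the exclusion map can be reviewed alongside the coverage map to confirm that nothing fell out of the plan for an unintended reason.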

Appendix

Risk and Audit Universe Listing
