IIA Lunch and Learn_Risk Assessment_2.4.13
Transcript of IIA Lunch and Learn_Risk Assessment_2.4.13
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
1/40
The Institute of Internal AuditorsPittsburgh Chapter
Perspectives on Risk AssessmentFebruary 2013
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
2/40
Presenter
Name Level Contact Information Experience
Brian is a Pittsburgh based Senior Manager within the FinancialServices Office of Ernst & Youngs Advisory practice. He hasover fifteen years of management experience and nine years ofexperience in the financial services industry serving a variety of
BrianPortman
SeniorManager
+1-412-644-0495
, ,risk management. Brian leads several internal audit co-sourceand outsourcing arrangements, including all aspects of theinternal audit framework - risk assessment, audit planning, auditexecution, reporting, issue tracking and Audit Committeereporting. Prior to joining Ernst & Young, Brian worked as aBank Examiner with the OCC conductin safet and
soundness, compliance and specialty examinations.
Page 1
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
3/40
Agenda
Introduction Great expectations
Key risk assessment concepts Top down risk assessment
Engagement-level risk considerations Continuous monitoring risk considerations Risk assessment process Key takeaways Appendix: Sample matrices
Page 2
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
4/40
Great expectations
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
5/40
Great expectations
Institute of Internal Auditors 2010 Planning
The chief audit executive must establish a risk-based plan to determine the priorities of theinternal audit activity, consistent with the organizations goals
n erpre a on
The chief audit executive is responsible for developing a risk-based plan. The chief auditexecutive takes into account the organizations risk management framework, including usingrisk appetite levels set by management for the different activities or parts of theor anization. If a framework does not exist the chief audit executive uses his/her own
judgment of risks after consideration of input from senior management and the board. Thechief audit executive must review and adjust the plan, as necessary, in response to changes inthe organizations business, risks, operations, programs, systems, and controls.
. documented risk assessment , undertaken at least annually. The input of seniormanagement and the board must be considered in this process.
2210 En a ement Ob ectives
Objectives must be established for each engagement.
2210.A1 Internal auditors must conduct a preliminary assessment of the risksrelevant to the activity under review . Engagement objectives must reflect the results
Page 4
.
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
6/40
Great expectationsFederal Reserve Board
Internal Audit Risk Assessment Assessments typically analyze the risks inherent in a given business line or process,
,
institution Assessment should be well documented and dynamic, reflecting changes to the
system of internal controls, infrastructure, work processes and new/changedbusiness lines or laws and regulations.
Risk assessments should consider thematic control issues, risk tolerance, andgovernance within the institution
Assessments may be qualitative and quantitative and include factors such asimpact/likelihood of an event occurring.
Should be formally documented and supported with written analysis of the risks.
Should include specific rationale for the overall auditable entity score A high-level summary of risk assessment results should be provided to the audit
committee and include the most significant risks facing the institution, as well as
Page 5
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
7/40
Great expectationsPerspectives
Risk assessment is a process by which an auditor identifies andevaluates the quantity of the organizations risks and the quality of its
con ro s over ose r s sOCC
e ex s ence o r s s no e pr mary reason o concern , ra er au orsmust determine if the risks are warranted. Generally, risks are warranted if
they are understandable, controllable, and within the institutions capacity towithstand adverse performance
FFIEC
communicating and documenting judgments about the quantity of risk,
quality of risk management, and aggregate levels of risk.FFIEC
Page 6
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
8/40
Great expectationsFundamentals
All risk-based audit programs should: Identify all of an institutions businesses, product lines, services, and functions
Identify the activities and compliance issues within those businesses, product lines,
services, and functions that should be audited Include profiles of significant business units, departments, and products that identify
internal control systems.
Use a measurement or scoring system to rank and evaluate business and controlrisks of significant business units, departments, and products
Include board or audit committee approval of risk assessments or the aggregateresult thereof and annual risk-based audit plans
Implement the audit plan through planning, execution, reporting, and follow-up
Have systems that monitor risk assessments regularly and update them at leastannually for all significant business units, departments, and products
Page 7
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
9/40
Key Risk Assessment Concepts
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
10/40
Key risk assessment conceptsRisk hierarchy
Risk CategoryFacilitate the identification, measurement and reporting of riskwithin the business. They are used to help develop a profile ofrisk within business units of the company. They are the highestclassification of risk within the risk universe.
Example: Reputation Risk, Strategic Risk Operational Risk
The potential that events may have an adverse affect on theearnin s. Risks are com onents within the risk universe where
Riskevents may occur. Risks are categorized for ease ofmeasurement and reporting. Examples :
Governance: management oversight, policy/proceduresCompliance: legal/regulatory, fraud Operational Risk: systems, MIS, people
An event or activity that could lead to the realization of a risk .
Risk Causes overnance: e r s ar s ng rom e comm ee s ruc ure nobeing aligned or commensurate with the companysorganizational structure and risk profile
Operational, people: The risk arising from inadequate staffing
Page 9
, ,execution of the strategic plan or day-to-day operations.
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
11/40
Key risk assessment conceptsRisk analysis
1. Risk identification (what is the risk) a description of the risk presented Example: Risk of non-compliance with regulations
2. Risk rationale (why does the risk exist): - what event(s) cause the risk to occur Example: Risk of non-compliance with regulations due to reports of financial information
required by regulatory agencies or tax authorities being incomplete, inaccurate, or untimely .
. mpac so w a e ex en o w c , rea ze , e r s wou a ec eCompany; may be expressed in qualitative or quantitative terms Considerations: financial effect, reputation impacts, ability to achieve key goals and objectives Example: Risk of non-compliance due to reports of financial information required by
regu a ory agenc es or ax au or es e ng ncomp e e, naccura e, or un me y, expos ng t ecompany to fines, penalties and sanctions.
4. Likelihood (how often) probability of the risk occurring over a defined time frame
Example: Risk of non-compliance due to reports of operating and financial informationrequired by regulatory agencies or tax authorities being incomplete, inaccurate, or untimely,exposing the company to fines, penalties and sanctions. The likelihood of occurrence over thecourse of the quarter is considered to be high based on the volume of global reporting
Page 10
requirements
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
12/40
Key risk assessment conceptsUniversal considerations
Should include both quantitative and qualitative considerations
Metrics alone are not analysis auditors need to understand the drivers and impact. . , , ,
Need both top-down and bottoms-up assessment aspects Analysis may vary based on the level of assessment being performed e.g. Line of
. .
Auditors should have a consistent frame of reference for risk measurement orscoring to rank and evaluate risks e.g., what differentiates high vs. moderate vs. low
- ,objectives, growth strategies, new products, environmental and regulatory changes,etc.
Expanding risk assessments and documentation to include IT applications and
associated IT risks Ensuring that clear linkage exist between the auditable unit risk assessments, audit
scope and objectives, and testing work
Page 11
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
13/40
Key risk assessment conceptsRisk assessment framework
Risk Analysis OutputRisk Assessment Activity
Top RiskAssessmentTop RiskMemo
AU RiskAssessment
AU RiskAssessment
AU RiskAssessment
AU RiskAssessment
AU RiskWorksheet
Engagement LevelAssessment
Engagement LevelAssessment
Engagement LevelAssessment
Engagement LevelAssessment
PlanningMemo
Business MonitoringBM
Database
Documented risk anal sis occurs within ever sta e of the risk assessment
Page 12
framework
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
14/40
Top Down Risk Assessment
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
15/40
Top down risk assessment
Ke considerations Considers both internal and external risks
Should include quantitative and qualitative considerations
Helps gain an understanding of overall Enterprise-Level Risks
Uncover issues that directly impact stakeholder value, with clear and explicit linkageto strategic issues of company
Serve as a mechanism to understand the risk implications of the companys strategy
Ensure the most critical risks facing the company (that may not have been identified
by the bottom-up risk assessment) are identified and incorporated into the audit
May result in the performance of targeted audits, horizontal audits and specialprojects
,should be formed in collaboration with management
Page 14
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
16/40
Top down risk assessment
OverviewPurpose: Internal Audit performs activities to identify macro-level environmental,
industry, and enterprise-wide areas of current or potentially emerging interestto stakeholders and develops appropriate audit strategies to address suchareas.
Primary Objective : Development of the annual audit planFrequency: At least annually
Ke Com onents:
Overall Conclusion Key Focus Areas for the Current Year Line of Business Overview Common Risk Factor Analysis Business Change Process Regulatory Changes Other Lines of Defense assessment results
Legal Entity considerations Outstanding issues IT environment
Page 15
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
17/40
Top down risk assessment
Business environment impact
Economic Changes inRisk Management
Regulatoryenvironment
Changes to IAremit/a roach
Fundamentalbusiness
model change
Technology and Changes in
Rapid changein risk profile
o er c ange s appe e
Significant change to
... will result in significant change to universe and
universe and Internal Audit priorities
Page 16
n erna au pr or es
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
18/40
Top down risk assessment
Defining the risks that matter
Planning and resource allocation
Key considerations Are we focused on the risks that
matter?
Key Risks To Business Objectives
a or n a ves Mergers, acquisitions and divestures Market dynamics Communication and investor relations
Sales and marketing
Is the scope of our assessmentcomprehensive?
Do we leverage industry specific
Strategic
a ue c a n People Information technology Hazards Physical assets
r s mo e s Do we gain insights on the risks of
our key business partners andcustomers?
Operations
Liquidity and credit Accounting and reporting Tax Capital structure
Is our assessment approachconsistent?
Do we evaluate risk on a common
Financial
Governance Code of conduct Legal Regulatory
Do we recognize the impact tovalue drivers?
Does our process cover emerging
Compliance
Page 17
risks?
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
19/40
Top down risk assessment
Analysis considerationsAre we taking theright risks?
Are we taking theright amount of risk?
Are we adequatelymanaging our risks?
related to our strategies and
objectives? Do we know the significant
risks we are taking?
is consistent with our overall
level of risk? Does our organizational
culture promote or
process aligned with our
strategic decision-makingprocess and existingperformance measures?
Do the risks we take give usa competitive advantage?
How are the risks we take
discourage the right level ofrisk taking activities?
Do we have a well definedorganizational risk appetite?
Is our risk managementprocess coordinated andconsistent across the entireenterprise? Does everyoneuse the same definition of
re a e o ac v es acreate value?
Do we recognize thatbusiness is about taking
Has our risk appetite beenquantified?
Is our actual risk level
Do we have gaps and/oroverlaps in our riskcoverage?
conscious choicesconcerning these risks?
appetite?
Page 18
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
20/40
Bottoms Up Risk Assessment
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
21/40
Bottoms up risk assessment
OverviewPurpose: Internal Audit is responsible for the assessment of risks associated with Auditable
Units resulting in the assignment of risk ratings to each Auditable Unit for thepurpose of applying the frequency scheduling guidelines.
r mary ec ve: e erm ne requency o au coverage
Frequency: Annual and ongoingKey Components: Common Risk Definitions e.g. finance, compliance, operational, strategic Assignment of Inherent Risk, Control Factors and Residual Risk (see Appendix) Risk Trend e.g. constant, increasing or decreasing Comments/Reasons e.g. support for ratings assignments Governance risk mana ement and oversi ht
Key Considerations: Impact and likelihood of occurrence Process change factors
Page 20
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
22/40
Bottoms up risk assessment
Anal sis considerations What are the key business risks within the area?
For each of those risks, what are the contributing factors and managementconcerns, issues, or gaps in management coverage?
How do risks identified relate to governance, risk management and oversight?
How does management evaluate the effectiveness of the process and relatedcontrols in managing the risks?
Are there opportunities for improvement of processes and/or controls in managing
the risk?
Page 21
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
23/40
Engagement Level Risk Assessment
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
24/40
Engagement level risk assessment
OverviewPurpose: Audit Teams are responsible for the assessment of risks at the engagement level to
identify and assess the appropriate design of controls and test for operatingeffectiveness.
r mary ec ve: e erm ne e scope o coverage or an n v ua au
Frequency: Each engagementKey Components: Gain an understanding of associated business processes Confirm risks with business owners Document risks within the audit planning memo Governance, risk management, and oversight
How do these risks relate to auditable unit and/or LOB risks identified Risks in the context of what could go wrong Have I identified the key risks to the associated business process
Page 23
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
25/40
Engagement level risk assessment
Anal sis considerations What are the key risks related to each business process?
For each of those risks, what are the contributing factors and management concerns,ssues, or gaps n managemen coverage
How do risks identified relate to auditable unit or top risks? How does management evaluate the effectiveness of the process and related controls in
manag ng e r s s
Are there opportunities for improvement of processes and/or controls in managing therisk?
Page 24
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
26/40
Continuous Monitoring Risk Assessment
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
27/40
Continuous monitoring risk assessment
OverviewPurpose: Audit Teams are responsible to perform certain activities designed to contribute
to the identification of potential changes impacting the risk profile of the bank.
, ,
Frequency: Quarterly
Responsibility: Audit Teams
Key Components:
Management call program Analysis of quantitative and qualitative risk information
Industry / economic considerations
Key Considerations:
Activity is performed at the LOB level
Need to consider any changes to existing risk profile
Page 26
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
28/40
Continuous monitoring risk assessment
Anal sis considerations Has the existing risk profile changed?
Have any new risks been identified?
Have there been any significant changes to people, processes, or systems?
Are activity/risk trends consistent with expectations?
Page 27
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
29/40
Risk Assessment Process
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
30/40
The macro Internal Audit planning processhas been largely unchanged for many years
AuditUniverse Risk Assessment Prioritization Selectionand Sizing Audit Plan Approval
Parameters
Parameters Audits
... with refinements to meet specific needs
Page 29
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
31/40
The current environment demands a more dynamicprocess
Completenesschecks
Strategy
Criticallannin Audit Needs Challenge
AuditStakeholder key
expectations/Inputs desired outcomes
Risk Appetite/Risk tolerances
2 nd Line ofDefence
planning implications Strong stakeholder engagement Change control over the audit plan
Page 30
Completely integrated into execution
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
32/40
Risk assessment results
Results should be reviewed and challenged e.g. peer review
Results should drive frequency and intensity of audit coverage
Assurance can be provided through multiple delivery channels e.g. end-to-end process
reviews, targeted procedures, horizontals, continuous monitoring, Sox testing More organizations moving towards a 3+9 or 6+6 audit plan
Risk Rating Frequency Guideline Intensity
High 12 months 400 hours Full scope/ targeted
Moderate 24 months 300 hours Full scope / targeted
Low 36 months 200 hours Targeted / continuous monitoringVery Low 48 months 100 hours Targeted / continuous monitoring
Page 31
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
33/40
3 + 9 Audit Plan
Example Current Annual Audit Plan
3 + 9 Quarterly Audit Plan
Special Projects
Remaining Audit UniverseCurrent Quarter
u s o e execu e aseon results of audit needs
assessment
Remaining Audit Needs that may ormay not get coverage in the next 9
months
Page 32 32
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
34/40
Key Takeaways
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
35/40
Key takeaways
Risk assessment is NOT an annual, one-time event
Risk assessment considerations will differ based on the level of assessment e.g. top,au a e un , engagemen , an con nuous mon or ng
Risk assessment is more than simple risk identification must include robust analysis Requires continuous engagement with relevant stakeholders
Full written explanation of the Audit Plan and the thought process applied
Risk assessment must be integrated into audit execution
Common risk definitions su ort risk conver ence with other lines of defense
Audits risk assessment must be independent of business or enterprise risk assessments
Page 34
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
36/40
Appendices
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
37/40
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
38/40
Appendix B Likelihood and Control Scales
Likelihood 1Rare2
Infrequent3
Occasional4
Frequent5
Imminent
FrequencyIn more than / every
5 yearsWithin the next / every
3 to 5 yearsWithin the next / every
1 to 3 yearsWithin the next / every
1 year Within the next / every
Quarter
Control Rating Strong Reasonably Strong Adequate Marginally Adequate Weak or Nonexistent
The control processesand management's
mitigating activities arestrong and allow for the
The control processesand management's
mitigating activities aremore than adequate
The control processesand management'smitigating activitiesallow for effective
The control processesand management'smitigating activitiesallow for marginal
The control processesand management's
mitigating activities donot allow for the
Description
effective managementof the risk, thereby
significantly reducingthe frequency and/or
impact of the riskevent. It does not
and allow for themanagement of the
risk, thereby reducingthe frequency and/or
impact of the riskevent; however, there
management of therisk, thereby partially
reducing the frequencyand/or impact of therisk event occurring.
There are opportunities
management of therisk; there is minimal
reduction in thefrequency and/or
severity of the riskevent. Major gaps and
effective managementof the risk, there is no
reduction in thefrequency and/or
severity of the riskevent.
mean a ere s noexposure to risk or that
the risk has beenreduced to zero.
ncremen aopportunities for
improvement andtherefore the control
cannot be consideredstrong.
or mprovemen an oradding additional
compensating controlsto help mitigate the
residual risk.
e c enc es ave eenidentified.
(Note: This likelihood and control effectiveness scales are representative samples utilized to perform the internal audit risk assessment.The quantity of levels and definitions of each level may be modified to derive a more suitable scale based upon the maturity of the
Page 37
.
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
39/40
Appendix C - Inherent Risk Sample Matrix
Inherent Risk Rating
5Low Moderate Hi h Critical Critical
mm nent
4Frequent
Low Moderate High High Critical
L i k e
l i h o o
d 3Occasional
Very Low Low Moderate High High
2 Very Low Very Low Low Moderate Moderate
1Rare
Very Low Very Low Low Low Moderate
1 2 3 4 5Minor Moderate Significant Severe
Catastrophic
Impact
Note: This inherent risk scale is a re resentative sam le utilized to erform the internal audit risk
Page 38
assessment. This is a function of the impact and likelihood scales defined within Appendices A and B).
-
8/10/2019 IIA Lunch and Learn_Risk Assessment_2.4.13
40/40
Appendix D - Residual Risk Sample Matrix
Residual Risk Rating
5Weak or Non Very Low Low Moderate High Critical
s s
4MarginallyAdequate
Very Low Low Moderate High Critical
n t r
o l E f f e c t i v e n e
3Adequate
Very Low Very Low Low Moderate High
2 C Reasona y
StrongVery Low Very Low Low Mo erate Mo erate
1Strong
Very Low Very Low Low Low Moderate
1Very Low
2Low
3Moderate
4High
5Critical
Inherent Risk
Page 39
(Note: This residual risk scale is a representative sample utilized to perform the internal audit risk assessment.This is a function of the control effectiveness and inherent scales defined within Appendices B and C).