DISCUSSIONS > IIA GENERAL DISCUSSION AREA
Thread Title: Too many risks?
Created On Thursday April 04, 2013 11:46 AM


ammania


Posts: 6
Joined: Apr 2013

Thursday April 04, 2013 11:46 AM


Is it possible that a preliminary risk assessment has too many risks? I am a junior auditor and recently shifted companies. I am trying to get used to the new way of working at the new place... today my supervisor told me that I identified too many potential risks in the preliminary risk assessment of my audit plan memorandum.

I am wondering because the same supervisor told me he doesn't want to include too sensitive cases in our sample, so it seems odd altogether.... any input is very much appreciated!




LivetoLearn


Posts: 49
Joined: Jul 2010

Friday April 12, 2013 12:08 PM


Aren't auditors supposed to identify all risks? Of course, we don't audit for all of them. We use a system to identify key risks in terms of likelihood and impact to focus our audit's scope and do a thorough job without claiming to evaluate for every risk. Is it possible that your supervisor is not seeing you paring down your emphasis?

It seems odd to me that a supervisor would direct which cases to include in the sample. I choose my samples at random, and do not deviate from my selected sample, except to add further testing when I identify a problem area.




ammania


Posts: 6
Joined: Apr 2013

Wednesday April 17, 2013 2:38 AM


Thank you LivetoLearn for your helpful answer. In my previous company we used to make a preliminary risk assessment listing all the potential risks; after that indeed we would rate the risks and, based on the highest ones (in terms of impact and likelihood), develop an audit programme containing all the audit steps and tests addressing these risks.
In my current company it is completely different. There is a standard 'risk assessment' that we use for every unit we audit (we mainly audit suboffices) and predefined audit steps. I guess we are more compliance auditors, but still they persist in calling themselves risk-based performance auditors. I find it highly confusing.

I also do not understand how you can develop standard audit steps/tests for risk-based performance audits. In my view you would have to develop a tailored audit programme based on your unique risk assessment of that particular audit unit. Of course when you audit suboffices some risks come up all the time, but still some risks are context-specific (and probably the most valuable to look into?), and secondly, maybe more importantly, perhaps we should even reconsider our audit universe. Perhaps identifying suboffices as audit units is not the best way to go about it.

Any thoughts very much appreciated. Too confused now.






ammania


Posts: 6
Joined: Apr 2013

Wednesday April 17, 2013 8:09 AM


Thank you very much for your answer LivetoLearn! Indeed I would also think that in the preliminary risk assessment one would identify all the risks (to the extent possible) and then rate them and finally use the highest scoring ones to develop the audit programme.

The thing I also do not understand in this new company is that they are talking about developing standard audit programmes for their performance audits. How can these be risk-based performance audits (as they call them)? Wouldn't that be more like compliance audits? So confusing.
And management is complaining about receiving the same observations over and over again; I think it's no wonder if you do the same audit steps over and over again.




ammania


Posts: 6
Joined: Apr 2013

Thursday April 18, 2013 7:31 AM


Another question; can you have a standard audit programme with standard risks and audit steps for a risk-based performance audit? To be used for all suboffices? Shouldn't there be room for specific risks that are not applicable all across the board?

Sorry for double-posting!




Mark R. Simmons


Posts: 133
Joined: Nov 2003

Wednesday April 24, 2013 9:03 PM


Your questions:
(1) In the preliminary risk assessment, wouldn't one identify all the risks (to the extent possible) and then rate them and finally use the highest scoring ones to develop the audit programme? Shouldn't there be room for specific risks that are not applicable all across the board?

(2) How can one develop standard audit steps/tests for risk-based performance audits to be used for all suboffices? You would have to develop a tailored audit programme based on your unique risk assessment of that particular audit unit.

(3) How can these be risk-based performance audits (as they call them)? Wouldn't that be more like compliance audits?

(4) Perhaps we should even reconsider our audit universe. Perhaps identifying suboffices as audit units is not the best way to go about it.


My Input (I'm a retired Chief Audit Executive with extensive experience in the public and private sectors):

(1) In very broad strokes, risk assessment occurs at three levels: (a) by senior management as part of strategic planning; (b) by the CAE in preparing the annual plan (a strategic assessment of the organization as a whole in order to focus IA department resources most effectively); and (c) by the auditor-in-charge at the start of each audit (a tactical assessment of the operational risks in the business unit under review in order to apply assigned staff resources most effectively). At all three levels, best practices (e.g. COSO's Enterprise Risk Management Framework, or a similar recognized framework) indicate as a first step the identification of the key/critical risks (not all possible risks), followed by a ranking of the key/critical risks. Typically there will be key/critical risks that are common to all business units at the strategic level; and in addition, at the business unit level, there will be key/critical risks unique to the individual business units. Also, at the business unit level, unless the auditor-in-charge is a subject matter expert, it would be foolish to perform the risk identification/assessment process without the input and participation of the responsible business unit manager and key staff. Without knowing the industry in which you work or the organization structure of your company, it's difficult to give a more focused answer.

(2) The Generally Accepted Government Auditing Standards (GAGAS) of the United States Government Accountability Office defines "Performance Audits" as "audits that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria. Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. The term 'program' is used in GAGAS to include government entities, organizations, programs, activities, and functions...Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; [assessments of] internal control; [assessments of] compliance; and prospective analyses. These overall objectives are not mutually exclusive."

The IIA's IPPF does not define "performance audit"; rather, the IPPF defines the practice of internal auditing (and thus internal audits). "The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

The only overlap between the GAGAS and IPPF definitions concerns the objective of assessing internal controls against criteria, by which both GAGAS and the IPPF mean COSO's five integrated components of management control (the control environment, risk assessment, control activities, information & communications, and monitoring activities) that provide reasonable assurance the critical risks associated with effective operations, reliable reporting, and compliance with laws and regulations are mitigated effectively. This is key to answering your second question. All five components will be common to all business units. However, the Control Activities component (i.e., the specific procedures found in each business unit that mitigate the critical risks of that business unit) will be a combination of procedures common to all business units (e.g. processing travel requests) and procedures unique to the objectives and risks of each business unit (e.g. procedures in the marketing department specific to marketing objectives/risks will differ from procedures in the treasury department specific to treasury objectives and risks.). So in terms of a standardized audit program, based on the five COSO components of integrated control it is possible (and desirable for a number of reasons) to develop standardized audit steps, augmented by steps customized to evaluate the Control Activities unique to a given business unit.

(3) As described in #2, under either GAGAS or the IPPF, internal control focused audits can and should be risk based in order to use audit resources effectively, and can focus specifically on management controls over compliance with laws and regulations, or on management controls over effective operations, or on management controls over reliable financial and management reporting. Under GAGAS they would be a type of "performance audit"; under the IPPF they would simply be "internal audits".

Under GAGAS, a "Compliance Audit" is another type of "performance audit" with the objective of making a straightforward assessment of compliance with policies & procedures (i.e. limited to COSO's Control Activities component); or compliance with laws and regulations; or compliance with contractual terms, etc. It may take the system of management control into account, depending on the objective, but typically does not, and results in "exception reporting" rather than the balanced reporting of results that is required of audit reports issued under the IPPF. Compliance audits may or may not be risk focused, depending on the reason for the audit (e.g. required by law or regulation; required by contractual terms; or due to a specific fraud risk). The IPPF does not reflect compliance audits. Rather, the IPPF is strategic in focus: assessment of the system of management controls over compliance objectives/risks; governance of strategic compliance objectives; and management of strategic compliance risks. Testing for compliance would occur during the portion of the internal audit that evaluates the Control Activities component of management control.

(4) There are numerous methods for defining and risk assessing the audit universe. The best method is the one that works best for your organization's senior leadership and board of directors.

Regards,
Mark R. Simmons, CIA CFE (retired)

Edited: Friday April 26, 2013 at 1:17 PM by Mark R. Simmons

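The thread keeps returning to two mechanics: rating identified risks by likelihood and impact so that only the high scorers drive the audit programme, and combining standard steps (risks common to every sub-office) with steps tailored to one unit's own risks. The following is an added Python illustration of that workflow; it is not code from this thread, from the IIA or from any poster. The 1-5 scales, the "likelihood x impact" product, the threshold of 10, the unit names and every risk entry are constructed assumptions, not a prescribed method.

```python
"""Risk register scoring and audit programme assembly (added illustration).

Assumptions (constructed, not from the thread or the IIA): likelihood and
impact are rated 1..5, score = likelihood * impact, and a risk is "key"
when its score reaches a threshold (10 here). A risk either applies to
every sub-office (scope "common") or to one named unit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    scope: str        # "common" = every sub-office, otherwise a unit name
    audit_step: str   # the test or procedure that addresses this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scale so a typo cannot inflate a score."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {label} {value} outside 1..5")


def rank_risks(register, unit):
    """All risks relevant to `unit` (common plus its own), highest score first."""
    relevant = [r for r in register if r.scope in ("common", unit)]
    for r in relevant:
        validate(r)
    return sorted(relevant, key=lambda r: (-r.score, r.name))


def key_risks(register, unit, threshold=10):
    """Preliminary assessment: identify broadly, then keep only the high scorers."""
    return [r for r in rank_risks(register, unit) if r.score >= threshold]


def build_programme(register, unit, threshold=10):
    """Standard steps from common key risks plus steps tailored to the unit."""
    selected = key_risks(register, unit, threshold)
    return {
        "unit": unit,
        "standard_steps": [r.audit_step for r in selected if r.scope == "common"],
        "tailored_steps": [r.audit_step for r in selected if r.scope == unit],
    }


# Constructed sample register: two hypothetical sub-offices plus common risks.
REGISTER = [
    Risk("Cash advances not reconciled", 4, 4, "common",
         "Reconcile the advance ledger to bank statements for the period"),
    Risk("Travel requests approved outside policy", 3, 2, "common",
         "Sample travel requests against the approval matrix"),
    Risk("Unauthorised access to payroll system", 2, 5, "common",
         "Review payroll system access rights against staff list"),
    Risk("Warehouse stock shrinkage", 4, 3, "Office-North",
         "Count a stock sample and reconcile to the inventory record"),
    Risk("Local vendor concentration", 3, 3, "Office-South",
         "Review vendor spend distribution"),
    Risk("Contract awarded without competition", 3, 4, "Office-South",
         "Tender file review for contracts awarded without competition"),
]


if __name__ == "__main__":
    for unit in ("Office-North", "Office-South"):
        programme = build_programme(REGISTER, unit)
        print(unit)
        for r in rank_risks(REGISTER, unit):
            flag = "KEY" if r.score >= 10 else "   "
            print(f"  {flag} {r.score:>2}  {r.name}")
        print("  standard steps:", len(programme["standard_steps"]),
              "| tailored steps:", len(programme["tailored_steps"]))
```

Running it lists every relevant risk per unit but flags only those at or above the threshold, so the identification step stays broad while the programme stays focused; the standard steps repeat across units (the common risks) and the tailored steps change with the unit, which is the split Mark describes between COSO components shared by all units and Control Activities unique to one.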






ammania


Posts: 6
Joined: Apr 2013

Friday August 02, 2013 7:33 AM


Thank you Mark for your detailed explanation.

The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org