How to go about conducting an audit
Risk / Exposure Profiling

Audit process: Risk/Exposure Profiling → Risk Assessment → Audit Planning → Fieldwork → Reporting → Follow-up
Managing Business Risk
• What can go wrong with my business?
• If it matters, can I avoid, monitor, or manage it?
Risk Definition
* Managing Business Risk, An Integrated Approach, The Economist Intelligence Unit, 1995
Risk Assessment
Why conduct a risk assessment?
• To quantify compliance measures and assess them by a consistent method
• To identify the risk areas with high risk potential and/or high risk consequence that may require more resources to effectively implement and enforce policies
• To identify which elements of an effective compliance program are lacking across the corporation (training and education, auditing and monitoring)
• To provide a starting point for the centralized compliance group that is to be created
Risk Concepts
• Risk is plotted by its impact and its probability (figure: Impact against Probability).
• A risk driver increases or decreases the probability that a risk will occur.
Risk Concepts
• Risk drivers
  – Environmental drivers: external environment, ethical environment, control environment
  – Operational drivers: change (business complexity), growth (pressure to meet goals)
Risk Concepts
• Exposure = Impact × Probability
• Impact is driven by: sales/activity level, assets, visibility, headcount
Do I care if something goes wrong?
(Figure: Impact, low to high, plotted against Probability, low to high. The high-impact, high-probability corner is where you want to focus.)
Risk Assessment Model
• Set goals: what do you want to accomplish?
• Assess risk: what can go wrong?
Audit Planning
Prioritize Audit Units
Planning guidelines: each audit unit is placed on a grid of Exposure (L/M/H, vertical axis) against Risk (L/M/H, horizontal axis). Units in the high-exposure, high-risk corner are labelled Audit; units in the low-exposure, low-risk corner are labelled Low; the cells between them are labelled Caution or Attention.
• Audit: receives significant audit effort; audited annually
• Caution: audit activity based on specific risk factors
• Low: no Audit Services activity in the current plan year
Audit Engagement Overview
Duration and effort: Audit Planning (2-3 weeks) → Fieldwork (2-3 months) → Reporting (end of the final week)
"Auditor" responsibilities: interviews, observations, testing, validation, feedback
Timeline: arrive on site at the start of fieldwork; leave site at the end of fieldwork
"Site" responsibilities: action plans
Program Development
The audit program (steps 1, 2, 3, ...):
• Outlines the objectives of the audit
• Indicates what is to be done
• Describes how it is to be done
• Provides a record of the planned procedures
• Assists audit control
Elements of the compliance program that compliance audits cover: written policies and procedures, training, auditing/monitoring, discipline/learning
Population Selection and Data Collection
Determining the audit population:
• All
• Cumulative %
• Square root of n + 1
Data collection:
• Interview questions
• Spreadsheets
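The planning steps above (Exposure = Impact × Probability, placing units on the exposure/risk grid, then choosing how much of a unit's population to test) can be carried through in a few lines. The following is an added example, not code from the original slides or from any audit organization: the 1..5 scoring scales, the exposure band cut-offs, the placement of the Caution and Attention cells, the reading of the "Cumulative %" and "Square root of n + 1" rules, and all sample data (the audit units and the invoice values) are assumptions of this example.

```python
"""Added example, not from the original slides: score audit units with
Exposure = Impact x Probability, place them on the planning-guideline grid,
and size the test population with the three methods the slides list.
The 1..5 scales, band cut-offs, grid cell placement, the reading of the
two sampling rules and all sample data are assumptions of this example."""
from dataclasses import dataclass
from math import ceil, sqrt


@dataclass(frozen=True)
class AuditUnit:
    name: str
    impact: int       # 1 (low) .. 5 (high); assumed scale, rated from sales/
                      # activity level, assets, visibility and headcount
    probability: int  # 1 .. 5 after risk drivers are applied (assumed scale)
    risk: str         # "L", "M" or "H": risk rating on the grid's horizontal axis


def exposure(unit: AuditUnit) -> int:
    """Exposure = Impact x Probability, 1..25 on the assumed 1..5 scales."""
    for value in (unit.impact, unit.probability):
        if not 1 <= value <= 5:
            raise ValueError(f"{unit.name}: scores must be 1..5, got {value}")
    return unit.impact * unit.probability


def exposure_band(score: int) -> str:
    """Collapse a 1..25 exposure score onto the grid's L/M/H vertical axis.
    Assumed cut-offs: up to 6 is L, up to 14 is M, above that H."""
    if score <= 6:
        return "L"
    if score <= 14:
        return "M"
    return "H"


# Planning-guideline grid, indexed [exposure band][risk rating].
# The slides fix only the corners (high/high = Audit, low/low = Low);
# where Caution and Attention sit is an assumption of this example.
PLANNING_GRID = {
    "H": {"L": "Caution", "M": "Audit", "H": "Audit"},
    "M": {"L": "Low", "M": "Caution", "H": "Audit"},
    "L": {"L": "Low", "M": "Low", "H": "Attention"},
}


def prioritize(units):
    """Return (name, exposure, band, planning action), highest exposure first."""
    rows = []
    for unit in units:
        if unit.risk not in PLANNING_GRID["H"]:
            raise ValueError(f"{unit.name}: risk must be L, M or H")
        score = exposure(unit)
        band = exposure_band(score)
        rows.append((unit.name, score, band, PLANNING_GRID[band][unit.risk]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def sample_size_sqrt(n: int) -> int:
    """'Square root of n + 1' rule, read as ceil(sqrt(n)) + 1 (the +1 outside
    the root); the slide does not say which reading is meant."""
    return 0 if n <= 0 else ceil(sqrt(n)) + 1


def select_cumulative_pct(values: dict, coverage: float = 0.8) -> list:
    """'Cumulative %' method, read as: take the largest items first until
    they account for `coverage` of the total value (assumed reading)."""
    if not 0 < coverage <= 1:
        raise ValueError("coverage must be in (0, 1]")
    total = sum(values.values())
    if total <= 0:
        return []
    by_value = sorted(values.items(), key=lambda kv: kv[1], reverse=True)
    chosen, running = [], 0
    for key, value in by_value:
        chosen.append(key)
        running += value
        if running >= coverage * total:
            break
    return chosen


def select_population(values: dict, method: str, coverage: float = 0.8) -> list:
    """Dispatch on the three population methods named on the slide."""
    if method == "all":
        return list(values)
    if method == "cumulative":
        return select_cumulative_pct(values, coverage)
    if method == "sqrt":
        size = sample_size_sqrt(len(values))
        by_value = sorted(values, key=values.get, reverse=True)
        return by_value[:size]   # largest items first (assumption)
    raise ValueError(f"unknown method {method!r}")


# Constructed sample data for the example; not from the slides.
UNITS = [
    AuditUnit("Payroll", impact=5, probability=4, risk="H"),
    AuditUnit("Travel expenses", impact=2, probability=3, risk="M"),
    AuditUnit("Vendor onboarding", impact=4, probability=3, risk="H"),
    AuditUnit("Site cafeteria", impact=1, probability=2, risk="L"),
]
INVOICES = {"inv-001": 500, "inv-002": 300, "inv-003": 120, "inv-004": 50, "inv-005": 30}

if __name__ == "__main__":
    for name, score, band, action in prioritize(UNITS):
        print(f"{name:18} exposure={score:2} band={band} -> {action}")
    print("cumulative 80%:", select_population(INVOICES, "cumulative"))
    print("sqrt(n)+1    :", select_population(INVOICES, "sqrt"))
```

Running it ranks Payroll (exposure 20, band H) and Vendor onboarding (12, band M, risk H) as Audit and the other two units as Low; the cumulative-percentage method picks the two largest invoices, which already cover 80% of the value, while the square-root rule on five invoices gives a sample of four. Whichever scales you adopt, keep them fixed across the plan year so that the prioritization stays comparable between units.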
Fieldwork
Fieldwork Process
• Opening Meeting (Audit Objectives and Scope)
• Gather information
• Conduct interviews
• Understand business processes
• Review procedures and documentation
• Perform testing and observations
• Document facts
• Review against control objectives
• Hold periodic "talk-ups" to validate facts
• Consolidate and assess results
• Write DRAFT report
• Closing Meeting (Distribute Final Report)
Documentation Process
Facts established in fieldwork are recorded in workpapers and cross-referenced to the audit program steps (1, 2, 3, ...); control weaknesses found are written up as Potential Audit Comments (PACs).
Workpapers & Evidence
Workpapers are based on facts (evidence) and observations.
Evidence should be:
• Sufficient
• Convincing
• Adequate in detail
• Relevant
• Competent
Facts should be:
• Factual
• Reliable
• From the best (independent) source
• Consistent with other evidence
Reporting
Reporting Process
Workpapers → Potential Audit Comments (PACs) → Talk-ups → Field Report + Management Action Plans → Revisions → Final Report
Audit report comments are written to the 5 C's (in audit practice: criteria, condition, cause, consequence, corrective action).
Potential Audit Comments (PACs)

Report Comments
• Comments should not:
Audit Process
Audit Services:
1. Planning
2. Standard audit program, or prepare a program (steps 1a, 1b, 1c, 2a, 2b, 2c, 3a, ...)
3. Pre-fieldwork
Begin fieldwork: document evidence and findings; collect the evidence in workpapers against each program step.
Talk-ups: combine and rationalize the PACs into issues (team discussion); in the figure, PAC #1 raises issue 3a, PAC #2 raises issues 1a and 1b, and PAC #3 raises issues 2a-c.
Report: each issue becomes an audit comment with a recommendation and a Management Action Plan (MAP).
Final Report
Executive summary: objectives, risks & exposures, overall assessment, rating
Detailed comments: for each comment, the recommendation and the Management Action Plan (MAP)
Final report distribution: line management, compliance organization, General Auditor, outside auditors, HR, executive management. RED audits: who else?
Rating Scale
GREEN: Control environment is satisfactory. Continuing local management action and resource allocation is sufficient. Processes/policy/procedure/practice are sufficient to meet business objectives.
YELLOW: Improvement required. Important business risk issues justify management action and resource allocation. Processes/policy/procedure/practice are in place but their effectiveness needs to be enhanced.
Follow-up
Red Comment Follow-up
• Audit Services will follow up on any Red Comments within 6 months of the audit
• The status of every Red Comment is reported to the Audit Committee as one of the following: Implemented, Past Due, or Not Yet Due
• An item is identified as Past Due if the Affiliate fails to complete the Management Action Plan by the Implementation Date stated in the Final Report