IIA Northwest Chicago Chapter Risk Assessment 2013

IIA Northwest Chicago Chapter
Risk Assessment 2013 - Essential
Strategies to Maximize the Impact of
Internal Audit
September 2012
Agenda
• Introductions
• Session Objectives
• Overview of Risks and Risk Assessments
• Risk Assessment Planning Framework
• State of the Profession
• Audit Committee Expectations
• Panel Discussion
Introductions
Presenters:
Andy Dahle
• Partner in the Chicago Risk Assurance practice of PwC
• Currently serves as Chairman of the international Internal Audit Standards Board of the IIA
• Served as President of the IIA Chicago Chapter
• Thought leadership for the profession includes contributing in recent years to the annual global PwC Internal Audit State of the Profession reports and co-authoring the 2011 IIA's book Implementing the International Professional Practices Framework.
Beth Kuebler
• Director within the Risk Assurance group of PwC
• Executed projects that involved risk assessments of IT environments and diagnostic reviews of key platforms (e.g. Windows, UNIX, SQL, etc.).
• Assessed the controls for companies within the financial services industry in support of attestation, financial audits, and fraud investigations
Risk Assessments
PricewaterhouseCoopers
September 2012
Slide 3
Session objectives
What would you like to get out of attending today?
• What are the top concerns or questions you have?
• What are the current risk assessment roadblocks you are facing?
• What would be most valuable to you to help manage risk better today?
Session objectives
What are the goals?
In addition to meeting many, if not all, of your expectations for the day – upon
completing the training you will be able to “right size” your audits by:
• Aligning Internal Audit with the organization’s priorities & expectations;
• Appropriately identifying and assessing risks;
• Determining adequate scoping; and
• Optimizing audit hours in order to more efficiently achieve audit objectives.
Overview of risk and risk assessments
The Potential Future…
Overview of risk and risk assessments
Definition Of Risk
Risk is the possibility that an event will occur and adversely affect the
achievement of objectives
– COSO Definition
The possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood
– IIA Standards Glossary Definition
Risk is anything that could impact the achievement of objectives – not only
negative impacts but also risk of missed opportunities.
Overview of risk and risk assessments
What Is The Goal Of A Risk Assessment?
The risk assessment process should:
• Consider external and internal factors that could impact achievement of the objectives
• Analyze the risks, and provide a basis for managing them
• Allow auditors to focus efforts based upon risk in order to optimize efficiencies
• Include consideration of technology supporting business processes and objectives
• Be adapted to fit the pace of change in the organizational and market environment
Risk assessment planning framework
IT – Business Integration Of Risk Assessment
• The business ‘demands’ technology services and products to support the overall
business initiatives and goals.
• The ‘supply’ of the technology can reside either inside the IT department and/or in other
areas of the organization.
Demand Side (business demands for technology to support the overall business initiatives and objectives):
• Overall Business Objectives: Corporate Strategy; LT business objectives; ST tactical plans
• Key Business Units/Functions: Finance; Accounting; HR; Other key BU’s
• Transaction processing: Order to Cash; Procure to Pay; Other key transaction streams

Supply Side (IT supplies technology):
• IT Mgmt.: Governance & Leadership; IT Budgeting & Finance; IT Performance Management; IT Compliance/SOX
• Sourcing: Organization Structure; Human Capital Management; Sourcing Management; Performance Management
• Enterprise Architecture
• IT Delivery: Application Dev. & Support; Service Management; Service Delivery; Data Mgmt./Bus. Intel
• Security: Intellectual Property Prot.; ERP Security Controls; Identity Management; Sec. Operations & Monitoring
Risk assessment planning framework
IIA Standards Of Risk Management
2010 – Planning
(as accepted by the International Internal Audit Standards Board, September 2012)
The chief audit executive must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The
chief audit executive takes into account the organization’s risk management
framework, including using risk appetite levels set by management for the
different activities or parts of the organization. If a framework does not exist, the
chief audit executive uses his/her own judgment of risks after consideration of
input from senior management and the board. The chief audit executive must
review and adjust the plan, as necessary, in response to changes in the
organization’s business, risks, operations, programs, systems, and controls.
Risk assessment planning framework
IIA Standards Of Risk Management
2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the
improvement of risk management processes.
• 2120.A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems.
• 2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
• 2120.C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.
• 2120.C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.
• 2120.C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Risk assessment planning framework
What Should IA Groups Look Like Going Forward?
At the highest level, it must deliver the
right value at the right cost. Based on the
best practices of other leading
organizations, to be maximized, an
internal audit function must:
1. Align its value proposition with stakeholders’ expectations
2. Focus on critical risks and issues
3. Engage and manage stakeholder relationships
4. Deliver cost-effective services
5. Match its talent model to the value proposition
6. Enable a client service culture
7. Promote quality improvement and innovation
8. Leverage technology effectively
Risk assessment planning framework
Signs For A Risk Assessment And Audit Planning Makeover
1. Audit plan is restricted to what “IA can audit today” vs. what “IA should audit tomorrow”
2. Audit plan includes repetitive, low value audits
3. SOX and administrative time make up a significant portion of the audit plan
4. Audit plan is not updated frequently enough (e.g., a rolling six-month plan) to adapt to the company’s changing risk profile and major initiatives
5. Internal audit and senior management’s views on risk prioritization are not aligned
6. Key processes, programs and initiatives are not linked to the company’s strategic objectives
7. Audit plan excludes coverage of emerging risks or catastrophic Black Swan events that could impact the company’s reputation
Risk assessment planning framework
Risk Assessment And Planning Framework
Top Down, Risk-Based Approach
Risk assessment planning framework
Checking In
You would most likely use risk assessment for audit planning because it
provides:
A. A systematic process for assessing and integrating professional judgment about probable adverse conditions.
B. A listing of potentially adverse effects on the organization.
C. A list of auditable activities in the organization.
D. The probability that an event or action may adversely affect the organization.
Risk assessment planning framework
Risk Assessment Planning Framework
One key aspect is to understand the business objectives and strategy. Value
drivers are factors that are directed in such a way that the strategy is realized
and stakeholder value is created. A sample may be (handout):
Sample client value driver analysis (handout, reconstructed from the slide layout):

Objective: Increase Shareholder Value

Financial Perspective
• Increase Market Share
• EPS Growth
• Revenue Growth
• Return on Invested Capital (ROIC)
• Productivity Strategy

Strategic themes: New product development; Brand recognition; Drive organic growth; Manage financial resources/risk management; Regulatory compliance; Technology initiatives; Product differentiation

• Meet customer demand through innovation.
• Meet environmental regulations (engine emission requirements).
• Continue to develop strong presence in newly developed products.
• Support investment on research for new technologies/products emphasizing stringent emission requirements.
• Grow through market leadership.
• Drive innovation.
• Maintain broad product portfolio.
• Understand market and customer needs to expand product portfolio.
• New plant development.
• Hedging potential losses from unfavorable currency positions/transactions such as export of agricultural and forestry machinery.
• Actively manage production cost related to new products.
• Monitor economic and political situation in Western and Central Europe as well as South America, with emphasis on Argentina.
• Effective implementation of credit policies.
• Timely access to capital to meet future cash flow requirements and fund operations, and the costs associated with engaging in diversified funding activities.
• Enforce and monitor security measures to prevent damage from disruptions or shutdowns due to attacks by hackers or breaches due to employee error or malfeasance, etc.
• Improve global capacity through leading environmental machinery.
• Innovations in machinery and technology influence agricultural equipment purchasing.

Customer / Regulator Perspective: Brand recognition; Environmental compliance
• Quicker identification, recognition and integration of innovations.
• Alignment of products (e.g. turf equipment) and marketing strategies to better serve Western Europe and North America markets.
• Increase efforts and presence in emerging markets (BRIC).
• Offer a broad range of products to meet local weather conditions.
• Use knowledge of market trends and customer needs to drive innovations.
• Enforce compliance with environmental, health and safety laws or regulations to mitigate investigation and defense costs that may result in significant fines or penalties.
• Implement stringent engine emission reduction standards, including Interim Tier 4, Final Tier 4 and Stage IIIb non-road diesel emission requirements applicable to many engines manufactured and used in many models of agricultural, construction and forestry equipment.
• Changes in government farm programs and policies, including direct payment and other subsidies, can significantly influence demand for agricultural equipment.
• Monitor policies impacting exchange rates and commodity prices or those limiting the export or import of commodities, including the outcome of the global negotiations under the auspices of the World Trade Organization. Such policies could have a material adverse effect on the international flow of agricultural and other commodities, which may result in a corresponding negative effect on the demand for agricultural and forestry equipment in many areas of the world.

Value Creating Processes: Expansion and Innovation; Financial Discipline; Operational Excellence; Customer Focus; Social and Regulatory Compliance
• Develop and construct manufacturing facilities
• Manage foreign currency and interest rate fluctuations
• Anticipate and manage emerging market risks
• Maintain an effective system of internal control
• Align capital structure with company strategy
• Continuously improve accuracy and relevance of cash forecasting
• Standardize global operations (e.g., ethical standards, operating practices and business principles)
• Effectively monitor production schedules to meet demand and delivery requirements
• Manage international operations
• Align procurement/sourcing objectives to the business strategy
• Manage customer orders in accordance with customer needs and operational capabilities
• Develop effective pricing strategies considering customers, competitors and industry trends
• Determine customer needs and wants by capturing feedback and predicting purchasing behavior
• Ensure suppliers comply with laws and regulations locally and abroad
• Manage environmental restrictions in countries outside the U.S.
• Develop and execute an environmental health and safety program

Core Enablers
People
• Align training and development programs with the company's long-term goals
• Motivate and retain high performing individuals
• Forecast and plan workforce requirements (e.g., flexible staffing models)
• Recruit highly qualified individuals
Technology
• Leverage technology to support business initiatives
• Ensure information technology is secure (e.g. firewalls, application access)
• Provide strong executive level management guidance for advancing technology initiatives
• Train and support users to realize value from technology
Organization
• Define and communicate roles and responsibilities throughout the organization
• Develop and set organizational goals (e.g. resources, market share, capital)
• Utilize performance measures to effectively manage the organization
• Build an infrastructure that sustains and measures innovation
Risk assessment planning framework
Phase 1: Gain Understanding of the Control Environment
Risk assessment planning framework
Phase 1: Gain Understanding of the Control Environment
• Understand business unit’s objectives
• Understand entity strategy, goals, objectives, and organizational structure
• Review prior audit reports, findings, deficiencies
• Identify significant changes to operations/control environment, etc.
• What’s the difference between ERM and IA risk assessments?
• How do you assess “auditable” risks at your organization?
Risk assessment planning framework
Bottom-up Approach (Traditional Approach)
Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography, and business operations. Interviews are not focused on obtaining the right level of information.
Flow: Define ABU (e.g., geography, business unit, etc.) → Identify Risks within Auditable Business Units (ABU) (Financial, Operations, Compliance) → Audit Plan
Risk assessment planning framework
Top-down Approach
Flow: Identify Management’s Objectives → Understand Relevant Inherent Risks (Strategic, Financial, Operations, Compliance) → Evaluate Impact to management’s objectives → Audit Plan
Risk assessment planning framework
Checking in…
What does “risk assessment” mean in your organization?
Risk assessment planning framework
Phase 2: Identify Relevant Risks
Risk assessment planning framework
Industry-Specific Risk Categories
Risk assessment planning framework
Current risk example – Eurozone Debt Crisis
Example of Emerging Risks
Risk assessment planning framework
Current risk example – Eurozone Debt Crisis
Emerging Risk Example - Eurozone Debt Crisis
Risk assessment planning framework
Current risk example – Eurozone Debt Crisis
Potential Scenarios
Scenario 1: Successive phases of fiscal and monetary action hold the Eurozone together
Scenario 2: A sequence of managed defaults
Scenario 3: Greece exits but contagion is avoided
Scenario 4: More countries exit the Eurozone and a new currency bloc forms
Risk assessment planning framework
Current risk example – Eurozone Debt Crisis
Risks and Actions Impact A Number Of Functions
• Treasury and finance – Determine how dependent on the Euro. Liquidity
assessment, distressed country concentration, daily sweeps…
• Legal, contracting or tax – Terms denominated in Euros may become
unsustainable. Consider denominating in a more stable currency, monitoring,
hedging, refinancing, repatriation…
Risk assessment planning framework
Current risk example – Eurozone Debt Crisis
Questions to Ask and Actions to Take to Address Risk
Questions to ask:
1. How broad are the risks that we are considering? Considering broader risks allows companies to navigate strategy through more potential consequences.
2. What risk scenarios have we considered to test our plans? Scenario analysis with broad input can clarify the impact of various risks.
3. Have we mapped our risks to key performance and value measures? Common metrics for risk and performance can help prioritize action plans and gain buy-in.

Actions to take:
1. Converting the Eurozone macro scenarios into a set of most significant outcomes for the business (for example, severe liquidity crunch, loss of supplier, plummeting sales, or even the opportunity to acquire a weakened company).
2. Preparing a plan to mitigate negative consequences and capitalize on opportunities.
3. Assessing immediate needs for buffers or shock absorbers, such as moving to more liquid assets or diversifying funding sources and suppliers.
4. Determining how to increase the organization’s adaptive capacity (for example, increasing collaboration among the cross-functional team members or more closely monitoring key suppliers).
5. Communicating commitment to the plan and its payoff to stakeholders.
6. Assigning responsibilities and walking through plans to ensure they can be put in action.
Can Internal Audit be a catalyst, delivering insight and positive change?
Risk assessment planning framework
What IT related risks could keep us from achieving our
objectives?
IT Risk Domains:
• Availability Risk
• IT Strategic Risk
• Financial Risk
• Security Risk
• Architecture Risk
• IT Operational Risk
• Data Risk
• IT Reputation Risk
• Compliance Risk
• Change Management Risk
• Project Risk
• 3rd Party Services Risk
• Human Capital Risk
Source: Michael Rasmussen, Forrester Research, Inc.
Risk assessment planning framework
Sources of IT risk statements
This inventory of IT risks and trigger
questions considers both widely
adopted IT risk and control
frameworks as well as our experience
and methods.
Risk Sources (with acronym):
• Association of Certified Fraud Examiners (ACFE)
• Control Objectives for Information and related Technology (IT Governance Institute) (COBIT)
• COSO Enterprise Risk Management (COSO)
• Federal Financial Institutions Examination Council (FFIEC)
• Information Systems Audit and Control Association Journal (CISA Authority) (ISACA)
• International Information Systems Security Consortium (CISSP Authority) (ISC2)
• International Security Standard (ISO 17799)
• International Quality Standard (ISO 9000)
• IT Compliance Institute (ITCI)
• IT Infrastructure Library (ITIL)
• IT Process Institute (ITPI)
• U.S. National Institute of Standards and Technology (NIST)
• PricewaterhouseCoopers LLP (PwC)
• U.S. Securities and Exchange Commission (SEC)
• Software Engineering Institute (CMMI, CERT, OCTAVE, 'Build Security In') (SEI)
• Enterprise Value: Governance of IT Investments: The Val IT Framework (IT Governance Institute) (Val IT)
Risk assessment planning framework
IT Risk Factors
Risk assessment planning framework
IT Risk Factors Cont’d
Risk assessment planning framework
Checking In
When identifying the risks associated with an activity, which of the following
factors should you not consider:
A. Staff turnover in the business unit
B. Standard business practices
C. Changes in the organizational structure
D. Policies
Risk assessment planning framework
Phase 3: Assess Relevant Risks
Risk assessment planning framework
Phase 3: Assess Relevant Risks
To make an assessment of the relevant risks there are 3 steps:
1. Rate the likelihood of the risk occurring
2. Rate the impact the risk would have if it materialized
3. Calculate the risk assessment
Risk assessment planning framework
Indicators of Risk Likelihood
• For identified transactions, areas, or conditions, exercise judgment about
the likelihood of the risk occurring:
• Conclude whether the nature of the risk, its likely magnitude and the
likelihood of the risk occurring are such that it represents a key risk
requiring special audit consideration.
• Assess if there is a remote, probable or almost definite chance of the risk
occurring.
1 = Remote
3 = Probable
5 = Almost Definite
• Where do emerging risks fit in?
Risk assessment planning framework
Impact Assessment
• The audit has to address risks at the transaction level that are relevant and
material if not already addressed by work addressing the higher level risks.
• Determine if the impact of the risk will be negligible, significant or severe
1 = Negligible
3 = Significant
5 = Severe
Risk assessment planning framework
Risk Assessment – Rating Scale
Impact rating x Likelihood rating = Risk Rating
Risk assessment planning framework
Rating Scale

High (5)
  Impact: An incident of non-compliance and/or the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
  Likelihood: Without regard to the effects of any compliance controls or mitigation strategies, the event is highly possible and capable of happening (greater than 75% likelihood the event will happen in the next 24 months).

Medium (3)
  Impact: An incident of non-compliance and/or the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  Likelihood: Without regard to the effects of any compliance controls or mitigation strategies, the event is possible and capable of happening (25 to 75% likelihood the event will happen in the next 24 months).

Low (1)
  Impact: An incident of non-compliance and/or the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Likelihood: Without regard to the effects of any compliance controls or mitigation strategies, the event is remotely possible or may not be capable of happening (less than 25% likelihood the event will happen in the next 24 months).
Risk assessment planning framework
Impact vs. Likelihood (2x2 matrix, impact on the vertical axis, likelihood on the horizontal axis):
• High impact, low likelihood: Medium Risk – Share
• High impact, high likelihood: High Risk – Mitigate & Control
• Low impact, low likelihood: Low Risk – Accept
• Low impact, high likelihood: Medium Risk – Control
Risk assessment planning framework
Risk Factor Categories
• Business Operations
• External Events
• Procedures
• Management
• Resources
• Processes/Activities
• Previous Issues

In 3 minutes… Brainstorm as many examples of risk factors under each category.
Risk assessment planning framework
Risk factor debrief
Risk assessment planning framework
Example Risk Ranking Model
The ranking is performed on a scale of 1 through 5 with 5 being the highest risk and 1 indicating
minimal risk.
Likelihood:
• Degree of Change – Pace of change related to people, process and technology
• Human Resources – Stability of the group responsible for managing a process
• Process Complexity – Level of dependencies, input sources and support functions
Significance:
• Materiality – Relative to volume and value of the business objective and regulatory impact
• Management Concern – Listed as a top priority or major risk to the company within management risk assessment meetings
Risk assessment planning framework
Significance Example
Likelihood axis: Almost Certain (5), Likely (4), Possible (3), Unlikely (2), Rare (1)

Significance levels, by category:

1 (Insignificant)
  Financial: Less than $1 million annually with little or no impact on liquidity
  Reputational: Local or one client publicity - one instance
  Regulatory: Minor admonition or minor penalties
  Business & Strategic: Management has not expressed interest. Not important to corporate goals
  Management Effort: An event the impact of which can be absorbed through normal activity

2 (Minor)
  Financial: $1 million to $4 million annually with minor impact on liquidity
  Reputational: Limited national or industry publicity - one instance
  Regulatory: Medium penalties and increased regulatory scrutiny
  Business & Strategic: Strategy for a non-core element of the business could change
  Management Effort: An event, the consequences of which can be absorbed but management effort is required to minimize impact

3 (Moderate)
  Financial: $4 million to $20 million annually and some impact on liquidity
  Reputational: National or industry publicity - extended, customer or stakeholder impacting
  Regulatory: Major penalties and increased ongoing regulatory scrutiny
  Business & Strategic: Management has expressed interest. Considered important in corporate goals
  Management Effort: A significant event which can be managed under normal circumstances

4 (Major)
  Financial: $20 million to $75 million, or over $100 million one time with major impact on liquidity
  Reputational: Worldwide publicity, or loss of customer
  Regulatory: Major censure which impacts customer activities and opportunities
  Business & Strategic: Strategy could be moderately affected
  Management Effort: A critical event which with proper management can be endured

5 (Catastrophic)
  Financial: Recurring over $75 million per year or significant impact on liquidity
  Reputational: Extended worldwide publicity or loss of major customers
  Regulatory: Business closure or top management changes
  Business & Strategic: Management has expressed a high level of interest. Explicitly considered critical to corporate goals. Results in key changes to strategic direction
  Management Effort: A disaster with potential to lead to collapse of the business
Risk assessment planning framework
Likelihood Example
LIKELIHOOD (over 3 years)
• Almost Certain (>90%): Event is expected to occur more than once
• Likely (50-90%): Event is expected to occur in most circumstances
• Possible (30-50%): Event could occur at some time
• Unlikely (10-30%): Event is unlikely to occur at some time
• Rare (<10%): Event may occur only in exceptional circumstances
Risk assessment planning framework
Checking in
Which of the following represents the best risk assessment technique?
A. Assessment of the risk levels for future events based on the extent of uncertainty of those events and their impact on achievement of long-term organizational goals.
B. Assessment of inherent and control risks and their impact on the extent of financial misstatements.
C. Assessment of the risk levels of current and future events, their effect on achievement of the organization’s objectives, and their underlying causes.
D. Assessment of the risk levels of current and future events, their impact on the organization’s mission, and the potential for elimination of existing or possible risk factors.
Risk assessment planning framework
Checking in
How would you prioritize the time and resources spent to audit these risks?
(Resources vs. risk exposure – prioritization)
Risk assessment planning framework
Phase 4: Develop risk-based audit strategy
Risk assessment planning framework
Illustrative Initiative Details and Performance Measures
Initiative Name: Risk Assessment Optimization

Goals and Desired Outcomes
• Increased coordination with all assurance providers
• Alignment of key processes and risks covered with business strategy
• Global identification and assessment of common risks and unique factors
• Integrated Internal Audit plan

Strategies
• Integrate activities with ERM, compliance, and others as needed
• Define common risk language across groups
• Utilize value driver analysis to provide proper alignment

Key Tasks and Milestones
• Plan for Risk Assessment with other compliance groups, identify & evaluate risks
• Develop value driver analysis
• Develop Combined Risk Assurance Map
• Create Internal Audit Plan
• Develop and present budget and resource requirements
• Obtain audit plan, budget, and resources approval

Potential Performance Measures
• Combined Risk Assurance Map developed
• Value Driver Analysis complete
• High risk/relevance of issues identified
• Audit plan approved

Estimated Resource Needs
• 500 Hours

The Initiative Details and Performance Measures above are provided for illustrative purposes only and are not specific to any company.
Risk assessment planning framework
Leverage a value driver analysis
Value driver analyses are used to ensure Internal Audit plans are aligned with your strategic objectives.
Risk assessment planning framework
Process steps: Perform Company Analysis → Develop Value Driver Analysis → Evaluate Risk → Prioritize Projects → Refine Scope
Evaluate risk: risk rankings are developed for each value creating process.

Risk Ranking (Value Creating Processes)
1. Value creating process 1: High
2. Value creating process 2: High
3. Value creating process 3: High
4. Value creating process 4: Medium
5. Value creating process 5: Medium

Priority Matrix: each value creating process is plotted by Impact on Shareholder Value (Insignificant, Low, Moderate, Major, Critical) against Current Process & Control Maturity (Ad-hoc, Repeatable, Defined, Managed, Optimized).

Audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of processes, programs and initiatives.
Risk assessment planning framework
Synergize risk assurance functions
Assurance providers (each with its own assurance need): Internal Audit, Health & Safety, Risk, Compliance, SOX, Treasury, Legal, CSR, External Audit, Co Secretary

Challenge
• No single view of assurance across Organization
• Differing perspectives on risk (audit vs business, inherent vs residual, BU vs Group)
• Potential for duplication and gaps in assurance
• Little Board/AC level visibility of the linkage between sources of assurance

Response
• Collaboration between assurance providers
• Develop common view of risk to Organization
• Present to Board how key risks are being covered by assurance providers
• THIS IS MORE THAN developing improvements in risk-based internal auditing
Risk assessment planning framework
Example Audit Strategy
Risk Level and Audit Testing Strategy:
• Risk Level 15-25: Data Mining Techniques, Detailed Testing of Transactions, Walkthroughs, Re-performance to Test Operational Effectiveness of Controls
• Risk Level 9-15: Data Mining Techniques, Detailed Testing of Transactions, Walkthroughs, Re-performance to Test Operational Effectiveness of Controls
• Risk Level 3-9: Data Mining, Analytics, Limited Testing, Enhanced Walkthroughs
• Risk Level 1: Scope Out
Risk assessment planning framework
Aligning Internal Audit with the organization – “Top 10” list of
internal audit projects – What will you do in 2013?
Define internal audit projects tied to Corporate Strategy / Direction.
More robust coverage of risk
•Emerging risks, scenario planning and stress testing, leveraging risk management lessons learned from the
financial crisis, deep dives on areas of risk, review of other risk assurance activities, facilitating increased
enterprise risk management maturity, assurance maps.
Compliance Risks
•Sector or geography specific compliance audits.
•Assurance over sustainability and corporate social responsibility.
•FCPA, fraud and forensics
•Reviews of areas with changing regulations
•Executive compensation reviews
Operational Risks
•Customer experience
•Operational--Deliver insight and impact. Incorporate lean and six sigma approaches where aligned with
corporate culture, share internal and external best practices.
•Audit coverage of the extended enterprise
Information Technology Risks
•IT risk assessment/diagnostic, IT governance, security & privacy, system implementations and optimizations,
mobile applications & devices, sourcing, social network and cloud
Risk assessment planning framework
Combined Risk Assurance Map (figure; only the map's labels are recoverable here)

Assurance providers mapped: CAA, Investigations, Proactive Safety Monitoring, Quality Audit / Compliance, External Audit, Internal Audit, IT Steering Group, Airports Forum, Network Development Forum, Environmental Management Group, Safety Review Board, Performance Review Meeting, Airline Management Board.

Risk areas mapped: Environment, Suppliers & Key Relationships, Risk Management Processes, Revenue & Reputation, Communications, Operations, Regulator & Stakeholders, Planning, Legal, Commercial, Labour Relations / Staff, Information Technology, Procurement, International Operations, Financial Reporting, Finance Processing, Regulatory, Economic Environment, Hedging / Liquidity Management, Treasury, Competitive Environment, Human Resources, Crisis Management, Finance, Business Continuity.

Lines of defense shown: 1st Line, 2nd Line, 3rd Line, 4th Line (Management, Functional Oversight, Oversight, Independent).

Legend: Assurance Need (High Assurance, Medium Assurance); Assurance Provision (Performance Mgt, Provider Assurance, Overall provision).

Results / Corrective Action: Remove Duplicate Assurance Activity, Review Other Assurance Providers, Maintain Current Plan, Opportunity to Remove / Refocus Effort, Assurance Gap, Obtain Independent Assurance, Provider Assessment.
Risk assessment planning framework
Checking In
A risk assessment framework is used to create an audit plan. Which of the
following would be an appropriate action?
A.Maintain ongoing dialogue with management and the audit committee.
B.Ensure that the schedule of audit priorities remains unchanged.
C.Employ only quantitative methods to determine risk weightings.
D.Revise the risk assessment and audit priorities as warranted.
• Include strategies for adjusting and adapting plan during the year
Risk assessment planning framework
Checking In
When you use a risk assessment process to create an audit schedule, which of
the following should you give attention to first?
A. The external auditors have requested assistance for their upcoming annual
audit.
B.A new accounts payable system is currently undergoing testing by the
information technology department.
C.Management has requested an investigation of possible lapping in
receivables.
D.The existing accounts payable system has not been audited over the past
year.
Risk assessment planning framework
Checking In
Which of the following is not a role of internal audit in best practice
governance activities?
A.Support the board in enterprise-wide risk assessment.
B.Ensure the timely implementation of audit recommendations.
C.Monitor compliance with the corporate code of conduct.
D.Discuss areas of significant risks.
State of the profession
What do Senior Leadership and the Audit Committee think
about risk management and Internal Audit?
State of the Profession
Designing for the new floor
State of the Profession
Meeting the challenge of a higher floor
Navigate the new risk landscape
Provide deeper insights
Cut through the clutter

Questions
• How well aligned is internal audit’s plan with the critical risks facing the organization?
• Does internal audit provide a point of view to help the business improve its responses to risk?
• How effectively does internal audit communicate with stakeholders?

What internal audit should do to rise to the new floor
• Think and act strategically: Internal audit understands the organization’s strategy, initiatives, and related risks; audit activities are derived from a top-down risk assessment and aligned with stakeholder expectations.
• Leverage the second line of defense: Internal audit contributes to and coordinates with risk management efforts, providing insight to the overall risk management process and focusing audit efforts appropriately.
• Align resource allocations: Internal audit provides services linked to critical areas of risk, not only those related to existing talent and expertise. It stays aligned in a constantly changing environment.
• Understand the business: Internal audit’s business acumen is clearly evident in all it does, fostering the desire for internal audit involvement in the most significant business initiatives.
• Leverage specialists: Internal audit uses specialists, both internal and external, to support work in areas where it does not have the breadth and depth of expertise to effectively provide a point of view.
• Deliver advice and best practices: Internal audit provides deep insights in all of its activities, as well as proactively offering advice on the design of future processes.
• Build trust through ongoing dialogue: Significant attention is given to face-to-face communication with stakeholders, including the audit committee. In these meetings, additional perspective is provided around the management of critical risks.
• Simplify reporting, make it consumable: Internal audit reports contain concise messages clearly linked to underlying business risks.
• Connect the dots: Internal audit identifies common themes and trends across the organization, enabling the business to close gaps.
State of the Profession
Risks are generally not perceived as well managed
15 most-cited risks (figure orders them from least well managed to most well managed):
• Economic uncertainty
• Talent and labor
• Regulations and government policies
• Reputation and brand
• Fraud and ethics
• Competition
• Commercial market shifts
• Business continuity
• Financial markets
• Energy and commodity costs
• Mergers, acquisitions, and JVs
• Data privacy and security
• Government spending/taxation
• New product introductions
• Large program risk

45% are comfortable with how well their critical risks are being managed
State of the Profession
Coordinated lines of defense (figure: Board/audit committee and Senior management oversee the three lines)
• 1st line of defense: Functional and line management are responsible for operationalizing risk management and internal controls
• 2nd line of defense: Risk management and compliance functions are responsible for establishing and monitoring policies and standards
• 3rd line of defense: Internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance

Only 50% believe IA is well coordinated with other risk and compliance functions
Audit committee expectations
Transformational change demands stronger response
• Rapid, pervasive change is quickly transforming the profession
• Emerging expectations are raising significant issues for audit leaders
• A clear gap exists between the current focus of many internal audit
functions and where they need to set their sights in order to deliver greater
value
• Over the past five years, internal auditors have been concentrating on
financial and compliance risks
• Now it’s time for internal auditors to transform their thinking
• The profession is at a crossroads, and CAEs must move urgently to
strengthen capabilities to meet changing stakeholder needs
Audit committee expectations
Audit committees continue to raise expectations for internal audit
• The vast majority of CAEs report functionally to the audit committee
• It has become increasingly common for audit committee members to serve on more than one audit committee
• Fortune 500 companies report that audit committee members have brought ideas from other internal audit functions in the past year
• Audit committee members are speaking up, asking questions, and offering guidance on a host of topics:
− Approach to annual risk assessments
− Scope of audit coverage
− Audit ratings
− Audit tracking and follow up
− Internal audit quality assurance
Audit committee expectations
To develop a solid working relationship with its audit committee today,
an internal audit function must
• Provide an objective set of eyes and ears across the organization
• Provide internal audit assurance on risks and controls
• Focus on operational, business, and strategic risk
• Presume committee members are knowledgeable, alert, and adept
• Position internal audit as a trusted strategic advisor to the committee
Audit committee expectations
A five-step plan for an internal audit function to develop a stronger
relationship with its audit committee
1. Communicate regularly with the audit committee chair
2. Build audit committee awareness of organizational risks
3. Get to know the audit committee, including new members
4. Provide audit committee members with broad exposure to the internal audit team
5. Position internal audit as the “go-to” educational resource for the audit committee
Questions and Discussion
Panel members
Thank you
© 2012 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network
of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal
entity.