Developing a Risk‐based Audit Plan – Session 121
Transcript of Developing a Risk‐based Audit Plan – Session 121
©FloBiz & Associates, LLC
Developing a Risk‐based Audit Plan
May 7, 2012, 1:30 – 5:00 pm
Session 121
Philip E. Flora, CISA, CIA, CCSA, CFE
Principal
FloBiz & Associates, LLC
SPEAKER BIOGRAPHY
Phil Flora, CISA, is the principal/managing member of FloBiz & Associates, LLC, a company that provides training, internal audit and consulting services. He was the chief audit executive (CAE) at a not-for-profit public corporation for over 16 years. His experience includes banking, public accounting and cost accounting. He also has over 30 years of auditing/management experience.
In his 16 years as the CAE for Texas Guaranteed Student Loan Corporation (TG), Flora was responsible for the maintenance/development of the internal audit function, which included leadership, risk assessment/audit planning, communication with management/board, staff hiring/development and other administrative/operational activities. He transformed the function to enable audit coverage of the total organization. In cooperation with two other CAEs he developed an internal audit leadership development program that assisted in the development of over 30 future audit leaders.
Session Objectives
• Identify standards related to risk assessment and audit planning
• Provide risk management framework examples for application/use in identifying organizational risks
• Determine ways that COBIT and Risk IT can be used to facilitate the risk assessment process
Session Objectives (Continued)
• Identify challenges & opportunities in the information gathering process
• Provide risk assessment/audit planning process/steps for the total audit universe
• Determine methods/approaches to communicate audit planning process results for review/approval
• Provide reference materials for future use
Today's Environment
• Global Financial Challenges
• Organizations asked to do More with Less!
• Control Changes to meet Business needs
• High Unemployment
• Audit/IT Audit Role expanding
• Information Security & Privacy continue as a focus
• Ethical Environment Is a Must!
• Pressures to meet Performance Expectations
• Risk Management Critical to Success
• Should the Audit focus change from Compliance to Strategic Risks?
Risk
What is Your Organization’s Risk Appetite?
Risk Information Gathering
How much is enough information?
Risk Assessment Input
How can I get your input?
Training, Awareness, Relationships & Tone at the Top!
Information Gathering
Interviews: Open‐Ended, Closed‐Ended, Time Boxed, Leading?
Listening
“It’s hard to learn while you are talking.”
‐ Unknown
Nuggets of Gold
What are they? How do you get them?
Building Relationships
Gathering Valuable Risk Information!
Potential Risk Treatments
• Risk Avoidance ‐ Includes not performing an activity that could carry risk.
• Risk Mitigation/Reduction ‐ Involves methods that reduce the severity of the loss.
• Risk Acceptance/Retention ‐ Involves accepting the loss when it occurs.
• Risk Transfer ‐ Means causing another party to accept the risk, typically by contract or by hedging.
Source: Wikipedia, the free encyclopedia
Risk Assessment Process
(Diagram of the risk assessment process: Input, Understanding, Analysis, Support, Plan; covering both Technical and Business risk)
Definitions
Audit Plan (Engagement)
1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion. Scope Notes: Includes the areas to be audited, the type of work planned, the high‐level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.
2. A high‐level description of the audit work to be performed in a certain period of time.
Source: ISACA Glossary – Knowledge Center
Annual Audit Plan
The plan that is developed annually (possibly updated more frequently based on significant business/organizational conditions). It is reviewed/discussed with Executive Management and approved by the Audit Committee/Board of Directors. The plan is based on the results of the annual Internal Audit risk assessment and the audit resources available (which includes co‐sourcing or outsourcing) based on IA expertise and primary risks.
Definitions (Continued)
Risk
The combination of the probability of an event and its consequence. (ISO/IEC 73)
Source: ISACA Glossary – Knowledge Center
• Consider the Probability & Impact
Risk ‐ Defined
• A probability or threat of a damage, injury, liability, loss or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action.
Source: http://www.businessdictionary.com/definition/risk.html
Risk (Continued)
• Risk ‐ The effect of uncertainty on objectives.
• Assurance – A process that provides a level of confidence that objectives will be achieved within an acceptable level of risk.
Source: ISO 31000:2009
Definitions (Continued)
Risk Assessment
A process used to identify and evaluate risk and its potential effects. Scope Notes: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
Risk Culture
The set of shared values and beliefs that governs attitudes toward risk‐taking, care and integrity, and determines how openly risk and losses are reported and discussed.
Risk Appetite
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
Risk Management
The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
Source: ISACA Glossary – Knowledge Center
Risk/Change ‐ Quote
“Never be afraid to try, remember… Amateurs built the ark. Professionals built the Titanic.”
‐ Unknown
Risk (Continued)
• Enterprise Risk Management (ERM) – ERM is a term in common use. COSO has defined it as: ‘a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’
Source: ERM COSO ‐ 2004
Definitions (Continued)
Risk Factor
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT‐related events/scenarios.
Residual risk
The remaining risk after management has implemented a risk response (e.g. control applied).
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
Risk Analysis
1. A process by which frequency and magnitude of IT risk scenarios are estimated.
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.
Scope Notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
Risk Indicator
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.
Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Scope Notes: A potential cause of an unwanted incident (ISO/IEC 13335).
Vulnerability
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Source: ISACA Glossary – Knowledge Center
Definitions (Continued)
COBIT
A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT‐related practices.
Source: ISACA Glossary – Knowledge Center
Standards – Risk Related
• ISACA
  S4 – Competence
  S5 – Planning (Risk‐based)
  S6 – Performance of Audit Work
  S7 ‐ Reporting
Source: ISACA® ‐ IT Audit & Assurance Standards, Guidelines, & Tools/Techniques
Standards/Guidelines (Continued)
• ISACA
  S9 – Irregularities & Illegal Acts
  S10 ‐ IT Governance
  S11 ‐ Use of Risk Assessment in Audit Planning
  S15 ‐ IT Controls
• Guidelines
  G2 ‐ Audit Evidence Requirements
  G3 – Use of Computer Assisted Audit Techniques (CAATs)
Source: ISACA®
Standards/Guidelines (Continued)
• ISACA
  G4 – Outsourcing of IS Activities to Other Organisations
  G6 – Materiality Concepts for Auditing Information Systems
  G8 – Audit Documentation
  G9 – Audit Considerations for Irregularities & Illegal Acts
Source: ISACA®
Standards/Guidelines (Continued)
• ISACA
  G10 ‐ Audit Sampling
  G11 – Effect of Pervasive IS Controls
  G13 ‐ Use of Risk Assessment in Audit Planning
  G14 – Application Systems Review
  G15 ‐ Audit Planning Revised (Risk based)
Source: ISACA®
Standards/Guidance (Continued)
• ISACA
  G18 ‐ IT Governance
  G20 – Reporting
  G21 – Enterprise Resource Planning (ERP) Systems Review
  G23 – System Development Life Cycle (SDLC) Reviews
Source: ISACA®
Standards/Guidance (Continued)
• ISACA
  G30 – Competence
  G32 – Business Continuity Plan (BCP) From IT Perspective
  G34 – Responsibility, Authority and Accountability
  G38 ‐ Access Controls
Source: ISACA®
Standards/Guidance (Continued)
• ISACA
  G39 – IT Organisation
  G40 – Review of Security Management Practices
  P1 ‐ IS Risk Assessment
  P5 ‐ Control Risk Self‐assessment
Source: ISACA®
Standards/Guidance (Continued)
• ISACA
  P7 – Irregularities and Illegal Acts
  P8 – Security Assessment ‐ Penetration Testing and Vulnerability Analysis
  P10 – Business Application Change Control
Source: ISACA®
Standards/Guidance (Continued)
Primary Focus
P1 – IS Risk Assessment Measurement Procedure. This procedure is designed to provide:
• A definition of IS audit risk assessment
• Guidance on the use of an IS audit risk assessment methodology for use by internal audit functions
• Guidance on the selection of risk ranking criteria and the use of weightings
Source: ISACA®
Thought for the Day
“If it's there and you can see it — it's real.
If it's not there and you can see it — it's virtual.
If it's there and you can't see it — it's transparent.
If it's not there and you can't see it — you erased it!”
Standards (Continued)
IIA Standard
• 2000 ‐ Managing the Internal Audit Activity
  – 2010 – Planning: The chief audit executive must establish risk‐based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Source: IIA ‐ International Professional Practices Framework (IPPF)
Standards (Continued)
IIA Standard
• 2000 ‐ Managing the Internal Audit Activity
  – 2010.A1 – Planning: The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
Source: IIA ‐ International Professional Practices Framework (IPPF)
Practice Advisory
IIA Practice Advisory
• 2120‐2 – Managing the Risk of the Internal Audit Activity ‐ Considerations (not all encompassing):
  – Periodic review of the Audit Universe
  – Periodic review of the Audit Plan
  – Effective planning
  – Relevant risk information is captured & communicated appropriately across the organization
Source: IIA ‐ International Professional Practices Framework (IPPF)
Risk & Consequences
“It doesn't work to leap a twenty‐foot chasm in two ten‐foot jumps.”
‐ American Proverb
Frameworks ‐ Examples
COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
Frameworks, Standards & Guidance
Risk IT – Three Domains (Risk Governance, Risk Evaluation, Risk Response)
COSO Cube
Has your organization adopted COSO as their risk framework?
Frameworks (Continued)
Global Technology Audit Guides (GTAG 1 ‐ 16)
http://www.theiia.org/guidance/standards‐and‐guidance/ippf/practice‐guides/
Guide to the Assessment of IT Risk (GAIT)
http://www.theiia.org/guidance/standards‐and‐guidance/ippf/practice‐guides/
Source: IIA – IPPF – Practice Guides
Frameworks (Continued)
• Project Management Body of Knowledge (PMBOK®) – Project Management Institute (PMI) ‐ http://www.pmi.org/PMBOK‐Guide‐and‐Standards.aspx
• Enterprise Architecture Standards (TOGAF) ‐ http://www3.opengroup.org/standards/ea
• ISO 31000 Risk Management Principles and Guidelines ‐ http://theirm.org/ISO31000guide.htm
Frameworks (Continued)
• Guide for Conducting Risk Assessments ‐ Draft – NIST SP 800‐30 – Revision 1 – September 2011 ‐ http://csrc.nist.gov/publications/drafts/800‐30‐rev1/SP800‐30‐Rev1‐ipd.pdf
• Committee of Sponsoring Organizations (COSO) ‐ http://www.coso.org/guidance.htm
Exercise # 1
Risk Assessment/Audit Planning Process
• Please refer to slides 3 – 86 & 101 ‐ 110 for Exercise 1
• This will be a group exercise with participants working in groups of 4‐6
• Upon conclusion of the exercise each group will briefly report out or share your group’s ideas/comments
• Please share your knowledge, experience & ideas
How Can You Use COBIT and Risk IT in the Risk Assessment Process
What are your ideas, approaches & opinions?
Using COBIT & Risk IT
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
Risk Management Basics
• Common language – Definitions
• Define what is needed for your organization
• Identify who is responsible
Risk Factors (Continued)
• Financial impact – 20%
• Management – 15%
• Audits/Past performance – 13%
• Internal controls – 12%
• Compliance/Regulatory issues – 10%
Risk Factors (Continued)
• Customer service/satisfaction – 10%
• Operational changes/complexity – 5%
• Special requests – 5%
• Public/Customer/Regulator perception – 5%
• Other – 5%
Risk Factors (Continued)
Other Examples
• Environmental factors
• Reporting
• Strategic
• Resource
Risk Factors (Continued)
P1 ‐ IS Risk Measurement Procedure
• Financial Risk
• Strategic Risk
• Operational Risk
• Legal/Compliance Risk
Source: ISACA – IT Audit & Assurance Tools and Techniques
Risk Factors (Continued)
Other Examples
• Reputation
• Fraud
• Social Media
• Outsourcing/Vendor
• Change/Change Management
Risk Factors (Continued)
Other Examples
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
Please share your ideas & experiences!
Risk Quote
“Behold the turtle. He makes progress only when he sticks his neck out.”
‐ James Bryant Conant, Educator, diplomat & chemist (1893 – 1978)
Risk Assessment / Management
• Identify & value assets
• Conduct threat assessment
• Perform a vulnerability assessment
• Calculate impact
• Evaluate controls & impact
Source: Wikipedia, the free encyclopedia
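The five steps above carried through on a small register, as an added example in Python that is not part of the session material. Everything about the model is an assumption chosen for illustration: asset value in currency units, likelihood and vulnerability on a 1..5 scale, control effectiveness on 0..1, controls treated as independent layers, and the sample assets, threats and controls themselves. The residual figures are then compared with a risk appetite the way the Risk Indicator definition earlier describes.

```python
"""Asset / threat / vulnerability risk assessment with residual risk.

Added example for the five steps on the slide (value assets, assess threats,
assess vulnerabilities, calculate impact, evaluate controls); it is not part
of the session material. The scales, the multiplicative treatment of control
layers, and the sample register are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE_MAX = 5  # likelihood and vulnerability are rated 1 (low) .. 5 (high)


@dataclass
class Asset:
    name: str
    value: float                # step 1: what the asset is worth to the business


@dataclass
class Threat:
    name: str
    likelihood: int             # step 2: 1 (rare) .. 5 (expected) per year


@dataclass
class Control:
    name: str
    effectiveness: float        # 0.0 (no effect) .. 1.0 (removes the exposure)


@dataclass
class Scenario:
    asset: Asset
    threat: Threat
    vulnerability: int          # step 3: 1 (hard to exploit) .. 5 (trivially exploited)
    controls: List[Control] = field(default_factory=list)

    def _check(self) -> None:
        for label, v in (("likelihood", self.threat.likelihood),
                         ("vulnerability", self.vulnerability)):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"{label} {v} outside 1..{SCALE_MAX}")
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"control {c.name!r} effectiveness {c.effectiveness} outside 0..1")

    def impact(self) -> float:
        """Step 4: the share of the asset value exposed if the threat is realised."""
        self._check()
        return self.asset.value * (self.vulnerability / SCALE_MAX)

    def inherent_risk(self) -> float:
        """Probability x consequence (the ISO/IEC Guide 73 definition), before controls."""
        return (self.threat.likelihood / SCALE_MAX) * self.impact()

    def residual_risk(self) -> float:
        """Step 5: what remains after each control removes its share of the exposure.

        Assumption: controls are independent layers, so a 0.5 control behind a
        0.5 control leaves 25% of the inherent risk.
        """
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return self.inherent_risk() * remaining


def risk_indicators(scenarios: List[Scenario], appetite: float,
                    tolerance: float = 0.0) -> List[Tuple[str, float]]:
    """Scenarios whose residual risk exceeds appetite plus the tolerated variation,
    highest first: these are the items that should drive the audit plan."""
    ceiling = appetite + tolerance
    hits = [(f"{s.threat.name} -> {s.asset.name}", round(s.residual_risk(), 2))
            for s in scenarios if s.residual_risk() > ceiling]
    return sorted(hits, key=lambda t: t[1], reverse=True)


# Constructed sample register (hypothetical assets, threats and controls).
SAMPLE_REGISTER = [
    Scenario(Asset("Customer loan database", 1_000_000),
             Threat("External attacker", likelihood=4), vulnerability=4,
             controls=[Control("MFA on admin access", 0.5),
                       Control("Encryption at rest", 0.5)]),
    Scenario(Asset("Payroll system", 200_000),
             Threat("Insider error", likelihood=3), vulnerability=2,
             controls=[Control("Segregation of duties", 0.6)]),
    Scenario(Asset("Public website", 50_000),
             Threat("Denial of service", likelihood=5), vulnerability=5),
]

if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(f"{s.threat.name:>18} -> {s.asset.name:<24} "
              f"inherent {s.inherent_risk():>10,.0f}  residual {s.residual_risk():>10,.0f}")
    print("exceeds appetite of 100,000:", risk_indicators(SAMPLE_REGISTER, appetite=100_000))
```

With the constructed numbers the loan database scenario starts at 640,000 inherent and ends at 160,000 residual after two 50%-effective controls, which still exceeds a 100,000 appetite and so would be the item carried into the audit plan; lowering the appetite to 40,000 also pulls in the uncontrolled website scenario.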
Risk Management
Does your organization have a mature risk management process?
What to Audit?
(Diagram: Organization → Audit Universe → Auditable Areas → Audit Plan)
Risk Assessment – Gathering Information
Where do you go from here?
Audit Planning
(Cycle diagram: Perform Risk Assessment → Compile → Analyze → Gap Analysis → List Audits → Annual Plan)
Risk Assessment Process to Facilitate Audit Planning
• Identify the timelines and estimated hours/resources to complete
• Establish the risk factors
• Receive input/buy‐in from the senior leadership/board
Process (Continued)
• Develop the process
• Establish an audit universe (confirm through input)
• Determine who, how & when input will be requested/received
• Identify how the information gathered will be summarized
Analyzing the Risk Data Collected
Combine & Focus
Different People Say the Same Thing Differently!
Process (Continued)
• Determine the reporting format
• Communicate key aspects of the process to board, management, key staff
• Identify who will gather the information
• Gather risk information (all sources)
• Develop a list of potential audit/review activities (include estimated hours to complete)
Process (Continued)
• Receive input on areas of expertise from IA team members
• Calculate the initial risk rating for each item in the universe
• Perform gap analysis on the universe risk ratings – follow‐up on significant items
Process (Continued)
• Compare audit risk assessment results with ERM – follow‐up on differences
• Compare/use the risk assessment results in development of the audit plan
• Communicate the risk assessment results in the audit plan
• Gather/update risk information on a continuing basis
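The weighted risk factors listed earlier (Financial impact 20% through Other 5%) and the rating, gap analysis, ERM comparison and plan development steps above fit together in one calculation. The following is an added example in Python, not a handout or tool from the session; the factor weights are the ones on the slides, while the auditable area names, their 1..5 factor ratings, the ERM ratings and the hour estimates are constructed for illustration.

```python
"""Weighted risk rating of an audit universe, gap check against ERM, and plan fill.

Added example, not from the session handouts. The factor weights are the ones
listed on the slides (Financial impact 20% ... Other 5%); the auditable areas,
their 1..5 factor ratings, the ERM ratings and the hour estimates are
constructed for illustration and are not from the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Risk factors and weights from the slides; they sum to 100.
FACTOR_WEIGHTS: Dict[str, int] = {
    "financial_impact": 20,
    "management": 15,
    "audits_past_performance": 13,
    "internal_controls": 12,
    "compliance_regulatory": 10,
    "customer_service": 10,
    "operational_change": 5,
    "special_requests": 5,
    "perception": 5,
    "other": 5,
}
assert sum(FACTOR_WEIGHTS.values()) == 100

RATING_MIN, RATING_MAX = 1, 5   # each factor is rated 1 (low) .. 5 (high)


@dataclass
class AuditableArea:
    name: str
    ratings: Dict[str, int]             # factor -> 1..5 from the risk assessment input
    erm_rating: Optional[float] = None  # ERM's own 1..5 view of the same area, if any
    est_hours: int = 0                  # estimated hours to audit the area


def weighted_score(ratings: Dict[str, int]) -> float:
    """Composite score = sum(weight * rating) / 100, which stays on the 1..5 scale."""
    missing = set(FACTOR_WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"ratings missing for factors: {sorted(missing)}")
    for factor, value in ratings.items():
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{factor} rating {value} outside {RATING_MIN}..{RATING_MAX}")
    return sum(FACTOR_WEIGHTS[f] * ratings[f] for f in FACTOR_WEIGHTS) / 100.0


def rank_universe(areas: List[AuditableArea]) -> List[Tuple[str, float]]:
    """(name, score) pairs, highest risk first: the initial rating of every universe item."""
    scored = [(a.name, round(weighted_score(a.ratings), 2)) for a in areas]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def gap_analysis(areas: List[AuditableArea], tolerance: float = 1.0) -> List[Tuple[str, float]]:
    """Areas where IA's score and the ERM rating differ by more than `tolerance` points.

    A positive difference means IA rates the area higher than ERM does; these are the
    'significant items' to follow up on before the plan is compiled.
    """
    gaps = []
    for a in areas:
        if a.erm_rating is None:
            continue
        diff = weighted_score(a.ratings) - a.erm_rating
        if abs(diff) > tolerance:
            gaps.append((a.name, round(diff, 2)))
    return gaps


def select_for_plan(areas: List[AuditableArea], available_hours: int) -> Tuple[List[str], List[str]]:
    """Fill the annual plan from the top of the ranking while hours remain; the rest is
    the contingency list that accompanies the proposed plan."""
    by_score = sorted(areas, key=lambda a: weighted_score(a.ratings), reverse=True)
    planned, contingency, used = [], [], 0
    for a in by_score:
        if used + a.est_hours <= available_hours:
            planned.append(a.name)
            used += a.est_hours
        else:
            contingency.append(a.name)
    return planned, contingency


def _uniform(rating: int) -> Dict[str, int]:
    return {f: rating for f in FACTOR_WEIGHTS}


# Constructed sample universe (hypothetical areas, ratings and hours).
SAMPLE_UNIVERSE = [
    AuditableArea("Loan servicing platform",
                  {**_uniform(3), "financial_impact": 5, "internal_controls": 4,
                   "compliance_regulatory": 5}, erm_rating=4.0, est_hours=400),
    AuditableArea("Payroll", {**_uniform(2), "financial_impact": 4},
                  erm_rating=2.0, est_hours=200),
    AuditableArea("Vendor management",
                  {**_uniform(3), "audits_past_performance": 5, "operational_change": 4},
                  erm_rating=1.5, est_hours=250),
    AuditableArea("Facilities", _uniform(1), erm_rating=1.0, est_hours=100),
]

if __name__ == "__main__":
    for name, score in rank_universe(SAMPLE_UNIVERSE):
        print(f"{score:4.2f}  {name}")
    print("gaps vs ERM:", gap_analysis(SAMPLE_UNIVERSE))
    print("plan / contingency:", select_for_plan(SAMPLE_UNIVERSE, available_hours=700))
```

The gap check is the part worth keeping: with these constructed inputs vendor management scores 3.31 in IA's assessment against an ERM rating of 1.5, which is exactly the kind of difference the process asks you to follow up on before it silently decides what makes the plan.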
Risks are not Always Evident
How to Identify Key Risks? Awareness, Relationships, Research, Business Acumen!
Overwhelming Information
How to make the information gathered manageable?
Future Risks
Consider Strategic & Reputation risks equally or with greater emphasis than Operational & Compliance risks!
Business Shark
Be Careful of People that Share Info about all other Areas than the one where they have Responsibility!
Tips
Please refer to the handouts identified as Risk Assessment information/examples!
Handouts
Risk Assessment Process
1) Risk Assessment/Audit Planning Schedule
2) Risk Assessment Overview
3) Risk Assessment – Risk Factors
4) Risk Assessment Audit Committee/Board of Directors Input Letter Request
Handouts (Continued)
Risk Assessment Process
5) Risk Assessment Input Form ‐ Board
6) Risk Assessment Management/Staff Input Letter Request
7) Risk Assessment Input Form – Management
Exercise # 2
Risk Assessment/Information Gathering
• Please refer to slides 3 – 86 & 101 ‐ 110 for Exercise 2
• This will be a group exercise with participants working in groups of 4‐6
• Upon conclusion of the exercise each group will briefly report out or share your group’s ideas/comments
• Please share your knowledge, experience & ideas
Preparation
Involve the audit team as much as possible to increase the plan quality input & promote buy‐in!
Annual Audit Plan
• Team based development
• Addresses the top areas in the risk universe
• Objective
• Subjective
• Fluid
Audit Planning (Continued)
If you feel comfortable about the risk assessment and audit plan you probably don’t have enough information – please remember this is not an exact science!
Changing Audit Universe
• What changes have you made to your audit universe? Has your approach changed?
• Has the number of auditable areas in your universe increased, decreased or stayed the same over the last 3 years?
• How do you use your organization's Enterprise Risk Management (ERM) and Business Impact Analysis (BIA) information in relation to annual audit planning?
Risk‐Based Auditing
• What percent of your audits are risk‐based assurance audits?
• Consulting engagements?
• Management requests?
• Board/Audit Committee requests?
• Do you perform the same audit(s) each year no matter the results during the prior audit?
Risk Assessment
• How do you gather information? What is your process?
• Who do you receive input from during your annual risk assessment process?
• What percent of your audit universe/auditable areas are covered in your audit plan?
Audit Planning
• What process do you follow to condense the risk assessment input and map it to specific audit areas?
• Do you establish budgeted hours for each IT audit during the development of the annual audit plan?
• Do you provide a list of potential audits/contingency audits with the proposed IT audit plan?
Audit Services
What audit services do you provide?
Audit Services
• Assurance Engagements
• Consulting/Advisory Engagements
• Special Projects
• Evaluation Teams (without decision‐making responsibilities)
• Project Team/Board (ex officio)
• General Training/Awareness Activities
Audit Services ‐ Other
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
• _____________________________________
Tips/Lessons Learned
• KISS (Simple)
• Time box the gathering process
• Remember the risk assessment contributes to the audit process; it is not the end result
• Develop relationships to improve input
Tips (Continued)
• Have the total team participate
• Revise the process to improve the input/quality of information received
• Be persistent
• Gather info whenever/wherever it is provided/available
• Remember this is Internal Audit’s risk assessment based on all relevant info available
Tips (Continued)
• Provide awareness/explain the process when opportunities arise
• Make the process a win‐win
• Make small improvements annually unless the process has significant identified flaws
• Provide information/awareness & gather information throughout the year (e.g. include on the IA website)
102
Tips (Continued)
• Receive input from all levels of the organization
• Use a simple numbering process
• Include future programs, initiatives, issues
• Communicate how audit universe coverage will be accomplished without audits planned
103
Tips (Continued)
• Benchmark/compare the process with other like entities for improvement
• Maintain the confidentiality of input, if possible
104
Tips – Information Gathering
• Business Impact Analysis
• GLB Privacy Risk Assessment
• Trade Publications
• Facilitated Sessions
105
Tips – Gathering (Continued)
• PEST Analysis
– Political
– Economic
– Social
– Technological
106
Tips – Gathering (Continued)
• Brainstorming (Other Critical Thinking Techniques)
– Internal Audit Team
– Business Partners
– Key Stakeholders
– Peers
– Industry groups
107
Tips – Gathering (Continued)
• Strategic Planning
• Competitors
• Turnover
• Legislation
• IT Research Firms (e.g. Gartner, Forrester, McKinsey & Company, Deloitte, Accenture, etc.)
108
Tips – Gathering (Continued)
• SWOT
– Strengths
– Weaknesses
– Opportunities
– Threats
109
Sample – Audit Plan Narrative
Please see Handout #8
110
Exercise # 3
Audit Planning Process ‐ Optional
• Please refer to slides 3 – 89 & (91 – 111 focus) for Exercise 3
• This will be a group exercise with participants working in groups of 4‐6
• Upon conclusion of the exercise each group will briefly report out or share the group’s ideas/comments
• Please share your knowledge, experience & ideas
112
How Audit Can Help With ERM?
• Serve as an advocate for risk management
• Share information on organizational risks
• Provide input as a process is established
113
Help with ERM (Continued)
• Assist with benchmarking & providing reference materials
• Participate in organizational awareness/training for risk identification/reduction
• Review the risk management/ERM process
• Determine that ERM is maintained as per policies/procedures
114
Help with ERM (Continued)
• Audit/validate risk results for reasonableness
• Review the risk response activities to determine that they have the desired impact to reduce risk
• Determine that risk results are appropriately reported (Executive Management & Board)
115
Something to Consider!
It is all right to forget your mistakes
If you remember their lessons
– Anonymous
116
Audit Program
Risk Management
Objective/Scope
• Insurance
• Health & Safety
• Regulatory
• Business Continuity Planning
• Risk Management/Enterprise Risk Management
• Information Security
• Training/Awareness
Audit Program/Steps (Continued)
• Planning – identify primary risks
• Identify, review & summarize primary organizational information
– Corporate policies/procedures
– Status reporting
– Performance measures
– Strategic planning information
– Insurance policies/coverage
– Human resource policies
– Health & safety information
– Training & awareness information
118
Audit Program/Steps (Continued)
• Identify, review & summarize primary organizational information
– Information security
– Privacy
– Communication/reputation
– Other
• Identify who to interview
• Identify who to survey
119
Audit Program/Steps (Continued)
• Potential interview/survey questions
– What do you see as the top (2‐5) organizational risks over the next 1‐3 years?
– Identify primary (2‐5) risk management activities you see occurring
– Strengths related to risk management
– Opportunities for improvement
– How is risk management success measured within the organization?
120
Audit Program/Steps (Continued)
• Identify the primary organizational risk management processes
• Receive a walk‐through for 3‐5 of the primary risk management processes
• Flowchart the processes
• List the primary controls
121
Audit Program/Steps (Continued)
• Test (2‐5) of the primary controls
• Document the testwork methodology
– List test objective/purpose
– Identify the test population
– Select the sample method
– Identify the test steps
– Extend testwork if necessary
– Conclude on the testwork results
122
Audit Program/Steps (Continued)
• Testwork ‐ Potential Test Areas
– Insurance
– Training & awareness
– Reporting
– Identification/monitoring of high risk areas
– Ethics/governance
– Other
123
Audit Program/Steps (Continued)
• Perform benchmarking/leading practices research & analysis
– Identify resources/reference materials
– Develop schedule of common best practices for inclusion in the report as an appendix
– Compare benchmarking results with the information review & testwork results
124
Reference Materials
Please see the separate handout!
125
Questions & Contact Information
Phil Flora
(512) 963‐4954 ‐ Mobile
126
Collaborate – Contribute – Connect
• www.isaca.org/knowledge-center
• The Knowledge Center is a collection of resources and online communities that connect ISACA members – globally, across industries and by professional focus – under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!