Transcript of Developing a Risk‐based Audit Plan, Session 121

© FloBiz & Associates, LLC

Developing a Risk‐based Audit Plan

May 7, 2012, 1:30 – 5:00 pm

Session 121

Philip E. Flora, CISA, CIA, CCSA, CFE

Principal

FloBiz & Associates, LLC

SPEAKER BIOGRAPHY

Phil Flora, CISA, is the principal/managing member for FloBiz & Associates LLC, a company that provides training, internal audit and consulting services. He was the chief audit executive (CAE) at a not-for-profit public corporation for over 16 years. His experience includes banking, public accounting and cost accounting. He also has over 30 years of auditing/management experience.

In his 16 years as the CAE for Texas Guaranteed Student Loan Corporation (TG), Flora was responsible for the maintenance/development of the internal audit function, which included leadership, risk assessment/audit planning, communication with management/board, staff hiring/development and other administrative/operational activities. He transformed the function to enable audit coverage of the total organization. In cooperation with two other CAEs he developed an internal audit leadership development program that assisted in the development of over 30 future audit leaders.

Session Objectives

• Identify standards related to risk assessment and audit planning

• Provide risk management framework examples for application/use in identifying organizational risks

• Determine ways that COBIT and Risk IT can be used to facilitate the risk assessment process

Session Objectives (Continued)

• Identify challenges & opportunities in the information gathering process

• Provide risk assessment/audit planning process/steps for the total audit universe

• Determine methods/approaches to communicate audit planning process results for review/approval

• Provide reference materials for future use

Today's Environment

Global Financial Challenges

Organizations asked to do More with Less!

Control Changes to meet Business needs

High Unemployment

Audit/IT Audit Role expanding

Information Security & Privacy continue as a focus

Ethical Environment Is a Must!

Should the Audit focus change from Compliance to Strategic Risks?

Pressures to meet Performance Expectations

Risk Management Critical to Success

Risk

What is it?

Risk

What Does it Look Like?

Risk

How do you Deal with It?

Risk

What is Your Organization’s Risk Appetite?

Risk Information Gathering

How much is enough information?

Risk Assessment Input

How can I get your input?

Training, Awareness, Relationships & Tone at the Top!

Information Gathering

Interviews

Open‐Ended, Closed‐Ended, Time Boxed, Leading?

Listening

It’s hard to learn while you are talking.

Unknown

Nuggets of Gold

What are they? How do you get them?

Building Relationships

Gathering Valuable Risk Information!

Potential Risk Treatments

• Risk Avoidance ‐ Includes not performing an activity that could carry risk.

• Risk Mitigation/Reduction ‐ Involves methods that reduce the severity of the loss.

• Risk Acceptance/Retention ‐ Involves accepting the loss when it occurs.

• Risk Transfer ‐ Means causing another party to accept the risk, typically by contract or by hedging.

Source: Wikipedia, the free encyclopedia

Risk Assessment Process

[Diagram: Risk Assessment Process, with the elements Risk, Input, Understanding, Analysis, Support and Plan, spanning the Technical and Business perspectives]

Definitions (Continued)

Audit Plan (Engagement)

1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.

Scope Notes: Includes the areas to be audited, the type of work planned, the high‐level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.

2. A high‐level description of the audit work to be performed in a certain period of time.

Source: ISACA Glossary – Knowledge Center

Annual Audit Plan

The plan that is developed annually (possibly updated more frequently based on significant business/organizational conditions). It is reviewed/discussed with Executive Management and approved by the Audit Committee/Board of Directors. The plan is based on the results of the annual Internal Audit risk assessment and the audit resources available (that includes co‐sourcing or outsourcing) based on IA expertise and primary risks.

Definitions (Continued)

Risk

The combination of the probability of an event and its consequence. (ISO/IEC 73)

Source: ISACA Glossary – Knowledge Center

• Consider the Probability & Impact

Risk ‐ Defined

• A probability or threat of a damage, injury, liability, loss or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action.

Source: http://www.businessdictionary.com/definition/risk.html

Risk (Continued)

• Risk ‐ The effect of uncertainty on objectives.

• Assurance – A process that provides a level of confidence that objectives will be achieved within an acceptable level of risk.

Source: ISO 31000:2009

Definitions (Continued)

Risk Assessment

A process used to identify and evaluate risk and its potential effects.

Scope Notes: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

Risk Culture

The set of shared values and beliefs that governs attitudes toward risk‐taking, care and integrity, and determines how openly risk and losses are reported and discussed.

Risk Appetite

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

Risk Management

The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)

Source: ISACA Glossary – Knowledge Center

Risk/Change ‐ Quote

“Never be afraid to try, remember… Amateurs built the ark. Professionals built the Titanic.”

‐‐‐ Unknown

Risk (Continued)

• Enterprise Risk Management (ERM) – ERM is a term in common use. COSO has defined it as: ‘a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’

Source: ERM COSO ‐ 2004

Definitions (Continued)

Risk Factor

A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT‐related events/scenarios.

Residual risk

The remaining risk after management has implemented a risk response (e.g. control applied).

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

Risk Analysis

1. A process by which frequency and magnitude of IT risk scenarios are estimated.

2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

Scope Notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

Risk Indicator

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

Risk tolerance

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

Threat

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

Scope Notes: A potential cause of an unwanted incident (ISO/IEC 13335)

Vulnerability

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

Source: ISACA Glossary – Knowledge Center

Definitions (Continued)

COBIT

A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT‐related practices.

Source: ISACA Glossary – Knowledge Center

Standards – Risk Related

• ISACA

S4 – Competence

S5 – Planning (Risk‐based)

S6 – Performance of Audit Work

S7 ‐ Reporting

Source: ISACA® ‐ IT Audit & Assurance Standards, Guidelines, & Tools/Techniques

Standards/Guidelines (Continued)

S9 – Irregularities & Illegal Acts

S10 ‐ IT Governance

S11 ‐ Use of Risk Assessment in Audit Planning

S15 ‐ IT Controls

Guidelines

G2 ‐ Audit Evidence Requirements

G3 – Use of Computer Assisted Audit Techniques (CAATs)

Source: ISACA®

Standards/Guidelines (Continued)

ISACA

G4 – Outsourcing of IS Activities to Other Organisations

G6 – Materiality Concepts for Auditing Information Systems

G8 – Audit Documentation

G9 – Audit Considerations for Irregularities & Illegal Acts

Source: ISACA®

Standards/Guidelines (Continued)

ISACA

G10 ‐ Audit Sampling

G11 – Effect of Pervasive IS Controls

G13 ‐ Use of Risk Assessment in Audit Planning

G14 – Application Systems Review

G15 ‐ Audit Planning Revised (Risk based)

Source: ISACA®

Standards/Guidance (Continued)

ISACA

G18 ‐ IT Governance

G20 – Reporting

G21 – Enterprise Resource Planning (ERP) Systems Review

G23 – System Development Life Cycle (SDLC) Reviews

Source: ISACA®

Standards/Guidance (Continued)

ISACA

G30 – Competence

G32 – Business Continuity Plan (BCP) From IT Perspective

G34 – Responsibility, Authority and Accountability

G38 ‐ Access Controls

Source: ISACA®

Standards/Guidance (Continued)

ISACA

G39 – IT Organisation

G40 – Review of Security Management Practices

P1 ‐ IS Risk Assessment

P5 ‐ Control Risk Self‐assessment

Source: ISACA®

Standards/Guidance (Continued)

ISACA

P7 – Irregularities and Illegal Acts

P8 – Security Assessment ‐ Penetration Testing and Vulnerability Analysis

P10 – Business Application Change Control

Source: ISACA®

Standards/Guidance (Continued)

Primary Focus

P1 – IS Risk Assessment Measurement Procedure

This procedure is designed to provide:

• A definition of IS audit risk assessment

• Guidance on the use of an IS audit risk assessment methodology for use by internal audit functions

• Guidance on the selection of risk ranking criteria and the use of weightings

Source: ISACA®

Thought for the Day

If it's there and you can see it — it's real.

If it's not there and you can see it — it's virtual.

If it's there and you can't see it — it's transparent.

If it's not there and you can't see it — you erased it!

Standards (Continued)

IIA Standard

• 2000 ‐ Managing the Internal Audit Activity

– 2010 – Planning

The chief audit executive must establish risk‐based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Source: IIA ‐ International Professional Practices Framework (IPPF)

Standards (Continued)

IIA Standard

• 2000 ‐ Managing the Internal Audit Activity

– 2010.A1 – Planning

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Source: IIA ‐ International Professional Practices Framework (IPPF)

Practice Advisory (Continued)

IIA Practice Advisory

• 2120‐2 – Managing the Risk of the Internal Audit Activity

‐ Considerations (not all encompassing)

• Periodic review of the Audit Universe

• Periodic review of the Audit Plan

• Effective planning

• Relevant risk information is captured & communicated appropriately across the organization

Source: IIA ‐ International Professional Practices Framework (IPPF)

Risk & Consequences

It doesn't work to leap a twenty‐foot chasm in two ten‐foot jumps.

American Proverb

Frameworks ‐ Examples

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT

Frameworks, Standards & Guidance

Risk IT – Three Domains

Risk IT, Val IT & COBIT®

COSO Cube

Has your organization adopted COSO as their risk framework?

Frameworks (Continued)

Global Technology Audit Guides (GTAG 1 ‐ 16)

http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/

Guide to the Assessment of IT Risk (GAIT)

http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/

Source: IIA – IPPF – Practice Guides

Frameworks (Continued)

• Project Management Body of Knowledge (PMBOK®) – Project Management Institute (PMI) ‐ http://www.pmi.org/PMBOK-Guide-and-Standards.aspx

• Enterprise Architecture Standards (TOGAF) ‐ http://www3.opengroup.org/standards/ea

• ISO 31000 Risk Management Principles and Guidelines ‐ http://theirm.org/ISO31000guide.htm

Frameworks (Continued)

• Guide for Conducting Risk Assessments ‐ Draft – 800‐30 – Revision 1 – September 2011 ‐ http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

• Committee of Sponsoring Organizations (COSO) ‐ http://www.coso.org/guidance.htm

Exercise # 1

Risk Assessment/Audit Planning Process

• Please refer to slides 3 – 86 & 101 ‐ 110 for Exercise 1

• This will be a group exercise with participants working in groups of 4‐6

• Upon conclusion of the exercise each group will briefly report out or share your group’s ideas/comments

• Please share your knowledge, experience & ideas

How Can You Use COBIT and Risk IT in the Risk Assessment Process

What are your ideas, approaches & opinions?

Using COBIT & Risk IT

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

Using COBIT & Risk IT (Continued)

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

Risk Management Basics

• Common language – Definitions

• Define what is needed for your organization

• Identify who is responsible

Risk Assessment

Art? Science?

Risk Factors (Continued)

• Financial impact – 20%

• Management – 15%

• Audits/Past performance – 13%

• Internal controls – 12%

• Compliance/Regulatory issues – 10%

Risk Factors (Continued)

• Customer service/satisfaction – 10%

• Operational changes/complexity – 5%

• Special requests – 5%

• Public/Customer/Regulator perception – 5%

• Other – 5%

Risk Factors (Continued)

Other Examples

• Environmental factors

• Reporting

• Strategic

• Resource

Risk Factors (Continued)

P1 ‐ IS Risk Measurement Procedure

• Financial Risk

• Strategic Risk

• Operational Risk

• Legal/Compliance Risk

Source: ISACA – IT Audit & Assurance Tools and Techniques

Risk Factors (Continued)

Other Examples

• Reputation

• Fraud

• Social Media

• Outsourcing/Vendor

• Change/Change Management

Risk Factors (Continued)

Other Examples

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

Please share your ideas & experiences!

Risk Quote

“Behold the turtle. He makes progress only when he sticks his neck out.”

James Bryant Conant, Educator, diplomat & chemist (1893 – 1978)

Where Do We Go From Here?

Risk Assessment / Management

• Identify & value assets

• Conduct threat assessment

• Perform a vulnerability assessment

• Calculate impact

• Evaluate controls & impact

Source: Wikipedia, the free encyclopedia

Risk Management

Does your organization have a mature risk management process?

Which Animal Poses a Greater Risk?

What to Audit?

[Diagram: Organization, Auditable Areas, Audit Universe & Audit Plan]

Risk Assessment – Gathering Information

Where do you go from here?

Audit Planning

[Diagram: Audit Planning cycle with the steps Perform RA, Compile, Analyze, Gap Analysis, Plan, List Audits and Annual Plan]

Risk Assessment Process to Facilitate Audit Planning

• Identify the timelines and estimated hours/resources to complete

• Establish the risk factors

• Receive input/buy‐in from the senior leadership/board

Process (Continued)

• Develop the process

• Establish an audit universe (confirm through input)

• Determine who, how & when input will be requested/received

• Identify how the information gathered will be summarized

Analyzing the Risk Data Collected

Combine & Focus

Different People Say the Same Thing Differently!

Process (Continued)

• Determine the reporting format

• Communicate key aspects of the process to board, management, key staff

• Identify who will gather the information

• Gather risk information (all sources)

• Develop a list of potential audit/review activities (include estimated hours to complete)

Process (Continued)

• Receive input on areas of expertise from IA team members

• Calculate the initial risk rating for each item in the universe

• Perform gap analysis on the universe risk ratings – follow‐up on significant items

Process (Continued)

• Compare audit risk assessment results with ERM – follow‐up on differences

• Compare/use the risk assessment results in development of the audit plan

• Communicate the risk assessment results in the audit plan

• Gather/update risk information on a continuing basis
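As an added illustration of the process steps above (calculate an initial risk rating per universe item, gap-check it against ERM, and carry the results into the audit plan), the Python below is example code written for this transcript and is not part of the session material or its handouts. It uses the ten risk factors and weights from the Risk Factors slides; the 1–5 scoring scale, the auditable areas and their factor scores, the ERM ratings, the hour estimates and the 1.0-point gap threshold are all constructed assumptions.

```python
"""Weighted risk rating for an audit universe (added example, not from the slides).

Rates each auditable area with the factor weights the deck lists, ranks the
universe, flags gaps against ERM ratings for follow-up, and fills the annual
plan in rank order against the hours available. All sample data is constructed.
"""

# Risk factors and weights from the Risk Factors slides (percent; they sum to 100).
RISK_FACTOR_WEIGHTS = {
    "Financial impact": 20,
    "Management": 15,
    "Audits/Past performance": 13,
    "Internal controls": 12,
    "Compliance/Regulatory issues": 10,
    "Customer service/satisfaction": 10,
    "Operational changes/complexity": 5,
    "Special requests": 5,
    "Public/Customer/Regulator perception": 5,
    "Other": 5,
}

SCALE_MIN, SCALE_MAX = 1, 5  # assumed per-factor score scale (1 = low risk, 5 = high)


def risk_rating(scores):
    """Weighted average of the factor scores, expressed on the same 1-5 scale.

    Every factor must be scored and in range: a missing or out-of-range score
    would silently bias the rating, so it is rejected rather than defaulted.
    """
    missing = set(RISK_FACTOR_WEIGHTS) - set(scores)
    unknown = set(scores) - set(RISK_FACTOR_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    for factor, score in scores.items():
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{factor}: score {score} outside {SCALE_MIN}-{SCALE_MAX}")
    weighted = sum(RISK_FACTOR_WEIGHTS[f] * scores[f] for f in RISK_FACTOR_WEIGHTS)
    return weighted / sum(RISK_FACTOR_WEIGHTS.values())


def rank_universe(universe):
    """Return [(area, rating)] sorted highest risk first; ties broken by area name."""
    ratings = {area: risk_rating(scores) for area, scores in universe.items()}
    return sorted(ratings.items(), key=lambda item: (-item[1], item[0]))


def gap_analysis(ia_ratings, erm_ratings, threshold=1.0):
    """Follow-up items: areas whose Internal Audit rating differs from the ERM
    rating by at least `threshold`, or which ERM does not rate at all."""
    gaps = []
    for area, ia in ia_ratings.items():
        erm = erm_ratings.get(area)
        if erm is None:
            gaps.append((area, ia, None, "not rated by ERM"))
        elif abs(ia - erm) >= threshold:
            gaps.append((area, ia, erm, "rating differs from ERM"))
    return gaps


def build_plan(ranked, estimated_hours, available_hours):
    """Fill the plan in rank order while hours remain; areas that do not fit
    become the contingency list. Returns (plan, contingency, unallocated hours)."""
    plan, contingency, remaining = [], [], available_hours
    for area, _rating in ranked:
        hours = estimated_hours[area]
        if hours <= remaining:
            plan.append(area)
            remaining -= hours
        else:
            contingency.append(area)
    return plan, contingency, remaining


def _scores(*values):
    """Map ten scores onto the factors in the order the weights are listed."""
    return dict(zip(RISK_FACTOR_WEIGHTS, values))


# Constructed sample audit universe, ERM ratings and hour estimates (assumptions).
SAMPLE_UNIVERSE = {
    "Identity and access management": _scores(4, 2, 5, 3, 4, 2, 5, 3, 4, 3),
    "Payroll": _scores(5, 3, 2, 4, 4, 2, 2, 1, 3, 2),
    "Facilities": _scores(2, 2, 1, 2, 2, 1, 1, 1, 1, 1),
}
SAMPLE_ERM_RATINGS = {"Identity and access management": 3.5, "Payroll": 2.0}
SAMPLE_HOURS = {"Identity and access management": 400, "Payroll": 250, "Facilities": 120}


def run_sample(available_hours=700):
    """Run the three steps on the constructed sample and return their results."""
    ranked = rank_universe(SAMPLE_UNIVERSE)
    gaps = gap_analysis(dict(ranked), SAMPLE_ERM_RATINGS)
    plan, contingency, remaining = build_plan(ranked, SAMPLE_HOURS, available_hours)
    return ranked, gaps, plan, contingency, remaining


if __name__ == "__main__":
    ranked, gaps, plan, contingency, remaining = run_sample()
    for area, rating in ranked:
        print(f"{rating:.2f}  {area}")
    for area, ia, erm, reason in gaps:
        print(f"follow-up: {area} (IA {ia:.2f}, ERM {erm}): {reason}")
    print("plan:", plan, "contingency:", contingency, "unallocated hours:", remaining)
```

With the constructed data the ratings come out 3.46 (identity and access management), 3.19 (payroll) and 1.57 (facilities); payroll is a follow-up item because ERM rates it 2.0, facilities because ERM has no rating for it, and with 700 hours the first two areas make the plan while facilities goes on the contingency list. The gap step is the point of the exercise: a large difference between Internal Audit's rating and ERM's is information to chase, not an error to average away.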


Risks are not Always Evident

How to Identify Key Risks?

Awareness, Relationships, Research, Business Acumen!

Who to Survey? Interview?

Overwhelming Information

How to make the information gathered manageable?

Future Risks

Consider Strategic & Reputation risks equally or with greater emphasis than Operational & Compliance risks!

Business Shark

Be Careful of People that Share Info about all other Areas than the one where they have Responsibility!

Value of Information

Information

What? Why? When?

Tips

Please refer to the handouts identified as Risk Assessment information/examples!

Handouts

Risk Assessment Process

1) Risk Assessment/Audit Planning Schedule

2) Risk Assessment Overview

3) Risk Assessment – Risk Factors

4) Risk Assessment Audit Committee/Board of Directors Input Letter Request

Handouts (Continued)

Risk Assessment Process

5) Risk Assessment Input Form ‐ Board

6) Risk Assessment Management/Staff Input Letter Request

7) Risk Assessment Input Form – Management

Exercise # 2

Risk Assessment/Information Gathering

• Please refer to slides 3 – 86 & 101 ‐ 110 for Exercise 2

• This will be a group exercise with participants working in groups of 4‐6

• Upon conclusion of the exercise each group will briefly report out or share your group’s ideas/comments

• Please share your knowledge, experience & ideas

Preparation

Involve the audit team as much as possible to increase the plan quality input & promote buy‐in!

Annual Audit Plan

• Team based development

• Addresses the top areas in the risk universe

• Objective

• Subjective

• Fluid

Audit Planning (Continued)

If you feel comfortable about the risk assessment and audit plan you probably don’t have enough information – please remember this is not an exact science!

Changing Audit Universe

• What changes have you made to your audit universe? Has your approach changed?

• Has the number of auditable areas in your universe increased, decreased or stayed the same over the last 3 years?

• How do you use your organization's Enterprise Risk Management (ERM) and Business Impact Analysis (BIA) information in relation to annual audit planning?

Risk‐Based Auditing

• What percent of your audits are risk‐based assurance audits?

• Consulting engagements?

• Management requests?

• Board/Audit Committee requests?

• Do you perform the same audit(s) each year no matter the results during the prior audit?

Risk Assessment

• How do you gather information? What is your process?

• Who do you receive input from during your annual risk assessment process?

• What percent of your audit universe/auditable areas are covered in your audit plan?

Audit Planning

• What process do you follow to condense the risk assessment input and map it to specific audit areas?

• Do you establish budgeted hours for each IT audit during the development of the annual audit plan?

• Do you provide a list of potential audits/contingency audits with the proposed IT audit plan?

96
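The Risk Assessment and Audit Planning slides above ask how risk-assessment input is condensed and mapped to auditable areas, whether hours are budgeted per audit, whether a contingency list accompanies the proposed plan, and what percent of the audit universe the plan covers. The following Python script is an added example, not material from the presentation or from FloBiz & Associates. It assumes a hypothetical scoring scheme (1 to 5 likelihood and impact scores from several contributors, impact weighted 0.6 and likelihood 0.4, plus a staleness factor for years since the last audit) and a constructed six-area IT audit universe; the area numbers, names, scores, weights and hours are all assumptions. It ranks the universe, fills the plan against the available hours, and reports coverage and the contingency list.

```python
# Added example (not from the presentation): a simple numbering/scoring
# process that turns risk-assessment input into a ranked audit plan.
# Scale, weights and the sample universe below are assumptions.
from dataclasses import dataclass
from statistics import mean


@dataclass
class AuditableArea:
    number: str                 # simple numbering scheme, e.g. "IT-03"
    name: str
    likelihood: list            # 1 (low) .. 5 (high), one score per contributor
    impact: list                # same scale, one score per contributor
    years_since_last_audit: int
    budget_hours: int           # hours budgeted if the audit is planned

    def risk_score(self) -> float:
        # Average each contributor group, weight impact above likelihood,
        # then add a staleness factor (capped at 4 years) so areas that
        # have not been audited for a long time do not drop off the radar.
        base = 0.4 * mean(self.likelihood) + 0.6 * mean(self.impact)
        return round(base + 0.25 * min(self.years_since_last_audit, 4), 2)


# Constructed sample universe (illustrative only, not a real organization).
SAMPLE_UNIVERSE = [
    AuditableArea("IT-01", "Identity & access management", [4, 5, 4], [5, 5, 4], 2, 300),
    AuditableArea("IT-02", "Change management",            [3, 3, 4], [4, 4, 4], 1, 250),
    AuditableArea("IT-03", "Business continuity / DR",     [2, 3, 3], [5, 4, 5], 4, 350),
    AuditableArea("IT-04", "Third-party / vendor risk",    [3, 4, 3], [3, 4, 3], 5, 200),
    AuditableArea("IT-05", "Privacy (GLB)",                [2, 2, 3], [4, 4, 5], 0, 300),
    AuditableArea("IT-06", "Help desk operations",         [2, 2, 2], [2, 2, 2], 3, 150),
]


def build_plan(universe, available_hours):
    """Rank the universe by risk score and fill the plan in that order.

    Returns (planned, contingency, hours_used, coverage), where coverage is
    the fraction of auditable areas that made it into the plan. Areas that
    do not fit in the available hours become the contingency list that is
    offered alongside the proposed plan.
    """
    ranked = sorted(universe, key=lambda a: a.risk_score(), reverse=True)
    planned, contingency, used = [], [], 0
    for area in ranked:
        if used + area.budget_hours <= available_hours:
            planned.append(area)
            used += area.budget_hours
        else:
            contingency.append(area)
    coverage = round(len(planned) / len(universe), 3)
    return planned, contingency, used, coverage


def plan_report(universe=SAMPLE_UNIVERSE, available_hours=1200):
    """Return the plan as plain data so it can be pasted into a plan narrative."""
    planned, contingency, used, coverage = build_plan(universe, available_hours)
    return {
        "planned": [(a.number, a.risk_score(), a.budget_hours) for a in planned],
        "contingency": [(a.number, a.risk_score()) for a in contingency],
        "hours_used": used,
        "hours_available": available_hours,
        "coverage": coverage,
    }


if __name__ == "__main__":
    report = plan_report()
    print("Planned audits (number, score, hours):")
    for row in report["planned"]:
        print("  ", row)
    print("Contingency:", report["contingency"])
    print(f"Hours used {report['hours_used']} of {report['hours_available']}, "
          f"coverage {report['coverage']:.0%} of the audit universe")
```

Two design points are worth noting when adapting this to a real universe. The staleness factor is what lets the plan answer the "do you audit the same areas every year" question honestly: it pushes long-unaudited areas up even when their current scores are modest. And the greedy fill skips an area that does not fit and keeps going, so a small, lower-ranked audit can be planned while a larger, higher-ranked one lands on the contingency list; that is the right behaviour for a contingency list, but the narrative should say so, since it is exactly the kind of choice an audit committee will ask about.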

Audit Services

What audit services do you provide?

97

Audit Services

• Assurance Engagements

• Consulting/Advisory Engagements

• Special Projects

• Evaluation Teams (without decision-making responsibilities)

• Project Team/Board (ex officio)

• General Training/Awareness Activities

98

Audit Services - Other

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

• _____________________________________

99

Tips/Lessons Learned

• KISS (keep it simple)

• Time-box the gathering process

• Remember the risk assessment contributes to the audit process; it is not the end result

• Develop relationships to improve input

100

Tips (Continued)

• Have the total team participate

• Revise the process to improve the input/quality of information received

• Be persistent

• Gather info whenever/wherever it is provided/available

• Remember this is Internal Audit's risk assessment, based on all relevant info available

101

Tips (Continued)

• Provide awareness/explain the process when opportunities arise

• Make the process a win-win

• Make small improvements annually unless the process has significant identified flaws

• Provide information/awareness & gather information throughout the year (e.g. include on the IA website)

102

Tips (Continued)

• Receive input from all levels of the organization

• Use a simple numbering process

• Include future programs, initiatives, issues

• Communicate how audit universe coverage will be accomplished without audits planned

103

Tips (Continued)

• Benchmark/compare the process with other like entities for improvement

• Maintain the confidentiality of input, if possible

104

Tips – Information Gathering

• Business Impact Analysis

• GLB (Gramm-Leach-Bliley) Privacy Risk Assessment

• Trade Publications

• Facilitated Sessions

105

Tips – Gathering (Continued)

• PEST Analysis
  – Political
  – Economic
  – Social
  – Technological

106

Tips – Gathering (Continued)

• Brainstorming (and other critical thinking techniques) with:
  – Internal Audit Team
  – Business Partners
  – Key Stakeholders
  – Peers
  – Industry groups

107

Tips – Gathering (Continued)

• Strategic Planning

• Competitors

• Turnover

• Legislation

• IT Research Firms (e.g. Gartner, Forrester, McKinsey & Company, Deloitte, Accenture, etc.)

108

Tips – Gathering (Continued)

• SWOT
  – Strengths
  – Weaknesses
  – Opportunities
  – Threats

109

Sample – Audit Plan Narrative

Please see Handout #8

110

Most Important Tip

Under promise and over deliver!

111

Exercise #3

Audit Planning Process - Optional

• Please refer to slides 3 – 89 & (91 – 111 focus) for Exercise 3

• This will be a group exercise with participants working in groups of 4-6

• Upon conclusion of the exercise each group will briefly report out or share its ideas/comments

• Please share your knowledge, experience & ideas

112

How Audit Can Help With ERM

• Serve as an advocate for risk management

• Share information on organizational risks

• Provide input as a process is established

113

Help with ERM (Continued)

• Assist with benchmarking & providing reference materials

• Participate in organizational awareness/training for risk identification/reduction

• Review the risk management/ERM process

• Determine that ERM is maintained as per policies/procedures

114

Help with ERM (Continued)

• Audit/validate risk results for reasonableness

• Review the risk response activities to determine that they have the desired impact in reducing risk

• Determine that risk results are appropriately reported (Executive Management & Board)

115

Something to Consider!

It is all right to forget your mistakes
if you remember their lessons.
(Anonymous)

116

Audit Program

Risk Management – Objective/Scope

• Insurance

• Health & Safety

• Regulatory

• Business Continuity Planning

• Risk Management/Enterprise Risk Management

• Information Security

• Training/Awareness

Audit Program/Steps (Continued)

• Planning – identify primary risks

• Identify, review & summarize primary organizational information
  – Corporate policies/procedures
  – Status reporting
  – Performance measures
  – Strategic planning information
  – Insurance policies/coverage
  – Human resource policies
  – Health & safety information
  – Training & awareness information

118

Audit Program/Steps (Continued)

• Identify, review & summarize primary organizational information (continued)
  – Information security
  – Privacy
  – Communication/reputation
  – Other

• Identify who to interview

• Identify who to survey

119

Audit Program/Steps (Continued)

• Potential interview/survey questions
  – What do you see as the top (2-5) organizational risks over the next 1-3 years?
  – Identify the primary (2-5) risk management activities you see occurring
  – Strengths related to risk management
  – Opportunities for improvement
  – How is risk management success measured within the organization?

120

Audit Program/Steps (Continued)

• Identify the primary organizational risk management processes

• Receive a walk-through for 3-5 of the primary risk management processes

• Flowchart the processes

• List the primary controls

121

Audit Program/Steps (Continued)

• Test (2-5) of the primary controls

• Document the testwork methodology
  – List test objective/purpose
  – Identify the test population
  – Select the sample method
  – Identify the test steps
  – Extend testwork if necessary
  – Conclude on the testwork results

122

Audit Program/Steps (Continued)

• Testwork – Potential Test Areas
  – Insurance
  – Training & awareness
  – Reporting
  – Identification/monitoring of high risk areas
  – Ethics/governance
  – Other

123

Audit Program/Steps (Continued)

• Perform benchmarking/leading practices research & analysis
  – Identify resources/reference materials
  – Develop a schedule of common best practices for inclusion in the report as an appendix
  – Compare benchmarking results with the information review & testwork results

124

Reference Materials

Please see the separate handout!

125

Questions & Contact Information

Phil Flora

[email protected]

(512) 963-4954 - Mobile

126

Thank you!

Collaborate – Contribute – Connect

• www.isaca.org/knowledge-center

• The Knowledge Center is a collection of resources and online communities that connect ISACA members – globally, across industries and by professional focus – under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!