Risk Assessments for Audit Planning
James P. Giordano, CPA, CFE, CCFS
Audit Manager, Management Audits
Office of Internal Audits

Risk & Assessment - Definitions
- Risk - the threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood.
- Risk assessment - the identification and analysis of risks to the achievement of business objectives. It forms the basis for determining how risks should be managed.

Risk Assessments
- Allow an entity to understand the extent to which potential events might impact objectives.
- Assess risks from two perspectives: likelihood and impact.
- Are used to assess risks and can also be used to measure the related business objectives.

Risk Assessments
- Employ a combination of both qualitative and quantitative methodologies.
- Relate time horizons to objective horizons.
- Assess risk on both an inherent and a residual basis.

Inherent Risk vs. Residual Risk
- Inherent Risk: The risk that exists before you address it, i.e., the risk to your Facility or Network in the absence of any actions taken to alter either the likelihood or impact. Every company faces it; not all manage it effectively.
- Residual Risk: Also known as “vulnerability” or “exposure.” It is the risk that remains after your Facility or Network has attempted to mitigate the inherent risks.

[Diagram: Risk Analysis. Risk Assessment (Identification, Measurement, Prioritization); Risk Management (Control It, Share or Transfer It, Diversify or Avoid It); Risk Monitoring; applied at the Process Level, Activity Level, and Entity Level.]

Definition of Internal Control
Internal control is a process, effected by management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations;
- Reliability of financial reporting; and
- Compliance with applicable laws and regulations.
“These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.”

Internal Control Key Concepts
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
- While internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

Internal Control Myths and Facts
MYTH:
- Internal control starts with a strong set of policies and procedures.
- Internal control: That’s why we have internal auditors!
- Internal control is a finance thing.
- Internal controls are essentially negative, like a list of “thou-shall-nots.”
- Internal controls take time away from our core activities of patient services, financial reporting, and supply chain, payroll and core business processes.
FACT:
- Internal control starts with a strong control environment.
- While internal auditors play a key role in the system of control, management is the primary owner of internal control.
- Internal control is integral to every aspect of business.
- Internal control makes the right things happen the first time.
- Internal controls should be built “into,” not “onto” business processes.

Internal Auditors add value by:
- Implementing a risk-based approach to audit planning and executing the internal audit process.
- Ensuring that internal auditing resources are directed at those areas most important to the organization.
- Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of their risk treatment strategies.

Internal Auditors add value by:
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.

Benefits of Risk Assessments
Performing thorough risk assessments:
- Will help focus the annual audit plan on key business risks and support management’s decision-making processes.
- Will make detailed audit procedures more efficient and focused on areas where problems may exist, or where positive action can be taken to improve a process.

Why Do a Risk Assessment?
- It will assist in development of a multi-year internal/compliance audit plan.
- It helps to identify specific areas of concern that require immediate attention.
- It can be used to support internal Network/Facility initiatives.
- It can be utilized to dissuade unfocused internal initiatives.
- It helps realign priorities and refocus existing resources.

Risk Assessment Components
- Ascertain process goals and objectives;
- Determine who’s responsible/accountable;
- Review the tenure of key employees;
- Document & flowchart process flows;
- Review process maturity (documentation, monitoring); and
- Key performance indicators and 5-year trends.

[Diagram: Risk Assessment Process. Surviving labels: Analyze Risks; Risk Assessment Summary.]

The Keys to Success in Risk Assessment
- Buy-in and support from executive/senior management and Board
- Solid Framework to organize activities
- Link risk management activities to other management activities, strategic planning
- Clearly articulated risk management goals and objectives
- Commonly understood risk language

Questions?

We Wish to Thank the following Corporations for Their Assistance
- Crowe Horwath LLP
- The Institute of Internal Auditors
- Deloitte
- HCPro, Inc.

Risk Assessment For Internal Auditors
