This document discusses risk based internal auditing and sampling techniques. It begins with an agenda and definitions of risk, risk management, and the three lines of defense model. It then covers topics like risk identification, evaluation, scoring, developing a risk based internal audit plan, criteria for rating observations, and tools used for auditing. Sampling techniques discussed include random selection, systematic selection, monetary unit sampling, haphazard selection and block selection. Guidelines are provided for determining appropriate sample sizes based on the frequency of control activities.
Risk Based Internal Audit and Sampling Techniques
1. Risk Based Internal Audit and Sampling Techniques: A Practical Approach
Presented by CA Manoj Agarwal
Sep 2, 2018, BCSC, WIRC of ICAI
2. Disclaimer
• All the contents of the presentation constitute the opinion of the speaker, and the speaker alone; they do not represent the views and opinions of the speaker’s employers or supervisors, nor do they represent the view of organizations, businesses or institutions the speaker is, or has been, a part of.
• Images used may be subject to copyright.
4. What is Risk?
Risk, in traditional terms, is viewed as a ‘negative’.
The Chinese word for crisis is often cited as a better description of risk:
• the first character is glossed as “danger”, while
• the second is glossed as “opportunity”,
making risk a mix of danger and opportunity. (This is a popular gloss rather than a precise one; the second character more literally means a critical or pivotal point.)
“Risk – let’s get this straight up front – is good. The point of risk management is not to eliminate it; that would eliminate reward. The point is to manage it – that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether.” - Thomas A. Stewart
5. Risk & Risk Management
In economic terms, profit is the reward for entrepreneurship, or “risk taking”.
As lay investors, our investment planning is based on risk perception: bank deposits, life insurance, debentures and GoI bonds, mutual funds, shares, private equity, and so on.
Risk management is an attempt to identify, measure and monitor risks, so as to manage uncertainty.
6. Risk Management
Managing risk requires the company to understand:
1. the nature and extent of the risks facing the company;
2. the extent and categories of risk it regards as acceptable for the company to bear;
3. the likelihood of the risks concerned materialising;
4. the company’s ability to reduce the incidence and impact on the business of risks that do materialise;
5. the costs of operating particular controls relative to the benefits obtained.
7. Classification of Risks
• Strategic Risks: a strategic risk is a risk a company is exposed to when pursuing its business objectives, or the likely loss arising from a poor strategic business decision, e.g. too much dependence on one line of business, customer or supplier; or a failed acquisition.
• Operational Risks: operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, e.g. an excess purchase due to a clerical error, or an extra discount given because the system was not updated.
• Reporting Risks: risks a company is exposed to due to inadequate, under- or over-reporting compared with legal or regulatory requirements, e.g. non-disclosure of related party transactions.
• Compliance Risks: risks a company is exposed to because of a breach of a law or regulatory requirement, e.g. non-compliance in a foreign country due to ignorance of local law.
8. The Need for Risk Management
• Complex, ever-changing macro environment
• Sustainable, profitable growth to meet stakeholder expectations
• Trend towards greater transparency and enhanced levels of corporate governance
# Move from survival to competitive advantage
12. Eight Components of the COSO ERM Model
• Internal Environment (the first of the eight components of the 2004 framework; its sub-points are not captured in the slide text)
• Objective Setting: strategic objectives; related objectives; selected objectives; risk appetite; risk tolerance
• Event Identification: events; factors influencing strategy and objectives; methodologies and techniques; event interdependencies; event categories; risks and opportunities
• Risk Assessment: inherent and residual risk; likelihood and impact; methodologies and techniques; correlation
• Risk Response: identify risk responses; evaluate possible risk responses; select responses; portfolio view
• Control Activities: integration with risk response; types of control activities; general controls; application controls; entity specific controls
• Information & Communication: information; strategic and integrated systems; communication
• Monitoring: separate evaluations; ongoing evaluations
14. Three Lines of Defence Model
Three groups (or lines) are involved in effective risk management:
• functions that own and manage risks;
• functions that oversee risks;
• functions that provide independent assurance.
15. 1st LoD: Operational Management
• Own and manage risks.
• Responsible for implementing corrective actions to address process and control deficiencies.
16. 2nd LoD: Risk Management & Compliance Functions
• Risk management function
– facilitates and monitors the implementation of effective risk management practices by operational management;
– assists risk owners in defining the target risk exposure;
– reports adequate risk-related information throughout the organization.
• Compliance function
– monitors various specific risks such as non-compliance with applicable laws and regulations;
– there may be multiple compliance functions for specific types of monitoring, such as health and safety, supply chain, environmental or quality monitoring.
• Controllership function
– monitors financial risks and financial reporting issues.
17. 3rd LoD: Internal Audit
• Provides comprehensive assurance based on the highest level of independence and objectivity within the organization.
• Provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the first and second lines of defence achieve their risk management and control objectives.
• Reports to senior management and to the governing body, and usually covers:
– a broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures and contracts;
– all elements of the risk management and internal control framework, including the internal control environment;
– the overall entity, divisions, subsidiaries, operating units and functions, including business processes as well as supporting functions.
18. External Auditors, Regulators and Other External Bodies
• Can have an important role in the organization’s overall governance and control structure.
• Regulators sometimes set requirements intended to strengthen the controls in an organization, and on other occasions perform an independent and objective function to assess the whole or some part of the first, second or third line of defence against those requirements.
20. Building a Risk-aware Enterprise
Risk Governance: Board of Directors (BOD)
• Oversight of risk management.
Risk Infrastructure and Management: Risk Management Committee
(1) Synthesizes issues for the Board
(2) Establishes ERM policies and tolerances
(3) Reviews significant risk issues
(4) Ensures governance and infrastructure for management of the risk profile
Risk Ownership: Functional Heads
(1) Own risk management and mitigation
(2) Perform risk assessments on a periodic basis
(3) Provide assertions on risk exposure for their business area
21. Definition
“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system. Internal audit, therefore, provides assurance that there is transparency in reporting, as a part of good governance.”
- The Internal Audit Standards Board of the ICAI
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
- Definition of Internal Auditing by the Institute of Internal Auditors (IIA)
22. Risk Based Audits
Risk based Internal Audit (RBIA) is an internal audit methodology which is primarily focused on the inherent risk involved in the activities or systems, and which provides assurance that risk is being managed by management within the defined risk appetite level.[1] It builds on management’s own risk management framework and seeks at every stage to reinforce the responsibility of management and the Board of Directors (BOD) for managing risk.
[1] http://en.wikipedia.org/wiki/Risk_based_audit
23. Risk Based Auditing: Approach
1. Identification of the audit universe
2. Breaking the audit universe into auditable units (processes)
3. Risk identification
4. Risk assessment and evaluation
5. Risk scoring / heat map
6. RBIA plan
7. Execution of the RBIA plan
8. Reporting
24. Risk Identification
• Analysis of processes: facilitates identification of operational risk.
• Brainstorming: a group of employees put forward their ideas or perceptions of risk.
• Interviews: interviews with members at various management levels in order to elicit their concerns.
• Workshops: meeting the employees in order to identify the risks and assess their impact.
• Comparison with other organisations: benchmarking is the technique used for comparing one’s own organisation with competitors.
25. Risk Evaluation
After identifying and analysing the risk, the next step is to evaluate it on two dimensions.
Probability: what is the likelihood of the risk event occurring?
• Almost certain
• Likely
• Moderate
• Unlikely
• Rare
Impact: what is the consequence if the risk event occurs?
• Extreme
• Very High
• Moderate
• Low
• Negligible
26. Components of Risk Evaluation
Factors considered when evaluating the risk of an auditable unit:
Operational Risk
• Process complexity
• Volume
• Documentation
• Staffing
• Outsourcing
• Importance of MIS and safe-keeping
• Fraud control
• Auditors’ findings
• Budget variations
Financial Risk
• Size
• Industry trends
• Credit risk
• Market risk
• Forex risk
• Settlement risk
Information Technology Risk
• Dependence on IT systems
• Scalability / upgradation
• Documentation
• Confidentiality of the data
• Number of interfaces
• Vendor support
• Skills / training
• External agencies’ involvement
Reputation Risk
• Impact of the process
• Extent of customer interaction
• Effect on future business plans
• Reputation risk with respect to outsourcing of operations
Regulatory Risk
• Number of regulators and Acts
• Complexity of the Acts
• Applicability of international laws
Legal Risk
• Legal action by a counter-party
• Non-enforcement of legal rights
27. Example
Probability of occurrence
• Likely: 3
• Unlikely: 2
• Remote: 1
Impact (weight of the affected objective)
• Strategic: 10
• Customer Experience: 8
• Financial: 7
• Regulatory: 7
Criticality classification = Probability of occurrence × Impact
• High: 25 to 30
• Medium: 20 to 25
• Low: below 20
With these weights the only products possible are 7, 8, 10, 14, 16, 20, 21, 24 and 30, so the shared boundary at 25 is never reached, and only a Likely event with Strategic impact rates High.
29. Risk Based Internal Audit Plan
A risk based plan will look like this:
1. High criticality (score 25 to 30): Revenue; Human Resource. Audit frequency: quarterly to half-yearly.
2. Medium criticality (score 20 to 25): Accounts Payable; Fixed Assets; Compliances. Audit frequency: half-yearly to once a year.
3. Low criticality (score below 20): Admin functions. Audit frequency: annual to once in two years.
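The scoring scheme of the example slide and the plan above, combined in one worked example. This is added illustrative code, not the presenter's own tool or anything from the slides: the weights, bands and frequencies are the slides', the assessments of each process are constructed, and letting a process carry several impact categories (the heaviest one counts) is an extension of the slide's single-category example.

```python
"""Criticality scoring and a risk based internal audit plan (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field

PROBABILITY = {"Likely": 3, "Unlikely": 2, "Remote": 1}
IMPACT = {"Strategic": 10, "Customer Experience": 8, "Financial": 7, "Regulatory": 7}

# Criticality = probability x impact. The slide gives High 25-30, Medium 20-25,
# Low below 20; 25 itself is unreachable with these weights, so the bands are
# implemented as High > 25, Medium 20..25, Low < 20.
FREQUENCY = {
    "High": "quarterly to half-yearly",
    "Medium": "half-yearly to once a year",
    "Low": "annual to once in two years",
}


@dataclass
class Assessment:
    process: str
    probability: str                                   # a key of PROBABILITY
    impacts: list[str] = field(default_factory=list)   # keys of IMPACT


def criticality_score(probability: str, impacts) -> int:
    """Probability weight times the heaviest applicable impact weight."""
    if not impacts:
        raise ValueError("at least one impact category is required")
    return PROBABILITY[probability] * max(IMPACT[i] for i in impacts)


def classify(score: int) -> str:
    if score > 25:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def possible_scores() -> list[int]:
    """Every score the scheme can produce; handy for checking band boundaries."""
    return sorted({p * i for p in PROBABILITY.values() for i in IMPACT.values()})


def build_plan(assessments) -> list[tuple[str, int, str, str]]:
    """Rows of (process, score, band, audit frequency), highest criticality first."""
    rows = []
    for a in assessments:
        score = criticality_score(a.probability, a.impacts)
        band = classify(score)
        rows.append((a.process, score, band, FREQUENCY[band]))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample assessments (not taken from the slides).
SAMPLE = [
    Assessment("Revenue", "Likely", ["Strategic", "Financial"]),       # 30, High
    Assessment("Human Resource", "Likely", ["Customer Experience"]),   # 24, Medium
    Assessment("Accounts Payable", "Likely", ["Financial"]),           # 21, Medium
    Assessment("Fixed Assets", "Unlikely", ["Strategic"]),             # 20, Medium
    Assessment("Compliances", "Likely", ["Regulatory"]),               # 21, Medium
    Assessment("Admin Functions", "Unlikely", ["Financial"]),          # 14, Low
]

if __name__ == "__main__":
    print("reachable scores:", possible_scores())
    for process, score, band, freq in build_plan(SAMPLE):
        print(f"{process:<18} {score:>3}  {band:<7} {freq}")
```

Running the block prints the reachable scores first; any time the weights are changed, that list is the quick check that the High/Medium/Low boundaries still fall between reachable values rather than on one.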
30. Risk Based Audit Planning: Financial Coverage
[Chart: coverage of key financial components in the audit plan]
31. Sample Criteria for Rating Observations
Each risk factor is rated Critical, Major or Moderate; the factors combine with AND/OR, so an observation takes the highest rating any one factor gives it.
FINANCIAL
• Potential financial exposure: Critical > Rs 5 Cr; Major Rs 1 to 5 Cr; Moderate Rs 1 Lakh to < Rs 1 Cr.
COMPLIANCE
• Legal & regulatory: Critical: prosecution or penalty exposure > Rs 1 Lakh; Major: penalty exposure < Rs 1 Lakh; Moderate: any technical non-compliance (not resulting in a penalty).
• Fraud vulnerability: Critical: any observation on the probability of fraud; Major: NA; Moderate: NA.
OPERATIONAL
• Policy & procedures: Critical: policy, procedures and practice do not exist; Major: policy and procedures in place but not in practice; Moderate: policy and procedures not documented but practice exists.
• Transaction error (incl. SLA): Critical: > 20% of the audit sample selected; Major: 5% to 20% of the sample; Moderate: < 5% of the sample.
• Repeat audit finding: Critical: last rating Critical or Major; Major: last rating Moderate; Moderate: NA.
• Customer impact (complaints): Critical: impacts > 1% of the customer base; Major: 0.5% to 1%; Moderate: < 0.5%.
• Systems & tools: Critical: loss or exposure of confidential master or transaction data, or system availability impacting business performance; Major: lack of adequate system validations, access control (incl. password management) or other controls which might lead to fraud; Moderate: system bugs or functionality gaps impacting efficiency or speed of execution.
32. Report Rating Criteria
Report rating by the number of observations at each severity (the report takes the worst rating any column gives):
• Acceptable: no Critical, no Major, fewer than 4 Moderate
• Needs Improvement: 1 Critical; or 1 to 2 Major; or 4 or more Moderate
• Unsatisfactory: 2 to 3 Critical; or 3 to 5 Major
• Poor: more than 3 Critical; or more than 5 Major
Conversion factor: 1 Critical observation = 2 Major observations = 4 Moderate observations.
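The observation criteria and the report rating table above, implemented as one worked example. This is added illustrative code, not the presenter's own tool: the thresholds are the slides', while the function names, the convention that None means "no observation" (for zero errors, zero complaints and so on) and the sample findings are constructed for this example. The slides do not say how the conversion factor interacts with the per-column thresholds, so it is computed as a separate weighted total and reported beside the rating rather than used to decide it.

```python
"""Rating audit observations and the overall audit report (illustrative)."""
from __future__ import annotations

SEVERITY = {"Moderate": 1, "Major": 2, "Critical": 3}
REPORT_RATINGS = ["Acceptable", "Needs Improvement", "Unsatisfactory", "Poor"]
LAKH, CRORE = 100_000, 10_000_000


def rate_financial(exposure_rs: float) -> str | None:
    """Potential financial exposure: > Rs 5 Cr, Rs 1-5 Cr, Rs 1 Lakh to < Rs 1 Cr."""
    if exposure_rs > 5 * CRORE:
        return "Critical"
    if exposure_rs >= CRORE:
        return "Major"
    return "Moderate" if exposure_rs >= LAKH else None


def rate_legal(prosecution: bool, penalty_rs: float, technical_noncompliance: bool) -> str | None:
    if prosecution or penalty_rs > LAKH:
        return "Critical"
    if penalty_rs > 0:
        return "Major"
    return "Moderate" if technical_noncompliance else None


def rate_policy(state: str) -> str | None:
    """state: 'absent', 'not_practised', 'undocumented' (practice exists) or 'ok'."""
    return {"absent": "Critical", "not_practised": "Major",
            "undocumented": "Moderate", "ok": None}[state]


def rate_transaction_error(errors: int, sample_size: int) -> str | None:
    rate = errors / sample_size
    if rate > 0.20:
        return "Critical"
    if rate >= 0.05:
        return "Major"
    return "Moderate" if errors else None


def rate_customer_impact(pct_of_customer_base: float) -> str | None:
    if pct_of_customer_base > 1.0:
        return "Critical"
    if pct_of_customer_base >= 0.5:
        return "Major"
    return "Moderate" if pct_of_customer_base > 0 else None


def rate_systems(data_exposed_or_unavailable: bool, weak_access_control: bool,
                 functionality_gaps: bool) -> str | None:
    if data_exposed_or_unavailable:
        return "Critical"
    if weak_access_control:
        return "Major"
    return "Moderate" if functionality_gaps else None


def escalate_repeat(current: str, previous: str | None) -> str:
    """Repeat finding: last rating Critical or Major -> Critical; Moderate -> Major."""
    floor = {"Critical": "Critical", "Major": "Critical", "Moderate": "Major"}.get(previous)
    return current if floor is None else max(current, floor, key=SEVERITY.__getitem__)


def rate_observation(factor_ratings) -> str | None:
    """Factors combine with AND/OR: the observation takes its worst factor rating.
    Fraud vulnerability is Critical whenever present, so pass 'Critical' for it."""
    ratings = [r for r in factor_ratings if r]
    return max(ratings, key=SEVERITY.__getitem__) if ratings else None


def rate_report(critical: int, major: int, moderate: int) -> str:
    """Worst rating given by any column of the report rating table."""
    by_critical = ("Acceptable" if critical == 0 else "Needs Improvement" if critical == 1
                   else "Unsatisfactory" if critical <= 3 else "Poor")
    by_major = ("Acceptable" if major == 0 else "Needs Improvement" if major <= 2
                else "Unsatisfactory" if major <= 5 else "Poor")
    by_moderate = "Acceptable" if moderate < 4 else "Needs Improvement"
    return max((by_critical, by_major, by_moderate), key=REPORT_RATINGS.index)


def moderate_equivalents(critical: int, major: int, moderate: int) -> int:
    """Conversion factor 1 Critical = 2 Major = 4 Moderate, expressed in Moderate units."""
    return 4 * critical + 2 * major + moderate


# Constructed findings from one audit (not from the slides).
FINDINGS = {
    "Unapproved vendor payments": [rate_financial(1.2 * CRORE), rate_policy("not_practised")],
    "Late TDS deposit": [rate_legal(False, 40_000, True)],
    "Shared admin passwords": [rate_systems(False, True, False)],
    "Expense claims without bills": [rate_transaction_error(1, 40)],
    "Asset register not updated": [escalate_repeat(rate_policy("undocumented"), "Moderate")],
}


def summarise(findings):
    """Per-observation ratings, severity counts and the resulting report rating."""
    rated = {title: rate_observation(factors) for title, factors in findings.items()}
    counts = {s: sum(1 for r in rated.values() if r == s) for s in SEVERITY}
    return rated, counts, rate_report(counts["Critical"], counts["Major"], counts["Moderate"])


if __name__ == "__main__":
    rated, counts, rating = summarise(FINDINGS)
    for title, r in rated.items():
        print(f"{r:<9} {title}")
    print(counts, "->", rating, "| Moderate-equivalents:",
          moderate_equivalents(counts["Critical"], counts["Major"], counts["Moderate"]))
```

Note the repeat-finding rule in escalate_repeat: a Moderate observation that was already reported last time is rated Major, so the tracker must carry the previous rating forward for each recurring checkpoint.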
33. Auditor’s Dilemma
The cost dilemma: giving a level of confidence that internal audit has captured and assessed ‘all’ material risks that threaten the company, at a cost the company will bear.
34. Risk Based Audit

RBIA framework, stage by stage: Defining scope; Mapping; Risk registration/identification; Control identification; Control investigation; Audit test; Audit report.

What the stages work with:
• Risk profiling, risk taxonomies, business unit mapping
• Risk register, risk evaluation, control owner
• Volume, value, complexity, cost, SOP, SOD (segregation of duties), past losses, IT
• Risk definition card: description, includes, excludes, driver, impact, processes, systems, KPIs
• Function boundaries, transactions, all risks
• Risk type, risk levels, risk sizes; statistical tools
• Material and potential loss from control weakness
• Criteria to assess whether the control has been operated effectively or compromised by staff
• What to sample? How much to sample?
35. My Risk Based Audit

The same framework stages (Defining scope; Mapping; Risk registration/identification; Control identification; Control investigation; Audit test; Audit report), as the author applies them:

• My IA: Financial scoping; Mapping; Top 3 risks; Control identification; Checkpoints; Testing; Audit report
• Steps: Trial balance; Common size statement; Identification of major item groups; Identification of major items within a group; Compliance, FA, Bank
• Tools: Pareto rule; Audit Tracker; Excel (Pivot, Sort, Index, VLOOKUP); Benford's Law; Pareto rule (80:20); Audit Report
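Benford's Law and the Pareto rule appear in the Tools row above without detail. The following is an added example, not code from the deck or the author, showing how both are applied to a population of transaction amounts. The amounts are constructed, the Rs 5,000 approval limit behind the 'suspect' set and the function names are assumptions, and the chi-square cut-off of 15.507 (8 degrees of freedom, 5 % significance) is a standard table value.

```python
"""Benford first-digit test and Pareto (80:20) concentration check over a
population of transaction amounts.  Added example, not code from the original
deck.  The populations below are constructed; the Rs 5,000 approval limit in
the 'suspect' set is an assumption; 15.507 is the standard chi-square cut-off
for 8 degrees of freedom at 5 % significance."""
import math
from collections import Counter
from typing import Dict, Sequence

BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}  # expected first-digit shares
CHI2_CRIT_DF8_5PCT = 15.507


def first_digit(amount: float) -> int:
    """Leading non-zero digit of |amount|; scientific notation makes it the first char."""
    return int(f"{abs(amount):e}"[0])


def benford_test(amounts: Sequence[float]) -> Dict[str, object]:
    """Chi-square comparison of observed first-digit frequencies with Benford.
    A large statistic does not prove fraud; it flags a population (and the
    digit that deviates most) for transaction-level testing."""
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    observed = Counter(digits)
    chi2, by_digit = 0.0, {}
    for d in range(1, 10):
        expected = BENFORD[d] * n
        chi2 += (observed[d] - expected) ** 2 / expected
        by_digit[d] = (round(observed[d] / n, 3), round(BENFORD[d], 3))  # (observed, expected)
    worst = max(by_digit, key=lambda d: abs(by_digit[d][0] - by_digit[d][1]))
    return {"n": n, "chi2": round(chi2, 2), "conforms": chi2 < CHI2_CRIT_DF8_5PCT,
            "worst_digit": worst, "by_digit": by_digit}


def pareto_share(amounts: Sequence[float], top_fraction: float = 0.2) -> float:
    """Share of total value carried by the largest `top_fraction` of items.
    A value near 0.8 means the top 20 % of items hold ~80 % of the money,
    which is where audit effort is concentrated."""
    ordered = sorted((abs(a) for a in amounts), reverse=True)
    k = max(1, math.ceil(len(ordered) * top_fraction))
    return sum(ordered[:k]) / sum(ordered)


# Constructed populations (not real data).
# Amounts growing geometrically across three decades follow Benford closely.
GENUINE = [10 ** (i / 200) for i in range(600)]
# Same spread, but with 200 expense claims keyed in just under an assumed
# Rs 5,000 approval limit: the first digit 4 is heavily over-represented.
SUSPECT = GENUINE[:400] + [4_800 + i for i in range(200)]

if __name__ == "__main__":
    for name, pop in (("genuine", GENUINE), ("suspect", SUSPECT)):
        r = benford_test(pop)
        print(f"{name}: n={r['n']} chi2={r['chi2']} conforms={r['conforms']} "
              f"worst digit={r['worst_digit']} top-20% value share={pareto_share(pop):.2f}")
```

The Benford test only makes sense for populations that span several orders of magnitude and are not capped or assigned (invoice numbers, prices fixed by a rate card and amounts bounded by a limit all fail it for innocent reasons), so the result is a pointer to where to sample, not an observation in itself.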
36. Tools

Audit Tracker
1. Contacts (of auditee / audit team)
2. Status Tracker (Scope, Start date, Completion date, Reason for pending, Responsibility, Population, Sample, Sample methodology, Remarks)
3. Review Notes
4. Requirement Tracker (Requirement, Area, Responsibility, Request date, Received date, Time lag in receipt of data, Days lapsed)
5. Checklist (Scope, Sub-scope, Risk, Control, Checkpoints, Population, Sample, Exceptions, Observations, Backup paper)
6. Query Sheet (Query, Financial impact, Risk, Recommendations, Area, Annexure, Resolved, Response, Responsibility, Reportable/Dropped, Backup paper)
7. Audit Completion Checklist

Control failure vs. impact of business control failure
Traffic light vs. specific financial amounts
37. Tools

Audit Report
1. Cover letter
2. Background and objective of the audit
3. Scope and approach
4. Detailed observations (High, Medium, Low)
5. Other points for management attention
6. Positive assurance

Audit Presentation
1. Audit summary (Area, Location, Audit period, Audit team, Function head, Scope, Field audit dates / period)
2. Scope, sampling and limitations to scope
3. Positive assurance
4. Key observations
5. Other observations
39. SA 530: Audit Sampling
• Sampling Techniques
– Random Selection
– Systematic Selection
– Monetary Unit Sampling
– Haphazard Selection
– Block Selection
• Population
• Sample Size
40. Sample Size

Minimum sample size by frequency of the control activity*

Frequency of control activity                      | Lower risk of failure | Higher risk of failure
Annual                                             | 1                     | 1
Quarterly (including period end, e.g., +1)         | 1+1                   | 1+1
Monthly                                            | 2                     | 3
Weekly                                             | 5                     | 8
Daily                                              | 15                    | 25
Recurring manual control (multiple times per day)  | 25                    | 40

* ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting
41. Simple Random Sampling

In a simple random sample (SRS) of a given size, every subset of the frame of that size has an equal probability of being selected.
42. Systematic Sampling

Systematic sampling (also known as interval sampling) relies on arranging the study population according to some ordering scheme and then selecting elements at regular intervals through that ordered list.
43. Stratified Sampling

When the population embraces a number of distinct categories, the frame can be organized by these categories into separate "strata". Each stratum is then sampled as an independent sub-population, out of which individual elements can be randomly selected.
44. Cluster Sampling

Sometimes it is more cost-effective to select respondents in groups ('clusters'). Sampling is often clustered by geography or by time period.
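The selection methods from the SA 530 list and the four slides above (simple random, systematic, stratified and monetary unit sampling), as an added worked example in Python; this is not code from the deck or the author. The voucher population, the cost-centre labels, the seed values and the function names are assumptions. Cluster sampling is not shown because its unit of selection is a group rather than an item.

```python
"""Audit sample selection: simple random, systematic (interval), stratified and
monetary unit sampling (MUS) over a constructed population of vouchers.
Added example, not code from the original deck.  The population, the fixed
'seed' values (so a selection can be reproduced in the working papers) and the
AP/HR/REV cost-centre labels are assumptions."""
import random
from typing import Callable, Dict, Hashable, List, Sequence, Tuple

Txn = Tuple[str, str, int]  # (voucher id, cost centre, amount in Rs)


def make_population() -> List[Txn]:
    """Constructed population of 120 vouchers with a pseudo-random spread of
    amounts plus one very large item, so MUS has a 'certainty' item to pick."""
    pop = [(f"V{i:04d}", ("AP", "HR", "REV")[i % 3], 150 + (i * 7919) % 4800)
           for i in range(120)]
    pop[10] = ("V0010", "AP", 50_000)
    return pop


def simple_random_sample(items: Sequence[Txn], n: int, seed: int = 1) -> List[Txn]:
    """SRS: every subset of size n has the same chance of being the sample."""
    return random.Random(seed).sample(list(items), n)


def systematic_sample(items: Sequence[Txn], n: int, seed: int = 1) -> List[Txn]:
    """Interval sampling: every k-th item (k = N // n) of the ordered list,
    starting at a random offset in [0, k).  Caveat: if the ordering has a
    cycle of length k (one voucher per day and k = 7, say) the sample is biased."""
    items = list(items)
    k = len(items) // n
    if k < 1:
        raise ValueError("sample size exceeds population")
    start = random.Random(seed).randrange(k)
    return [items[start + j * k] for j in range(n)]


def stratified_sample(items: Sequence[Txn], stratum_of: Callable[[Txn], Hashable],
                      n_per_stratum: int, seed: int = 1) -> Dict[Hashable, List[Txn]]:
    """Partition the frame by a category, then draw an SRS inside each stratum."""
    rng = random.Random(seed)
    strata: Dict[Hashable, List[Txn]] = {}
    for it in items:
        strata.setdefault(stratum_of(it), []).append(it)
    return {key: rng.sample(strata[key], min(n_per_stratum, len(strata[key])))
            for key in sorted(strata)}


def monetary_unit_sample(items: Sequence[Txn], n: int, seed: int = 1) -> Tuple[List[Txn], float]:
    """MUS (probability proportional to size): every rupee is a sampling unit,
    so an item's chance of selection is amount / total.  With interval
    I = total / n, hits fall at start, start + I, ... for a random start in
    [0, I); the item whose cumulative range contains a hit is selected.  Any
    item with amount >= I is always selected (once; repeat hits are merged).
    Returns the selected items and the interval used."""
    items = list(items)
    total = sum(amt for _, _, amt in items)
    interval = total / n
    hit = random.Random(seed).uniform(0, interval)
    selected: List[Txn] = []
    cumulative = 0
    for it in items:
        cumulative += it[2]
        while hit < cumulative:  # one or more hits fall inside this item's range
            if not selected or selected[-1] is not it:
                selected.append(it)
            hit += interval
    return selected, interval


if __name__ == "__main__":
    pop = make_population()
    print("SRS:", [v for v, _, _ in simple_random_sample(pop, 5)])
    print("Systematic:", [v for v, _, _ in systematic_sample(pop, 5)])
    print("Stratified:", {k: len(v) for k, v in stratified_sample(pop, lambda t: t[1], 3).items()})
    sel, interval = monetary_unit_sample(pop, 20)
    print(f"MUS interval Rs {interval:,.0f}; {len(sel)} items selected, "
          f"certainty items: {[v for v, _, amt in sel if amt >= interval]}")
```

Record the seed, the ordering used for the systematic interval and the MUS interval in the working papers; without them the selection cannot be reperformed, and a reviewer cannot tell a random sample from a haphazard one.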
45. My Sampling Technique
• Dirty sampling
– Data analysis of 100% of the population
• against a set of criteria
• labelling the sets of data that pass the criteria
• sampling only from the population that failed the criteria
• Transaction walkthrough
• Recycling of samples
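The dirty-sampling steps above, as an added example that is not code from the deck or the author: the payment records, the four screening criteria and the Rs 50,000 approval limit are assumptions chosen to show the technique of screening the whole population first and sampling only from the exceptions.

```python
"""'Dirty sampling': screen 100 % of the population against a set of criteria,
label every record pass/fail, and draw the audit sample only from the records
that failed.  Added example, not code from the original deck.  The records,
the four criteria and the Rs 50,000 approval limit are assumptions."""
import random
from collections import Counter
from datetime import date
from typing import Callable, Dict, List, NamedTuple, Sequence

APPROVAL_LIMIT = 50_000  # assumed single-signatory limit; split purchases cluster just below it


class Payment(NamedTuple):
    pid: str
    vendor: str
    invoice_no: str
    posted: date
    amount: int


# Constructed population (not real data).
POPULATION = [
    Payment("P001", "Acme",  "INV-101", date(2024, 3, 4),  12_000),
    Payment("P002", "Acme",  "INV-101", date(2024, 3, 5),  12_000),  # same vendor + invoice again
    Payment("P003", "Beta",  "INV-77",  date(2024, 3, 9),  48_500),  # Saturday, just under the limit
    Payment("P004", "Beta",  "INV-78",  date(2024, 3, 11), 49_900),  # just under the limit
    Payment("P005", "Gamma", "INV-9",   date(2024, 3, 12), 30_000),  # round amount
    Payment("P006", "Gamma", "INV-10",  date(2024, 3, 13), 7_430),
    Payment("P007", "Delta", "INV-5",   date(2024, 3, 14), 2_150),
    Payment("P008", "Delta", "INV-6",   date(2024, 3, 17), 860),     # Sunday
    Payment("P009", "Acme",  "INV-102", date(2024, 3, 18), 15_275),
    Payment("P010", "Beta",  "INV-79",  date(2024, 3, 19), 51_000),  # above limit: second approver expected
]


def screen(population: Sequence[Payment]) -> Dict[str, List[str]]:
    """Run every record through every criterion; return {pid: [criteria failed]}.
    Three rules are record-level predicates; the duplicate check needs the
    whole population, which is why screening runs on 100 % of it, not a sample."""
    seen = Counter((p.vendor, p.invoice_no) for p in population)
    rules: Dict[str, Callable[[Payment], bool]] = {
        "near_approval_limit": lambda p: 0.9 * APPROVAL_LIMIT <= p.amount < APPROVAL_LIMIT,
        "round_amount": lambda p: p.amount >= 10_000 and p.amount % 5_000 == 0,
        "weekend_posting": lambda p: p.posted.weekday() >= 5,
        "duplicate_invoice": lambda p: seen[(p.vendor, p.invoice_no)] > 1,
    }
    return {p.pid: [name for name, rule in rules.items() if rule(p)] for p in population}


def dirty_sample(population: Sequence[Payment], n: int, seed: int = 1) -> Dict[str, object]:
    """Label the population, then take a simple random sample of size n from
    the failed set only.  Passed records are documented as covered by the
    analytics; sampled records go to transaction walkthrough."""
    labels = screen(population)
    failed = [p for p in population if labels[p.pid]]
    passed = [p.pid for p in population if not labels[p.pid]]
    sample = random.Random(seed).sample(failed, min(n, len(failed)))
    return {"passed": passed,
            "failed": [p.pid for p in failed],
            "sample": [(p.pid, labels[p.pid]) for p in sample]}


if __name__ == "__main__":
    result = dirty_sample(POPULATION, 3)
    print("passed analytics:", result["passed"])
    print("failed analytics:", result["failed"])
    for pid, why in result["sample"]:
        print(f"walkthrough {pid}: {', '.join(why)}")
```

Keep the criteria and the pass labels in the working papers with the sample: the sample alone is not representative of the population (it was drawn from the exceptions on purpose), so an error rate from it must not be extrapolated to the whole population the way an SA 530 statistical sample would be.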
46. Resources
• Risk Based Audit: https://drive.google.com/file/d/0B9LJxar8oKPmQ0JxaEpJRmxMaVU/edit?usp=sharing
• Risk Template: https://app.box.com/s/p7tns5kbrliny06mnouu
• www.auditnet.org for audit programs
• www.knowledgeleader.com for audit programs
• www.cebglobal.com for audit trends
• www.globaliia.org
• www.coso.org
47. My Blogs and Posts
1. Audit Client Categories
2. Role of Internal Audit
3. Value addition by internal audit
4. Revenue Assurance
5. Companies Act 2013 and Control Catalogues
6. Internal Controls in eCommerce Companies
7. How to create an Internal Control Framework for your company
8. Creating an Internal Audit Plan
9. Governance for Approval Matrix
10. Right to Audit
11. Have you included vendor audit as part of your audit plan?

Manoj Agarwal
manojbagarwal@gmail.com
9820392252
LinkedIn: https://in.linkedin.com/in/manojbagarwal