Risk Assessments Best Practice and Practical Approaches Webinar


Published on

Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna CPA, CIA, CEO of Aviva Spectrum and Monica Raffety, CIA
Senior Manager, Financial Controls at Kaiser Permanente will help you to:
Understand risk assessment tools available
Learn how and when to apply risk assessment techniques
Leverage different forms of quantitative and qualitative analysis techniques
Learn when to deviate from risk assessment templates with a memo or scoring
Understand what external auditors, management and the Board need to know when executing a risk assessment.
Understand how risk assessment impact the internal audit activities, from walkthroughs to testing

Published in: Business, Economy & Finance
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Sonia (LEAD): …our bios are attached in the registration but also included here…..
  • Sonia (LEAD):
  • Monica (LEAD): Discuss the top areas auditors generally focus their risk assessment efforts (see bullet points in ppt slide).
    There are 4 key areas in developing a risk assessment.
    We will speak in more detail on the following slides.

    Sonia (Contribute): Add what clients request internal auditors to focus their energy during the risk assessment process.
  • Monica (LEAD): Purpose and Focus: Financial Misstatement and Fraud. Required by new COSO framework to look at both
    Meet with Internal Audit, Compliance, Business Management, and IT Management: Risk Assessment Meetings, Conducting Interviews, Completing Risk Assessment questionnaires. Getting SSAE 16 Type II reports.

    Identify, assess, and prioritize risks that impact the achievement of the Company’s strategic and business objectives
    Develop a risk-based Internal Audit (IA) Plan that provides sufficient coverage of applicable audit areas
  • Monica (LEAD): By conducting risk questionnaires, not only can you identify potential risks, you can also add value by identifying areas where internal audit can serve in a consulting capacity. Also, this particular questionnaire builds in a change management process. However, it the questionnaires are distributed semi-annually or annually that might not be a sufficient frequency to understand all the changes occurring in your organization, especially if it is large, complex, or spread out across different regions or globally.
    Sonia comment
  • Monica (LEAD)
  • Monica (LEAD): Vendor threats can include data breach at vendor, data breach at your organization due to vendor, hosted environment goes down or is unstable. Example of Health Care Risks – Prescription Drug Event Reconciliation, Coverage Gap Discount Program, Direct/Indirect Renumeration Reporting, third party risks due to delivery of service., impact on patient care, impact on revenue cycle,
  • Monica (LEAD)
  • Monica (LEAD): this provides the “x” and “y” axis of how to conduct your risk assessment scoring.
    Sonia comment on scoring could go from 1-3 to 1-5 or 1-10 etc in the marketplace.
  • Monica (LEAD): By prioritizing your high-risk areas you can determine where to best allocate your resources and also drive value into your organization.
  • Monica (LEAD): By prioritizing your high-risk areas you can determine where to best allocate your resources and also drive value into your organization.
  • Monica (LEAD): First template to share and discuss.
    Sonia contribute to state that COSO Implementation Group is here to serve its active members and appreciate Monica leading the charge in providing incredible template solutions to a complex and challenging process of Risk Assessments.
  • Sonia (LEAD): here it the simple layout of the 17 new principles COSO issued out in May 2013. There’s a wide variety of source material out there to help you transition to the new framework, however I would strongly suggest you visit the e-commerce site of the AICPA and order COSO transition and guidance materials from them. Website is located at: www.cpa2biz.com
    Monica (Contribute): are you implementing COSO’s new framework in 2014, if yes, when. If no then when and how do you believe “success” would be measured in the transition by the Audit committee and also by mgmt.

  • Sonia (LEAD): Two main areas I noticed in the “refreshed” 2013 COSO framework was #1: Clarity in the language requiring management to assess fraud risk, although we (auditors and management) were conducting this in practice. More importantly item #2: for me was the biggest change my clients believed they were conducting effectively, but soon in a case study we’ll show you some challenges that may effect your own organization. Item #2 covers the monitoring process of when significant changes impact your organization and what you do to address those changes.
    Monica (Contribute): have you implemented a change management process for ID new risks? If so what was your experience? Can you share best practices?
  • Sonia (LEAD): I wanted to share some insights of what we’re seeing in the COSO 2013 transition services. Here I only highlighted what I already mentioned earlier is a significant change in Principle #9, dealing with the ID and analysis of significant change. I’ve noted in a template we have provided for other clients, the page reference where COSO calls out in vol #4 the type of audit evidence an auditor may want to review/consider when transitioning to the new framework. Here I’ve simply noted for your reference that in page 76 of COSO’s vol #4 dealing with SOX considerations, there’s a clear indication that companies need to have a monitoring mechanism in place to ID/Analyze Changes in its environment.
    Monica (Contribute): Have you seen or implemented a monitoring mechanism in an organization to ID significant changes? What were some lessons learned or best practice items.
  • Sonia (LEAD): One way of analyzing how points of focus impact principles is to utilized a bar stool analogy.
  • Sonia (LEAD): I wanted to share a quick case study so we can understand some interesting concepts in the new 2013 COSO Framework. This case study is straight from COSO guidance materials and we’ll cover later what volume and page number you can reference this case study yourself.

    Here we have a public company that has three divisions, and they have a corporate office as well. The objective they are trying to reach is the external financial reporting objective that most public companies are trying to achieve and some would call the “SOX 404” objective. Now let’s take a look at what’s going on with this company that is trying to assess the effectiveness of their controls at Corporate and their divisions for SOX 404 compliance purposes.
  • Sonia (LEAD): Covering more background on this case, we discover that management documented some observations during its internal control assessment for SOX 404. However in this assessment they noted Division C lacked controls over revenue and it became a significant part of their operations whereas in prior year Division C was not material or reviewed heavily for SOX 404 controls. A root cause analysis determined a lack of controls being documented and tested in Division C.
  • Sonia (LEAD): Now let’s take a quick poll to see where you all think this Company should assess their overall effectiveness of their SOX 404 program again assuming that ALL OTHER CONTROLS are good to go and there were no other deficiencies.
  • SONIA (LEAD): the challenge in this case is most of us would be proud that one of our divisions is not growing and becoming significant to the contribution of the success of the entire organization. Remember there were no Financial Accounting errors in the numbers in this case study, what went wrong was control documentation! Therefore the company had concluded in this case study, which again you can read it for yourself on pages 110 – 111, a material weakness for Principles 10 which in their assessment they believe impacted Principle 9 because they could not ID this risk coming. It only was noted to the company when they looked at key controls in Principle #10. There are a few lessons here which are a) as you “test controls” in your sox 404 program and find failures, you MUST conduct a root cause analysis to determine if it impacted other principles which in this case the management team noticed it impacted their system of ID risks in principle #9.
    Monica (CONTRIBUTE): Comment on how one could institute best practice “interim risk assessment analysis” or even policies on Risk Assessment procedures.
  • Sonia (LEAD): Here are some solutions and most of which are either common sense to most of you here with us today. However I do want to share an IIA standard that does point out that internal audit groups must have a risk assessment policy and procedure document which I’m stating as the very first bullet point to share as a solution to this case study.
    Monica: Comment here to your opinion of having a risk assessment policy. Have you created one or used one in the past. Comment on how well it worked or not?
    Yes, our Internal Audit department has a Risk Assessment Procedure document.
  • Sonia (LEAD) free video and other tools available discussion
  • Sonia (LEAD) Transition best practice alignment discussion
  • Sonia (LEAD): polling question.
  • Monica (LEAD): Additionally, if the organization or business is accustomed to reporting changes regularly, the plus side there should be fewer surprises.
  • Sonia (LEAD): now let’ find out how many of you conduct risk based walkthroughs?
  • Sonia (LEAD): this new audit alert #11 came out late last year and most of you I know missed this practice alert. I’ve put down the top three items here of what is changing in the day to day audit of internal controls which are:…….
  • Sonia (LEAD): They want to see you’ve considered what a thorough review requires given your specific environment factors and you’ve documented it
    Monica (CONTRIBUTE): what have you noticed from either management or external auditors wanting more detailed information on how precise management is in their review? How does this impact your audit program and budget?
  • Sonia (LEAD): What the PCAOB wants (noted here in page 27 of Audit Alert #11), when it comes to key system reports, is the verification of those reports. Therefore, if in your AR analysis you use a few reports let’s say:
    1) AR Client detail report
    2) Client Invoice Analysis report by product type
    3) Payment history - client detail report
    Those reports may be included as key reports and must be tested/validated for accuracy and completeness and not to mention user access and change mgmt. controls.
    Monica (Contribute): Explain what you have seen auditors request for IPE (Information Prepared by Entity) or “key system generated reports”.
  • Sonia (LEAD): now let’s talk about when system generated data or reports are really just auditor talk for “my key control depends on excel”. There is an risk based approach to deal with spreadsheets and how to test them. Our firm was the first to develop based upon ITGI guidance issued in 2006, how to risk rank your IT spreadsheets that are “in-scope” for SOX 404.
  • Sonia (LEAD):
  • Sonia (LEAD)
  • Sonia (LEAD): now here’s our final polling question to share with us and everyone on live with us today…..
  • Sonia (LEAD): I wanted to share some insight on a very fast growing technical community and more importantly thank Monica who is a member of the COSO Implementation community for being here with us and sharing her insights on risk assessments best practice items and practical approaches in this webinar.

    Monica (Contribute): please chat what value you received from this LI group.
  • Sonia (LEAD): now we’ll open our live session to Questions for 5 to 8 minutes. Please enter your questions in the chat box….., and please let’s connect on LinkedIN as well for those of you a little shy to ask a question now or if you have questions later on when you head back into work mode.
  • Risk Assessments Best Practice and Practical Approaches Webinar

    1. 1. Compliance Made Simple Risk Assessments Best Practice & Practical Approaches Thursday, June 19, 2014 Presented by: Sonia Luna & Monica Raffety
    2. 2. 2Compliance Made Simple Bios • Sonia Luna: has over 16 years of internal and external audit experience. Worked at 2 of the Big 4 before leaving as an audit manager to create Aviva Spectrum, in 2004. Aviva Spectrum provides a wide variety of internal audit services including SOX404, COSO 2013 transition, compliance audits and quality assessment reviews. • Monica Raffety: has over 15 years of internal audit and compliance experience. She began her career in the financial services industry where she held various internal audit / risk management roles. She is also a former President and current Board of Governors member of the San Gabriel Valley IIA Chapter. Risk Assessments
    3. 3. 3Compliance Made Simple Disclaimer The comments, statements, views and opinions expressed in this webinar and other printed material do not reflect the views or opinions of the presenters’ current or past employers. Risk Assessments
    4. 4. 4Compliance Made Simple Risk Assessment Planning Process Establish the Purpose and Identify Risks Measure Risks Review, Report, and Communicate Results Prioritize Risks & Develop Audit Plan/Project Risk Assessment Risk Assessments
    5. 5. 5Compliance Made Simple Establish the Purpose – Identify purpose and focus: Financial Misstatement, Fraud, Other – Collaborate with Internal Audit, Compliance, Business Management, and IT Management: Risk Assessment meetings, conduct interviews, complete risk assessment questionnaires, perform site visits to validate understanding of strategy, initiatives, products/services, and system changes – Establish ownership of the risk assessment process – Establish risk assessment frequency: quarterly, annually – Create format that is easy to review by stakeholders and maintain Risk Assessments Risk Assessment- Establish the Purpose
    6. 6. 6Compliance Made Simple Risk Assessments Risk Assessment Questionnaire Example
    7. 7. 7Compliance Made Simple Identify the Risks – Review Regulatory Literature for your industry: • Office of the Comptroller of the Currency (OCC) for risks affecting Financial Institutions. Semiannual Risk Perspective Fall 2013 • Centers of Medicare and Medicaid Services (CMS) for risks affecting Health Care. http://www.cms.gov/Medicare/Compliance-and-Audits – Review past audit reports: • Length of time since last audit, prior findings, # of findings – Perform quantitative and qualitative analysis: • Significant financial statement line items • Threshold such as exceeding overall materiality (5% of pre-tax income) • Volume of transactions – dollar and # • Identify risk factors Risk Assessments Risk Assessment- Identify the Risks
    8. 8. 8Compliance Made Simple Examples of Risk Categories Risk Assessments Financial Information Technology Legal / Regulatory / Compliance Credit Risk Physical Events Risk Compliance Risk Interest Rate Risk Capacity / Flexibility Risk Safety and Soundness Risk Asset Quality Risk Systems Availability Risk FDICIA Risk Liquidity Risk Information Security Risk Contractual / Third-Party Vendor Risk Physical Asset Risk Fiduciary Risk Counterparty Risk BSA/AML Financial Reporting Risk Concentration Risk Price Risk Transactions Risk Human Resources / Management Experience Operations / Change / Complexity Prior / Other Audit – Internal, External & Regulatory Key Personnel Risk Operational Risk Remediation Risk Workforce Risk Cyber Threat Risk Integrity Risk Market / Strategic Product / Services Risk Reputation Risk Market Structure Risk Competition Risk Political Risk Acquisition Risk Strategic Technology Risk
    9. 9. 9Compliance Made Simple Measure the Risks – Set risk levels for each auditable activity: • Risk Factors such as: Financial risks, IT risks, Legal / Compliance risks, Operational risks, Strategic risks, Human Resource risks and Prior / Other Audit activities – Assign a “Risk Score” to each audit activity: • Based on likelihood/probability and impact (potential losses) of inherent risks associated with the activity – Assign a “Risk Rating” to each audit activity: • High, Medium, or Low – to each audit activity / area based on the level of risk associated with the activity Risk Assessments Risk Assessment- Measure the Risks
    10. 10. 10Compliance Made Simple Risk Assessments Example Risk Assessment – Risk Score Matrix Impact: Risk impact on achieving Organizational/Business Unit strategies and objectives Probability: The likelihood that a given risk will occur, given current control/business environment 3. High 3. Probable Represents a risk which materially or significantly impacts the achievement of goals and objectives Given the current control environment, the risk is likely or very likely to occur and there is a possibility of repeated incidents 2. Medium 2. Maybe Represents a risk that may prevent achieving goals and objectives Given the current control/business environment, it is possible that the risk may sometimes occur 1. Low 1. Remote Represents a risk with little or no impact on achieving goals and objectives Given the current control/business environment, there is only a remote possibility that the risk will occur
    11. 11. 11Compliance Made Simple Risk Assessments Risk Assessment- Prioritize the Risks and Develop Audit Plan/Project Prioritize the Risks and Develop Audit Plan/Project – Develop a risk-based audit plan based on the results of the risk assessment - the assigned risk ratings help to determine the frequency and scope of audit testing – Example • High risk areas may be audited annually • Medium risk areas may be audited on a rotating basis and every 2-3 years • Low risk areas may be audited on rotating basis and every 3-4 years.
    12. 12. 12Compliance Made Simple Risk Assessments Risk Assessment- Review, Report, & Communicate Results Review, Report, & Communicate Results – Look at the big picture: • What risks are you controlling? • Do you have many controls in areas that are low risk or have not had a material misstatement or fraud event? If yes, why? – Prepare a risk assessment package: • Share with Executive Management and review quarterly or annually. – Identify items that may call for a re-assessment of risks: • Examples: Systems implementations, acquisitions, divestitures, changing business models, changing control/business environment, new technology etc. • Update your audit plan as needed
    13. 13. 13Compliance Made Simple Template Materials • Sample Risk Assessment Questionnaire • Sample Risk Score Matrix • Sample Risk Assessment Templates • Sample Audit Plan • Sample Change Management Questionnaire Thank you to the Internal Audit Community that contributed these templates!! Please feel free to share your “scrubbed” or original templates with this group. Risk Assessments
    14. 14. 14Compliance Made Simple COSO & Risk Assessments New 17 Principles Risk Assessments Still the Same only better, more clear and more relevant.
    15. 15. 15Compliance Made Simple COSO 2013: Risk Assessment Updates! • Fraud Risk Assessment: Finally documented but conducted in practice. • Includes monitoring of risks as a “Must Have”. Risk Assessments
    16. 16. 16Compliance Made Simple Risk Assessment Evidence Risk Assessments
    17. 17. 17Compliance Made Simple Principles: What “holds” a principle UP! Risk Assessments
    18. 18. 18Compliance Made Simple Risk Assessment Case Study Risk Assessments Company Background: – Public financial services company – Three divisions A, B and C – Objective Category for COSO framework = External Financial Reporting (SOX 404)
    19. 19. 19Compliance Made Simple Case study: Control Analysis Risk Assessments • Mgmt documented its overview of its assessment of control effectiveness. • Management determined it has some revenue recognition control deficiencies and need to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up and coming divisions “DIVISION C” but there were NO KNOWN financial statement errors! • Root case analysis concluded that management failed to implement control activities over the revenue recognition process at Division C, which became a significant part of their overall revenue and growth for the organization.
    20. 20. 20Compliance Made Simple Case studies – Polling Question Risk Assessments QUESTION ? How bad is it? Was this a …… A)Control Deficiency, B) Significant Deficiency C) Material Weakness D) Not a deficiency
    21. 21. 21Compliance Made Simple Case Study: Conclusion Risk Assessments What COSO has to say: A related weakness was noted in Principle #9 “Identifies & Analyzes Significant Change”, because the company never adopted key controls over this Division C that was growing rapidly and Corporate office assumed it was doing what they expected. The conclusion was a: MATERIAL WEAKNESS for 2 Principles! Principle #10 “Selects and Develops Control Activities” and Principle #9 “ID & Analyzes Significant Change”
    22. 22. 22Compliance Made Simple Case Study Solutions • Create and implement a Risk Assessment Policy/Procedure • Interim SOX 404 control analysis, including risk assessment procedures • Evaluate Materiality (prior to interim testing or just after). Risk Assessments
    23. 23. 23Compliance Made Simple Transition Analysis – 6 mos. Risk Assessments
    24. 24. 24Compliance Made Simple Control Compliance Analysis Risk Assessments COSO Transition 1. Top Transition Failures (Case Studies) 2. Audit Evidence required 3. Priority Driven by Principles PCAOB, IIA & SEC Guidance 1. Latest PCAOB Internal Control Standards 2. IIA Incorporated Top 7 IC Failures 3. SEC Guidance for Mgmt on Internal Controls info@avivaspectrum.com Subject: CCA Reservation
    25. 25. 25Compliance Made Simple Polling Question 2 Risk Assessments Does your organization have a Risk Assessment Policy/Procedure document? Risk Policy A Yes, we have one B No, wish I had one C Don’t Know
    26. 26. 26Compliance Made Simple Risk Assessment Impact of Reported Changes Risk Assessments Change Management Select Yes, No, NA Yes Yes Yes No 3. Process (including report) Changes Are there any significant changes in the business processes, including reporting changes? (Process or Control narrative should be updated for specific changes to controls and/or business processes) 4. Significant Policy or Regulatory Changes Are there any significant changes in regulations, operating and/or financial policies and/or procedures? List any planned significant changes (organization, systems, process, policies and procedures and others) that you anticipate in 201X that may affect or potentially affect the internal controls over financial reporting for your business process, including the expected implementation date, impact of such changes and related action items to ensure that the key control and/or business process continue to operate effectively. This section must be completed For each item (1 - 4) select "Yes", "No", or "NA" if a change occurred. Comments (If the answer is "YES", identify the personnel change, name of application/system affected, business process change, affected policy(ies) name(s), date of change(s), and action items taken to ensure the key control and/or business process continue to operate effectively.) 1. Organizational Changes Are there any significant changes in the key personnel managing the process? 2. System/Technology Changes Are there any significant changes in the financial (application) systems, including additions or modifications to existing systems? Are there any significant technology changes? Benefits/Impact of Regular Change Management Reporting • Identify areas that require walkthrough or new areas to be added to audit plan: – Could lead to postponed testing – Updated audit plan – Updated testing strategy – Updated risk assessment • Identify current and future areas of risk: – Significant changes in people, process, or technology • Identify opportunities to serve in an advisory role – New systems/technology – New regulations that may impact the Organization
    27. 27. 27Compliance Made Simple Polling Question 3 Risk Assessments Is your organization conducting risk based walkthroughs? Walkthroughs A Yes, B No, wish we would C Don’t Know
    28. 28. 28Compliance Made Simple Risk Assessments • Caused audit procedure layering • More in-depth written description of estimates and use of judgment, especially review controls • Detailed documentation and testing of system reports utilized in performance of controls. New PCAOB Auditing BAR!
    29. 29. 29Compliance Made Simple Risk Assessments Level of precision in Plain English? • How detailed is management’s review of journal entries? • Document your thought process – Dollar Threshold – Percentage of Revenue – Geographic Location – Lines of Business – Other Risk Factors – Timing
    30. 30. 30Compliance Made Simple IT dependent controls (pg#27) Risk Assessments
    31. 31. 31Compliance Made Simple IT Spreadsheets – RA Process Risk Assessments Inventory your Excel files (Total in-versus-out of scope)! Next tab reveals what you’re test!
    32. 32. 32Compliance Made Simple Combined Risk Scoring In-Scope Excel Files Risk Assessments
    33. 33. 33Compliance Made Simple Testing Example Risk Assessments
    34. 34. 34Compliance Made Simple Polling Question 4 Risk Assessments For sampling controls to test do you find your current risk assessment is adequate? Sampling A Yes, to a degree B Yes, but needs some work C No, we need new approach
    35. 35. 35Compliance Made Simple Community & Sharing Risk Assessments Join Our LinkedIn Group COSO Framework Discussion & Webinars http://www.linkedin.com/groups/2013-COSO- Implementation-4888186/about Technical Community sharing Ideas ,Templates, WEBINARS, Advise and Learn from others implementing new framework. Share your latest templates here!
    36. 36. 36Compliance Made Simple Q & A session (5 – 8 Min) Risk Assessments Sonia Luna- President, CEO Aviva Spectrum www.linkedin.com/in/sonialuna www.slideshare.net/soxppt www.avivaspectrum.com/podca sts