Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna CPA, CIA, CEO of Aviva Spectrum and Monica Raffety, CIA
Senior Manager, Financial Controls at Kaiser Permanente will help you to:
Understand risk assessment tools available
Learn how and when to apply risk assessment techniques
Leverage different forms of quantitative and qualitative analysis techniques
Learn when to deviate from risk assessment templates with a memo or scoring
Understand what external auditors, management and the Board need to know when executing a risk assessment.
Understand how risk assessment impact the internal audit activities, from walkthroughs to testing
Risk Assessments Best Practice and Practical Approaches Webinar
1. Compliance Made Simple
Risk Assessments
Best Practice & Practical Approaches
Thursday, June 19, 2014
Presented by:
Sonia Luna & Monica Raffety
2. 2Compliance Made Simple
Bios
• Sonia Luna: has over 16 years of internal and external audit
experience. Worked at 2 of the Big 4 before leaving as an
audit manager to create Aviva Spectrum, in 2004. Aviva
Spectrum provides a wide variety of internal audit services
including SOX404, COSO 2013 transition, compliance audits
and quality assessment reviews.
• Monica Raffety: has over 15 years of internal audit and
compliance experience. She began her career in the
financial services industry where she held various internal audit
/ risk management roles. She is also a former President and
current Board of Governors member of the San Gabriel Valley
IIA Chapter.
Risk Assessments
3. 3Compliance Made Simple
Disclaimer
The comments, statements, views
and opinions expressed in this
webinar and other printed material
do not reflect the views or opinions
of the presenters’ current or past
employers.
Risk Assessments
4. 4Compliance Made Simple
Risk Assessment Planning Process
Establish the Purpose
and Identify Risks
Measure Risks
Review, Report, and
Communicate Results
Prioritize Risks & Develop
Audit Plan/Project
Risk
Assessment
Risk Assessments
5. 5Compliance Made Simple
Establish the Purpose
– Identify purpose and focus: Financial Misstatement, Fraud,
Other
– Collaborate with Internal Audit, Compliance, Business
Management, and IT Management: Risk Assessment
meetings, conduct interviews, complete risk assessment
questionnaires, perform site visits to validate understanding
of strategy, initiatives, products/services, and system
changes
– Establish ownership of the risk assessment process
– Establish risk assessment frequency: quarterly, annually
– Create format that is easy to review by stakeholders and
maintain
Risk Assessments
Risk Assessment- Establish the Purpose
7. 7Compliance Made Simple
Identify the Risks
– Review Regulatory Literature for your industry:
• Office of the Comptroller of the Currency (OCC) for risks
affecting Financial Institutions. Semiannual
Risk Perspective Fall 2013
• Centers of Medicare and Medicaid Services (CMS) for
risks affecting Health Care.
http://www.cms.gov/Medicare/Compliance-and-Audits
– Review past audit reports:
• Length of time since last audit, prior findings, # of findings
– Perform quantitative and qualitative analysis:
• Significant financial statement line items
• Threshold such as exceeding overall materiality (5% of
pre-tax income)
• Volume of transactions – dollar and #
• Identify risk factors
Risk Assessments
Risk Assessment- Identify the Risks
9. 9Compliance Made Simple
Measure the Risks
– Set risk levels for each auditable activity:
• Risk Factors such as: Financial risks, IT risks, Legal /
Compliance risks, Operational risks, Strategic risks,
Human Resource risks and Prior / Other Audit activities
– Assign a “Risk Score” to each audit activity:
• Based on likelihood/probability and impact (potential
losses) of inherent risks associated with the activity
– Assign a “Risk Rating” to each audit activity:
• High, Medium, or Low – to each audit activity / area
based on the level of risk associated with the activity
Risk Assessments
Risk Assessment- Measure the Risks
10. 10Compliance Made Simple Risk Assessments
Example Risk Assessment – Risk
Score Matrix
Impact: Risk impact on achieving
Organizational/Business Unit strategies and
objectives
Probability: The likelihood that a given risk will
occur, given current control/business environment
3. High 3. Probable
Represents a risk which materially or significantly
impacts the achievement of goals and objectives
Given the current control environment, the risk is likely
or very likely to occur and there is a possibility of
repeated incidents
2. Medium 2. Maybe
Represents a risk that may prevent achieving goals
and objectives
Given the current control/business environment, it is
possible that the risk may sometimes occur
1. Low 1. Remote
Represents a risk with little or no impact on
achieving goals and objectives
Given the current control/business environment, there
is only a remote possibility that the risk will occur
11. 11Compliance Made Simple Risk Assessments
Risk Assessment- Prioritize the Risks
and Develop Audit Plan/Project
Prioritize the Risks and Develop Audit Plan/Project
– Develop a risk-based audit plan based on the results of the
risk assessment - the assigned risk ratings help to determine
the frequency and scope of audit testing
– Example
• High risk areas may be audited annually
• Medium risk areas may be audited on a rotating basis
and every 2-3 years
• Low risk areas may be audited on rotating basis and
every 3-4 years.
12. 12Compliance Made Simple Risk Assessments
Risk Assessment- Review, Report, &
Communicate Results
Review, Report, & Communicate Results
– Look at the big picture:
• What risks are you controlling?
• Do you have many controls in areas that are low risk or have not
had a material misstatement or fraud event? If yes, why?
– Prepare a risk assessment package:
• Share with Executive Management and review quarterly or
annually.
– Identify items that may call for a re-assessment of risks:
• Examples: Systems implementations, acquisitions, divestitures,
changing business models, changing control/business
environment, new technology etc.
• Update your audit plan as needed
13. 13Compliance Made Simple
Template Materials
• Sample Risk Assessment Questionnaire
• Sample Risk Score Matrix
• Sample Risk Assessment Templates
• Sample Audit Plan
• Sample Change Management Questionnaire
Thank you to the Internal Audit Community that contributed these
templates!!
Please feel free to share your “scrubbed” or original templates with this
group.
Risk Assessments
14. 14Compliance Made Simple
COSO & Risk Assessments
New 17 Principles
Risk Assessments
Still the Same
only better,
more clear and
more relevant.
15. 15Compliance Made Simple
COSO 2013: Risk Assessment
Updates!
• Fraud Risk Assessment: Finally documented but conducted in
practice.
• Includes monitoring of risks as a “Must Have”.
Risk Assessments
18. 18Compliance Made Simple
Risk Assessment Case Study
Risk Assessments
Company Background:
– Public financial services company
– Three divisions A, B and C
– Objective Category for COSO framework =
External Financial Reporting (SOX 404)
19. 19Compliance Made Simple
Case study:
Control Analysis
Risk Assessments
• Mgmt documented its overview of its assessment of control
effectiveness.
• Management determined it has some revenue recognition
control deficiencies and need to reflect the severity of those
deficiencies. One of the revenue streams lacked good
controls. They noted deficiencies in one of their up and
coming divisions “DIVISION C” but there were NO KNOWN
financial statement errors!
• Root case analysis concluded that management failed to
implement control activities over the revenue recognition
process at Division C, which became a significant part of their
overall revenue and growth for the organization.
20. 20Compliance Made Simple
Case studies – Polling Question
Risk Assessments
QUESTION ?
How bad is it? Was this a ……
A)Control Deficiency,
B) Significant Deficiency
C) Material Weakness
D) Not a deficiency
21. 21Compliance Made Simple
Case Study: Conclusion
Risk Assessments
What COSO has to say:
A related weakness was noted in Principle #9 “Identifies &
Analyzes Significant Change”, because the company
never adopted key controls over this Division C that was
growing rapidly and Corporate office assumed it was doing
what they expected. The conclusion was a:
MATERIAL WEAKNESS for 2 Principles!
Principle #10 “Selects and Develops Control Activities” and
Principle #9 “ID & Analyzes Significant Change”
22. 22Compliance Made Simple
Case Study Solutions
• Create and implement a Risk Assessment Policy/Procedure
• Interim SOX 404 control analysis, including risk assessment
procedures
• Evaluate Materiality (prior to interim testing or just after).
Risk Assessments
24. 24Compliance Made Simple
Control Compliance Analysis
Risk Assessments
COSO Transition
1. Top Transition Failures (Case
Studies)
2. Audit Evidence required
3. Priority Driven by Principles
PCAOB, IIA & SEC Guidance
1. Latest PCAOB Internal Control
Standards
2. IIA Incorporated Top 7 IC Failures
3. SEC Guidance for Mgmt on
Internal Controls
info@avivaspectrum.com
Subject: CCA Reservation
25. 25Compliance Made Simple
Polling Question 2
Risk Assessments
Does your organization have a Risk
Assessment Policy/Procedure
document?
Risk Policy
A Yes, we have one
B No, wish I had one
C Don’t Know
26. 26Compliance Made Simple
Risk Assessment Impact of Reported
Changes
Risk Assessments
Change Management
Select
Yes, No,
NA
Yes
Yes
Yes
No
3. Process (including report) Changes
Are there any significant changes in the
business processes, including reporting
changes? (Process or Control narrative
should be updated for specific changes to
controls and/or business processes)
4. Significant Policy or Regulatory Changes
Are there any significant changes in
regulations, operating and/or financial
policies and/or procedures?
List any planned significant changes (organization, systems, process, policies and procedures and
others) that you anticipate in 201X that may affect or potentially affect the internal controls over
financial reporting for your business process, including the expected implementation date, impact
of such changes and related action items to ensure that the key control and/or business process
continue to operate effectively.
This section must be completed
For each item (1 - 4) select "Yes",
"No", or "NA" if a change occurred.
Comments (If the answer is "YES", identify
the personnel change, name of
application/system affected, business
process change, affected policy(ies) name(s),
date of change(s), and action items taken to
ensure the key control and/or business
process continue to operate effectively.)
1. Organizational Changes
Are there any significant changes in the key
personnel managing the process?
2. System/Technology Changes
Are there any significant changes in the
financial (application) systems, including
additions or modifications to existing
systems? Are there any significant
technology changes?
Benefits/Impact of Regular
Change Management
Reporting
• Identify areas that require
walkthrough or new areas
to be added to audit plan:
– Could lead to
postponed testing
– Updated audit plan
– Updated testing
strategy
– Updated risk
assessment
• Identify current and future
areas of risk:
– Significant changes in
people, process, or
technology
• Identify opportunities to
serve in an advisory role
– New
systems/technology
– New regulations that
may impact the
Organization
27. 27Compliance Made Simple
Polling Question 3
Risk Assessments
Is your organization conducting risk
based walkthroughs?
Walkthroughs
A Yes,
B No, wish we would
C Don’t Know
28. 28Compliance Made Simple Risk Assessments
• Caused audit procedure
layering
• More in-depth written
description of estimates and
use of judgment, especially
review controls
• Detailed documentation and
testing of system reports utilized
in performance of controls.
New PCAOB Auditing BAR!
29. 29Compliance Made Simple Risk Assessments
Level of precision in Plain English?
• How detailed is management’s review of
journal entries?
• Document your thought process
– Dollar Threshold
– Percentage of Revenue
– Geographic Location
– Lines of Business
– Other Risk Factors
– Timing
31. 31Compliance Made Simple
IT Spreadsheets – RA Process
Risk Assessments
Inventory your Excel files (Total in-versus-out of scope)!
Next tab reveals what you’re test!
34. 34Compliance Made Simple
Polling Question 4
Risk Assessments
For sampling controls to test do you find
your current risk assessment is
adequate? Sampling
A Yes, to a degree
B Yes, but needs some work
C No, we need new approach
35. 35Compliance Made Simple
Community & Sharing
Risk Assessments
Join Our LinkedIn Group
COSO Framework Discussion &
Webinars
http://www.linkedin.com/groups/2013-COSO-
Implementation-4888186/about
Technical Community sharing Ideas ,Templates, WEBINARS,
Advise and Learn from others implementing new framework.
Share your latest templates here!
36. 36Compliance Made Simple
Q & A session (5 – 8 Min)
Risk Assessments
Sonia Luna- President, CEO
Aviva Spectrum
www.linkedin.com/in/sonialuna
www.slideshare.net/soxppt
www.avivaspectrum.com/podca
sts
Hinweis der Redaktion
Sonia (LEAD): …our bios are attached in the registration but also included here…..
Sonia (LEAD):
Monica (LEAD): Discuss the top areas auditors generally focus their risk assessment efforts (see bullet points in ppt slide).
There are 4 key areas in developing a risk assessment.
We will speak in more detail on the following slides.
Sonia (Contribute): Add what clients request internal auditors to focus their energy during the risk assessment process.
Monica (LEAD): Purpose and Focus: Financial Misstatement and Fraud. Required by new COSO framework to look at both
Meet with Internal Audit, Compliance, Business Management, and IT Management: Risk Assessment Meetings, Conducting Interviews, Completing Risk Assessment questionnaires. Getting SSAE 16 Type II reports.
Identify, assess, and prioritize risks that impact the achievement of the Company’s strategic and business objectives
Develop a risk-based Internal Audit (IA) Plan that provides sufficient coverage of applicable audit areas
Monica (LEAD): By conducting risk questionnaires, not only can you identify potential risks, you can also add value by identifying areas where internal audit can serve in a consulting capacity. Also, this particular questionnaire builds in a change management process. However, it the questionnaires are distributed semi-annually or annually that might not be a sufficient frequency to understand all the changes occurring in your organization, especially if it is large, complex, or spread out across different regions or globally.
Sonia comment
Monica (LEAD)
Monica (LEAD): Vendor threats can include data breach at vendor, data breach at your organization due to vendor, hosted environment goes down or is unstable. Example of Health Care Risks – Prescription Drug Event Reconciliation, Coverage Gap Discount Program, Direct/Indirect Renumeration Reporting, third party risks due to delivery of service., impact on patient care, impact on revenue cycle,
Monica (LEAD)
Monica (LEAD): this provides the “x” and “y” axis of how to conduct your risk assessment scoring.
Sonia comment on scoring could go from 1-3 to 1-5 or 1-10 etc in the marketplace.
Monica (LEAD): By prioritizing your high-risk areas you can determine where to best allocate your resources and also drive value into your organization.
Monica (LEAD): By prioritizing your high-risk areas you can determine where to best allocate your resources and also drive value into your organization.
Monica (LEAD): First template to share and discuss.
Sonia contribute to state that COSO Implementation Group is here to serve its active members and appreciate Monica leading the charge in providing incredible template solutions to a complex and challenging process of Risk Assessments.
Sonia (LEAD): here it the simple layout of the 17 new principles COSO issued out in May 2013. There’s a wide variety of source material out there to help you transition to the new framework, however I would strongly suggest you visit the e-commerce site of the AICPA and order COSO transition and guidance materials from them. Website is located at: www.cpa2biz.com
Monica (Contribute): are you implementing COSO’s new framework in 2014, if yes, when. If no then when and how do you believe “success” would be measured in the transition by the Audit committee and also by mgmt.
Sonia (LEAD): Two main areas I noticed in the “refreshed” 2013 COSO framework was #1: Clarity in the language requiring management to assess fraud risk, although we (auditors and management) were conducting this in practice. More importantly item #2: for me was the biggest change my clients believed they were conducting effectively, but soon in a case study we’ll show you some challenges that may effect your own organization. Item #2 covers the monitoring process of when significant changes impact your organization and what you do to address those changes.
Monica (Contribute): have you implemented a change management process for ID new risks? If so what was your experience? Can you share best practices?
Sonia (LEAD): I wanted to share some insights of what we’re seeing in the COSO 2013 transition services. Here I only highlighted what I already mentioned earlier is a significant change in Principle #9, dealing with the ID and analysis of significant change. I’ve noted in a template we have provided for other clients, the page reference where COSO calls out in vol #4 the type of audit evidence an auditor may want to review/consider when transitioning to the new framework. Here I’ve simply noted for your reference that in page 76 of COSO’s vol #4 dealing with SOX considerations, there’s a clear indication that companies need to have a monitoring mechanism in place to ID/Analyze Changes in its environment.
Monica (Contribute): Have you seen or implemented a monitoring mechanism in an organization to ID significant changes? What were some lessons learned or best practice items.
Sonia (LEAD): One way of analyzing how points of focus impact principles is to utilized a bar stool analogy.
Sonia (LEAD): I wanted to share a quick case study so we can understand some interesting concepts in the new 2013 COSO Framework. This case study is straight from COSO guidance materials and we’ll cover later what volume and page number you can reference this case study yourself.
Here we have a public company that has three divisions, and they have a corporate office as well. The objective they are trying to reach is the external financial reporting objective that most public companies are trying to achieve and some would call the “SOX 404” objective. Now let’s take a look at what’s going on with this company that is trying to assess the effectiveness of their controls at Corporate and their divisions for SOX 404 compliance purposes.
Sonia (LEAD): Covering more background on this case, we discover that management documented some observations during its internal control assessment for SOX 404. However in this assessment they noted Division C lacked controls over revenue and it became a significant part of their operations whereas in prior year Division C was not material or reviewed heavily for SOX 404 controls. A root cause analysis determined a lack of controls being documented and tested in Division C.
Sonia (LEAD): Now let’s take a quick poll to see where you all think this Company should assess their overall effectiveness of their SOX 404 program again assuming that ALL OTHER CONTROLS are good to go and there were no other deficiencies.
SONIA (LEAD): the challenge in this case is most of us would be proud that one of our divisions is not growing and becoming significant to the contribution of the success of the entire organization. Remember there were no Financial Accounting errors in the numbers in this case study, what went wrong was control documentation! Therefore the company had concluded in this case study, which again you can read it for yourself on pages 110 – 111, a material weakness for Principles 10 which in their assessment they believe impacted Principle 9 because they could not ID this risk coming. It only was noted to the company when they looked at key controls in Principle #10. There are a few lessons here which are a) as you “test controls” in your sox 404 program and find failures, you MUST conduct a root cause analysis to determine if it impacted other principles which in this case the management team noticed it impacted their system of ID risks in principle #9.
Monica (CONTRIBUTE): Comment on how one could institute best practice “interim risk assessment analysis” or even policies on Risk Assessment procedures.
Sonia (LEAD): Here are some solutions and most of which are either common sense to most of you here with us today. However I do want to share an IIA standard that does point out that internal audit groups must have a risk assessment policy and procedure document which I’m stating as the very first bullet point to share as a solution to this case study.
Monica: Comment here to your opinion of having a risk assessment policy. Have you created one or used one in the past. Comment on how well it worked or not?
Yes, our Internal Audit department has a Risk Assessment Procedure document.
Sonia (LEAD) free video and other tools available discussion
Sonia (LEAD) Transition best practice alignment discussion
Sonia (LEAD): polling question.
Monica (LEAD): Additionally, if the organization or business is accustomed to reporting changes regularly, the plus side there should be fewer surprises.
Sonia (LEAD): now let’ find out how many of you conduct risk based walkthroughs?
Sonia (LEAD): this new audit alert #11 came out late last year and most of you I know missed this practice alert. I’ve put down the top three items here of what is changing in the day to day audit of internal controls which are:…….
Sonia (LEAD): They want to see you’ve considered what a thorough review requires given your specific environment factors and you’ve documented it
Monica (CONTRIBUTE): what have you noticed from either management or external auditors wanting more detailed information on how precise management is in their review? How does this impact your audit program and budget?
Sonia (LEAD): What the PCAOB wants (noted here in page 27 of Audit Alert #11), when it comes to key system reports, is the verification of those reports. Therefore, if in your AR analysis you use a few reports let’s say:
1) AR Client detail report
2) Client Invoice Analysis report by product type
3) Payment history - client detail report
Those reports may be included as key reports and must be tested/validated for accuracy and completeness and not to mention user access and change mgmt. controls.
Monica (Contribute): Explain what you have seen auditors request for IPE (Information Prepared by Entity) or “key system generated reports”.
Sonia (LEAD): now let’s talk about when system generated data or reports are really just auditor talk for “my key control depends on excel”. There is an risk based approach to deal with spreadsheets and how to test them. Our firm was the first to develop based upon ITGI guidance issued in 2006, how to risk rank your IT spreadsheets that are “in-scope” for SOX 404.
Sonia (LEAD):
Sonia (LEAD)
Sonia (LEAD): now here’s our final polling question to share with us and everyone on live with us today…..
Sonia (LEAD): I wanted to share some insight on a very fast growing technical community and more importantly thank Monica who is a member of the COSO Implementation community for being here with us and sharing her insights on risk assessments best practice items and practical approaches in this webinar.
Monica (Contribute): please chat what value you received from this LI group.
Sonia (LEAD): now we’ll open our live session to Questions for 5 to 8 minutes. Please enter your questions in the chat box….., and please let’s connect on LinkedIN as well for those of you a little shy to ask a question now or if you have questions later on when you head back into work mode.