Risk Assessments Best Practice and Practical Approaches Webinar

Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna, CPA, CIA, CEO of Aviva Spectrum, and Monica Raffety, CIA, Senior Manager, Financial Controls at Kaiser Permanente, will help you to:
Understand the risk assessment tools available
Learn how and when to apply risk assessment techniques
Leverage different forms of quantitative and qualitative analysis techniques
Learn when to deviate from risk assessment templates with a memo or scoring
Understand what external auditors, management and the Board need to know when executing a risk assessment
Understand how risk assessments impact the internal audit activities, from walkthroughs to testing

Risk Assessments Best Practice and Practical Approaches Webinar

Slide 1: Compliance Made Simple – Risk Assessments: Best Practice & Practical Approaches
Thursday, June 19, 2014
Presented by: Sonia Luna & Monica Raffety
Slide 2: Bios
• Sonia Luna has over 16 years of internal and external audit experience. She worked at two of the Big 4 before leaving as an audit manager to create Aviva Spectrum in 2004. Aviva Spectrum provides a wide variety of internal audit services, including SOX 404, COSO 2013 transition, compliance audits and quality assessment reviews.
• Monica Raffety has over 15 years of internal audit and compliance experience. She began her career in the financial services industry, where she held various internal audit / risk management roles. She is also a former President and current Board of Governors member of the San Gabriel Valley IIA Chapter.
Slide 3: Disclaimer
The comments, statements, views and opinions expressed in this webinar and other printed material do not reflect the views or opinions of the presenters’ current or past employers.
Slide 4: Risk Assessment Planning Process
1. Establish the Purpose and Identify Risks
2. Measure Risks
3. Prioritize Risks & Develop Audit Plan/Project
4. Review, Report, and Communicate Results
Slide 5: Risk Assessment – Establish the Purpose
– Identify purpose and focus: Financial Misstatement, Fraud, Other
– Collaborate with Internal Audit, Compliance, Business Management, and IT Management: hold risk assessment meetings, conduct interviews, complete risk assessment questionnaires, perform site visits to validate understanding of strategy, initiatives, products/services, and system changes
– Establish ownership of the risk assessment process
– Establish risk assessment frequency: quarterly, annually
– Create a format that is easy for stakeholders to review and maintain
Slide 6: Risk Assessment Questionnaire Example
Slide 7: Risk Assessment – Identify the Risks
– Review regulatory literature for your industry:
  • Office of the Comptroller of the Currency (OCC) for risks affecting Financial Institutions: Semiannual Risk Perspective, Fall 2013
  • Centers for Medicare and Medicaid Services (CMS) for risks affecting Health Care: http://www.cms.gov/Medicare/Compliance-and-Audits
– Review past audit reports:
  • Length of time since last audit, prior findings, # of findings
– Perform quantitative and qualitative analysis:
  • Significant financial statement line items
  • Thresholds such as exceeding overall materiality (5% of pre-tax income)
  • Volume of transactions – dollar and #
  • Identify risk factors
Slide 8: Examples of Risk Categories
Categories: Financial; Information Technology; Legal / Regulatory / Compliance; Human Resources / Management Experience; Operations / Change / Complexity; Prior / Other Audit – Internal, External & Regulatory; Market / Strategic
Example risk types listed on the slide: Credit Risk, Physical Events Risk, Compliance Risk, Interest Rate Risk, Capacity / Flexibility Risk, Safety and Soundness Risk, Asset Quality Risk, Systems Availability Risk, FDICIA Risk, Liquidity Risk, Information Security Risk, Contractual / Third-Party Vendor Risk, Physical Asset Risk, Fiduciary Risk, Counterparty Risk, BSA/AML, Financial Reporting Risk, Concentration Risk, Price Risk, Transactions Risk, Key Personnel Risk, Operational Risk, Remediation Risk, Workforce Risk, Cyber Threat Risk, Integrity Risk, Product / Services Risk, Reputation Risk, Market Structure Risk, Competition Risk, Political Risk, Acquisition Risk, Strategic Technology Risk
Slide 9: Risk Assessment – Measure the Risks
– Set risk levels for each auditable activity:
  • Risk factors such as: Financial risks, IT risks, Legal / Compliance risks, Operational risks, Strategic risks, Human Resource risks and Prior / Other Audit activities
– Assign a “Risk Score” to each audit activity:
  • Based on likelihood/probability and impact (potential losses) of the inherent risks associated with the activity
– Assign a “Risk Rating” to each audit activity:
  • High, Medium, or Low – to each audit activity / area based on the level of risk associated with the activity
Slide 10: Example Risk Assessment – Risk Score Matrix
Impact: Risk impact on achieving Organizational/Business Unit strategies and objectives
Probability: The likelihood that a given risk will occur, given the current control/business environment

Score | Impact | Probability
3 | High – Represents a risk which materially or significantly impacts the achievement of goals and objectives | Probable – Given the current control environment, the risk is likely or very likely to occur and there is a possibility of repeated incidents
2 | Medium – Represents a risk that may prevent achieving goals and objectives | Maybe – Given the current control/business environment, it is possible that the risk may sometimes occur
1 | Low – Represents a risk with little or no impact on achieving goals and objectives | Remote – Given the current control/business environment, there is only a remote possibility that the risk will occur
Slide 11: Risk Assessment – Prioritize the Risks and Develop Audit Plan/Project
– Develop a risk-based audit plan based on the results of the risk assessment; the assigned risk ratings help to determine the frequency and scope of audit testing
– Example:
  • High risk areas may be audited annually
  • Medium risk areas may be audited on a rotating basis, every 2-3 years
  • Low risk areas may be audited on a rotating basis, every 3-4 years
Slide 12: Risk Assessment – Review, Report, & Communicate Results
– Look at the big picture:
  • What risks are you controlling?
  • Do you have many controls in areas that are low risk or have not had a material misstatement or fraud event? If yes, why?
– Prepare a risk assessment package:
  • Share with Executive Management and review quarterly or annually.
– Identify items that may call for a re-assessment of risks:
  • Examples: systems implementations, acquisitions, divestitures, changing business models, changing control/business environment, new technology, etc.
  • Update your audit plan as needed
Slide 13: Template Materials
• Sample Risk Assessment Questionnaire
• Sample Risk Score Matrix
• Sample Risk Assessment Templates
• Sample Audit Plan
• Sample Change Management Questionnaire
Thank you to the Internal Audit Community that contributed these templates! Please feel free to share your “scrubbed” or original templates with this group.
Slide 14: COSO & Risk Assessments
New 17 Principles: still the same, only better, more clear and more relevant.
Slide 15: COSO 2013: Risk Assessment Updates!
• Fraud Risk Assessment: finally documented, but already conducted in practice.
• Includes monitoring of risks as a “Must Have”.
Slide 16: Risk Assessment Evidence
Slide 17: Principles: What “holds” a principle UP!
Slide 18: Risk Assessment Case Study
Company Background:
– Public financial services company
– Three divisions: A, B and C
– Objective category for COSO framework = External Financial Reporting (SOX 404)
Slide 19: Case Study: Control Analysis
• Management documented its overview of its assessment of control effectiveness.
• Management determined it has some revenue recognition control deficiencies and needs to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up-and-coming divisions, “DIVISION C”, but there were NO KNOWN financial statement errors!
• Root cause analysis concluded that management failed to implement control activities over the revenue recognition process at Division C, which became a significant part of their overall revenue and growth for the organization.
Slide 20: Case Studies – Polling Question
QUESTION: How bad is it? Was this a ……
A) Control Deficiency
B) Significant Deficiency
C) Material Weakness
D) Not a deficiency
Slide 21: Case Study: Conclusion
What COSO has to say: A related weakness was noted in Principle #9, “Identifies & Analyzes Significant Change”, because the company never adopted key controls over Division C, which was growing rapidly, and the Corporate office assumed it was doing what they expected.
The conclusion was a MATERIAL WEAKNESS for 2 Principles: Principle #10, “Selects and Develops Control Activities”, and Principle #9, “ID & Analyzes Significant Change”.
Slide 22: Case Study Solutions
• Create and implement a Risk Assessment Policy/Procedure
• Interim SOX 404 control analysis, including risk assessment procedures
• Evaluate Materiality (prior to interim testing or just after)
Slide 23: Transition Analysis – 6 mos.
Slide 24: Control Compliance Analysis
COSO Transition:
1. Top Transition Failures (Case Studies)
2. Audit Evidence required
3. Priority Driven by Principles
PCAOB, IIA & SEC Guidance:
1. Latest PCAOB Internal Control Standards
2. IIA Incorporated Top 7 IC Failures
3. SEC Guidance for Mgmt on Internal Controls
Contact: info@avivaspectrum.com, Subject: CCA Reservation
Slide 25: Polling Question 2
Does your organization have a Risk Assessment Policy/Procedure document?
A) Yes, we have one
B) No, wish I had one
C) Don’t Know
Slide 26: Risk Assessment Impact of Reported Changes
Change Management questionnaire. For each item (1 - 4), select "Yes", "No", or "NA" if a change occurred. Comments: if the answer is "YES", identify the personnel change, name of application/system affected, business process change, affected policy(ies) name(s), date of change(s), and action items taken to ensure the key control and/or business process continue to operate effectively.
1. Organizational Changes: Are there any significant changes in the key personnel managing the process?
2. System/Technology Changes: Are there any significant changes in the financial (application) systems, including additions or modifications to existing systems? Are there any significant technology changes?
3. Process (including report) Changes: Are there any significant changes in the business processes, including reporting changes? (Process or Control narrative should be updated for specific changes to controls and/or business processes)
4. Significant Policy or Regulatory Changes: Are there any significant changes in regulations, operating and/or financial policies and/or procedures?
List any planned significant changes (organization, systems, process, policies and procedures and others) that you anticipate in 201X that may affect or potentially affect the internal controls over financial reporting for your business process, including the expected implementation date, impact of such changes and related action items to ensure that the key control and/or business process continue to operate effectively. This section must be completed.

Benefits/Impact of Regular Change Management Reporting
• Identify areas that require a walkthrough or new areas to be added to the audit plan:
  – Could lead to postponed testing
  – Updated audit plan
  – Updated testing strategy
  – Updated risk assessment
• Identify current and future areas of risk:
  – Significant changes in people, process, or technology
• Identify opportunities to serve in an advisory role:
  – New systems/technology
  – New regulations that may impact the Organization
Slide 27: Polling Question 3
Is your organization conducting risk based walkthroughs?
A) Yes
B) No, wish we would
C) Don’t Know
Slide 28: New PCAOB Auditing BAR!
• Caused audit procedure layering
• More in-depth written description of estimates and use of judgment, especially review controls
• Detailed documentation and testing of system reports utilized in performance of controls
Slide 29: Level of precision in Plain English?
• How detailed is management’s review of journal entries?
• Document your thought process:
  – Dollar Threshold
  – Percentage of Revenue
  – Geographic Location
  – Lines of Business
  – Other Risk Factors
  – Timing
Slide 30: IT dependent controls (pg#27)
Slide 31: IT Spreadsheets – RA Process
Inventory your Excel files (total in-scope versus out-of-scope)! The next tab reveals what you’re testing!
Slide 32: Combined Risk Scoring – In-Scope Excel Files
Slide 33: Testing Example
Slide 34: Polling Question 4
For sampling controls to test, do you find your current risk assessment is adequate?
A) Yes, to a degree
B) Yes, but needs some work
C) No, we need a new approach
Slide 35: Community & Sharing
Join Our LinkedIn Group: COSO Framework Discussion & Webinars
http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about
Technical community sharing ideas, templates, webinars and advice; learn from others implementing the new framework. Share your latest templates here!
Slide 36: Q & A session (5 – 8 Min)
Sonia Luna – President, CEO, Aviva Spectrum
www.linkedin.com/in/sonialuna
www.slideshare.net/soxppt
www.avivaspectrum.com/podcasts