Executive Summary
- Agree on a common framework for the risk-based auditing and monitoring program.
- Assess risks across the enterprise and then prioritize them by looking at the likelihood of occurrence and impact for the organization.
- Develop a risk-based auditing and monitoring plan from the identified risk priorities.
- Execute a corrective action plan developed by management to mitigate risks and/or resolve risks.
- Assess the auditing and monitoring process for effectiveness.
Getting Started
In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organization’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate risks for the organization. These discussions should also include leadership from the legal, compliance, and risk management functions, if they are not already a part of the senior leadership team.
This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements, and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behavior. Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an ongoing performance management process to address any noncompliance.
Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:
- Assessment and prioritization of risks, conducted enterprise-wide;
- Development of a risk-based auditing and monitoring plan;
- Execution of a corrective action plan developed by management to mitigate risks and/or resolve risks;
- Periodic assessment of the overall process for effectiveness.
Risk Assessment
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organization from achieving its objectives.[1] According to the COSO model, risk is viewed in four major areas:
- operational (processes and procedures);
- financial (data rolling up to internal/external statements);
- regulatory (federal, state, local, organizational policy);
- reputation (institutional).
There are several ways in which risk assessments in these areas can be conducted. These include the use of:
- focus groups to assist in the identification of risks;
- interviews of key leadership and the board;
- surveys;
- reviews of previous audit findings, external audits conducted in the organization, and identifying what is occurring within the industry and the local market, etc.
Once risks have been identified, a prioritization process is needed to identify the likelihood of the risk occurring, the ability of management to mitigate the risk (i.e., are there controls in place for the risk, regardless of the likelihood of it occurring?), and the impact of the risk on the organization. Risk prioritization is an ongoing process and should include periodic reviews during the year to ensure that previous prioritization methods, when applied in real time, are still applicable for the risk.
It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities. Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.