
Risk Assessment For Internal Auditors

Date post: 25-Dec-2014
Upload: minkhollow
Transcript
Page 1: Risk Assessment For Internal Auditors

Risk Assessments for Audit Planning

James P. Giordano, CPA, CFE, CCFS

Audit Manager, Management Audits

Office of Internal Audits

Page 2: Risk Assessment For Internal Auditors

Risk & Assessment - Definitions

Risk - the threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood.

Risk assessment - the identification and analysis of risks to the achievement of business objectives. It forms the basis for determining how risks should be managed.

Page 3: Risk Assessment For Internal Auditors

Risk Assessments

Allows an entity to understand the extent to which potential events might impact objectives.

Assesses risks from two perspectives:
- Likelihood
- Impact

Are used to assess risks and can also be used to measure the related business objectives.

Page 4: Risk Assessment For Internal Auditors

Risk Assessments

Employ a combination of both qualitative and quantitative methodologies.

Relate time horizons to objective horizons.

Assesses risk on both an inherent and a residual basis.

Page 5: Risk Assessment For Internal Auditors

Inherent Risk Vs. Residual Risk

Inherent Risk

The risk that exists before you address it, i.e., the risk to your Facility or Network in the absence of any actions taken to alter either the likelihood or impact. Every company faces it; not all manage it effectively.

Residual Risk

Also known as “vulnerability” or “exposure.” It is the risk that remains after your Facility or Network has attempted to mitigate the inherent risks.

Page 6: Risk Assessment For Internal Auditors

Risk Analysis

[Diagram: Risk Analysis, with three components]

• Risk Assessment: Identification, Measurement, Prioritization
• Risk Management: Control It, Share or Transfer It, Diversify or Avoid It
• Risk Monitoring: Process Level, Activity Level, Entity Level

Page 7: Risk Assessment For Internal Auditors

Definition of Internal Control

Internal control is a process, effected by management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations;
• Reliability of financial reporting; and
• Compliance with applicable laws and regulations.

“These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.”

Page 8: Risk Assessment For Internal Auditors

Internal Control Key Concepts

• Internal control is a process. It is a means to an end, not an end in itself.

• It is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

• It can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

• It is geared to the achievement of objectives in one or more separate but overlapping categories.

• While internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

Page 9: Risk Assessment For Internal Auditors

Internal Control Myths and Facts

MYTH: Internal control starts with a strong set of policies and procedures.
FACT: Internal control starts with a strong control environment.

MYTH: Internal control: That’s why we have internal auditors!
FACT: While internal auditors play a key role in the system of control, management is the primary owner of internal control.

MYTH: Internal control is a finance thing.
FACT: Internal control is integral to every aspect of business.

MYTH: Internal controls are essentially negative, like a list of “thou-shall-not's.”
FACT: Internal control makes the right things happen the first time.

MYTH: Internal controls take time away from our core activities of patient services, financial reporting, and supply chain, payroll and core business processes.
FACT: Internal controls should be built “into,” not “onto” business processes.

Page 10: Risk Assessment For Internal Auditors

Internal Auditors add value by:

• Implementing a risk-based approach to audit planning and executing the internal audit process.

• Ensuring that internal auditing resources are directed at those areas most important to the organization.

• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of their risk treatment strategies.

Page 11: Risk Assessment For Internal Auditors

Internal Auditors add value by:

• Reviewing critical control systems and risk management processes.

• Performing an effectiveness review of management's risk assessments and the internal controls.

• Providing advice in the design and improvement of control systems and risk mitigation strategies.

Page 12: Risk Assessment For Internal Auditors

Benefits of Risk Assessments

Performing thorough risk assessments:

• Will help focus the annual audit plan on key business risks and support management’s decision-making processes.

• Will make detailed audit procedures more efficient and focused on areas where problems may exist, or where positive action can be taken to improve a process.

Page 13: Risk Assessment For Internal Auditors

Why Do a Risk Assessment?

1. It will assist in development of a multi-year internal/compliance audit plan.

2. It helps to identify specific areas of concern that require immediate attention.

3. It can be used to support internal Network/Facility initiatives.

4. It can be utilized to dissuade unfocused internal initiatives.

5. It helps realign priorities and refocuses existing resources.

Page 14: Risk Assessment For Internal Auditors

Risk Assessment Components

• Ascertain process goals and objectives;

• Determine who’s responsible/accountable;

• Review the tenure of key employees;

• Document & flowchart process flows;

• Review process maturity (documentation, monitoring); and

• Key performance indicators and 5-year trends.

Page 15: Risk Assessment For Internal Auditors

Risk Assessment Process

[Diagram. Steps shown: Discussions With Management; Customize Risk Assessment Approach; Perform Risk Assessment; Communicate & Provide Materials to Participants; Analyze Results; Develop Output.]

Risk Assessment Summary

[Diagram. Labels shown: 1. Identify; 2. Source; 3. Measure; Analyze Risks; Communication; Develop Strategy; Implement; Audit; Analyze.]

Page 16: Risk Assessment For Internal Auditors

The Keys to Success in Risk Assessment

• Buy-in and support from executive/senior management and Board
• Solid Framework to organize activities
• Link risk management activities to other management activities, strategic planning
• Clearly articulated risk management goals and objectives
• Commonly understood risk language

Page 17: Risk Assessment For Internal Auditors

Questions?

Page 18: Risk Assessment For Internal Auditors

We Wish to Thank the following Corporations for Their Assistance

Crowe Horwath LLP

The Institute of Internal Auditors

Deloitte

HCPro, Inc.

