Internal Audit


From:       R Dharmarajan
Date:       February 10, 2010
Re:         Risk Assessment Heat Map and Planning Format


1. Conduct a risk assessment of the Company’s operations.
      A. Determine mission, goals, objectives, and size
      B. Research literature to identify potential management risks
      C. Brainstorm initial risks, expected management controls
      D. Interview third party officials to identify other potential risks
                  Legislature Fiscal Staff
                  Executive Department Staff
                  Other Auditors
                  Interest Groups
                  Regulatory Agencies
      E. Brainstorm further risks and refine original risks

2. Develop an Audit Scope Analysis that includes:
      A. Audit
      B. Background
      C. Audit Scope – what topics the audit would review
      D. Contribution – what the audit would accomplish
      E. Resource Requirements – preliminary time and cost estimates

3. Management Meeting to Select and Prioritize Audits
      A. Evaluation of potential audit topics
      B. Consider audit user needs and expectations
      C. Establish audit priorities and cyclical audit requirements
      D. Decide which audit topics are to proceed to the detailed planning phase

                                       RISK ASSESSMENT MATRIX
                                         SUBJECT: (Department)

Columns:
     Risk | Control Techniques (Expected) | Effects of Inadequate Controls or Controls Not Applied |
     Control Methods Cited by Management | Risk Level (Hi, Med, Low)

                            Obtain More Information on Company Operations
     Detailed Company Budget
     Policies and Procedures
     Organization Charts
     Performance Measures

                                    Interview Company Management
     Focus Questions on Identified Risks and Management Controls
     Use Standardized Questionnaire

                                    If Management Indicates Controls Are Not In Place:
     * Review list of expected controls with management to confirm they do not exist

                                    If Management Indicates Controls Are In Place:
     * Review relevant documents
     * Conduct tours
     * Review a small number of records or transactions

                                              Finalize Matrix
     Assign High, Medium, Or Low Risk
     Determine Audit Ability
     Record Testing Methods/Audit Steps For High Risk Area

                                 Test Potential Audit Steps to Determine:
     Whether Testing Methodologies Are Sound
     Whether Information Is Available
     Estimated Time Needed To Complete the Audit Steps

        The following questionnaire should be useful to assess the degree of internal control exercised
by management in the Company.

A.      Control Environment
        The control environment defines the tone of the Company and the way it operates. Some basic
        concerns are:

                         The Control Environment                                Yes       No       W/P
(1) Does the Company have a written mission statement (a concise written
statement concerning purpose goals and objectives of the Company)?
(2) Is there an organization chart for the Company?
(3) Are there written management plans for the Company (workplans,
program plans, policies and procedures, other)?
(4) Is there a written delegation of authority in the Company to identify the
chain-of-command and reporting responsibilities?
(5) Are employees aware of their responsibilities pursuant to the work
plans? (Do employees have common sense knowledge of the Company’s
(6) Do job descriptions reflect what the employees do and do they have the
competencies to perform their required tasks?
(7) Are performance evaluations on file and up to date?
(8) Are department supervisors held accountable for staff performance?
(9) What is the size of the staff?
(10) How does the Company recruit qualified people?
(11) Does the Company do background and resume checks?
(12) How does the Company foster integrity among its employees?
(13) Does the Company have adequate employee training (compute
average training per staff person)?
(14) Is there an adequate separation of duties (no employee should have
sole responsibility for a significant activity from beginning to end)?
(15) Are the objectives for internal controls documented?
(16) Do the departments hold regular staff meetings?
(17) Are reports distributed in a timely manner?

B.      Risk Assessment
Risk Assessment is a process to determine how management deals with the risks posing a threat
to the accomplishment of its objectives. This process identifies risk and analyzes its likelihood of
occurrence and impact. This process will allow management to determine how much risk they
are willing to accept and set priorities accordingly.

(1) The objectives of the Company and a statement of what those objectives are intended to achieve.
       * Describe each department being assessed.
       * List all people and organizations (internal and external) that are associated with this
         function and how they are associated.
       * Outline the Company’s activities and briefly describe the procedures involved in
         performing each activity.
       * Describe what would happen if the procedures above were not performed or done poorly.
         What is the risk associated with each activity?
       * Describe the existing controls and potential problems.

(2) Company’s methods for evaluating the adequacy of internal controls and program
       * Techniques used, such as observation, discussion, evaluation or testing of controls.
       * Are there any inadequate procedures in place? Are improvements suggested?

(3) Identify the risk factors the Company evaluated.
    These should be simple, clear, meaningful, definable and answerable, such as:
       * The extent of regulation of the Company and the risk of non-compliance, or the negative
         effects of adverse publicity as well as of a lack of public awareness.
       * The liquidity of its assets.
       * The extent of computer data processing.
       * The extent of government to meet objectives.
       * The size of the Company, etc.

(4) What is the likelihood of the risk occurring?
    If the Company has good internal controls the risk of occurrence will be low. If adequate
    controls are not in place the risk of occurrence will be high.

(5) What is the impact on the Company if an adverse event happens?
    What are the impacts of:
       * An erroneous decision from the use of incorrect or unreliable data.
       * Erroneous record-keeping, inappropriate accounting, fraudulent reporting, loss and
       * Failure to adequately safeguard assets.
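
The Finalize Matrix step above and items (4) and (5) rate each risk High, Medium or Low from the likelihood implied by control adequacy and the impact of the adverse event. The following is an added Python example, not part of the memo; the three-point scales, the 3x3 score cut-offs, the field names and the sample rows are assumptions.

```python
from dataclasses import dataclass
# Ordinal scales, 1 = lowest. Per item B(4) likelihood follows control adequacy;
# per item B(5) impact is the consequence of the adverse event. Cut-offs assumed.
LIKELIHOOD = {"not in place": 3, "partly in place": 2, "in place": 1}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}

@dataclass
class RiskEntry:
    """One matrix row: Risk, Expected Controls, Effect, Controls Cited, Impact."""
    risk: str
    expected_controls: tuple
    effect_if_inadequate: str
    controls_cited: tuple
    impact: str  # minor / moderate / severe

    def control_status(self) -> str:
        """Compare the expected controls against those management cites."""
        present = set(self.expected_controls) & set(self.controls_cited)
        if not present:
            return "not in place"
        return "in place" if present == set(self.expected_controls) else "partly in place"

    def rating(self) -> str:
        """Heat-map cell on the 3x3 grid: score 6-9 is Hi, 3-4 Med, 1-2 Low."""
        score = LIKELIHOOD[self.control_status()] * IMPACT[self.impact]
        return "Hi" if score >= 6 else "Med" if score >= 3 else "Low"

def heat_map(entries):
    """Risk names grouped by (likelihood, impact) cell for plotting the heat map."""
    grid = {}
    for e in entries:
        grid.setdefault((LIKELIHOOD[e.control_status()], IMPACT[e.impact]), []).append(e.risk)
    return grid

def finalize_matrix(entries):
    """Finalized rows, highest risk first; Hi rows are flagged for recording audit steps."""
    order = {"Hi": 0, "Med": 1, "Low": 2}
    return [{"risk": e.risk, "controls": e.control_status(), "effect": e.effect_if_inadequate,
             "rating": e.rating(), "record_audit_steps": e.rating() == "Hi"}
            for e in sorted(entries, key=lambda e: order[e.rating()])]

# Constructed sample rows, not taken from the memo.
SAMPLE = [
    RiskEntry("Unauthorized changes to payroll data", ("separation of duties", "access logging",
              "supervisory review"), "Fraudulent payments go undetected", ("access logging",), "severe"),
    RiskEntry("Performance evaluations not kept current", ("annual review schedule",),
              "Staff accountability weakens", (), "minor"),
    RiskEntry("Reports distributed late", ("report calendar",),
              "Management decisions rely on stale data", ("report calendar",), "minor"),
]
```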
C.      Control Activities
        Control activities are the policies and procedures in place to assure that management’s directives
        are carried out. These activities include a system of approvals, authorizations, verifications,
        reconciliations, reviews of operating performance, security, and segregation of duties. We should
        ask the following questions:

                                Control Activities                                     Yes     No         W/P
(1) Are procedures kept in a manual that is current and readily available?
(2) Are policies and procedures consistent with statutory and Company
(3) Are policies and procedures easy to understand?
(4) Do the policies and procedures in place address approvals, authorizations,
verifications, reconciliations, asset security and the separation of duties?
(5) Is the budget system incorporated in the Company’s planning process? (E.g.,
is performance compared to budget and forecasts?)
(6) Are there approved spending and operating plans in use?
(7) Do performance reports show a comparison with planned performance and
past performance?
(8) Are program achievement reports used as a management tool?
(9) Are problem areas identified and corrective action plans prepared?
(10) Are financial and program achievement reports scrutinized by third parties
or higher level management?
(11) Are audit findings corrected promptly?
(12) Has the scope of prior reviews been very limited?

D.      Information Network and Communications System
        Each department should have an effective system in place to capture and store relevant
        information timely and accurately.
                                Information System                                      Yes      No       W/P
(1) Is the Company highly dependent on ECP systems?
(2) Is data safeguarded to prevent unauthorized access, changes, or loss?
(3) Is there a process to document the application development and life cycle?
(4) Are ECP applications reviewed and updated periodically?
(5) Is input promptly reviewed for authorization, completeness, accuracy, and
(6) Is output promptly reviewed for usefulness, completeness, accuracy, and
(7) Does information provide reports on the Company’s goals and objectives?
(8) Are there clear and open channels of communication within the Company and
with its customers?
E.      Monitoring
        To ensure that internal control systems are performing as intended, the Company should monitor
operations. This can be done by reviewing ongoing operations and by having separate evaluations by
management, often with the assistance of the internal or external auditors. A higher degree of ongoing
monitoring lessens the need for separate evaluations. When problems are identified they should be
promptly reported to upper management and appropriate remedial action taken.

                                  Monitoring                                       Yes       No         W/P
(1) When was the last internal control review?
(2) When was the last external review?
(3) Does the Company have a system for tracking corrective actions?
(4) Is there a corrective action plan (steps to be taken to eliminate identified
(5) Does this plan assign responsibility?
(6) Does this plan establish time frames?
(7) Is this corrective action plan responsive to the audit recommendations?
(8) Is this corrective action plan workable and cost-beneficial? (Was cost
benefit evaluated?)
(9) Is there an ongoing monitoring plan in effect? (This would include
worker performance review.)
(10) Does this plan assign responsibility to one employee for overall

F.      Compliance Concerns
        Compliance concerns are any laws, rules, or regulations that specifically pertain to the
        Company. List all laws and rules that apply and briefly describe the compliance concerns.

       Compliance Issue                  Law, Rule or Regulation                   W/P Reference
