Internal Audit
Mini How To
Twinning Contract MT 2003 / IB / AG/ 01/TL
3 August 2004 STE Benini
General AUDIT process in Paying Agencies
• Process Mapping
• Risk Mapping
• Risk Evaluation
• Definition of the PA's Risk Portfolio
• Audit planning
• Negotiate with management the risk level accepted
• Audit Executions
• Audit Reports
• Audit Summaries
Negotiate Risk Level Expectations With PA`s Management
• Assess the maximum risk level which it is objectively reasonable to propose as acceptable
• In the case of a PA, this level will probably be a risk level compatible with the preservation of the PA's accreditation by the EU
• The risk level compatible with maintaining accreditation can be found in the ten EU guidelines on the elements necessary for the accreditation process to be successfully performed
• The Internal Audit Manager (IAM) has the responsibility for the negotiation with the PA's management
• The IAM has to arrange some meetings with the PA's management
• The IAM's target is to define a written paper professionally known as a "mandate"
IAM`s Mandate
The skill of the IAM lies in finding a common area between three different needs (see below):
• Maximum risk level acceptable
• Internal Audit Service skills and resources
• Management's risk expectations
Internal Audit Manager behaviour should be as follows:
• To obtain a mandate which is located in the central overlap shown on the previous slide
• To obtain a mandate which is realistic, considering the skills and the resources (goods and personnel) of the Internal Audit Service (IAS)
• To match, if possible, the risk level expectations of the PA's management
• To match, at any cost, the maximum risk level acceptable for the PA
• If the former target proves too difficult to obtain, the IAM should ask the PA's management to acquire the necessary resources, or decline responsibility
Control Risk and Self Assessment process
• Why a CRSA? CRSA is the latest fashion in Internal Auditing; it is fast, effective and reasonably easy to do, and it offers some advantages over the traditional approaches
• Is CRSA the best way to do it? It depends on the level of detail you have to reach in your risk mapping
• How can I perform a good CRSA? You have to be very methodical and to use standard forms for your records. Use Excel sheets, avoid Word. I suggest building a risk database, starting from the Excel sheets
• How often do I need to update my CRSA within the five years of the planning? Generally it will be sufficient to do it yearly
CRSA structure:
• Familiarization with the audited structure
• Identification and description of processes
• Summarize and report your conclusions
• Building the Excel sheets to be filled in
• Conduct the interviews
Familiarization
• Go and find manuals, procedures, integrative papers
• Conduct pre-mapping interviews
• Find and study every relevant rule which governs the process
• Get the organigrams
• Try to figure some workflows out
• Cross-verify two or more manuals, procedures and integrative papers
• Make preparatory summaries of your findings
• Design a Processes Map
• After you have done all this, have competent people within the audited structure confirm or resolve your doubts
What should I be looking for to describe a process?
• Who is responsible for the process?
• Where does it start?
• Where does it end?
• How many steps does the process have?
• What are the relations between this process and other relevant processes?
• Which type of process is this (Main Horizontal Process, Vertical Process, Support Process)?
• How may I design the form for the process description?
Example of Processes Map: Maltese Paying System Processes Map

Vertical Scheme (Authorization Function, various delegated bodies):
• IACS (IACS office at MRAE), delegated body
• Distribution of Withdrawal Aid of Operative Programmes in the Fisheries Sector
• Distribution of Carry Over Aid in the Fisheries Sector
• Production and Marketing of Honey
• Processed Products from Fruit and Vegetables
• Area-Related Rural Development Measures: Less-Favoured Area
• Rural Development Measures
• Area-Related Rural Development Measures: Agri-Environment
• Alimentary Aid for the Poor
• Bovine and Ovine Aid Schemes (partially area related)
• Market Arrangements in the Sector of Fresh Fruits and Vegetable Products
For each of these schemes the map shows a Technical Service, performed by a separate unit within every authorization unit.

Paying Agency processes shown across the map:
• Protocol and Folder Managing
• Execution of payments (Paying Agency)
• Accounting to EU (Paying Agency)
• Management of Guarantees, Debtors and Sanctions (some parts)
• Management of Guarantees, Debtors and Sanctions (other parts)

Support Processes:
• IT department, IT manager (MITTS), delegated body
• Internal Audit (IT Auditor)
What is a risk?
• Risk is everything that can prevent you from doing something you have to do
• Risk can be actions, inaction, actions performed not so well, or actions based on misunderstanding
• Risk can be an unwanted heritage of your predecessors in the office
• Risk can be a consequence of somebody's action outside the office (external risk)
• If you have a risk, you have to put a control on it
• The IAS has to map processes, then map risks onto processes, then assess whether the process owner knows his risks and how he deals with them
What is a control?
• Something that can prevent a risk from having its effect on your work
• Something that you can afford to put in place
• Something effective and efficient
• Something that should be multipurpose (if one control covers more than one risk, so much the better)
• Something that isn't redundant
• Something reliable
• Something that can be: preventive, successive (after the fact), or on course (during the process)
Example of form for mapping
Summarize and planning
• After you have done your job you will have to classify and count your risks
• Find your way to classify your risks (high, medium, low or 3, 2, 1 level risks, etc.)
• Count the risks for every process and take the average between them
• Obtain the risk level for each process
• Summarize your results with graphs and a formal paper
[Bar chart: number of 1st, 2nd and 3rd level risks for Process 1, Process 2 and Process 3; vertical axis from 0 to 25]
How can I measure the weight of my risks?

RISK MEASUREMENT MATRIX: RISK WEIGHT = PROBABILITY + IMPACT
Rows: probability of risk; columns: impact of risk; each rated l(1), m(2) or h(3).

                     IMPACT OF RISK
PROBABILITY OF RISK  l(1)   m(2)   h(3)
h(3)                 m(2)   h(3)   h(3)
m(2)                 l(1)   m(2)   h(3)
l(1)                 l(1)   l(1)   m(2)

The same matrix as a table of probability (P), impact (I) and resulting weight (W):

P  1  1  2  2  3  1  2  3  3
I  1  2  2  1  1  3  3  2  3
W  1  1  2  1  2  2  3  3  3
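As an added example (not part of the slides), the following Python puts the risk measurement matrix above together with the "count, average, classify" steps of the "Summarize and planning" slide; the process names and the (probability, impact) pairs are constructed sample data, and rounding the process average half-up is an assumption, since the slides do not say how to round.

```python
# Added example, not from the slides: risk weights from the page's matrix,
# then the per-process counts and average level used in the CRSA summary.
from collections import Counter
from statistics import mean

LEVELS = {1: "low", 2: "medium", 3: "high"}

# Risk measurement matrix as on the page, indexed [probability][impact].
# It is equivalent to thresholds on P+I: <=3 -> 1, 4 -> 2, >=5 -> 3.
WEIGHT_MATRIX = {
    3: {1: 2, 2: 3, 3: 3},   # high probability row
    2: {1: 1, 2: 2, 3: 3},   # medium probability row
    1: {1: 1, 2: 1, 3: 2},   # low probability row
}


def risk_weight(probability: int, impact: int) -> int:
    """Weight (1-3) of one risk rated with probability and impact 1-3."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError("probability and impact must be 1, 2 or 3")
    return WEIGHT_MATRIX[probability][impact]


def level_counts(risks):
    """Count 1st, 2nd and 3rd level risks, as in the summary bar chart."""
    counts = Counter(risk_weight(p, i) for p, i in risks)
    return {level: counts.get(level, 0) for level in LEVELS}


def process_risk_level(risks) -> int:
    """Average the weights of a process's risks and round half-up to a level.
    risks: list of (probability, impact) pairs; 0 means no risks recorded."""
    if not risks:
        return 0
    return int(mean(risk_weight(p, i) for p, i in risks) + 0.5)


def summarize(portfolio):
    """Per process: counts per level and the overall process risk level."""
    return {name: {"counts": level_counts(risks),
                   "level": process_risk_level(risks)}
            for name, risks in portfolio.items()}


# Constructed sample portfolio: process name -> [(probability, impact), ...]
SAMPLE_PORTFOLIO = {
    "Execution of payments": [(3, 3), (2, 3), (1, 2), (2, 2)],
    "Protocol and Folder Managing": [(1, 1), (1, 2), (2, 1)],
    "Accounting to EU": [(3, 2), (1, 3), (2, 2)],
}

if __name__ == "__main__":
    for name, result in summarize(SAMPLE_PORTFOLIO).items():
        print(f"{name}: {result['counts']} -> {LEVELS[result['level']]}")
```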