risk assessments best practice and practical approaches webinar

Compliance Made Simple Risk Assessments Best Practice & Practical Approaches Thursday, June 19, 2014 Presented by: Sonia Luna & Monica Raffety

Upload: www.avivaspectrum.com

Post on 30-Nov-2014


DESCRIPTION

Risk assessments are the primary component when planning, executing and delivering value in an internal audit. They are the building blocks of your internal audit activities and operational audit program. Sonia Luna, CPA, CIA, CEO of Aviva Spectrum, and Monica Raffety, CIA, Senior Manager, Financial Controls at Kaiser Permanente, will help you to:

• Understand the risk assessment tools available

• Learn how and when to apply risk assessment techniques

• Leverage different forms of quantitative and qualitative analysis techniques

• Learn when to deviate from risk assessment templates with a memo or scoring

• Understand what external auditors, management and the Board need to know when executing a risk assessment

• Understand how risk assessments impact the internal audit activities, from walkthroughs to testing

TRANSCRIPT

Page 1: Risk Assessments Best Practice and Practical Approaches Webinar

Compliance Made Simple

Risk Assessments

Best Practice & Practical Approaches

Thursday, June 19, 2014

Presented by:

Sonia Luna & Monica Raffety

Page 2

Bios

• Sonia Luna has over 16 years of internal and external audit experience. She worked at two of the Big 4 before leaving as an audit manager to create Aviva Spectrum in 2004. Aviva Spectrum provides a wide variety of internal audit services, including SOX 404, COSO 2013 transition, compliance audits and quality assessment reviews.

• Monica Raffety has over 15 years of internal audit and compliance experience. She began her career in the financial services industry, where she held various internal audit / risk management roles. She is also a former President and current Board of Governors member of the San Gabriel Valley IIA Chapter.

Page 3

Disclaimer

The comments, statements, views and opinions expressed in this webinar and other printed material do not reflect the views or opinions of the presenters’ current or past employers.


Page 4

Risk Assessment Planning Process

• Establish the Purpose and Identify Risks

• Measure Risks

• Review, Report, and Communicate Results

Page 5

Risk Assessment – Establish the Purpose

– Identify purpose and focus: Financial Misstatement, Fraud, Other

– Collaborate with Internal Audit, Compliance, Business Management, and IT Management: hold risk assessment meetings, conduct interviews, complete risk assessment questionnaires, and perform site visits to validate understanding of strategy, initiatives, products/services, and system changes

– Establish ownership of the risk assessment process

– Establish risk assessment frequency: quarterly, annually

– Create a format that is easy for stakeholders to review and maintain

Page 6

Risk Assessment Questionnaire Example

Page 7

Risk Assessment – Identify the Risks

– Review regulatory literature for your industry:

• Office of the Comptroller of the Currency (OCC) for risks affecting financial institutions: Semiannual Risk Perspective, Fall 2013

• Centers for Medicare and Medicaid Services (CMS) for risks affecting health care: http://www.cms.gov/Medicare/Compliance-and-Audits

– Review past audit reports:

• Length of time since last audit, prior findings, number of findings

– Perform quantitative and qualitative analysis:

• Significant financial statement line items

• Thresholds such as exceeding overall materiality (5% of pre-tax income)

• Volume of transactions – dollar amount and count

• Identify risk factors

Page 8

Examples of Risk Categories

– Financial: Credit Risk, Interest Rate Risk, Asset Quality Risk, Liquidity Risk, Physical Asset Risk, Counterparty Risk, Financial Reporting Risk, Concentration Risk, Price Risk, Transactions Risk

– Information Technology: Physical Events Risk, Capacity / Flexibility Risk, Systems Availability Risk, Information Security Risk

– Legal / Regulatory / Compliance: Compliance Risk, Safety and Soundness Risk, FDICIA Risk, Contractual / Third-Party Vendor Risk, Fiduciary Risk, BSA/AML

– Human Resources / Management Experience: Key Personnel Risk, Workforce Risk, Integrity Risk

– Operations / Change / Complexity: Operational Risk, Cyber Threat Risk

– Prior / Other Audit – Internal, External & Regulatory: Remediation Risk

– Market / Strategic: Product / Services Risk, Reputation Risk, Market Structure Risk, Competition Risk, Political Risk, Acquisition Risk, Strategic Technology Risk

Page 9

Risk Assessment – Measure the Risks

– Set risk levels for each auditable activity:

• Risk factors such as: financial risks, IT risks, legal / compliance risks, operational risks, strategic risks, human resource risks and prior / other audit activities

– Assign a “Risk Score” to each audit activity:

• Based on the likelihood/probability and impact (potential losses) of the inherent risks associated with the activity

– Assign a “Risk Rating” to each audit activity:

• High, Medium, or Low – assigned to each audit activity / area based on the level of risk associated with the activity

Page 10

Example Risk Assessment – Risk Score Matrix

Impact: risk impact on achieving Organizational/Business Unit strategies and objectives

• 3. High – Represents a risk which materially or significantly impacts the achievement of goals and objectives

• 2. Medium – Represents a risk that may prevent achieving goals and objectives

• 1. Low – Represents a risk with little or no impact on achieving goals and objectives

Probability: the likelihood that a given risk will occur, given the current control/business environment

• 3. Probable – Given the current control environment, the risk is likely or very likely to occur and there is a possibility of repeated incidents

• 2. Maybe – Given the current control/business environment, it is possible that the risk may sometimes occur

• 1. Remote – Given the current control/business environment, there is only a remote possibility that the risk will occur

Page 11

Risk Assessment – Prioritize the Risks and Develop Audit Plan/Project

– Develop a risk-based audit plan based on the results of the risk assessment; the assigned risk ratings help to determine the frequency and scope of audit testing

– Example:

• High risk areas may be audited annually

• Medium risk areas may be audited on a rotating basis, every 2-3 years

• Low risk areas may be audited on a rotating basis, every 3-4 years.

Page 12

Risk Assessment – Review, Report, & Communicate Results

– Look at the big picture:

• What risks are you controlling?

• Do you have many controls in areas that are low risk or have not had a material misstatement or fraud event? If yes, why?

– Prepare a risk assessment package:

• Share with Executive Management and review quarterly or annually.

– Identify items that may call for a re-assessment of risks:

• Examples: systems implementations, acquisitions, divestitures, changing business models, changing control/business environment, new technology, etc.

• Update your audit plan as needed

Page 13

Template Materials

• Sample Risk Assessment Questionnaire

• Sample Risk Score Matrix

• Sample Risk Assessment Templates

• Sample Audit Plan

• Sample Change Management Questionnaire

Thank you to the Internal Audit Community that contributed these templates!! Please feel free to share your “scrubbed” or original templates with this group.

Page 14

COSO & Risk Assessments: New 17 Principles

Still the same, only better: more clear and more relevant.

Page 15

COSO 2013: Risk Assessment Updates!

• Fraud Risk Assessment: finally documented (it was already being conducted in practice).

• Includes monitoring of risks as a “Must Have”.

Page 16

Risk Assessment Evidence

[Diagram: Monitoring]

Page 17

Principles: What “holds” a principle UP!

[Diagram: Principle]

Page 18

Risk Assessment Case Study

Company Background:

– Public financial services company

– Three divisions: A, B and C

– Objective category for COSO framework = External Financial Reporting (SOX 404)

Page 19

Case Study: Control Analysis

• Management documented an overview of its assessment of control effectiveness.

• Management determined it had some revenue recognition control deficiencies and needed to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up-and-coming divisions, “DIVISION C”, but there were NO KNOWN financial statement errors!

• Root cause analysis concluded that management failed to implement control activities over the revenue recognition process at Division C, which had become a significant part of the organization’s overall revenue and growth.

Page 20

Case Studies – Polling Question

Question: How bad is it? Was this a …

A) Control Deficiency

B) Significant Deficiency

C) Material Weakness

D) Not a deficiency

Page 21

Case Study: Conclusion

What COSO has to say:

A related weakness was noted in Principle #9, “Identifies & Analyzes Significant Change”, because the company never adopted key controls over the rapidly growing Division C, and the corporate office assumed the division was doing what they expected. The conclusion was a:

MATERIAL WEAKNESS for 2 Principles!

Principle #10 “Selects and Develops Control Activities” and Principle #9 “ID & Analyzes Significant Change”

Page 22

Case Study Solutions

• Create and implement a Risk Assessment Policy/Procedure

• Interim SOX 404 control analysis, including risk assessment procedures

• Evaluate materiality (prior to interim testing or just after).

Page 23

Transition Analysis – 6 mos.


Page 24

Control Compliance Analysis

COSO Transition

1. Top Transition Failures (Case Studies)

2. Audit Evidence Required

3. Priority Driven by Principles

PCAOB, IIA & SEC Guidance

1. Latest PCAOB Internal Control Standards

2. IIA Incorporated Top 7 IC Failures

3. SEC Guidance for Management on Internal Controls

[email protected]: CCA Reservation 5

Page 25

Polling Question 2 (Risk Policy)

Does your organization have a Risk Assessment Policy/Procedure document?

A) Yes, we have one

B) No, wish I had one

C) Don’t know

Page 26

Risk Assessment Impact of Reported Changes

Change Management questionnaire (sample, with the answers recorded in the Select column: Yes, No, NA)

This section must be completed. For each item (1 - 4) select "Yes", "No", or "NA" if a change occurred.

1. Organizational Changes – Are there any significant changes in the key personnel managing the process? Select: Yes

2. System/Technology Changes – Are there any significant changes in the financial (application) systems, including additions or modifications to existing systems? Are there any significant technology changes? Select: Yes

3. Process (including report) Changes – Are there any significant changes in the business processes, including reporting changes? (Process or control narrative should be updated for specific changes to controls and/or business processes) Select: Yes

4. Significant Policy or Regulatory Changes – Are there any significant changes in regulations, operating and/or financial policies and/or procedures? Select: No

Comments (If the answer is "YES", identify the personnel change, name of application/system affected, business process change, affected policy(ies) name(s), date of change(s), and action items taken to ensure the key control and/or business process continue to operate effectively.)

List any planned significant changes (organization, systems, process, policies and procedures and others) that you anticipate in 201X that may affect or potentially affect the internal controls over financial reporting for your business process, including the expected implementation date, impact of such changes and related action items to ensure that the key control and/or business process continue to operate effectively.

Benefits/Impact of Regular Change Management Reporting

• Identify areas that require a walkthrough or new areas to be added to the audit plan:

– Could lead to postponed testing

– Updated audit plan

– Updated testing strategy

– Updated risk assessment

• Identify current and future areas of risk:

– Significant changes in people, process, or technology

• Identify opportunities to serve in an advisory role:

– New systems/technology

– New regulations that may impact the Organization

Page 27

Polling Question 3 (Walkthroughs)

Is your organization conducting risk-based walkthroughs?

A) Yes

B) No, wish we would

C) Don’t know

Page 28

New PCAOB Auditing BAR!

• Caused audit procedure layering

• More in-depth written description of estimates and use of judgment, especially review controls

• Detailed documentation and testing of system reports utilized in the performance of controls.

Page 29

Level of precision in Plain English?

• How detailed is management’s review of journal entries?

• Document your thought process:

– Dollar Threshold

– Percentage of Revenue

– Geographic Location

– Lines of Business

– Other Risk Factors

– Timing

Page 30

IT dependent controls (pg#27)


Page 31

IT Spreadsheets – RA Process

Inventory your Excel files (total in scope versus out of scope)! The next tab reveals what you will test!

Page 32

Combined Risk Scoring – In-Scope Excel Files

Page 33

Testing Example


Page 34

Polling Question 4 (Sampling)

For sampling controls to test, do you find your current risk assessment is adequate?

A) Yes, to a degree

B) Yes, but needs some work

C) No, we need a new approach

Page 35

Community & Sharing

Join Our LinkedIn Group: COSO Framework Discussion & Webinars

http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about

A technical community sharing ideas, templates, webinars and advice; learn from others implementing the new framework.

Share your latest templates here!

Page 36

Q & A session (5 – 8 min)

Sonia Luna – President, CEO, Aviva Spectrum

www.linkedin.com/in/sonialuna

www.slideshare.net/soxppt

www.avivaspectrum.com/podcasts