
31000 Risk Frameworks
A Working Case Study, Version 1.00 (DRAFT)
Martin Davies | Causal Capital © 2014 | [email protected]

PHASE 1: Why RBA

Perhaps one of the largest dilemmas auditors face is being able to give stakeholders of any business they audit a level of confidence that they have captured and assessed 'all' material risks that threaten the company. A thumbs up, if you prefer, after an audit has taken place that the audit went well and the results are sound. If risk is the effect of uncertainty on objectives, as the ISO 31000 global risk standard states it to be, then senior managers often expect auditors to express a level of clarity or coverage on what has been captured during a risk assessment and what additional uncertainty remains on the assessment of uncertainty.

Some people would see the requirement to state clarity, or perhaps fidelity, of an assessment on uncertainty as being a totally bizarre and unacceptable thing to demand. 'Uncertainty on uncertainty' if you prefer, and while describing a position of quality in such matters seems a completely unreasonable thing to ask of anyone, it often plays out in management situations that are laden with painful dialogues that go along the following kind of lines.

"You assessed various risks in our department but how confident do you feel that there aren't errors in your assessment? On the subject of significance, what is materially significant to begin with and what is the level of accepted accuracy? Where do these two thresholds begin to become important to our stakeholders?"

It is amazing that auditors attempt to press through with an audit when such a wide scope is open, but many of them do. Nonetheless, several constructive outcomes or second tiers of investigation and, importantly, realization should be spawned from the simple dialogue we have expressed above. I have listed this 'investigative realization' to the right and auditors should avoid entertaining it in a defensive manner.

| Three Axioms of the Auditor's Dilemma

Firstly, is it possible that we can audit every single aspect of any business, observing perpetually the operation of each control and accurately capturing all anomalies that may have occurred? Is that even feasible to ask of an auditor? This probably isn't possible to achieve but even if it was, is it a good use of an auditor's time when we are paying for this time?

Let's assume that this hundred percent 'coverage fantasy' was possible; perhaps then the auditor should double check their assessments, and for every single item. Why not triple check the audit samples just to confirm that what they have observed the first time round during their assessments is accurate? Surely we need to be comfortable that we don't have any significant material errors in the audit results we originally observed in any of our business processes and in the first place?

Finally, is absence of evidence truly evidence of absence in our audits? That is, if the auditor was unable to discover material control weaknesses or evidence that such things have occurred during an audit, how can we truly and reliably know that what we have in an audit result isn't just some kind of informal fallacy?

The three axioms of the auditor's dilemma can be resolved by constructing a Risk Based Audit Framework that progresses through an audit program in a manner that asserts a confidence level for assurance rather than simply capturing audit test results in an 'untargeted' way. There are many different Risk Frameworks in use today but perhaps the most famously used technique employed by auditors is the COSO framework. COSO is an association that has established a common internal control model against which companies may assess their control systems and it has been a guide for auditors for years. The new revision of the COSO brief was released in late 2012 and certainly it builds on the earlier publication. Personally, I favour ISO 31000 as a backbone template for designing risk frameworks and for no other reason than ISO 31000's elegance in simplicity.

ISO 31000 is a generic risk standard that could be applied to Risk Based Audits or Enterprise Risk Management; in fact it could be used with any kind of risk assessment exercise and has directly influenced the style of this paper.

| ISO 31000 Context: ISO 31000 Aligned to a Risk Based Audit Exercise

The ISO 31000 clause 5 has been shown in Figure 2 above and highlights the key activity flow that might be employed by an auditor attempting to assess risk. We extend this specific set of processes into eight key activity centres for our Risk Based Audit program and we will describe the activities over the remaining pages of this paper.

There are eight unique and discrete phases for this comprehensive Risk Based Audit framework:

1 Why RBA: Auditors need to establish a framework for carrying out a Risk Based Audit.
2 Defining Scope: Definition of scope and risks being audited will ensure appropriate use of resources.
3 Mapping: Auditors map the business unit they are to audit to ensure focused contextual relevance.
4 Risk Registration: Risks are identified, assessed, evaluated and recorded in a database for review.
5 Ctl Identification: Controls that manage risks are identified and a control network is investigated and recorded.
6 Ctl Investigation: Auditors investigate the control effectiveness, residual risk and identify what to audit.
7 Audit Test: Audit sampling size and method is established and the auditor tests for material weaknesses.
8 Audit Report: A final audit report is written on the process of the audit, its outcome and its findings.

The eight activity centres flow in a natural waterfall manner, passing information from one activity to the next and in doing so, the resulting outcome will lift the quality of an audit and resolve the auditor's dilemma we opened with at the beginning of this paper.

Causal Capital - 31000 Frameworks

PHASE 1 (continued)

Perhaps a good place to start with a Risk Based Audit framework is to answer why we entertain such a thing in the first place. Why not simply assess whether a business unit is compliant or how well it is meeting internal company policy during an audit?

Auditors face two key constraints when they plan their audits and decide how deep to go on an audit. Firstly, they have limited resources, especially when it comes to time, and secondly, executive management are increasingly demanding to know what the outcome of control failure actually means for their business. Most managers aren't interested in traffic light risk responses (Low, Medium, High) but in specific financial amounts as an expression or measure of risk. This is especially the case when control failure is implicated. Managers would like to see the range of potential financial losses a business unit may face and how effective their staff are at controlling these threats.

In Figure 3, two very different business departments are being represented. One department has a very low inherent risk profile, while the other has quite a high inherent threat potential. This is definitely evident when the two business units are compared alongside each other.

Item | Priority Questions
1 | How much time does the auditor have to audit?
2 | How risky is the department being audited?
3 | How dependent is the business on the department?
4 | What is the manager's perception of the department?

| Example Departmental Risk Profiles

Given that the auditor has only so many hours in the year in which they can audit the entire business, they will find that focusing more effort on auditing the most risky business units is likely to return more commercial value for their entire auditing work.

The types of preliminary areas of investigation an auditor might bestow on a business to identify which functions are risky have been listed in the Inherent Departmental Profile Table (Figure 3). It is important to note that some lines of questioning have a higher weighting than others; Unit Dependency (how many departments are dependent on this business unit), transaction volume, transaction size and transaction complexity are all key inherent risk profile areas that need to be understood.

More advanced auditors may evaluate the entire departmental inherent exposure using an algorithm or model that will generate a final inherent risk score for the department. We will explore some of the example methods for generating inherent risk exposure in Phase 4b of this paper.

| Audit Time Allocation Example

In conclusion: risk profiling the business allows for audit time to be allocated more appropriately.

PHASE 2: Defining the Audit Scope

The concept of auditing a business unit can mean many alternate things to different people and there are a lot of different types of audits that auditors entertain, taking in financial audits, operational audits, audits for quality, functional audits, risk based audits and so on. Risk Based Audits generally take longer to prepare than a standard audit of compliance, but this planning phase only has to be progressed through in its entirety the first time an auditor audits a specific department for risk. Once the Risk Based Audit is prepared, data only has to be refreshed in subsequent audit work.

| Changing the scope increases audit time

| Features of an audit

Before the auditor carries out any kind of audit they must establish a scope for the audit. The scope will identify what activities are to be carried out during each phase of the audit program and what the expected outcome is from each of these activities.

It is amazing that so many auditors fail to set scope boundaries on their audits, but unless they do, the audit is likely to slip its estimated schedule and deadline. Worse, the auditor will focus on specific aspects of the business that don't meet the audit objective, they will also expend additional and unnecessary management time on the audit and, finally, the audit report's completeness is likely to be compromised.

Given all of this then, setting the scope of what is included in an audit is perhaps the first place risk based auditors should begin.

Item | Audit Type | Audit Scope Questions | Changes Scope
1 | Risk Based Audit | Control coverage & ability to manage risk | Emphasis on measuring risk
2 | Standard Audit Test | Meeting compliance objectives | Binary response, % of compliance
3 | Quality Control Audit | How well are prime directives being serviced | Increases audit scope
4 | Functional Audit | Taxonomical Causal Event Analysis | Complex, detailed and a narrow type of audit scope
5 | Business Performance and Efficiency | Capacity efficiency, capacity & idle resources | A complex audit that looks at Quality Control + processes

| Examples of different types of audit scopes

If we are to address the coverage aspect of the auditor's dilemma, then we must surely start with setting a scope. The key aspects of scope for a Risk Based Audit focus heavily on identifying risks, risk registration, capturing information on relevant control networks that may reduce risk and assessing how effectively staff have been operating these controls. Quantitative models are usually entertained in a Risk Based Audit and some of these techniques will be discussed later on in this paper.

Risk Based Auditors will normally need to capture specific financial data such as sales values and potentially some forecasted data, but unless audit efficiency is selected as an audit requirement, confirming the accounts for control costs will require less focus during the audit program.

PHASE 2: Risk Taxonomies

The development of a risk taxonomy, or category of risks that are to be investigated during an audit, is an essential part of the audit scoping process. Yet, many auditors don't engage in this activity. However, I believe it is a critical piece of work that will allow an auditor to define up front what they are looking for during their assessment exercises.

| Top Level Risk Taxonomy

A risk taxonomy brings the auditor into agreement with business unit management. It clearly describes what dysfunction is being audited for; it allows the auditor to formally state that they will be assessing the following disorders within the business processes, systems and work policy of the department. More so, a risk taxonomy will ensure that a homogenous definition of risk is established across the entire company to allow for benchmarking initiatives to be launched at a later date.

In some cases mature auditors will establish the scope of risk definitions in the taxonomy and capture what is included on a risk definition card. This card describes what a risk definition excludes, specific drivers that may cause the risk and associated recognised impacts which will eventually be sought for during audit sampling. This definition card and all the associated contextual risk related information should really be captured in a database that is seen as a living document. This database will be appended to while the entire Risk Based Audit program is being executed.

| Risk Taxonomy Card

| Risk Taxonomy in R-Project

In Figure 9, a set of risk categories have been recorded in a tree like structure using R-Project. Audit scores will eventually be assessed across all business units of the company and sorted to show what is the most serious risk the entire business is facing. This method of recording risks and capturing risk related data across the enterprise allows for Risk Based Audit results to be aggregated, benchmarked and tracked through time. For the risk based auditor, this again may seem like a lot of additional work, but this investigation and write up effort only needs to be carried out once during the planning phase of the Risk Based Audit program.

PHASE 3: Business Unit Mapping

Before the risk registry can be constructed, and as part of the planning phase of an audit, a risk based auditor would normally map the business unit they are going to audit. These business unit maps aren't usually detailed flowchart diagrams because flow charts don't really support risk based assessment. Yet, they are time consuming to develop. In Figure 11 we have used a Value Chain View to capture relevant details that will eventually support the risk identification, evaluation and assessment activities later on in the audit. Key business 'objects' to capture would include:

- Top processes that the department owns and runs in its daily or exception operations.
- Specific IT systems and various services that the business unit utilises but may not own.
- Any KPI policy information that defines quality standards & commercial expectations.
- A list of actual contracts, products or facilities that the business unit is processing.
- Complete department boundaries of ownership: what line managers can control and form decisions on.

| Mapping a Business Unit

| Value Chain View

There are many ways in which a business unit map can be drawn up. Some auditors favour schematic methods while other auditors simply list key processes, systems, business unit inputs and outputs. In the COSO 2012 revision, several example mapping techniques have been explored and I recommend readers take a look at this publication.

Leading auditors often capture specific transaction volumes, processing times and latencies in a business map. They may typecast processes into levels of maturity and invariably look at whether there has been a change in the standard deviation of performance of the business unit they are auditing.

Generally, risks and controls will not be identified at this point in the audit because the maps will themselves be used to directly source this additional information layer. Phase 4a explains the investigative reasoning techniques that are performed in a Risk Based Audit.

PHASE 4a: Risk Registration

| The complete risk registry

The risk registry is perhaps the most recognised central component of a Risk Based Audit program; it is definitely the leading feature that differentiates this type of audit from other standard compliance audits.

The risk registry can be developed by the auditor taking the business unit maps and investigating what could go wrong in different aspects of the business. The auditor may put Logical Investigative Questions to business unit management, and they may consider directly observed operating practices and historical write downs.

Quite often risks are identified alongside controls while the auditor is discussing various risks with different staff in the business. Sometimes line managers may indicate that a unique risk the business is facing is already controlled; nonetheless, the risk should still be captured!

All risks should be recorded in a database or, at the very least, a Microsoft Excel spreadsheet so that they can be investigated and evaluated at a later stage of the Risk Based Audit program.

Business unit managers may also offer suggestions for the size of potential risks or explain why certain risks should be seen as a low concern rather than high; this information needs to be recorded in the risk registry too. At this point in time during the Risk Based Audit program, auditors may ask business managers to express what they see as a high or low risk, critical or not. This line of questioning gauges the general prevailing risk appetite business unit staff actually have.

Item | Logical Investigative Propositions
1 | What happens if IT facilities became unavailable?
2 | What type of exceptions occur in processing?
3 | What factors do staff watch and manage?
4 | Are there specific limits set for the business unit?
5 | What process activities need trained staff?
6 | Are business inputs timely & clean or erroneous?
7 | Is there capacity to cope with transaction growth?
8 | Is intellectual property kept onsite?
9 | How are cash transactions secured?

| Registering Risks in an Investigative Manner

PHASE 4b: Risk Evaluation

Once the risks have been identified and registered in the risk registry, they need to be evaluated. Auditors have a tendency to evaluate risk as the frequency (usually represented on the y-axis of a chart) multiplied by the magnitude (the x-axis), but this form of evaluation is deterministic. Worse, some auditors simply state a risk as low, medium or high, a traffic light representation of risk exposure. This also grossly misinterprets the potential threat for a specific risk and, as a technique, F x M and the unquantified traffic light labelling of risks should be avoided. A more comprehensive and coherent way to estimate material exposure would be to use a statistical evaluation technique. Some of these models have been listed in Figure 16. These statistical approaches generally result in an independent and combined study of both the frequency and magnitude of events for each risk in the registry.

| Traffic Light Risk

| Evaluation Methods: Risk Based Auditors should consider quantitative evaluation
- Monte Carlo models built from templates
- Loss event data that is curve fitted
- Linear correlation and inference models
- Bayesian trees with boot strapping
- Univariate time series & GARCH models ...

When looking at the size of potential loss from risk, one way to represent this would be in the form of a parametric distribution of losses. This resulting curve will have a body, or large area of expected loss, which normally takes up 68.2% of observable experience in the normal distribution. This parametric expression of exposure will also contain tails, a left tail for small losses and a right tail for extreme events, where both these tail events have a much lower likelihood of occurrence. In Figure 17, spot estimates have been made from assessment and then curve fitted so that a high confidence level of 99.5% can be ascertained for all aggregated potential risks in the business unit.

| Normal Distribution

In Figure 18, tools such as R-Project can be used to assess and then statistically describe a data series so that tail events with an appropriate confidence level can be calculated swiftly.

A risk based audit may also attempt to identify if specific risks are correlated, but this additional modelling study is relatively more complex to perform. This is especially the case when observed data has a high level of paucity.

| Deterministic Point Estimates

PHASE 4b: Risk Evaluation (continued)

One of the most popular techniques used by risk analysts for identifying potential outcomes from a set of assumed risk factors or variables would be to pass these variables into a Monte Carlo simulation engine. Monte Carlo modelling has many benefits, which include some of the following:

- Monte Carlo is supported in Excel and, of course, in more advanced software such as R-Project.
- Monte Carlo generates outcomes which are not deterministic in nature and can be represented in a parametric / coherent manner that displays both tail and curve body detailing as model results.
- The Monte Carlo engine is ideal for modelling risk when there is only a small set of observed data points.
- A Monte Carlo model can be used or mixed with a large number of descriptive assumptions.

In Figure 19, the five components of a typical Monte Carlo model have been demonstrated.

| Monte Carlo Example

Which function model to use depends on many different factors, including the time available for the study, the quality of data that has been obtained and the auditor's comfort with the modelling technique to begin with. Whether inferred models, curve fitted models or assessment models are selected, the model outputs are often then passed into an additional Monte Carlo simulation engine to generate a parametric perspective of loss.

| Model Selection
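As an added example (not code from the paper or from Causal Capital), the following Python models one registry risk the way Phase 4b describes: frequency and magnitude are studied independently, then combined by simulation into an aggregate annual loss distribution whose body (expected loss) and 99.5% tail are reported beside the deterministic F x M point estimate. The Poisson frequency, the lognormal magnitude, the two-point curve fit from a 'typical' and a 'bad' loss estimate, and the registry entry itself are my assumptions.

```python
"""Monte Carlo evaluation of a single risk-registry entry (added example).

Assumptions (mine, not the paper's): events per year ~ Poisson(expected_events),
loss per event ~ lognormal, and the assessment supplies a typical (median)
loss plus a 'bad' loss that is exceeded only 5% of the time for the curve fit."""
import math
import random
from statistics import NormalDist, mean


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's method (small lam)."""
    limit = math.exp(-lam)
    k, prod = 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def fit_lognormal(typical_loss, bad_loss, bad_quantile=0.95):
    """Curve-fit a lognormal to two spot estimates: the median loss and the
    loss not exceeded at bad_quantile. Returns (mu, sigma) of ln(loss)."""
    mu = math.log(typical_loss)
    sigma = (math.log(bad_loss) - mu) / NormalDist().inv_cdf(bad_quantile)
    return mu, sigma


def simulate_annual_losses(expected_events, typical_loss, bad_loss,
                           trials=20000, seed=31000):
    """Return one simulated total annual loss per trial (seeded for repeatability)."""
    rng = random.Random(seed)
    mu, sigma = fit_lognormal(typical_loss, bad_loss)
    losses = []
    for _ in range(trials):
        n = poisson(rng, expected_events)                 # frequency draw
        losses.append(sum(rng.lognormvariate(mu, sigma)   # magnitude draws
                          for _ in range(n)))
    return losses


def quantile(values, q):
    """Empirical quantile: the loss not exceeded in a fraction q of trials."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1)
    return ordered[max(idx, 0)]


def evaluate_risk(expected_events, typical_loss, bad_loss, confidence=0.995):
    """Compare the deterministic F x M point estimate with the simulated
    expected loss (distribution body) and the tail loss at `confidence`."""
    losses = simulate_annual_losses(expected_events, typical_loss, bad_loss)
    mu, sigma = fit_lognormal(typical_loss, bad_loss)
    return {
        "f_x_m": expected_events * typical_loss,       # deterministic F x M
        "expected_loss": mean(losses),                 # body of the curve
        "tail_loss": quantile(losses, confidence),     # e.g. 99.5% level
        "p_zero_loss": sum(1 for l in losses if l == 0) / len(losses),
        "lognormal_mean": math.exp(mu + sigma ** 2 / 2),  # analytic E[loss/event]
    }


if __name__ == "__main__":
    # Constructed registry entry: ~3 events a year, typical loss 10,000,
    # a loss of 60,000 expected to be exceeded only 1 year in 20.
    result = evaluate_risk(3.0, 10_000, 60_000)
    for name, value in result.items():
        print(f"{name:15s} {value:>14,.2f}")
```

The F x M figure sits well below the simulated expected loss because the lognormal mean exceeds its median, and the 99.5% tail is several times larger again, which is the detail a traffic light label hides.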

PHASE 5: Control Identification

Like the risk registry, the auditor will also identify different types of controls that are being used by the business to reduce or transfer uncertainty in their daily operations. These controls should be connected to specific risks in the risk registry and may also be 'typecasted' under various criteria such as control maturity or whether the control has been designed for Completeness, Accuracy, Validity or Security.

| Risk Centric Domain

| Control List

Control lists such as the one shown in Figure 22 need to be connected to a risk in the risk registry, but identified controls also need to be assigned to an owner. It is important to note that this owner may not be under the authority of the staff being audited.

Additionally, controls can be pre-event or post-event as shown in the bow-tie diagram example in Figure 23. In our example, different root causes and causal factors have different controls, but it would also be totally feasible for a risk to have more than one control and for a single control to be covering multiple risks across any part of the entire risk registry.

All of these interrelationships should be captured so that the full extent of control failure can be appreciated when the auditor is evaluating the material and potential loss from control weakness. In Figure 23, the probability of event (or likelihood) and the associated magnitude have been represented across a timeline.

| BowTie Representation of Risk and Control

PHASE 6: Control Investigation

At this point in the Risk Based Audit program quite a lot of data has now been captured. Auditors will be able to describe the boundaries of the business unit; they should also have a good insight into potential material threats that the business faces and the controls that are being used to reduce, treat or transfer those threats away from these business processes.

| Inherent and Residual Risk

Investigating control effectiveness is obviously a very important activity to engage in as it shows how inherent and residual risk connect. It also identifies how the general operation of the control can be sampled and assessed. Auditors will look to establish a set of criteria that can be used to assess whether the control has been operated effectively or compromised by staff. In Figure 25 to the left of this text, some example investigative questions have been listed.

| Control Assessment Questions

In Figure 26, a workshop exercise has driven out a set of controls for risks in a risk registry. Auditors are then able to identify what they would test, question and assess to understand whether the control operation is normal or needing remedial attention. As all control question sets are connected to controls, and controls to evaluated risks, the auditor is able to state the material outcome of present control operation in a coherent manner. We are fast resolving the auditor's dilemma by carefully capturing and statistically modelling all current positions of operation in the business.

| Example Control Registry

PHASE 7: Audit Test

The audit test phase is the final audit activity that faces business unit staff and would normally result in the auditor sampling from finished product batches, control sample output folders, transaction reports or other various outputs that have been generated from the business unit directly. To sample effectively, known criteria for successful and unsuccessful delivery must be ascertained. However, this information should already be available from phase 6 of the Risk Based Audit program.

| Audit Tests

When auditors are dealing with computer records that are extracted from processing systems, it is possible to run tests across the entire population of records. In other cases physical samples will also need to be taken across a wide range of transactional history and it may not be possible or feasible to sample and review every single record or transaction. For surveys or assessments that have to deal with large populations of data, the sample size can be reduced statistically as a proportion of the entire population. This saves audit time, and sampling can be designed to still maintain a high level of confidence during the audit testing phase.

The sample size can be determined using the normal approximation of the binomial distribution and will be very accurate when the population is large. For smaller populations, such as 200 records, the normal approximation is often set against the hypergeometric distribution. All the auditor needs to know to ascertain the correct sampling size is the following: n as the sample size, N as the population size, p and q as the proportions of the population for failure or success (where p and q are set to 0.5 if they are not already known). Finally, a z value will be chosen as a confidence interval, and typically z values of 95% (1.96) are seen as quite acceptable for high quality audit tests.

| Sampling for a state

In Figure 29, different confidence levels and population sizes have been shown and the resulting sampling number calculated. For a total population of 10,000 records, 623 samples would need to be taken to obtain a 99% confidence that the audit result was accurate.

| Sampling Sizes for different populations and confidences
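As an added example (not the paper's own code), the following Python computes the audit sample size from n, N, p, q and z as described above, applying the finite population correction whose (N - n)/(N - 1) factor is the hypergeometric adjustment the text refers to for small populations. The paper states no margin of error; a 5% tolerance is my assumption, and with it the function reproduces the paper's 623 samples for 10,000 records at 99% confidence.

```python
"""Audit sample size with finite population correction (added example).

Assumption (mine): a 5% margin of error, which the paper does not state but
which reproduces its 623-for-10,000-at-99% figure."""
import math
from statistics import NormalDist


def z_for_confidence(confidence):
    """Two-sided z value for a confidence level, e.g. 0.95 -> 1.96."""
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)


def sample_size(population, confidence=0.95, margin=0.05, p=0.5):
    """Smallest n such that a failure proportion estimated from n records out
    of `population` lies within `margin` of the truth at `confidence`.
    p is the expected failure proportion; use 0.5 (maximal p*q) when unknown."""
    q = 1 - p
    z = z_for_confidence(confidence)
    n0 = z * z * p * q / (margin * margin)      # normal approximation, infinite N
    n = n0 / (1 + (n0 - 1) / population)        # finite population correction
    return min(population, math.ceil(n))


def sampling_table(populations, confidences, margin=0.05):
    """Figure-29 style lookup: {(N, confidence): n}."""
    return {(N, c): sample_size(N, c, margin)
            for N in populations for c in confidences}


if __name__ == "__main__":
    sizes, levels = [200, 1_000, 10_000, 100_000], [0.90, 0.95, 0.99]
    table = sampling_table(sizes, levels)
    print(f"{'N':>8} " + " ".join(f"{int(c * 100)}%".rjust(6) for c in levels))
    for N in sizes:
        print(f"{N:>8,} " + " ".join(f"{table[(N, c)]:>6}" for c in levels))
```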

PHASE 8: Audit Report

Once the auditor has completed the audit assessment and test activities, they will need to write up their audit findings in a report. This report should be able to stand by itself and capture various different information sets from all phases (1 to 8) of the Risk Based Audit program. The audit report may be many pages in length and would normally comprise at least 10 sections, which have been listed in Figure 30 to the left.

# | Section Title | Source
1 | Heading, signoff, contents | Intro
2 | Executive + assurance statement | Phases 1 & 2
3 | Summary of findings | Phases 1 to 8
4 | Context and scope | Phases 1, 2, 3
5 | Introduction, BU requirements | Phase 3
6 | Analysis of risks | Phase 4
7 | Evaluation approach | Phase 4b
8 | Audit methodology | Phases 5, 6, 7
9 | Findings and recommendations | Phase 7
10 | Management response | BU

| Audit Report Sections

The audit findings and management response are sections of the audit report that are developed once the audit has been completed and will allow both the auditor and business unit management to make assertions or explain why specific findings have occurred from the audit exercise.

Many Risk Based Auditors will establish a set of templates for audit report writing, just in an effort to reduce the time taken to generate this final report. In addition to an audit report, there is a trend for audit departments to publish rich reporting information such as risk dashboards, heatmaps and risk prioritisation charts. This is especially the case when continuous risk based audit monitoring is in progress. In Figure 31, a dendrogram risk prioritisation chart has been generated from the R-Project program. It allows risks to be truly aggregated and prioritised to inform senior management what is the most serious group of threats facing a business unit.

| Risk Based Audit Dendrogram

In Figure 32, a set of risk dashboards have been generated that show audit scores, results and risk values displayed alongside other Key Performance Indicator information. This type of comparative report is a balanced way of reporting audit results because it takes in the risk, the return and also the business unit's ability to sit within policy.

| Risk Based Audit Dashboard

So there we have it: a complete program for Risk Based Audit in eight specific phases. All these phases need to be in play to ensure that the auditor's dilemma is appropriately addressed. Additionally, we have built this audit program on the back of ISO 31000 but made adjustments to the standard to fit our unique risk management purpose.

is

possible

to

model

the

relationship between one and

RBA PHASE 6

It

more explanatory variables in either a simple linear regressed model or through more complex multiple regression structures. Risk Based Auditors use this

15

can infer potential risk outcomes from remote risk factors they have observed.

Audit

statistical technique so that they

In Figure 33, a Risk Analyst is able to propose different impacts from | Inferring Risk via Correlation

a system outage against the time of a particular outage. These type of modelling techniques allow for extreme loss and tail events to be estimated during risk evaluation exercises explained in Phase 4b of our Risk Based Audit paper.
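The simple linear regression behind Figure 33, as an added example that is not part of the paper: a standard-library least squares fit of outage loss against outage duration on constructed observations (not the paper's data), with a flag for durations beyond the observed range, which is the caveat to carry into any tail-event estimate built this way.

```python
# Constructed observations for this example (not data from the paper): outage
# duration in minutes and the loss recorded for that incident, in thousands.
OUTAGES = [
    (15, 12.0), (30, 21.5), (45, 33.0), (60, 41.0), (90, 63.5),
    (120, 82.0), (150, 101.0), (180, 125.0), (240, 168.0), (300, 205.0),
]


def fit_linear(points):
    """Ordinary least squares fit of y = a + b*x.

    Returns (a, b, r_squared); r_squared is the share of the variation in y
    that the single explanatory variable x accounts for.
    """
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    syy = sum((y - mean_y) ** 2 for _, y in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    b = sxy / sxx                       # slope
    a = mean_y - b * mean_x             # intercept
    r_squared = (sxy * sxy) / (sxx * syy)
    return a, b, r_squared


def infer_impact(points, duration):
    """Propose a loss for an outage of the given duration from the fitted
    line. The second value flags durations outside the observed range, where
    a straight-line extrapolation towards tail events is least trustworthy
    and should be treated as a scenario estimate, not a measurement."""
    a, b, _ = fit_linear(points)
    observed = [x for x, _ in points]
    extrapolated = not (min(observed) <= duration <= max(observed))
    return a + b * duration, extrapolated


if __name__ == "__main__":
    a, b, r2 = fit_linear(OUTAGES)
    print(f"loss ~ {a:.2f} + {b:.3f} * minutes   (R^2 = {r2:.4f})")
    for minutes in (100, 600):
        loss, flag = infer_impact(OUTAGES, minutes)
        print(f"{minutes:>4} min -> {loss:.1f}k" + ("  [extrapolated]" if flag else ""))
```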

Throughout the various phases (1 to 8) of a typical Risk Based Audit program, a large amount of data is observed, assessed and captured. This data should be housed in a database to allow for appropriate management, benchmarking and comparable audits to be carried out through time. Professional Risk Based Auditors are storing this type of data in a relational database, and in Figure 34 an example table structure for such a system has been displayed. Take note of the relationships between the various tables in the database.

| Risk Based Audit Database


Causal Capital http://CausalCapital.Blogspot.com

Risk Based Audit - Draft Electronic V1.pdf
