Copyright © 2014 Causal Capital. All rights reserved.
31000 Risk Frameworks
A Working Case Study Version 1.00 (DRAFT) Martin Davies | Causal Capital © 2014
[email protected] Supporting Files
PHASE 1
Perhaps one of the largest dilemmas auditors face is being able to give stakeholders of any business they audit a level of confidence that they have captured and assessed 'all' material risks that threaten the company. A thumbs up, if you prefer, given after an audit has taken place that the audit went well and the results are sound. If risk is the effect of uncertainty on objectives, as the ISO 31000 global risk standard states it, then senior managers often expect auditors to express a level of clarity or coverage on what has been captured during a risk assessment and what additional uncertainty remains on the assessment of uncertainty.

3 Auditor Axioms
Firstly, is it possible that we can audit every single aspect of any business, observing perpetually the operation of each control, and accurately capture all anomalies that may have occurred? Is that even feasible to ask of an auditor? This probably isn't possible to achieve but even if it was, is it a good use of an auditor's time when we are paying for this time?

Let's assume that this hundred percent 'coverage fantasy' was possible; perhaps then the auditor should double check their assessments, and for every single item. Why not triple check the audit samples just to confirm that what they observed the first time round during their assessments is accurate? Surely we need to be comfortable that we don't have any significant material errors in the audit results we originally observed.

Finally, is absence of evidence truly evidence of absence in our audits? That is, if the auditor was unable to discover material control weaknesses, or evidence that such things have occurred during an audit, how can we truly and reliably know that what we have in an audit result isn't just some kind of informal fallacy?
| Three Axioms of the Auditor's Dilemma

Some people would see the requirement to state the clarity, or perhaps the fidelity, of an assessment on uncertainty as being a totally bizarre and unacceptable thing to demand. 'Uncertainty on uncertainty' if you prefer, and while describing a position of quality in such matters seems a completely unreasonable thing to ask of anyone, it often plays out in management situations that are laden with painful dialogues that go along the following kind of lines.

"You assessed various risks in our department but how confident do you feel that there aren't errors in your assessment in any of our business processes in the first place? On the subject of significance, what is materially significant to begin with and what is the level of accepted accuracy? Where do these two thresholds begin to become important to our stakeholders?"

It is amazing that auditors attempt to press through with an audit when such a wide scope is open, but many of them do. Nonetheless, several constructive outcomes or second tiers of investigation and, importantly, realization should be spawned from the simple dialogue we have expressed above. I have listed this 'investigative realization' to the right and auditors should avoid entertaining it in a defensive manner.

The three axioms of the auditor's dilemma can be resolved by constructing a Risk Based Audit Framework that progresses through an audit program in a manner that asserts a confidence level for assurance rather than simply capturing audit test results in an 'untargeted' way. There are many different Risk Frameworks in use today but perhaps the most famously used technique employed by auditors is the COSO framework. COSO is an association that has established a common internal control model against which companies may assess their control systems and it has been a guide for auditors for years. The new revision of the COSO brief was released in late 2012 and certainly it builds on the earlier publication. Personally, I favour ISO 31000 as a backbone template for designing risk frameworks and for no other reason than ISO 31000's elegance in simplicity.

Causal Capital - 31000 Frameworks

ISO 31000 is a generic risk standard that could be applied to Risk Based Audits or Enterprise Risk Management; in fact it could be used with any kind of risk assessment exercise and has directly influenced the style of this paper. ISO 31000 clause 5 has been shown in Figure 2 above and highlights the key activity flow that might be employed by an auditor attempting to assess risk. We extend this specific set of processes into eight key activity centres for our Risk Based Audit program and we will describe the activities over the remaining pages of this paper.
| ISO 31000 Aligned to a Risk Based Audit Exercise (ISO 31000 Context)

There are eight unique and discrete phases for this comprehensive Risk Based Audit framework:
1 Why RBA - Auditors need to establish a framework for carrying out a Risk Based Audit.
2 Defining Scope - Definition of scope and risks being audited will ensure appropriate use of resources.
3 Mapping - Auditors map the business unit they are to audit to ensure focused contextual relevance.
4 Risk Registration - Risks are identified, assessed, evaluated and recorded in a database for review.
5 Ctl Identification - Controls that manage risks are identified and a control network is investigated and recorded.
6 Ctl Investigation - Auditors investigate the control effectiveness, residual risk and identify what to audit.
7 Audit Test - Audit sampling size and method is established and the auditor tests for material weaknesses.
8 Audit Report - A final audit report is written on the process of the audit, its outcome and its findings.

The eight activity centres flow in a natural waterfall manner, passing information from one activity to the next, and in doing so the resulting outcome will lift the quality of an audit and resolve the auditor's dilemma we opened with at the beginning of this paper.
PHASE 1
Why RBA
Perhaps a good place to start with a Risk Based Audit framework is to answer why we entertain such a thing in the first place. Why not simply assess whether a business unit is compliant or how well it is meeting internal company policy during an audit?

Auditors face two key constraints when they plan their audits and decide how deep to go on an audit. Firstly, they have limited resources, especially when it comes to time, and secondly, executive management are increasingly demanding to know what the outcome of control failure actually means for their business. Most managers aren't interested in traffic light risk responses (Low, Medium, High) but in specific financial amounts as an expression or measure of risk. This is especially the case when control failure is implicated. Managers would like to see the range of potential financial losses a business unit may face and how effective their staff are at controlling these threats.

In Figure 3, two very different business departments are being represented. One department has a very low inherent risk profile, while the other has quite a high inherent threat potential. This is definitely evident when the two business units are compared alongside each other.

Priority Questions (Figure 3):
1 How much time does the auditor have to audit?
2 How risky is the department being audited?
3 How dependent is the business on the department?
4 What is the managers' perception of the department?
| Example Departmental Risk Profiles

Given that the auditor has only so many hours in the year in which they can audit the entire business, they will find that focusing more effort on auditing the most risky business units is likely to return more commercial value for their entire auditing work.

The types of preliminary areas of investigation an auditor might bestow on a business to identify which functions are risky have been listed in the Inherent Departmental Profile Table (Figure 3). It is important to note that some lines of questioning have a higher weighting than others: Unit Dependency (how many departments are dependent on this business unit), transaction volume, transaction size and transaction complexity are all key inherent risk profile areas that need to be understood. More advanced auditors may evaluate the entire departmental inherent exposure using an algorithm or model that will generate a final inherent risk score for the department. We will explore some of the example methods for generating inherent risk exposure in Phase 4b of this paper.
| Audit Time Allocation Example
In conclusion: Risk profiling the business allows for audit timing to be allocated more appropriately.
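One way an auditor could turn the weighted profile questions above into a departmental inherent risk score and then split the audit year in proportion to it. This is an added example and not code from the paper; the question weights, the 1 to 5 answer scale and the three departments are constructed assumptions.

```python
"""Inherent risk score and audit time allocation (added example, not from the paper)."""

# Constructed weights: the paper says unit dependency, transaction volume,
# size and complexity carry more weight than other profile questions.
WEIGHTS = {
    "unit_dependency": 3.0,          # how many departments depend on this unit
    "transaction_volume": 2.0,
    "transaction_size": 2.0,
    "transaction_complexity": 2.0,
    "manager_perception": 1.0,       # how management perceives the unit's risk
}
SCALE_MAX = 5  # every question is answered on a constructed 1..5 scale

# Constructed departmental profiles (one answer per profile question)
DEPARTMENTS = {
    "Treasury":   {"unit_dependency": 5, "transaction_volume": 5, "transaction_size": 5,
                   "transaction_complexity": 4, "manager_perception": 4},
    "Payroll":    {"unit_dependency": 4, "transaction_volume": 3, "transaction_size": 2,
                   "transaction_complexity": 3, "manager_perception": 3},
    "Facilities": {"unit_dependency": 1, "transaction_volume": 2, "transaction_size": 1,
                   "transaction_complexity": 1, "manager_perception": 2},
}


def inherent_score(answers):
    """Weighted sum of the profile answers, normalised to 0..100 so that
    departments answering the same question set can be ranked against each other."""
    raw = sum(WEIGHTS[q] * answers[q] for q in WEIGHTS)
    return round(100.0 * raw / (SCALE_MAX * sum(WEIGHTS.values())), 1)


def allocate_hours(departments, annual_hours, floor_hours):
    """Give every department a minimum (floor) and split the remaining audit
    hours in proportion to inherent score, so the riskiest unit gets the most time."""
    scores = {name: inherent_score(a) for name, a in departments.items()}
    pool = annual_hours - floor_hours * len(departments)
    if pool < 0:
        raise ValueError("floor hours exceed the annual audit budget")
    total = sum(scores.values()) or 1.0
    return {name: round(floor_hours + pool * s / total) for name, s in scores.items()}


if __name__ == "__main__":
    for name, hours in allocate_hours(DEPARTMENTS, 1000, 100).items():
        print(f"{name:<11} score={inherent_score(DEPARTMENTS[name]):5.1f} hours={hours}")
```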
PHASE 2
Defining the Audit Scope
The concept of auditing a business unit can mean many alternate things to different people and there are a lot of different types of audits that auditors entertain, taking in financial audits, operational audits, an audit for quality, functional audits, risk based audits and so on. Risk Based Audits generally take longer to prepare than a standard audit of compliance but this planning phase only has to be progressed through in its entirety the first time an auditor audits a specific department for risk. Once the Risk Based Audit is prepared, data only has to be refreshed in subsequent audit work.
| Changing the scope increases audit time

Before the auditor carries out any kind of audit they must establish a scope for the audit. The scope will identify what activities are to be carried out during each phase of the audit program and what is the expected outcome from each of these activities.
| Features of an audit

It is amazing how few auditors set scope boundaries on their audits, but unless they do, the audit is likely to slip its estimated schedule and deadline. Worse, the auditor will focus on specific aspects of the business that don't meet the audit objective, they will also expend additional and unnecessary management time on audit and, finally, the audit report's completeness is likely to be compromised.

Given all of this then, setting the scope of what is included in an audit is perhaps the first place risk based auditors should begin.

Item | Audit purpose | Audit Type | Changes Scope
1 | Control coverage & ability to manage risk | Risk Based Audit | Emphasis on measuring risk
2 | Meeting compliance objectives | Standard Audit Test | Binary response, % of compliance
3 | How well are prime directives being serviced | Quality Control Audit | Increases audit scope
4 | Taxonomical Causal Event Analysis | Functional Audit | Complex, detailed and a narrow type of audit scope
5 | Business Performance and Efficiency | - | A complex audit that looks at Quality Control + Capacity efficiency, capacity & idle resources
| Examples of different types of audit scopes

If we are to address the coverage aspect of the auditor's dilemma, then we must surely start with setting a scope. Key aspects of scope for a Risk Based Audit focus heavily on identifying risks, risk registration, capturing information on relevant control networks that may reduce risk and assessing how effectively staff have been operating these controls. Quantitative models are usually entertained in a Risk Based Audit and some of these techniques will be discussed later on in this paper.

Risk Based Auditors will normally need to capture specific financial data such as sales values, potentially some forecasted data, but unless audit efficiency is selected as an audit requirement, confirming the accounts for control costs will require less focus during the audit program.
| Audit Scope Questions
PHASE 2
Risk Taxonomies
The development of a risk taxonomy, or category of risks that are to be investigated during an audit, is an essential part of the audit scoping process. Yet many auditors don't engage in this activity. However, I believe it is a critical piece of work that will allow an auditor to define up front what they are looking for during their assessment exercises.
| Top Level Risk Taxonomy

A risk taxonomy brings the auditor into agreement with business unit management. It clearly describes what dysfunction is being audited for; it allows the auditor to formally state that they will be assessing the following disorders within the business processes, systems and work policy of the department. More so, a risk taxonomy will ensure that a homogenous definition of risk is established across the entire company to allow for benchmarking initiatives to be launched at a later date.

In some cases mature auditors will establish the scope of risk definitions in the taxonomy and capture what is included on a risk definition card. This card describes what a risk definition excludes, specific drivers that may cause the risk and associated recognised impacts which will eventually be sought for during audit sampling.
| Risk Taxonomy Card

This definition card and all the associated contextual risk related information should really be captured in a database that is seen as a living document. This database will be appended to while the entire Risk Based Audit program is being executed.

In Figure 9, a set of risk categories have been recorded in a tree like structure using R-Project. Audit scores will eventually be assessed across all business units of the company and sorted to show what is the most serious risk the entire business is facing. This method of recording risks and capturing risk related data across the enterprise allows for Risk Based Audit results to be aggregated, benchmarked and tracked through time. For the risk based auditor, this again may seem like a lot of additional work but this investigation and write up effort only needs to be carried out once during the planning phase of the Risk Based Audit program.
| Risk Taxonomy in R-Project
PHASE 3
Business Unit Mapping
Before the risk registry can be constructed, and as part of the planning phase of an audit, a risk based auditor would normally map the business unit they are going to audit. These business unit maps aren't usually detailed flowchart diagrams because flow charts don't really support risk based assessment. Yet, they are time consuming to develop. In Figure 11 we have used a Value Chain View to capture relevant details that will eventually support the risk identification, evaluation and assessment activities later on in the audit. Key business 'objects' to capture would include:
- Top processes that the department owns and runs in its daily or exception operations.
- Specific IT systems and various services that the business unit utilises but may not own.
- Any KPI policy information that defines quality standards & commercial expectations.
- A list of actual contracts, products or facilities that the business unit is processing.
- Complete department boundaries of ownership, what line managers can control and form decisions on.
| Mapping a Business Unit
| Value Chain View

There are many ways in which a business unit map can be drawn up. Some auditors favour schematic methods while other auditors simply list key processes, systems, business unit inputs and outputs. In the COSO 2012 revision, several example mapping techniques have been explored and I recommend readers take a look at this publication.

Leading auditors often capture specific transaction volumes, processing times and latencies in a business map. They may typecast processes into levels of maturity and invariably look at whether there has been a change in the standard deviation of performance of the business unit they are auditing.

Generally, risks and controls will not be identified at this point in the audit because the maps will themselves be used to directly source this additional information layer. Phase 4a explains the investigative reasoning techniques that are performed in a Risk Based Audit.
PHASE 4a
Risk Registration
The risk registry is perhaps the most recognised central component of a Risk Based Audit program; it is definitely the leading feature that differentiates this type of audit from other standard compliance audits.
| The complete risk registry

The risk registry can be developed by the auditor taking the business unit maps and investigating what could go wrong in different aspects of the business. The auditor may put Logical Investigative Questions to business unit management; they may also consider directly observed operating practices and historical write downs. Quite often risks are identified alongside controls while the auditor is discussing various risks with different staff in the business. Sometimes line managers may indicate that a unique risk the business is facing is already controlled; nonetheless, the risk should still be captured!

All risks should be recorded in a database, or at the very least a Microsoft Excel spreadsheet, so that they can be investigated and evaluated at a later stage of the Risk Based Audit program.

Business unit managers may also offer suggestions for the size of potential risks or explain why certain risks should be seen as a low concern rather than high; this information needs to be recorded in the risk registry too. At this point in time during the Risk Based Audit program, auditors may ask business managers to express what they see as a high or low risk, critical or not. This line of questioning gauges the general prevailing risk appetite business unit staff actually have.

Item | Logical Investigative Propositions
1 What happens if IT facilities became unavailable?
2 What type of exceptions occur in processing?
3 What factors do staff watch and manage?
4 Are there specific limits set for the business unit?
5 What process activities need trained staff?
6 Are business inputs timely & clean or erroneous?
7 Is there capacity to cope with transaction growth?
8 Is intellectual property kept onsite?
9 How are cash transactions secured?
| Registering Risks in an Investigative Manner
PHASE 4b
Risk Evaluation
Once the risks have been identified and registered in the risk registry, they need to be evaluated. Auditors have a tendency to evaluate risk as the frequency (usually represented on the y-axis of a chart) multiplied by the magnitude (the x-axis) but this form of evaluation is deterministic. Worse, some auditors simply state a risk as low, medium or high, a traffic light representation of risk exposure. This also grossly misinterprets the potential threat for a specific risk and, as a technique, F x M and the unquantified traffic light labelling of risks should be avoided. A more comprehensive and coherent way to estimate material exposure would be to use a statistical evaluation technique. Some of these models have been listed in Figure 16. These statistical approaches generally result in an independent and combined study of both the frequency and magnitude of events for each risk in the registry.
| Traffic Light Risk

Evaluation Methods
Risk Based Auditors should consider quantitative evaluation:
- Monte Carlo models built from templates
- Loss event data that is curve fitted
- Linear correlation and inference models
- Bayesian trees with boot strapping
- Univariate time series & Garch Models ...
| Evaluation Methods

When looking at the size of potential loss from risk, one way to represent this would be in the form of a parametric distribution of losses. This resulting curve will have a body, or large area of expected loss, which normally takes up 68.2% of observable experience in the normal distribution. This parametric expression of exposure will also contain tails, a left tail for small losses and a right tail for extreme events, where both these tail events have a much lower likelihood of occurrence. In Figure 17, spot estimates have been made from assessment and then curve fitted so that a high confidence level of 99.5% can be ascertained for all aggregated potential risks in the business unit.
| Normal Distribution

In Figure 18, tools such as R-Project can be used to assess and then statistically describe a data series so that tail events with an appropriate confidence level can be calculated swiftly. A risk based audit may also attempt to identify if specific risks are correlated but this additional modelling study is relatively more complex to perform. This is especially the case when observed data has a high level of paucity.
| Deterministic Point Estimates
PHASE 4b
Risk Evaluation
One of the most popular techniques used by risk analysts for identifying potential outcomes from a set of assumed risk factors or variables would be to pass these variables into a Monte Carlo simulation engine. Monte Carlo modelling has many benefits which include some of the following:
- The Monte Carlo engine is ideal for modelling risk when there is only a small set of observed data points.
- Monte Carlo is supported in Excel and of course in more advanced software such as R-Project.
- Monte Carlo generates outcomes which are not deterministic in nature and can be represented in a parametric / coherent manner that displays both tail and curve body detailing as model results.
- A Monte Carlo model can be used or mixed with a large number of descriptive assumptions.

In Figure 19, the five components of a typical Monte Carlo model have been demonstrated.
| Monte Carlo Example

Which function model to use depends on many different factors including the time available for the study, the quality of data that has been obtained and the auditor's comfort with the modelling technique to begin with. Whether inferred models, curve fitted models or assessment models are selected, the model outputs are often then passed into an additional Monte Carlo simulation engine to generate a parametric perspective of loss.
| Model Selection
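The frequency and magnitude of one registry risk studied separately and then combined by simulation, set against the deterministic F x M point estimate the text warns about. This is an added example, not the paper's model; the Poisson frequency, log-normal magnitude, seed and the "two £50k payment errors a year" figures are constructed assumptions.

```python
"""Frequency/magnitude Monte Carlo for one registry risk (added example, not from the paper)."""
import math
import random


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one audit period."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lam, sev_mu, sev_sigma, runs=20000, seed=31000):
    """Return a sorted list of simulated annual losses.
    lam is the expected event count per year (frequency); each event's
    magnitude is log-normal with log-mean sev_mu and log-sd sev_sigma.
    Frequency and magnitude are sampled independently, then combined."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        n = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n)))
    losses.sort()
    return losses


def quantile(sorted_losses, level):
    """Empirical quantile, e.g. level=0.995 for the 99.5% tail the paper targets."""
    idx = int(math.ceil(level * len(sorted_losses))) - 1
    return sorted_losses[max(0, min(idx, len(sorted_losses) - 1))]


def f_times_m(lam, sev_mu, sev_sigma):
    """Deterministic F x M: mean frequency times mean magnitude. It says
    nothing about the tail, which is why the paper says to avoid relying on it."""
    return lam * math.exp(sev_mu + 0.5 * sev_sigma ** 2)


def summarise(lam, sev_mu, sev_sigma):
    """Body and tail of the parametric loss picture for one risk."""
    losses = simulate_annual_loss(lam, sev_mu, sev_sigma)
    return {
        "point_estimate_FxM": f_times_m(lam, sev_mu, sev_sigma),
        "expected_loss": sum(losses) / len(losses),
        "median": quantile(losses, 0.5),
        "tail_99_5": quantile(losses, 0.995),
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


# Constructed assumptions: about two payment errors a year, typical size ~£50k
EXAMPLE = {"lam": 2.0, "sev_mu": math.log(50_000), "sev_sigma": 1.0}

if __name__ == "__main__":
    for key, value in summarise(**EXAMPLE).items():
        print(f"{key:>20}: {value:,.2f}")
```

The 99.5% figure is several times the F x M estimate, which is the gap a traffic light label or a single point estimate hides.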
PHASE 5
Control Identification
Like the risk registry, the auditor will also identify different types of controls that are being used by the business to reduce or transfer uncertainty in their daily operations. These controls should be connected to specific risks in the risk registry and may also be 'typecasted' under various criteria such as control maturity or whether the control has been designed for Completeness, Accuracy, Validity or Security.
| Risk Centric Domain

Control lists such as the one shown in Figure 22 need to be connected to a risk in the risk registry, but identified controls also need to be assigned to an owner. It is important to note that this owner may not be under the authority of the staff being audited.
| Control List

Additionally, controls can be pre-event or post-event as shown in the bow-tie diagram example in Figure 23. In our example, different root causes and causal factors have different controls but it would also be totally feasible for a risk to have more than one control and for a single control to be covering multiple risks across any part of the entire risk registry.

All of these interrelationships should be captured so that the full extent of control failure can be appreciated when the auditor is evaluating the material and potential loss from control weakness. In Figure 23, the probability of event or likelihood and the associated magnitude have been represented across a timeline.
| BowTie Representation of Risk and Control
PHASE 6
Control Investigation
At this point in the Risk Based Audit program quite a lot of data has now been captured. Auditors will be able to describe the boundaries of the business unit; they should also have a good insight into potential material threats that the business faces and the controls that are being used to reduce, treat or transfer those threats away from these business processes. Investigating control effectiveness is obviously a very important activity to engage in as it shows how inherent and residual risk connect.
| Inherent and Residual Risk

It also identifies how the general operation of the control can be sampled and assessed. Auditors will look to establish a set of criteria that can be used to assess whether the control has been operated effectively or compromised by staff. In Figure 25 to the left of this text, some example investigative questions have been listed.
| Control Assessment Questions

In Figure 26, a workshop exercise has driven out a set of controls for risks in a risk registry. Auditors are then able to identify what they would test, question and assess to understand whether the control operation is normal or needing remedial attention. As all control question sets are connected to controls, and controls to evaluated risks, the auditor is able to state the material outcome of present control operation in a coherent manner. We are fast resolving the auditor's dilemma by carefully capturing and modelling statistically all current positions of operation in the business.
| Example Control Registry
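A small risk-and-control registry of the kind Phases 5 and 6 describe: controls typecast by timing and design objective, assigned to an owner, linked many-to-many to registry risks, with inherent loss reduced to residual loss through the linked controls and the loss exposed when one shared control stops operating. This is an added example, not the paper's registry; the multiplicative residual model, the sample risks, controls and effectiveness figures are constructed assumptions.

```python
"""Risk/control registry with residual exposure (added example, not from the paper)."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str
    name: str
    inherent_loss: float   # expected annual loss before controls (a Phase 4b output)


@dataclass
class Control:
    cid: str
    name: str
    owner: str             # may sit outside the audited unit's line management
    timing: str            # "pre-event" or "post-event", as on the bow-tie
    designed_for: str      # Completeness, Accuracy, Validity or Security
    effectiveness: float   # assumed 0..1 share of inherent loss the control removes
    risks: list = field(default_factory=list)   # ids of the risks it mitigates


def controls_for(risk, controls):
    return [c for c in controls if risk.rid in c.risks]


def residual_loss(risk, controls, failed=()):
    """Inherent loss after every linked control; controls listed in `failed`
    are treated as inoperative. Assumes controls reduce loss multiplicatively."""
    remaining = risk.inherent_loss
    for c in controls_for(risk, controls):
        if c.cid not in failed:
            remaining *= 1.0 - c.effectiveness
    return round(remaining, 2)


def control_failure_impact(control, risks, controls):
    """Extra expected loss across ALL linked risks if this one control fails,
    which is what a shared control hides when risks are assessed one at a time."""
    delta = 0.0
    for r in risks:
        if r.rid in control.risks:
            delta += residual_loss(r, controls, failed={control.cid}) - residual_loss(r, controls)
    return round(delta, 2)


def registry_findings(risks, controls):
    """Risks with no control at all, and controls covering more than one risk."""
    return {
        "uncovered_risks": [r.rid for r in risks if not controls_for(r, controls)],
        "shared_controls": [c.cid for c in controls if len(c.risks) > 1],
    }


# Constructed sample registry for an accounts-payable unit
RISKS = [
    Risk("R1", "Duplicate supplier payment", 120_000),
    Risk("R2", "Fictitious supplier set up", 80_000),
    Risk("R3", "Late month-end close", 15_000),
]
CONTROLS = [
    Control("C1", "Dual authorisation over 10k", "AP Manager", "pre-event", "Validity", 0.7, ["R1", "R2"]),
    Control("C2", "Monthly duplicate-payment report", "Finance Systems", "post-event", "Completeness", 0.5, ["R1"]),
]

if __name__ == "__main__":
    for r in RISKS:
        print(r.rid, r.name, "inherent", r.inherent_loss, "residual", residual_loss(r, CONTROLS))
    for c in CONTROLS:
        print(c.cid, "failure impact", control_failure_impact(c, RISKS, CONTROLS), "owner", c.owner)
    print(registry_findings(RISKS, CONTROLS))
```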
PHASE 7
Audit Test
The audit test phase is the final audit activity that faces business unit staff and would normally result in the auditor sampling from finished product batches, control sample output folders, transaction reports or other various outputs that have been generated from the business unit directly. To sample effectively, known criteria for successful and unsuccessful delivery must be ascertained. However, this information should already be available from Phase 6 of the Risk Based Audit program.
| Audit Tests

When auditors are dealing with computer records that are extracted from processing systems, it is possible to run tests across the entire population of records. In other cases physical samples will also need to be taken across a wide range of transactional history and it may not be possible or feasible to sample and review every single record or transaction. For surveys or assessments that have to deal with large populations of data, the sample size can be reduced statistically as a proportion of the entire population. This saves audit time and sampling can be designed to still maintain a high level of confidence during the audit testing phase.

The sample size can be determined using the normal approximation of the binomial distribution and will be very accurate when the population is large. For smaller populations, such as 200 records, the normal approximation is often set against the hypergeometric distribution. All the auditor needs to know to ascertain the correct sample size is the following: n as the sample size, N as the population size, and p and q as the proportions of the population for failure or success (where p and q are set to 0.5 if they are not already known). Finally, a z value will be chosen as a confidence interval and typically z values of 95% (1.96) are seen as quite acceptable for high quality audit tests.
| Sampling for a state

In Figure 29, different confidence levels and population sizes have been shown and the resulting sample size calculated. For a total population of 10,000 records, 623 samples would need to be taken to obtain a 99% confidence that the audit result was accurate.
| Sampling Sizes for different populations and confidences
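The sample size calculation above, carried through in code with the finite population correction, reproduces the paper's 623 records for a population of 10,000 at 99% confidence once a 5% margin of error is assumed; the same block also turns the failures found in the sample back into an upper bound on the population deviation rate. This is an added example and not the paper's spreadsheet; the 5% margin and the z table are assumptions.

```python
"""Attribute-sampling sample size and evaluation (added example, not from the paper)."""
import math

# Two-sided normal z values for the confidence levels an auditor usually picks
Z = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}


def sample_size(N, confidence, margin=0.05, p=0.5):
    """Normal approximation of the binomial, corrected for a finite population N.
    p is the expected failure proportion; 0.5 (unknown) gives the largest n.
    margin is the assumed tolerable error around the sampled proportion."""
    z = Z[confidence]
    q = 1.0 - p
    n0 = (z * z * p * q) / (margin * margin)   # infinite-population sample size
    n = n0 / (1.0 + (n0 - 1.0) / N)            # finite population correction
    return math.ceil(n)


def sampling_table(populations, confidences, margin=0.05):
    """The kind of grid shown in the paper's Figure 29: (N, confidence) -> n."""
    return {(N, c): sample_size(N, c, margin) for N in populations for c in confidences}


def upper_deviation_rate(n, failures, N, confidence):
    """Upper limit of the population deviation rate implied by the failures
    found in a sample of n, with the finite population correction applied."""
    p_hat = failures / n
    se = math.sqrt(p_hat * (1.0 - p_hat) / n) * math.sqrt((N - n) / (N - 1))
    return min(1.0, p_hat + Z[confidence] * se)


if __name__ == "__main__":
    for (N, c), n in sampling_table([200, 1_000, 10_000], [0.95, 0.99]).items():
        print(f"N={N:>6}  confidence={c:.2f}  n={n}")
    # 5 control failures found in the 623 records sampled from 10,000
    print("upper deviation rate:", round(upper_deviation_rate(623, 5, 10_000, 0.99), 4))
```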
PHASE 8
Audit Report
Once the auditor has completed the audit assessment and test activities, they will need to write up their audit findings in a report. This report should be able to stand by itself and capture various different information sets from all phases (1 to 8) of the Risk Based Audit program. The audit report may be many pages in length and would normally comprise at least 10 sections, which have been listed in Figure 30 to the left.

# | Section Title | Source
1 | Heading, signoff, contents | Intro
2 | Executive + assurance statement | 1 & 2
3 | Summary of findings | 1 to 8
4 | Context and scope | 1, 2, 3
5 | Introduction, BU requirements | 3
6 | Analysis of risks | 4
7 | Evaluation approach | 4b
8 | Audit methodology | 5, 6, 7
9 | Findings and recommendations | 7
10 | Management response | BU
| Audit Report Sections

The audit findings and management response are sections of the audit report that are developed once the audit has been completed and will allow both the auditor and business unit management to make assertions or explain why specific findings have occurred from the audit exercise.

Many Risk Based Auditors will establish a set of templates for audit report writing, just in an effort to reduce the time taken to generate this final report. In addition to an audit report, there is a trend for audit departments to publish rich reporting information such as risk dashboards, heatmaps and risk prioritisation charts. This is especially the case when continuous risk based audit monitoring is in progress. In Figure 31, a dendrogram risk prioritisation chart has been generated from the R-Project program. It allows risks to be truly aggregated and prioritised to inform senior management what is the most serious group of threats facing a business unit.
| Risk Based Audit Dendrogram

In Figure 32, a set of risk dashboards have been generated that show audit scores, results and risk values displayed alongside other Key Performance Indicator information. This type of comparative report is a balanced way of reporting audit results because it takes in the risk, the return and also the business unit's ability to sit within policy.
| Risk Based Audit Dashboard

So there we have it; a complete program for Risk Based Audit in eight specific phases. All these phases need to be in play to ensure that the auditor's dilemma is appropriately addressed. Additionally, we have built this audit program on the back of ISO 31000 but made adjustments to the standard to fit our unique risk management purpose.
RBA PHASE 6

It is possible to model the relationship between one or more explanatory variables in either a simple linear regression model or through more complex multiple regression structures. Risk Based Auditors use this statistical technique so that they can infer potential risk outcomes from remote risk factors they have observed. In Figure 33, a Risk Analyst is able to propose different impacts from a system outage against the time of a particular outage. These types of modelling technique allow for extreme loss and tail events to be estimated during the risk evaluation exercises explained in Phase 4b of our Risk Based Audit paper.

| Figure 33: Inferring Risk via Correlation
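The Phase 6 inference described above, as an added example that is not code from the paper: an ordinary least squares fit of loss impact against outage duration, with the outage observations constructed for illustration, and any estimate beyond the observed durations flagged as an extrapolated tail estimate.

```python
"""Simple linear regression for Phase 6 risk inference. Added example,
not from the paper; the outage observations are constructed."""
from typing import List, Tuple

# Constructed observations: (outage duration in hours, loss impact in $k),
# standing in for the data points behind Figure 33.
OUTAGES: List[Tuple[float, float]] = [
    (1, 12), (2, 21), (3, 33), (4, 38), (6, 62), (8, 79),
]


def fit_line(points: List[Tuple[float, float]]) -> Tuple[float, float, float]:
    """Ordinary least squares fit; returns (intercept, slope, r_squared)."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    syy = sum((y - mean_y) ** 2 for _, y in points)
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    r_squared = (sxy ** 2) / (sxx * syy)   # share of loss variance explained
    return intercept, slope, r_squared


def infer_loss(duration_hours: float,
               points: List[Tuple[float, float]] = OUTAGES) -> Tuple[float, bool]:
    """Infer the loss impact for an outage duration from the fitted line.

    Returns (estimated loss, extrapolated). Durations beyond anything
    observed are the extreme / tail estimates the paper refers to, so they
    are flagged: the linear model has no evidence out there and the
    analyst should treat such values as a scenario, not a measurement.
    """
    intercept, slope, _ = fit_line(points)
    longest_seen = max(x for x, _ in points)
    estimate = intercept + slope * duration_hours
    return estimate, duration_hours > longest_seen


if __name__ == "__main__":
    b0, b1, r2 = fit_line(OUTAGES)
    print(f"loss = {b0:.2f} + {b1:.2f} * hours  (R^2 = {r2:.3f})")
    for hours in (4, 24):
        loss, tail = infer_loss(hours)
        print(f"{hours:>3}h outage -> ${loss:.1f}k{'  [extrapolated]' if tail else ''}")
```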
Throughout the various phases (1 to 8) of a typical Risk Based Audit program, a large amount of data is observed, assessed and captured. This data should be housed in a database to allow for appropriate management, benchmarking and comparable audits to be carried out through time. Professional Risk Based Auditors are storing this type of data in a relational database, and in Figure 34 an example table structure for such a system has been displayed. Take note of the relationships between the various tables in the database.

| Figure 34: Risk Based Audit Database
Causal Capital http://CausalCapital.Blogspot.com