1 / 25

Risk Assessment

Risk Assessment. for Efficiency and Impact Niki Raggi and Corrie Stokes, Austin, Texas. Session Objectives. Cover Austin’s current approach (and recent changes) to using risk assessment to maximize audit efficiency and impact

warren
Download Presentation

Risk Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk Assessment for Efficiency and Impact Niki Raggi and Corrie Stokes, Austin, Texas

  2. Session Objectives • Cover Austin’s current approach (and recent changes) to using risk assessment to maximize audit efficiency and impact • Discuss real-life examples of project risk assessment in the City of Austin • Share the templates used to document this work

  3. Our Definition Risk assessment is a process used to determine the most significant and vulnerable aspects of the audited area, both for the annual plan and within an audit project

  4. Risk Assessment in GAGAS • In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives... (6.07) • Auditors should obtain an understanding of the …visibility, sensitivity, and relevant risks associated with the program under audit (6.13) • Review should determine if the audit plan adequately addresses relevant risks (6.52) Lady GAGAS

  5. Background: About Austin’sOffice of the City Auditor • City Auditor appointed by Council for a 5-year term • 26 permanent staff, divided into two units: Audit Services (4 managers, 14 auditors): • Conduct planned performance audits and respond to special requests from Council (~30 per year) Integrity Services (1 manager, 3 investigators) • Conduct investigations of allegations of fraud, waste, and abuse by City employees or contractors (~60 cases each year) • Conduct risk response and other integrity projects as time permits

  6. Background: OCA Evolution 1990 Existing internal audit department transitioned to a performance audit shop reporting to Council 2009 Turnover of 80% of the management team Council hires new City Auditor who brings a different approach/perspective, for example: • “We did 80 audits per year where I came from!” • “Audit reports should be no more than 5 pages” 2010 New City Auditor forms new management team and conducts an “Initial Assessment” which resulted in identifying several areas for improvement: • Projects could be managed better • Reports not always timely • Reports often lengthy and not reader-friendly

  7. Background: OCA Planning and Audit Process ONGOING RISK ASSESSMENT ANNUALLY AT THE PROJECT LEVEL Strategic Audit Plan: Environmental scan and review other sources of risks to identify risks that may affect the City Planning Phase: Focus on key processes and related key risks and perform a formal Risk Assessment, to identify focus for fieldwork Reporting Phase: Articulate essential messages to convey high risks and defer unaddressed risks for further study Fieldwork Phase: Continue to focus on what really matters What’s the “so what”? Are we adding value? ONGOING RISK ASSESSMENT

  8. Changes to OCA’s Risk Assessment Process ONGOING RISK ASSESSMENT ANNUALLY AT THE PROJECT LEVEL Change #1: Start audits with targeted risks from the Annual Planning Process Change #2: Give Management credit for managing high risks Change #3: Defer unaudited high risks for future work/consideration ONGOING RISK ASSESSMENT Change #4: Focus on key risks in the key processes only Change #5: Standardize the planning process through templates and steps

  9. Change 1: start audits with targeted risk from Annual Planning process Pre-2010: • Developed an annual audit plan with general audit topic areas and broad objectives • Used significant resources to conduct a 3-year comprehensive risk assessment of all City activities

  10. Change 1: Start audits with targeted risk from Annual Planning process Post-2010: Audits are identified annually through the Strategic Audit Plan

  11. Change 2: Give management credit for managing high risks • Pre-2010 Example: • Despite management managing high risks, we continued to review all aspects of the remittance process • Result: 2800 hours spent 10 mostly wimpy recommendations aggravated management

  12. Change 2: give management credit for managing high risks • Post-2010 Example: • Recognized that high risks were being management in alignment with best practices and ended our work • Result: 360 hours spent 0 recommendations credit to management/goodwill

  13. Change 3: Defer unaudited high risks for future work/consideration • Pre-2010: • Did not have a formal process for disposing of risks • Tended to try to cover any and all risks identified (concerned that we wouldn’t be back to an area for a long time) • Post-2010: • Use an issues log on each project • Incorporate “referrals” into integrity work and next audit plan

  14. Data from Available Systems Budget & Financial Information Reported Performance Prior Audits/ Evaluations Organizational Charts Benchmarks Best Practices Interviews Similar Audits by Other Entities Contracts/ Agreements Policies & Procedures Laws/ Regulations RISK & VULNERABILITY ASSESSMENT OBJECTIVE(S), SCOPE, & METHODOLOGIES FOR FIELDWORK Change 4: focus on the key risks in the key processes only • Pre-2010: • Trained and skilled in risk assessment • Started with very broad objectives • Did not limit risk assessment to key processes • Did not always limit fieldwork to a subset of risks

  15. Change 4: Focus on the key risks in the key processes only 2009 One Stop Shop Audit • Monster Risk/ Vulnerability Matrix

  16. Change 4: focus on the key risks in the key processes only • Post-2010: • Start with a more focused objective/issue • Approach planning by identifying the key processes related to the audit objective then focusing on the key risks within those processes • Ongoing risk assessment in addition to a formal risk assessment at the end of planning • WHAT ARE THE AUDITED ENTITY’S KEY OBJECTIVES, WHICH RELATE TO THE AUDIT OBJECTIVES? WHAT ARE THE KEY PROCESSES NEEDED TO ACHIEVE THE KEY OBJECTIVES? WHAT ARE THE KEY RISKS AND KEY CONTROLS RELATED TO THE KEY PROCESSES?

  17. Change 4: Focus on the key risks in the key processes only • 2003 Affordable Housing Audit • Broad preliminary objective • Planning phase of 1,400 hours • Fieldwork objective still broad • 77 pages reports • 12 recommendations • Total project took 3,000 hours What support or assistance is provided to organizations developing affordable housing to increase probability of success? How well has rental housing development assistance performed in the last 6 years? • 2011 Affordable Housing Audit • More focused preliminary objective • Planning phase of 600 hours • Identified two highest risk areas • 14 pages report • 2 recommendations • Total project took 1,150 hours Determine if key performance and financial controls are in place for bond and grant funded housing projects • Evaluate whether A&D and RHDA programs had procedures in place to ensure that: • HUD and City program guidelines for long-term monitoring are complied with and; • GO Bond goals are being met. Exercise: find the finding!

  18. Change 5: Standardize the planning process through planning steps and templates Pre-2010: Spending too much time on: • Reinventing how to perform planning steps for every audit • Reinventing how to document every step each time it was performed

  19. Change 5: Standardize the planning process through planning steps and templates

  20. Change 5: Standardize the planning process through planning steps and templates

  21. Planning June-August 2009 Assessment August 2009- January 2010 Acceptance June- August 2011 Deployment August - October 2011 Design/Build/Test January 2010-June 2011 OCA’s Risk Assessment Process in Action Customer Care & Billing Audit II: Background • In 2009, City contracted with IBM for $52 M • Billing system collects payments for all City utilities • Payments collected are approximately $2 B per year CC&B Audit I CC&B Audit II

  22. CC & B II – Risk and Vulnerability Assessment

  23. Recap/Lessons Learned Change 1: start with targeted risks in your annual plan identifying audits is an art not a science Change 2: give management credit for managing high risks its okay to walk away Change 3: defer unaudited high risks for future consideration you don’t have to audit everything at once Change 4: focus on key risks in the key processes only focus on what really matters (“where’s the beef?”) Change 5: standardize the planning process don’t reinvent the wheel; save your creativity for fieldwork

More Related