Continuous Business Risk Assessment

Continuous Continuous Business Business

Risk AssessmentRisk Assessment

About BYU

• Private, Church-sponsored• Founded 1875• Three campuses

– Provo, Utah (30,000)– Rexburg, Idaho (14,000)– Laie, Hawaii (2,000)

• Internal Audit: 11 professionals, – 10 associate (student) auditors

Why?Our current risk assessment model is

• It no longer enables us to keep up with emerging risks in a dynamic business environment;

• Assumes management/auditor omnipotence• One year cycle time is just tooooo long to formally

address risks• Relies on single method of harvesting risk information

(annual survey)• No method for prioritizing work• Annual audit plan becomes the “Hotel California” of audit

projects• Risks working with blinders on.

• Comply with IIA Performance Standards

• Ensure alignment with University mission and objectives

• Add value to our audit customers

• Are you following, unchanged, the audit plan you developed for 2003?

Questions

“Most often used measures (of internal audit effectiveness) are absolutely dysfunctional. I think of one: you do your annual audit plan and commit to the audit committee that you’re going to do X number of these audits for the coming year.”

--Dr. James Roth

Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Best Practices

•Extensive Staff Expertise•Challenging Work Environment•Organizational Alignment•Participative, Qualitative, Real-time Risk Assessment•An Array of Audit Services

February 2003 Internal Auditor

Array of Audit Services

• Risk-based audits – working with management to identify the business risks they face.

• Process audits – auditing an entire business process rather than an organizational unit and looking for ways to improve the process instead of simply trying to find control weaknesses.

• Pre-implementation reviews – participating on new-product or system-development teams and/or reviewing the project at certain defined milestones.

• Self-Assessment – hosting workshops, administering questionnaires, and conducting structured interviews to address soft controls.

• Internal-Control Education – formal training programs designed and taught by internal auditors, as well as ad-hoc training, when needed, during assurance or consulting projects.

Internal Audit Tools

• Control Self-Assessment Workshops• Client-Relationship Management

– Relationship Development– Client Training

• Control Model Mentoring• Computer-Aided Exception Identification (Continuous

Auditing)• Process Improvement Programs (Quality Improvement,

Continuous Improvement)– Team Facilitation– Improvement Models

Internal Audit Tools

• Process Mapping/Control Evaluation (SOx, FCPA)

• Risk-based Auditing• Maturity Model Evaluation/Implementation• Management Review• Risk Management Council• Improvement Models

– Accountability– Continuous Improvement

Continuous Business Risk Assessment

Continuous Risk Assessment is a participative process whereby we evaluate emerging risks on a continuous, qualitative, real-time basis rather than on an annual basis.

Participative

• Involve more than Internal Auditors• Seek out managers and employees who know

and understand emerging risks.

Continuous

• Periodic vs. Annual• As frequently as needed• Various sources of information (meeting,

conference, workshop, survey, interview)

Qualitative

• Relies on professional judgment• Includes political and strategic factors as well as

traditional measures• Involves more than one opinion

Real-Time

• Results in changes to the audit schedule NOW• Decisions made in close proximity to issue and

risk identification

Event Identification

Risk Assessment

Process Imp.

Action Plan

Mgt. Review

Risk Response

RiskRisk AssessmentProcess

Risk Evaluation &Response

Audit Population

Strengthening Control

Environment

Monitoring

Compliance

Risk-Based Audits &

Requested Services

Event/ProjectIdentification

Risk Assessment

Risk Response

PrioritizeProjects

Event/ProjectIdentification

Risk Assessment

Risk Response

PrioritizeProjects

RiskDatabase

Risk AssessmentTeam

Evaluate risk orproject proposal

Action

Detailed RiskAssessment

Report

Conduct DetailedRisk Assessment

Risk AssessmentTeam

Initiate project(project type, tool,objective, scope,

resources)

Risk AssessmentTeam

Prioritize projects andadjust audit schedule

EngagementPlan

Risk Information Sources

GeneralObservations

CI (CSA)Workshops

ClientRelationship Mgt

Mgt Requests

QualityImprovement

Program

Audit Results

Audit Committee

ID Task Name Start Finish DurationSep 2002 Oct 2002

26 27 28 29 30 1 2 3 4 5 6 7 8 9

1 3d9/30/20029/26/2002Task 1

2 3d 4h10/3/20029/30/2002Task 2

3 2d9/27/20029/26/2002Task 3

4 2d10/7/200210/3/2002Task 4

5 2d10/8/200210/7/2002Task 5

Risk Tracking Log

•Access Database

•Three Screens

•Input Log

•Evaluation Screen

•Strategic Considerations

Audit Project Portfolio

•Excel

•Categorized

What We Get

• Increased capability to systematically respond to business risks

• Increased ability to identify risks by expanding and improving risk information harvesting methods

• Improved utilization of Internal Audit resources

• Compliance with IIA Performance Standards

• Overall, a more mature risk assessment process

Standards Summary

• Risk-based plan of engagements• Develop at least annually• Determine priorities consistent with

organization’s goals• Consider input of senior management and

board• Identify significant exposures to risk• Consider consulting proposals

Impacts

• More time identifying, characterizing and evaluating risks.

• Need more flexible audit schedule.• Trust in consensus/professional opinion.

• Copy of slide presentation• Access database template (Tracking Log)

• david_galloway@byu.edu

Continuous Continuous BusinessBusiness

Risk AssessmentRisk Assessment

Continuous Business Risk Assessment

Documents

Transcript of Continuous Business Risk Assessment

Assessing Perceptions and Practices of Continuous ... · Keywords: Feedback, Continuous Assessment, Continuous Assessment Techniques, Perceptions, Practice 1. Introduction 1.1 Background

Continuous Assessment File

JSC “Megabank” · 4. Financial risk management Bank activities are inherent risks. The Bank performs risk management through a continuous process of identification, assessment

Continuous Improvement Matters: Institutional Assessment ... · Continuous Improvement Matters: Institutional Assessment Plan for ... Institutional assessment ... to conduct assessments

RISK ASSESSMENT [ASSESSMENT]

Risk Assessment & Data Protection Impact Assessment · Risk Assessment & Data Protection Impact Assessment 1 Guide Risk Assessment & Data Protection Impact Assessment Guide

Risk Assessment. Risk Assessment Topics What is Risk? Risk, Hazard and Exposure How is Risk Expressed? Risk Categories What is Risk Assessment?

LRSport · Web viewAlthough you also need to demonstrate in your notes some Dynamic risk assessment. Dynamic risk assessment – (sometimes referred to as ongoing or continuous risk

Conduct a continuous Risk Assessment in a Workplace ...

RISK ASSESSMENT RISK ASSESSMENT HAZOP STUDY

Risk Management Strategy“Risk Assessment” is a continuous process of identifying, analyzing, measuring and prioritizing risks / threats that may or may not occur. “Enterprise

Continuous Assessment Plan - Murray State Universitycoehsnet.murraystate.edu/.../files/EPPContinuousAssessment.pdf · Continuous Assessment Plan . September 2015 . ... 6. understand

Guide to Risk Assessment and Response...“Enterprise risk management is a structured, consistent, and continuous process across the whole organization for identifying, assessing,

RiskMon: Continuous and Automated Risk Assessment of Mobile ...

Continuous Monitoring in a Risk Management …...Agenda • Drivers for Continuous Monitoring • What is Continuous Monitoring • Continuous Monitoring in a Risk Management Framework

VISION ZERO 7visionzero.global/sites/default/files/2019-11... · 9 8 Risk Assessment Risk Assessment Risk Assessment Risk Assessment Risk Assessment (OSH) (Maintainance, Upkeep, Troubleshooting)

Braden Scale for Predicting Pressure Ulcer Risk Risk Assessment...Caustic Fluids (Stool, Urine, Gastric) Moisture Score Action 1 Continuously moist perineum • Continuous diarrhea

Environmental Health Risk Assessment—Guidelines for ...File/Environmental-health-Risk-Assessment.pdf · risk assessment. environmental health risk assessment

Creating a Fraud Risk Assessment and Implementing a ... · Creating a Robust Fraud Risk Assessment and Implementing a Continuous Monitoring Program CHRISTOPHER M. DILORENZO, CPA,

Bellarmine University Continuous Assessment