ERM Presentation.final

Risk Assessment

Have you seen your auditor today…do you need to?

Enterprise Risk Management (ERM) - Underlying principles:

Every entity, whether for-profit or not, exists to realize value for its stakeholders.

Source: Institute of Internal Auditors

The ERM Framework

Entity objectives can be viewed in the context of four categories: Strategic, Operations, Reporting, Compliance.

The eight components of the framework are interrelated …

Source: Institute of Internal Auditors

Internal Auditors play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.

They assist Management and the Board of Trustees in the process by: Monitoring, Evaluating, Examining, Reporting, Recommending improvements

Source: Institute of Internal Auditors

What are the Roles for Internal Auditors?

Graphic from Institute of Internal Auditors: Audit Core Activities, Shared Activities, Mgmt Core Activities

Risk Assessment

Risk assessment is the identification and analysis of risks. It forms a basis for determining how risks should be managed.

What is the purpose of a Risk Assessment?

Will allow SRH to understand the extent to which potential events might impact objectives.

Assess risks from two perspectives: Likelihood and Impact

Measure risks based on Management input

Prioritize audit resources to focus on those areas with greatest risk exposure.

Impact vs. Probability

[Matrix graphic: axes IMPACT and PROBABILITY, each running from Low to High. Risk responses in the four cells: Accept, Control, Share, Mitigate & Control. Risk ratings: Low Risk, Medium Risk, Medium Risk, High Risk.]

Source: Institute of Internal Auditors

Organizational Risk Assessment Process

Identify risk factors and give them weights

Identify objectives/assets/auditable activities

Analyze risks and assign ratings to the risks

Review the results with Management and the Board of Trustees
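The four-step process above, worked through in Python as an added example that is not part of the presentation: weighted risk factors, management's 1-to-5 rating of each auditable activity per factor, placement on the impact/probability matrix, and a ranked list to drive the audit plan. Factor names, weights, the threshold and the sample activities are constructed, and the assignment of the matrix cells to Accept, Control, Share and Mitigate & Control follows the usual IIA reading of the matrix and is an assumption here.

```python
# Added example, not from the presentation: weighted risk scoring of an audit
# universe following the slide's four steps. Factors, weights, scale, threshold
# and activities are constructed; the cell-to-response mapping is assumed.
FACTORS = {  # step 1: name -> (weight, matrix axis); weights per axis sum to 1
    "control_environment":   (0.6, "probability"),
    "time_since_last_audit": (0.4, "probability"),
    "financial_exposure":    (0.5, "impact"),
    "regulatory_exposure":   (0.5, "impact"),
}
SCALE_MAX = 5      # management rates each factor from 1 (low) to 5 (high)
THRESHOLD = 3.0    # an axis score above this is "High" on the matrix
RESPONSES = {      # (impact high?, probability high?) -> (rating, response)
    (False, False): ("Low Risk", "Accept"),
    (False, True):  ("Medium Risk", "Control"),
    (True, False):  ("Medium Risk", "Share"),
    (True, True):   ("High Risk", "Mitigate & Control"),
}

def axis_score(ratings, axis):
    """Weighted average of management's ratings for the factors on one axis."""
    total = sum(w * ratings[n] for n, (w, a) in FACTORS.items() if a == axis)
    return total / sum(w for w, a in FACTORS.values() if a == axis)

def assess(activity, values):
    """Step 3: rate one activity from its ratings (given in FACTORS order).
    Returns (activity, impact, probability, rating, response)."""
    if len(values) != len(FACTORS) or any(not 1 <= v <= SCALE_MAX for v in values):
        raise ValueError(f"{activity}: needs {len(FACTORS)} ratings in 1..{SCALE_MAX}")
    ratings = dict(zip(FACTORS, values))
    impact, prob = axis_score(ratings, "impact"), axis_score(ratings, "probability")
    rating, response = RESPONSES[(impact > THRESHOLD, prob > THRESHOLD)]
    return activity, impact, prob, rating, response

def prioritize(universe):
    """Step 4: rank activities by exposure (impact x probability), highest first."""
    return sorted((assess(a, v) for a, v in universe.items()),
                  key=lambda r: r[1] * r[2], reverse=True)

# Step 2: constructed sample audit universe -> ratings in FACTORS order
UNIVERSE = {
    "Payroll":         (2, 2, 4, 3),   # well controlled, but large exposure
    "Student Housing": (4, 5, 4, 5),   # weak controls, long unaudited, exposed
    "Campus Events":   (4, 4, 1, 2),   # likely issues, little at stake
    "Library Fines":   (1, 2, 1, 1),   # low on both axes
}

if __name__ == "__main__":
    for name, imp, prob, rating, resp in prioritize(UNIVERSE):
        print(f"{name:16} impact={imp:.1f} probability={prob:.1f} {rating:12} -> {resp}")
```

The ranked output is what step 4 reviews with Management and the Board: the activity landing in the Mitigate & Control cell tops the plan, and the one in the Accept cell is documented but not scheduled.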

“Most of the things worth doing have been declared impossible before they were done.”

-Louis Brandeis

Source: Protiviti

Traditional Risk Universe Framework

Internal auditors can add value by:

Reviewing processes

Advising on internal controls and risk mitigation

Coordinating and analyzing annual risk assessments

Implementing a risk-based approach to the Annual Audit Plan, taking into consideration the Annual Risk Assessment

Internal Audit Standards

2010.A1 – The Internal Audit Plan should be based on an Annual Risk Assessment

2120.A1 – Internal Audit should evaluate the adequacy and effectiveness of controls

2210.A1 – Audits should be: Planned to identify and assess risks; Based on the results of the Annual Risk Assessment

Risk Acronym: CARES

Compliance with laws, regulations and contracts

Accomplishment of goals and objectives

Reliability and integrity of financial and operational information

Efficient and effective operations

Safeguarded Assets

Source: Institute of Internal Auditors