EXAMPLE OF RISK-BASED AUDIT PROGRAMME

Ministry of Agriculture, Livestock, Fisheries, Food and Natural Environment

AUTONOMOUS GOVERNMENT OF CATALONIA – SPAIN

art. 4.6 R(EC) 882/2004

Margarita Gómez Puig
Deputy Director General
Internal Audits and Inspections

Generalitat de Catalunya
Departament d'Agricultura, Ramaderia, Pesca, Alimentació i Medi Natural

MULTI-ANNUAL AUDIT PROGRAMME

PROCESS:

1. To identify our AUDIT UNIVERSE
2. To establish a RISK ANALYSIS
3. To estimate our HUMAN RESOURCES AVAILABLE for auditing
4. To estimate our NEEDS OF HUMAN RESOURCES to carry out our audit programme
5. To BALANCE availabilities and needs and to PROPOSE an audit programme
6. To APPROVE the audit programme


FIRST STEP:

To identify our AUDIT UNIVERSE: inventory of relevant audit areas for our competent authority


1. To identify the AUDIT UNIVERSE of Ministry of Agriculture, Livestock, Fisheries, Food and Natural Environment of CATALONIA

CATALONIA - autonomous government

Population = 7.5 M inhabitants
Surface area = 32.107 Km2

SPAIN:
- 1 central government
- 17 autonomous governments (autonomous communities)
- 2 autonomous cities
- xxx municipalities


1. To identify our AUDIT UNIVERSE:

SPANISH UNIVERSE: AREAS UNDER REGULATION 882/2004

[Diagram: CENTRAL COMPETENT AUTHORITIES (MARM – MSPSI – AESAN) and AUTONOMOUS COMPETENT AUTHORITIES (1 CATALONIA, 2 BASQUE COUNTRY, 3 ANDALUSIA, … 17 XXXX….); labels: FOR SOME AREAS (control programmes), FOR OTHERS]

MARM: Ministry of Environment, Rural and Marine of Spain
MSPSI: Ministry of Health, Social Policy and Equality of Spain
AESAN: Spanish Food Safety Agency

CATALONIA'S UNIVERSE

[Diagram: food chain stages PRIMARY PRODUCTION, PROCESSING AND DISTRIBUTION, RETAIL, CONSUMER; bodies shown: CATALAN FOOD SAFETY AGENCY; MINISTRY OF AGRICULTURE, LIVESTOCK, FISHERIES, FOOD AND NATURAL ENVIRONMENT; Other competent authorities; with the label: THIS IS our AUDIT UNIVERSE]

According to the COSO internal control integrated framework, the CONTROL SYSTEM in our Ministry, like any control system, has 5 components:

- CONTROL ENVIRONMENT
- RISK ASSESSMENT
- CONTROL ACTIVITIES
- INFORMATION & COMMUNICATION SYSTEMS
- MONITORING

OUR UNIVERSE: 882/04 areas under the competences of the Ministry of Agriculture, Livestock, Fisheries, Food and Natural Environment of CATALONIA

[Diagram: control programmes Progr. 1 (*), Programme 2, Programme 3, …, Programme n set against the five components, with the following requirement groups]

HR:
- Staff
- Training
- Laboratories

HR: Monitoring of effectiveness of controls / supervision

HR:
- Procedures
- Evidences of controls on templates
- Reports on results
- Coordination and information systems

HR:
- Actions in case of non compliance
- Sanctions
- Contingency plans
- Without prior warning

TR: Control of specific requirements:
- systematized in planned arrangements
- effectively implemented, complying with planned arrangements

HR = horizontal requirements (178/2002, 882/2004)
TR = technical requirements (specific regulation)

(*) cover 852/04

- Taking into account our internal organization and
- Looking for efficiency (synergy):
  - Several programmes that share part of their control system → unique AUDIT PROJECT for the common part.
  - A programme composed of several different control systems → several AUDIT PROJECTS.

BUT THE AUDIT UNIVERSE STAYS THE SAME

[Diagram repeated: the five COSO components (CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, INFORMATION & COMMUNICATION SYSTEMS, MONITORING) against Programme 1, Programme 2, Programme 3, …, Programme n, with cells marked HR, TR or HR / TR]


SECOND STEP:

To carry out a RISK ANALYSIS: IMPACT & VULNERABILITY


In order to:

- MAKE the risk assessment AS OBJECTIVE AS POSSIBLE (especially with subjective risk factors) and
- INVOLVE the entire organization in the RISK ANALYSIS, making final approval by the top management easier

All Deputy Directors General involved in the management of different control programmes:

• Deputy Director General for Agriculture
• Deputy Director General for Livestock
• Deputy Director General for Fisheries
• Deputy Director General for Agri-food Industries and Quality

and myself (Deputy Director General for Internal Audits and Inspections) individually assess all the risks (except risk factors (*), which are assessed just by auditors), and then we calculate the average score for each risk, which lets us calculate the IMPACT.


RISK FACTORS TO ASSESS IMPACT:

RISK FACTORS | Maximum score
Impact on human health | a1
Severity of adverse effects and probability | a2
Public perception of risk | a3
Economic impact | a4
Risk to direct aid payments (EAGF) and other aids (EAFRD and national funds) by CROSS-COMPLIANCE requirement, in addition to risk to food safety (*) | a5
Risk of limited previous scope of the internal audit (*) | a6
TOTAL | 100

(*) risk factor assessed by internal auditors

EAGF = European Agricultural Guarantee Fund
EAFRD = European Agricultural Fund for Rural Development


SCORES? WEIGHTS?

For each RISK FACTOR: weight maximum, then CRITERIA and score.

What type of impact does this control system have on food safety (meaning human health)? (weight maximum: a1)
- Direct impact: a1
- Indirect impact: a1/2
- Without impact: 0

What would be the severity and probability of adverse effects if there were a control system failure? (weight maximum: a2)
- Serious harm - high probability: a2
- Serious harm - low probability: a2/2
- Less severe damage - high probability: a2/2
- Less severe damage - low probability: a2/3
- No harm to human health: 0

What is the PUBLIC PERCEPTION OF RISK as regards this control system? (weight maximum: a3)
- HIGH: a3
- LOW: a3/2
- NULL: 0

What would be the ECONOMIC IMPACT if there were a control system failure? (weight maximum: a4)
- HIGH: a4
- LOW: a4/2

Risk to EAGF, EAFRD and national fund payments in addition to risk to food safety (*) (weight maximum: a5)
- WITH SYNERGIES OF RISKS (food safety risk; risk to EAGF and EAFRD paying agency (CROSS-COMPLIANCE)): a5
- WITHOUT SYNERGIES: 0

Risk of limited previous scope (*) (weight maximum: a6)
- Never audited before: a6
- Previous audit with limited scope: a6/2
- Previous audit with full scope: 0

(*) risk factor assessed by internal auditors

AREAS | FACTOR 1: DDG1, DDG2, DDG3, …, average | FACTOR 2: DDG1, DDG2, DDG3, …, average | ∑ IMPACT (maximum 100 for audit project)
Audit project 1 | a1, a1, a1, ..., a1 | ... | eg: 80
Audit project 2 | a1/2, a1/2, a1/2, …, a1/2 | … | 85
Audit project 3 | a1, a1/2, a1, … | … | 70
Audit project 4 | a1/2, a1/2, a1, … | … | 60
Audit project 5 | … | … | 40
Audit project n | … | … | …

DDG1 = Deputy DG for Agriculture
DDG2 = Deputy DG for Livestock
DDG3 = Deputy DG for Fisheries
Etc…

VULNERABILITY ASSESSMENT of different control systems against their opposite: level of risk coverage

We use results from previous audits and follow-up as a source of information.

VULNERABILITY | Maximum score
Level of risk coverage by structural elements of control (HORIZONTAL REQUIREMENTS) (*) | b1
Level of risk coverage by compliance & effectiveness of planned arrangements (TECHNICAL REQUIREMENTS) | b2
Level of risk coverage by a suitable control system (TECHNICAL REQUIREMENTS) | b3
TOTAL | 100

(*) suitability of system as regards horizontal requirements, compliance and effectiveness

VULNERABILITY CRITERIA and maximum score

What is the vulnerability of the control systems? To assess against their opposite (level of risk coverage for each control system).

Risk coverage by structural elements of control systems
- If we have previous audit results:
  - x = 100%: 0
  - 90% <= x < 100%: b1/5
  - 75% <= x < 90%: b1/2
  - 50% <= x < 75%: b1/1,5
  - x < 50%: b1
- If no data: b1/2

Risk coverage by compliance and effectiveness of technical requirements
- If we have previous audit results:
  - x = 100%: 0
  - 90% <= x < 100%: b2/5
  - 75% <= x < 90%: b2/2
  - 50% <= x < 75%: b2/1,5
  - x < 50%: b2
- If no data: b2/2

Risk coverage by suitability of control systems with specific regulation
- If we have previous audit results:
  - x = 100%: 0
  - 90% <= x < 100%: b3/5
  - …
- If no data: b3/2

AREAS | Structural VULNERABILITY | VULNERABILITY of compliance & effectiveness | VULNERABILITY of suitability | ∑ VULNERABILITY (maximum 100 for audit project)
Audit project 1 | b1/2 | b2/2 | b3/5 | eg: 40
Audit project 2 | b1 | b2/5 | b3 | 80
Audit project 3 | b1/1,5 | b2/5 | 0 | 35
Audit project 4 | b1 | b2/2 | b3/2 | 70
Audit project 5 | b1/1,5 | b2/5 | b3 | 60
Audit project n | … | … | … | …

AREAS | ∑ IMPACT | ∑ VULNERABILITY
Audit project 1 | 80 | 40
Audit project 2 | 85 | 80
Audit project 3 | 70 | 35
Audit project 4 | 60 | 70
Audit project 5 | 40 | 60
Audit project n | … | …

[Chart: risk map plotting audit projects 1 to 5 by IMPACT and VULNERABILITY, both axes from 0 to 100]

PRIORITIES ACCORDING TO RISK ANALYSIS:

1st: Areas with > impact & > vulnerability
2nd: Areas with > impact & < vulnerability
3rd: Areas with < impact & > vulnerability
4th: Areas with < impact & < vulnerability

In addition, the risk analysis should allow us to make a decision regarding the scope of audits
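The scoring rules and priority quadrants described above, worked through as an added example that is not part of the original presentation. The numeric weights, the threshold of 50 that separates ">" from "<", and the reuse of the b1/b2 coverage bands for b3 (elided on the slide) are assumptions.

```python
"""Risk map: averaged IMPACT, banded VULNERABILITY, priority quadrant.

Assumptions (not on the original slides): the numeric weights, the
threshold of 50 on each 0-100 axis, and identical bands for b1, b2, b3.
"""
from statistics import mean

# Hypothetical weights; the slides only require each set to total 100.
IMPACT_WEIGHTS = {"a1": 30, "a2": 25, "a3": 10, "a4": 15, "a5": 10, "a6": 10}
VULN_WEIGHTS = {"b1": 40, "b2": 30, "b3": 30}
THRESHOLD = 50  # assumed split between high (">") and low ("<")

# Share of the maximum weight earned by each answer (from the criteria slides).
IMPACT_CRITERIA = {
    "a1": {"direct": 1, "indirect": 1 / 2, "none": 0},
    "a2": {"serious-high": 1, "serious-low": 1 / 2, "less-high": 1 / 2,
           "less-low": 1 / 3, "no-harm": 0},
    "a3": {"high": 1, "low": 1 / 2, "null": 0},
    "a4": {"high": 1, "low": 1 / 2},
    "a5": {"synergies": 1, "no-synergies": 0},
    "a6": {"never": 1, "limited": 1 / 2, "full": 0},
}


def impact_score(answers):
    """answers: factor -> list of answers, one per assessor; scores are averaged."""
    total = 0.0
    for factor, weight in IMPACT_WEIGHTS.items():
        given = answers[factor]
        unknown = [a for a in given if a not in IMPACT_CRITERIA[factor]]
        if not given or unknown:
            raise ValueError(f"{factor}: missing or unknown answers {unknown}")
        total += mean(weight * IMPACT_CRITERIA[factor][a] for a in given)
    return round(total, 1)


def coverage_fraction(coverage):
    """Map a risk-coverage percentage (None = no data) to a share of the weight."""
    if coverage is None:
        return 1 / 2  # no previous audit results
    if not 0 <= coverage <= 100:
        raise ValueError(f"coverage out of range: {coverage}")
    if coverage == 100:
        return 0
    if coverage >= 90:
        return 1 / 5
    if coverage >= 75:
        return 1 / 2
    if coverage >= 50:
        return 1 / 1.5
    return 1


def vulnerability_score(coverage):
    """coverage: b1/b2/b3 -> percentage of risk covered, or None if no data."""
    return round(sum(w * coverage_fraction(coverage[b])
                     for b, w in VULN_WEIGHTS.items()), 1)


def priority(impact, vulnerability):
    """1 = high impact & high vulnerability ... 4 = low impact & low vulnerability."""
    key = (impact > THRESHOLD, vulnerability > THRESHOLD)
    return {(True, True): 1, (True, False): 2,
            (False, True): 3, (False, False): 4}[key]


def rank(totals):
    """Group projects by priority quadrant, most urgent quadrant first."""
    groups = {}
    for project, (imp, vul) in totals.items():
        groups.setdefault(priority(imp, vul), []).append(project)
    return dict(sorted(groups.items()))


# Example totals shown on the slides: project -> (sum impact, sum vulnerability).
SLIDE_TOTALS = {1: (80, 40), 2: (85, 80), 3: (70, 35), 4: (60, 70), 5: (40, 60)}

# Constructed sample: four Deputy DGs answer a1-a4, auditors alone answer a5-a6.
SAMPLE_ANSWERS = {
    "a1": ["direct", "direct", "indirect", "direct"],
    "a2": ["serious-high", "serious-low", "serious-low", "serious-high"],
    "a3": ["high", "low", "high", "high"],
    "a4": ["high", "high", "low", "low"],
    "a5": ["synergies"],
    "a6": ["limited"],
}
SAMPLE_COVERAGE = {"b1": 80, "b2": 60, "b3": None}  # constructed

if __name__ == "__main__":
    print(impact_score(SAMPLE_ANSWERS), vulnerability_score(SAMPLE_COVERAGE))
    print(rank(SLIDE_TOTALS))
```

With the assumed threshold, the slide totals fall into quadrants as projects 2 and 4, then 1 and 3, then 5, which agrees at quadrant level with the ranking used in the example of final schedule.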

[Chart: the risk map repeated, audit projects 1 to 5 plotted by IMPACT and VULNERABILITY, both axes from 0 to 100]

WE UPDATE OUR RISK MAP ANNUALLY:

- Audit universe

- IMPACT assessment

- VULNERABILITY assessment: taking into account new audits and follow up results, as well as other available inputs (FVO reports, etc…)


THIRD STEP:

To estimate HUMAN RESOURCES AVAILABLE for auditing


3. To estimate HUMAN RESOURCES AVAILABLE for auditing:

A = NUMBER of available auditors
B = DURATION of multi-annual programme
C = AVAILABLE WORKING DAYS (auditor / year)

365 calendar days / year
- c1 Holidays, weekends, etc.
- c2 Training
- c3 Days off, average premium seniority, etc.

Σ C Available working days auditor / year

A x B x C = TOTAL AVAILABLE TIME FOR AUDITING

FOURTH STEP:

To estimate the NEEDS OF HUMAN RESOURCES


4. Human resources NEEDS:

4.1. We should estimate, for every single audit project, the TIME NEEDED:

xxx Time needed to study the regulation from which to set up audit criteria
xxx Time needed to study background: previous FVO reports…
xxx Time needed to study procedures… to gather information and documentation from auditee
xxx Time needed to carry out audit on each audit objective and criteria
xxx Time needed to write draft report
xxx Time needed to assess observations to draft report and discuss
xxx Time needed to write final report

Σ x 1 Time estimated for each audit project

The first time, it is a simple realistic estimate: QUITE SUBJECTIVE. But we have designed a system to RECORD the working days spent on each audit project, so over time we are able to calculate the AVERAGE time needed in each phase of each audit project: MORE OBJECTIVE SYSTEM

Σ x 1 + Σ x 2 + … = Σ x n

But before we make this estimate, we should define our PROGRAMME STRATEGY PROPOSAL

DEGREE OF COVERAGE: Number of audits to carry out

SCOPE: Aspects to be audited in each audit:
- Audit objectives
- Audit criteria:
  - Horizontal audit criteria
  - Vertical audit criteria - written in a comparable way - (to be developed in a second phase)

According to Regulation (EC) 882/2004, audits have as OBJECTIVES to assess whether:

- Activities and related results COMPLIED with planned arrangements and are implemented EFFECTIVELY
- Activities and related results are SUITABLE to achieve objectives

[Diagram: FRAMEWORK (Reg. (EC) 178/02, Reg. (EC) 882/04, Specific Regulation, MANPC) → CONTROL SYSTEM PLANNED → Control system implemented → OBJECTIVES / OUTCOME]

GAP 1 (suitability audit): Taking the framework as point of reference, we should identify GAPS between the framework and the control system planned.

GAP 2 (compliance & effectiveness audit (quality), 1st level): We should test whether the control system planned is real, effective and properly implemented.

Audit of effectiveness (performance audit), 2nd level: OBJECTIVES / OUTCOME

HOW: Through INDICATORS

4.1. So, we estimate OUR NEEDS FOR THE DIFFERENT PROJECTS keeping in mind the three objectives:

- SUITABILITY
- COMPLIANCE
- EFFECTIVENESS

But ONLY WITHIN THE SCOPE OF OUR AUDIT UNIVERSE, focusing on elements / areas / issues under the responsibility of our competent authority

4.1. Then the needs for the different projects are estimated

4.2. Also we have to estimate the time needed for carrying out the FOLLOW UP Σ x up

4.3. As well as taking into account the UNEXPECTED Σ x u :

- Deviation between estimations and reality
- Other projects not scheduled previously (unexpected)
- etc.

TOTAL TIME NEEDED = Σ x n + Σ x up + Σ x u

FIFTH STEP:

To balance AVAILABILITIES AND NEEDS


5. Balance between AVAILABILITIES AND NEEDS:

ALWAYS availabilities >= needs

WE ADAPT RESOURCES TO NEEDS (audit strategy)

or

WE ADAPT AUDIT STRATEGY TO RESOURCES

THIS IS UP TO THE AUDIT CLIENT

FINALLY, THE BEST STRATEGY WILL BE THE STRATEGY THAT LETS US BE:

- THE MOST EFFECTIVE, covering our risks areas as much as possible.

- THE MOST EFFICIENT with our available audit resources

- AND THAT LETS US GIVE AS MUCH ADDED VALUE AS POSSIBLE.


In any case:

OUR STRATEGY SHOULD AGREE WITH THE APPROACH OF Reg. (EC) 882/2004 AND DECISION 677/2006 and cover objectives of:

SUITABILITY, COMPLIANCE AND EFFECTIVENESS

In our case, and taking into account our available resources and risk analysis:

For HIGH-RISK PROJECTS, our audit strategy from 2007 has been to cover (ALL COMPONENTS OF COSO MODEL):

- horizontal requirements
- technical requirements

For LOW-RISK PROJECTS, our audit strategy from 2007 has been to cover (STRUCTURAL COMPONENTS):

- horizontal requirements (*)

(*) in our second audit cycle (2011-2015), if we can rely on our horizontal elements, we may focus on some vertical elements

WHY?

Because with this approach:

- For all our control systems, we focus on the STRUCTURAL ELEMENTS (horizontal requirements, Reg. (EC) 178/02 and Reg. (EC) 882/04), which are the basis of such systems and which allow us to rely on them.

- And additionally, for the risky areas, we focus on the SPECIFIC ELEMENTS of control systems (technical requirements), being able to give our client a more accurate view of their potential risks in these areas.

Example of final schedule

Columns: RANKING BY RISK | Needs | YEAR 1 | YEAR 2 | YEAR 3 | YEAR 4 | YEAR 5 | ∑

Project 2 (horizontal and vertical requirements): x1  x1  ...  ...  ...  ...  x1
Project 4 (horizontal and vertical requirements): x2  x2.1  x2.2  ...  ...  ...  x2
Project 3 (horizontal and vertical requirements): x3  x3.1  x3.2  x3
Project 1 (horizontal and vertical requirements): x4  ...  ...  x4
Project 5 (horizontal requirements): x5  ...  ...  x5.1  x5.2  ...  x5
...: ...  ...  ...  ...  ...  ...  ...
Project n (horizontal requirements): xn  ...  …  ...  ...  xn  xn
AUDITS: ∑ x n
FOLLOW UP: xfu  xfu  xfu  xfu  xfu  xfu  ∑ x fu
UNEXPECTED: xu  xu  xu  xu  xu  xu  ∑ x u

∑ TOTAL TIME NEEDS, eg: 590  588  593  591  594  2956

available working days auditor / year: C  C  C  C  C  C
x auditors number: A  A  A  A  A  A

∑ TOTAL AVAILABLE TIME, eg: 594  594  594  594  594  2970

NEVERTHELESS, TO DEFINE OUR AUDIT SCHEDULE we take into account, not only risk priorities, but also other elements such as:

- Respecting the IIA standard 1130. A1. “Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year”.

- The availability of an appropriate technical auditor profile.
- The availability of a specifically trained auditor on the subject to audit.
- The convenience of leaving 2-3 years between two audits of the same subject.
- Occasionally: balancing the audit pressure on different units.
- Others…

So the audit COVERAGE of our AUDIT PROGRAMME is…

AUDIT COVERAGE of our multi-annual audit programme for our competent authority

[Diagram: the five components of the COSO control system (CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, INFORMATION & COMMUNICATION SYSTEMS, MONITORING) with their HR and TR requirement groups, against the control programmes listed under RANKING BY RISK: Programme 7, Programme 3, Programme 2, Programme n, …, Progr. 1 (*), Progr. n-1]

HR = horizontal requirements (178/2002, 882/2004)
TR = technical requirements (specific regulation)

(*) cover 852/04

LAST STEP:

FINALLY THE BOARD OF DIRECTORS of our Ministry (*) decides on our audit programme.

(*) Minister, General Secretary and different Directors General

Barcelona, November 2011

Legal notice
This work is subject to a Creative Commons Attribution 3.0 licence. It allows the reproduction, distribution, public communication without any restriction providing that the author is always cited (Ministry of Agriculture, Livestock, Fisheries, Food and Natural Environment – Government of Catalonia - SPAIN). If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. The complete licence can be consulted at http://creativecommons.org/licenses/by-sa/3.0/