Food and Consumer Product Safety Authority

Ministry of Economic Affairs,Agriculture and Innovation

Rob de Heus

Chris Hagen

Internal Audit Department


Introduction

• Starting point
• Control versus audit
• Definition of risk
• Risk examples
• Risk analysis
• Sources of risk groups
• Risk assessment
• Turning wheels for a risk-based audit approach
• Discussion


Starting point

Our suggestion: split the document into

• risk-based planning of audits
• risk-based planning of controls

Because:
• Planning of controls is part of the first and second line of defence, while audit is part of the third line of defence;
• The manager is responsible for the planning of controls, the auditor for the planning of audits;
• Audits aim at the planned and implemented controls;
• It's just not the same!


Control versus audit (1)

First line: the first line of the control environment is the business operations, which perform the day-to-day risk management activity.

Second line: oversight functions in the organization, such as finance, HR and risk management, set direction, define policy and provide assurance.

Third line: internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and the oversight functions.


Control versus audit (2)

[Diagram: control sits in the first and second line; internal audit sits in the third line]


Definition of risk

In common parlance people use the term risk for:
• causes
• events
• uncertainties
• chances
• impact
• effects
• bottlenecks
• inadequate controls

Our suggestion:

A risk is a threat / hazard / event / uncertainty with an underlying cause, which causes an effect (or result). A risk is not the result or effect itself, because that approach gives no starting points for corrective action. We can only do something about the causes and the events; we can't control or turn back the effects!


Risks (example 1)

[Diagram: several causes lead, via weighing and chance, to an event / uncertainty, which has an impact on effects / results, continuity and objectives]

Can you think of controls to cope with these issues?
• Causes: yes
• Event / uncertainty: yes
• Effects / results: no


Risks (example 2): Climbing Mount Everest

[Diagram]
Causes: broken equipment; unsuitable clothing; bad weather; illness
(weighing, chance)
Event: an expedition member falls into the abyss
(impact)
Effects / results: the objective is in danger; there is food left; claims; publicity

Can you think of controls to cope with these issues?
• Causes: yes
• Event: yes
• Effects / results: no


Risk analysis

Risk analysis consists of:

• Event identification (what threats / hazards / events / uncertainties can we identify?)

• Risk assessment (probability × impact)

Our suggestion:

Risk analysis is crucial for an adequate risk-based audit plan. We can start the risk analysis with a closer look at all kinds of risk sources (next sheets). After identification, you can discuss the priority of each identified risk on the basis of impact and probability. This process of risk assessment shouldn't be formalized.


Sources of risk groups (1)

Environmental risks
risks from outside the organization: social developments; supervisors; legislation; natural disasters; political developments; suppliers; competition

Operational risks
risks in the management and control of the organization: lack of risk management; weak control environment; style of leadership; culture; structure of rewards

Process risks
risks at the process level: inefficient processes; insufficiently trained staff; insufficient availability of resources; insufficient quality of the product; surplus of resources/staff

Financial risks
risks within the business of a financial nature


Sources of risk groups (2)

Information risks
the risk that wrong decisions are taken, e.g. because of insufficient or untimely information (operational, financial or strategic): managers receive the information they need to steer too late; no progress information about projects; insufficient understanding of political developments to anticipate them; the information does not meet the information need; prioritization based on false information; insufficient understanding of customers' needs

IT risks (specific risks around IT systems)
data integrity; continuity (backup and recovery, physical security); privacy

Integrity risks
risks to the reputation of the organization: socially sensitive decisions; unlawful acts; fraud; unauthorized use; communication


Risk assessment

[Diagram: a probability × impact matrix, starting from the broad set of identified risks; the high-priority risks are the input for the audit plan]


Turning wheels for a risk-based audit plan

[Diagram: four turning wheels, each with two end points]
• Year 1 ... Year 5
• Once ... Each year
• Broad ... Narrow
• Superficial ... Thorough

Our suggestion:

After identifying the events and assessing the risks, we can plan the audits on the basis of these four dimensions (turning wheels).


DISCUSSION!