Food and Consumer Product Safety Authority
Ministry of Economic Affairs, Agriculture and Innovation
Rob de Heus
Chris Hagen
Internal Audit Department
Introduction
• Starting point
• Control versus audit
• Definition of risk
• Risks examples
• Risk analysis
• Sources of risk groups
• Risk assessment
• Turning wheels for a risk-based audit approach
• Discussion
Starting point
Our suggestion: split up the document into
• risk-based planning of audits
• risk-based planning of controls
Because:
• Planning of controls is part of the first and second line of defense, while audit is part of the third line of defense;
• The manager is responsible for planning of controls, the auditor for planning of audits;
• Audits aim at the planned and implemented controls.
• It’s just not the same!
Control versus audit (1)
First line: the first line of the control environment is the business operations, which perform day-to-day risk management activity.
Second line: oversight functions in the company, such as finance, HR and risk management, set directions, define policy and provide assurance.
Third line: internal and external audit are the third line of defence, offering independent challenge to the levels of assurance provided by business operations and oversight functions.
Definition of risk
In common parlance people use the term risk for:
• Causes
• Events
• Uncertainties
• Chances
• Impact
• Effects
• Bottlenecks
• Inadequate Controls
Our suggestion:
A risk is a threat / hazard / event / uncertainty with an underlying cause which causes an effect (or result). A risk is not the result or effect itself, because this approach does not give starting points for corrective actions. We can only do something about the causes and the events, but we can’t control or turn back the effects!
Risks (example 1)
[Diagram: cause, cause, cause, cause; event / uncertainty; effects / results / continuity / objectives. Labels: impact, change, weighing.]
Can you think of controls to cope with these issues? Yes / Yes / No
Risks (example 2): Climbing the Mount Everest
[Diagram: broken material, bad dress, bad weather, illness; expedition member falls into the abyss; objective is in danger, there is food left, claims, publicity. Labels: impact, change, weighing.]
Can you think of controls to cope with these issues? Yes / Yes / No
Risk analysis
Risk analysis consists of:
• Event identification (what threats / hazards / events / uncertainties can we identify?)
• Risk assessment (probability × impact)
Our suggestion:
Risk analysis is crucial for an adequate risk-based audit plan. We can start the RA with a closer look at all kinds of risk sources (next sheets). After identification you can discuss the priority of each of the identified risks on the basis of impact and probability. This process of risk assessment shouldn’t be formalized.
Sources of risk groups (1)
Environmental Risks
risks outside the organization; social developments; supervisors; legislation; natural disasters; political developments; suppliers; competition
Operational Risks
risks in the management and control of the organization; lack of risk management; weak control environment; style of leadership; culture; structure of rewards
Process Risks
risks at the process level; inefficient process; insufficiently trained staff; insufficient availability of resources; insufficient quality of the product; surplus of resources/staff
Financial Risks
risks within the business with a financial nature
Sources of risk groups (2)
Information Risks
the risk that wrong decisions are taken, e.g. because of insufficient or untimely information (it may concern operational, financial or strategic information); managers receive the information needed to steer too late; no progress information about projects; insufficient understanding of political developments to anticipate them; information does not meet the information need; prioritization based on false information; insufficient understanding of customers' needs
IT Risks (including specific risks around IT systems)
data integrity; continuity (backup recovery, physical security); privacy
Integrity
subject risks to the reputation of the organization; socially sensitive decisions; unlawful acts; fraud; unauthorized use; communication
Turning wheels for a risk-based audit plan
• Year 1 - Year 5
• Once - Each year
• Broad - Narrow
• Superficial - Thorough
Our suggestion:
After identifying events and assessing the risks, we can plan the audits on the basis of 4 dimensions (turning wheels).