Internal Audit Indonesia's

July 14, 2010

Risk Assessment Audit Work Program

Filed under: Articles about Internal Audit — internalauditindonesia @ 9:08 am

Audit Objectives

The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the risk assessment component of the COSO framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.

Risks addressed in this audit work program include:

  • Management does not have a business planning process in place that examines existing objectives and establishes new objectives when necessary.
  • Management has not established business plans and budgets with realistic goals, and incentives for achievement of plans are not balanced.
  • Objectives are not communicated at the appropriate levels and are not understood and adopted by the responsible parties.
  • Management has not established a process to periodically review and update entity-wide strategic plans and objectives.
  • Activity-level objectives are not linked with entity-wide objectives and strategic plans.
  • Activity-level objectives are not consistent with each other (e.g., objectives for the sales organization are not consistent with the manufacturing organization).
  • Management does not identify risks related to each of the established objectives.
  • Management does not have mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services.
  • Management does not identify financial reporting risks that result from operations or compliance with laws and regulations.
  • Management does not identify fraud risk factors, including management override of controls.
  • Management does not estimate the significance of the risks identified, assess the likelihood of the risks occurring, and determine the need for action.
  • Risks are not evaluated as part of the business planning process.
  • Senior management does not develop plans to mitigate significant identified risks.
  • The responsibilities and expectations for the entity’s business activities and the entity’s philosophy about identification and acceptance of business risk are not clearly communicated to the executives in charge of separate functions.
  • Risks are not reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee and legal).
  • The business planning process does not include a broad spectrum of personnel with collective knowledge of all areas of the entity.
  • The business planning process does not include consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers.
  • Changes in risks are not identified in a timely manner.
  • Changes are not appropriately communicated to the proper level of management (depending on the significance).
  • Management has not identified the resources needed to achieve the objectives and does not have plans to acquire the necessary resources.
  • Budgets and forecasts are not updated throughout the year to reflect changing conditions.

Project Work Step

I. Audit Procedures
A. Strategic Plan
1. Obtain a copy of the five-year rolling strategic plan for (insert year) and (insert year).
2. Through inspection, verify that the strategic plan was updated for (insert year).
B. Individual Bonuses
1. Inquire with the VP-HR as to the process for determining bonus payouts.
2. Obtain documentation (policies, guidelines) related to the Incentive Compensation Plan that is in place.
C. Employee Goals
1. Inquire with the VP of HR concerning the process employees follow to determine Critical Success Factors (CSFs).
2. Obtain documentation (i.e. policies, guidelines, or communications from HR) regarding the CSF process.
D. Strategy
1. Obtain agendas, meeting minutes, documentation and plans resulting from the (insert year) offsite strategy meeting.
2. Verify that the attendees of the meeting included the top X individuals of the company.
3. Through inspection, verify that the company’s performance in relation to the strategic plan as well as strategic developments and their related benefits and risks were discussed.
D. Budget and Forecast
1. Generate a random sample of two months from the period selected for testing, (insert date) to (insert date).
2. Obtain copies of the X Report verifying it was completed for the months selected for testing.
3. Inquire with Finance personnel to verify that senior and executive management review the monthly X Report.
E. Scope
1. Obtain documentation related to the financial statement risk analysis.
F. Fraud Risk Assessment
1. Through inquiry, determine how the fraud risk assessment is performed.
2. Obtain a copy of the fraud risk assessment meeting minutes and supporting documentation.
3. Verify potential fraud scenarios and mitigating controls were discussed.
G. Mitigation of Financial Reporting Risk
1. Obtain copies of the company’s SOX documentation.
2. Through inspection, verify that plans to mitigate risks in Financial Reporting are included in the SOX documentation.
H. Disclosure
1. Generate a random sample of two quarters from the period selected for testing.
2. Obtain a copy of the Disclosure Committee member’s certification of the Quarterly Report.
3. Through inspection, verify that the Disclosure Committee performed a review of controls and information to determine disclosure requirements as evidenced via signed certification.
I. Organizational Structure
1. Obtain the Company’s documentation concerning the X System.
2. Obtain evidence that the roles within the company have been assigned complexity levels in order to determine the appropriate organizational structure.
J. Five Year Plan
1. Obtain a copy of the five-year rolling strategic plan for (insert year) and (insert year).
2. Through inspection, verify that the strategic plan was updated for (insert year).
II. Reporting Procedures
A. Compile results from this process review into a report for management to review.
B. Schedule a meeting with management and appropriate process owners to discuss results.
C. Receive sign-off from management on the report results and document action steps to address process deficiencies.
