Domain 1 Assurance Engagements - Risk & Control Assessments Flashcards
What are assurance engagements?
Objective examinations of evidence for the purpose of providing an independent assessment of governance, risk management and control processes for the organisation.
Internal auditors provide reasonable assurance that organisational goals are being accomplished.
These engagements are bounded work with a predefined audit scope that is fixed.
Is the internal auditor's role different between an assurance engagement and a consulting engagement?
Yes, because the two types of engagement have different objectives and outcomes.
Best audit practice is not to assign the same auditor to perform both an assurance engagement and a consulting engagement.
Assurance engagements can include 15 topics
- Risk and control assessment
- Third party audits
- Related party audits
- Construction audits
- Security audits
- Privacy audits
- Performance audits
- KPI reviews
- Balanced scorecard reviews
- Contract audits
- Financial audits
- Operational audits
- IT audits
- Compliance audits
- Quality audits
What is a major responsibility of the board, senior management and internal auditors?
Assessing risks and controls
Risk & Control Assessment is made up of which categories?
Audit Objective
Audit Program
Tools to conduct risk and control assessments
Audit Objective of risk and control assessment
Determine whether an organisation's risk assessment system allows the board and senior management to plan for and respond to existing risks and emerging risks.
Audit Program
1) Determine whether the board and senior management involve outside risk consultants and internal control experts
2) Determine whether the board and senior management discuss and evaluate risks and consider control issues during the pre-planning stages of introducing new products and services
3) Determine the adequacy of the de-risking approaches taken
4) Determine whether a chief risk officer and staff compute VAR for each type of risk, for each business division and for the entire business organisation
Value at risk (VAR)
Is the estimate of the maximum amount of loss that can occur in a given time period and at a given confidence level (95%).
Needs to be established for each risk type or risk category that is documented in risk descriptions and risk discussions.
Amount of VAR is the amount of risk capital needed to withstand a particular loss.
Monte Carlo method can be used to compute the VAR amount.
Risk appetite is directly related to VAR, meaning that the higher the risk appetite level, the larger the amount of VAR, implying more value is at risk.
E.g. 95% confident that our organisation will have to incur a $500k loss in the next year.
Back testing
Can help in comparing and reconciling the estimated VAR to the actual VAR to make future estimates better.
Tools to conduct risk and control assessments
1) Risk Matrix
2) Risk Maps
3) Risk & Control map
4) Risk & Control matrix
5) Risk & Control Testing
Risk Matrix
Is a tool for ranking and displaying risks with their maximum and minimum values for consequences (impacts) and likelihoods (probabilities)
A matrix expresses the same thing as the level of risk
Risk matrix = consequences (impacts) x Likelihoods (probabilities)