
Internal Audit

Mini How To
Twinning Contract MT 2003 / IB / AG/ 01/TL
3 August 2004
STE Benini

General AUDIT process in Paying Agencies

Process Mapping → Risk Mapping → Risk Evaluation → Definition of the PA's Risk Portfolio

Audit planning

Negotiate with management the risk level accepted

Audit Executions → Audit Reports → Audit Summaries

Negotiate Risk Level Expectations with the PA's Management

- Assess the maximum risk level that it is objective to propose as acceptable.
- In the case of a PA, this will probably be a risk level compatible with preserving the PA's accreditation by the EU.
- The risk level compatible with maintaining accreditation can be found in the ten EU guidelines on the elements necessary for the accreditation process to be successfully performed.
- The Internal Audit Manager (IAM) is responsible for the negotiation with the PA's management.
- The IAM has to arrange meetings with the PA's management.
- The IAM's target is to define a written paper, professionally known as the mandate.

IAM's Mandate
The IAM's task is to find a common area between three different needs:

- the maximum risk level acceptable;
- the Internal Audit Service's skills and resources;
- management's risk expectations.

The Internal Audit Manager should behave as follows:

- obtain a mandate located in the central overlap of the three needs listed above;
- obtain a mandate which is realistic, considering the skills and the resources (goods and personnel) of the Internal Audit Service (IAS);
- match, if possible, the risk level expectations of the PA's management;
- match, at any cost, the maximum risk level acceptable for the PA;
- if that last target proves too difficult to achieve, the IAM should ask the PA's management to acquire the necessary resources, or decline the responsibility.

Control Risk Self Assessment (CRSA) process

Why a CRSA? CRSA is the latest fashion in Internal Auditing: it is fast, effective and reasonably easy to do, and it offers some advantages over the traditional approaches.

Is CRSA the best way to do it? It depends on the level of detail you have to reach in your risk mapping.

How can I perform a good CRSA? You have to be very methodical and use standard forms for your findings. Use Excel sheets, avoid Word. I suggest building a risk database, starting from the Excel sheets.

How many times do I need to update my CRSA in the five years of the planning? Generally it will be sufficient to do it yearly.

CRSA structure:

1. Familiarization with the audited structure
2. Identification and description of processes
3. Building the Excel sheets to be filled in
4. Conducting the interviews
5. Summarizing and reporting your conclusions

Familiarization

- Go and find manuals, procedures and supplementary papers.
- Conduct pre-mapping interviews.
- Find and study every relevant rule which governs the process.
- Get the organization charts.
- Try to figure some workflows out.
- Cross-verify two or more manuals, procedures and supplementary papers.
- Make preparatory summaries of your findings.
- Design a Processes Map.
- After you have done all this, look for confirmation of your doubts from competent people inside the audited structure.

What should I be looking for to describe a process?

- Who is responsible for the process?
- Where does it start? Where does it end?
- How many steps does the process have?
- What are the relations between this process and other relevant processes?
- Which type of process is this (Main Horizontal Process, Vertical Process, Support Process)?
- How should I design the form for the process description?

Example of Processes Map

Maltese Paying System Processes Map (labels recovered from the diagram)

Vertical schemes (Authorization Function, various delegated bodies):
- Distribution of Withdrawal Aid of Operative Programmes in the Fisheries Sector
- Distribution of Carry Over Aid in the Fisheries Sector
- Production and Marketing of Honey
- Processed Products from Fruit and Vegetables
- Area-Related Rural Development Measures: Less-Favoured Area
- Rural Development Measures
- Area-Related Rural Development Measures: Agri-Environment
- Alimentary Aid for the Poor
- Bovine and Ovine Aid Schemes (partially area related)
- Market Arrangements in the Sector of Fresh Fruits and Vegetable Products

Each vertical scheme has a Technical Service, performed by a separate unit inside every authorization unit.

Horizontal and support processes (the diagram's exact placement is not recoverable):
- Protocol and Folder Managing
- Execution of payments (Paying Agency)
- Accounting to EU (Paying Agency)
- Management of Guarantees, Debtors and Sanctions (some parts / other parts, shown in two places on the map)
- IACS (IACS office at MRAE), delegated body
- IT department: IT manager (MITTS), delegated body
- Internal Audit (IT Auditor)
- Support Processes

What is a risk?

- Risk is anything that can prevent you from doing something you have to do.
- Risk can be actions, inactions, actions performed not so well, or actions based on misunderstanding.
- Risk can be an unwanted heritage of your predecessors in this office.
- Risk can be a consequence of somebody's action outside the office (external risk).
- If you have a risk you have to put a control on it.
- The IAS has to map processes, then map risks onto processes, then assess whether the process owner knows his risks and how he deals with them.

What is a control?

- Something that can prevent a risk from doing its job on your work.
- Something that you can afford to put in place.
- Something effective and efficient.
- Something that should be multipurpose (if one control covers more than one risk, so much the better).
- Something that isn't redundant.
- Something reliable.
- Something that can be preventive, subsequent or concurrent (acting before, after or during the process).

Example of form for mapping

Summarizing and planning

- After you have done your job you will have to classify and count your risks.
- Find your way to classify your risks (high, medium, low; or level 3, 2, 1 risks; etc.).
- Count the risks for every process and compute the average between them.
- Obtain the risk level for each process.
- Summarize your results with graphs and a formal paper.

[Chart: number of 1st level, 2nd level and 3rd level risks (scale 0 to 25) for Process 1, Process 2 and Process 3]

How can I measure the weight of my risks?

RISK WEIGHT = PROBABILITY + IMPACT, read from the risk measurement matrix below (l = low (1), m = medium (2), h = high (3)):

                            IMPACT OF RISK
PROBABILITY OF RISKS        l(1)    m(2)    h(3)
h(3)                        m(2)    h(3)    h(3)
m(2)                        l(1)    m(2)    h(3)
l(1)                        l(1)    l(1)    m(2)

Worked cells (P = probability, I = impact, W = risk weight):

P   1   1   2   2   3   1   2   3   3
I   1   2   2   1   1   3   3   2   3
W   1   1   2   1   2   2   3   3   3
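The matrix applied to a small risk register, as an added Python example that is not part of the slides: the matrix cells are copied from the slide, the register entries are constructed, and rounding a process's mean weight to the nearest level to obtain its risk level is an assumption (the slides only say to average the risks of each process). It also makes visible that the weight is a matrix lookup, not the arithmetic sum of probability and impact.

```python
# Added example, not from the slides: applies the slide's risk measurement
# matrix to a constructed risk register and summarises the result per process.
from collections import Counter
from statistics import mean

LOW, MEDIUM, HIGH = 1, 2, 3  # l(1), m(2), h(3) as on the slide

# RISK_MATRIX[probability][impact] -> weight, copied from the slide. It is a
# lookup, not an arithmetic sum: (P=3, I=1) gives 2 while (P=1, I=2) gives 1.
RISK_MATRIX = {
    HIGH:   {LOW: MEDIUM, MEDIUM: HIGH,   HIGH: HIGH},
    MEDIUM: {LOW: LOW,    MEDIUM: MEDIUM, HIGH: HIGH},
    LOW:    {LOW: LOW,    MEDIUM: LOW,    HIGH: MEDIUM},
}


def risk_weight(probability: int, impact: int) -> int:
    """Weight (1, 2 or 3) of one risk; rejects values outside the l/m/h scale."""
    if probability not in RISK_MATRIX or impact not in RISK_MATRIX:
        raise ValueError("probability and impact must be 1 (l), 2 (m) or 3 (h)")
    return RISK_MATRIX[probability][impact]


def summarize(register):
    """Per process: counts of 1st/2nd/3rd level risks, mean weight and level.

    Rounding the mean weight to the nearest level is an assumption; the slides
    only say to average each process's risks.
    """
    weights_by_process = {}
    for process, _description, probability, impact in register:
        weights_by_process.setdefault(process, []).append(
            risk_weight(probability, impact))
    summary = {}
    for process, weights in weights_by_process.items():
        counts = Counter(weights)
        avg = mean(weights)
        summary[process] = {
            "counts": {lvl: counts.get(lvl, 0) for lvl in (LOW, MEDIUM, HIGH)},
            "mean": round(avg, 2),
            "level": min(HIGH, max(LOW, round(avg))),  # nearest level
        }
    return summary


# Constructed sample register: (process, risk, probability, impact).
SAMPLE_REGISTER = [
    ("Execution of payments", "duplicate payment", MEDIUM, HIGH),
    ("Execution of payments", "late payment", HIGH, LOW),
    ("Execution of payments", "wrong bank account", LOW, HIGH),
    ("Protocol and Folder Managing", "misfiled claim", HIGH, MEDIUM),
    ("Protocol and Folder Managing", "missing date stamp", LOW, MEDIUM),
]
```

Calling `summarize(SAMPLE_REGISTER)` gives, per process, the level counts that feed the bar chart and the averaged level used in the formal paper.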
