Performance Audits and Risk Assessments
The Institute of Internal Auditors, Beach Cities Chapter
Presented By: Jim Godsey, Partner; Mark Cousineau, Senior Manager
March 19, 2015
Agenda
• Introductions and Overview
• What is a Performance Audit
• Four Phase Approach
• Risk Assessment
• Fraud Overview
Purpose of Performance Audits
• Program Results
• Need for Improved Performance
  – Reduced Resources
  – Increased Service Demands
  – Diminished Reserves
Four-Phase Process
• Startup / Management
• Fact Finding
• Analysis
• Reporting
Start-up and Management
• Identify key issues
• Finalize audit plan
• Develop interview list
• Request documents
• Define progress reporting and deliverables
Fact Finding – Document Review
• Gain breadth and depth of coverage
• Ensure confidential conversations
• Utilize standard questions and let discussions evolve naturally
• Build rapport with the interviewees
Fact Finding – Interviews
• Review historical performance and policy and political environment to understand how organization got to where it is today
• Document recent changes and impact on delivery
• Define service delivery requirements
• Identify relevant best practices and industry trends
Fact Finding – Walkthroughs
• Understanding the processes
• Document information flow
• Identify internal controls
• Identify relevant regulations, policies, and procedures
• Conduct sampling and testing
• Look for opportunities to streamline
Fact Finding – Surveys
• Confidential
• Online
• Broad participation
• Low cost
• Easy to administer
Analysis
• Assess economy, efficiency, and effectiveness
• Compare to best practices
• Perform gap analysis
• Identify alternatives
• Define costs and benefits
• Prepare findings and recommendations
Reporting
• Prepare draft report
• Prepare final report
• Develop implementation plan
• Incorporate management response
• Present to leadership and stakeholders
Risk Assessment Process
Risk Assessment – Internal Control
• What is an Internal Control?
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
• Operations
• Reporting
• Compliance”
Source: COSO Internal Control Framework
Risk Assessment – Optimal Risk Taking
[Figure: Expected Enterprise Value against Risk Level, with three regions: Insufficient Risk-Taking, Optimal Risk-Taking (“Sweet Spot”), and Excessive Risk-Taking.]
Source: COSO Risk Assessment in Practice
Risk Assessment Overview
• What is a Risk Assessment?
  – Understanding the risk associated with a process and the impact the risk would have on the organization from an operational, financial, and strategic perspective if the risk would be realized
• Risk Assessment vs. Compliance Audits?
• Why do a Risk Assessment?
  – Identify the “Sweet Spot”
  – Internal Audit plan based on risk
  – Limited personnel
  – Assistance with prioritization
  – Goes beyond compliance
  – Eliminates redundancy
Risk Assessment Overview
• Types of Risk Assessment:
  – Entity Wide
  – Departmental
  – Procedural
  – Regulatory Specific
Risk Assessment Framework
[Diagram: risk assessment framework. Labels: Business Risks (Inherent Risks); COSO Control Risks; Audit Universe; Customized Checklists & Definitions of Risk Ratings; Develop Risk Ratings; Perform Risk Assessment; Assess Risk; Internal Audit Plan Based on Risk; Revisit Annually / Major Change.]
Risk Assessment Heat Map
[Figure: heat map comparing two departments/processes, Human Resources and Procurement. Inherent risk categories rated L/M/H: Public Reputation, Financial, Operational, Legal/Regulatory, Strategic, Technology/Systems, People/Culture, Fraud. Inherent Risk Ratings shown: 75 and 88. COSO control components rated S/M/W: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. COSO Control Ratings shown: 58 and 96.]
Fraud Overview
Fraud Overview
• Internal controls are only as good as the personnel performing the activities.
[Chart: categories Never, Would if they could, Looking, Stealing; values shown 1%, 25%, 25%, 49%.]
Source: ACFE
Fraud Overview
• 2014 ACFE Report To The Nations
  – Organizations lose approximately 5% of revenue due to fraud
    • Asset Misappropriation – 85.4% with median loss of $130,000
    • Corruption – 36.8% with median loss of $200,000
    • Financial Statements – 9.0% with median of $1 million
  – Fraud duration 18 months
  – Men (66.8%) vs. Women (33.2%)
  – 40% of cases were detected via Tip/Hotline
Questions?
Jim Godsey, Partner
777 S. Figueroa Street, Ste 2500, Los Angeles, CA 90017
P: 213.408.8666
E: jgodsey@mgocpa.com
Mark Cousineau, Senior Manager
777 S. Figueroa Street, Ste 2500, Los Angeles, CA 90017
P: 213.408.8674
E: mcousineau@mgocpa.com