Audit risks

Anonim

Risk analysis is a very important tool for the auditor's work and for the quality of the service, since it involves diagnosing risks to establish whether or not they may materialize.

In this article we present elements that shed light on the previous statement and on the essential link between risk studies and the Audit service.

Introduction

The profound changes taking place today, their complexity and the speed with which they occur are the roots of the uncertainty and risk that organizations confront. Mergers, global competition and technological advances, deregulation and new regulations, increased demand from consumers and residents, the social and environmental responsibility of organizations, and transparency generate an operational environment that is riskier and more complicated every day. New challenges also emerge as a result of the problems that arise in organizations that operate outside the law or ethical conduct.

Risk management in a broad framework implies that the strategies, processes, people, technology and knowledge are aligned to handle all the uncertainty that an organization faces.

On the other hand, risks and opportunities always go hand in hand, and the key is to weigh the potential benefits of the opportunities against the risks.

Risks

It is important for every organization to have a tool that guarantees the correct evaluation of the risks to which the processes and activities of an entity are subject, and that allows their performance to be evaluated through control procedures.

If we consider that the Audit is "a systematic process, practiced by auditors in accordance with established technical standards and procedures, consisting of objectively obtaining and evaluating the evidence on the statements contained in legal acts or events of a technical, economic, administrative or other nature, in order to determine the degree of correspondence between these statements, the legal provisions in force and the established criteria", then it is the function in charge of the independent evaluation of an organization's activities. Consequently, the Audit must function as an activity designed to add value and improve the operations of an organization, as well as contribute to the fulfillment of its objectives and goals, providing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and direction processes.

The Audit services comprise the objective evaluation of the evidence, carried out by the auditors, to provide an independent conclusion that allows qualifying the compliance with the policies, regulations, standards (including international auditing standards), legal provisions or other legal requirements; regarding a system, process, sub-process, activity, task or other matter of the organization to which they belong.

Unlike some authors, who define the execution of audits in stages, we believe that it is an activity dedicated to providing services that consistently adds value, depending on the efficiency and effectiveness with which the different tasks and activities are carried out. These must be fulfilled systematically in a value chain that has to be built up gradually through sub-processes that identify the logical continuity of the process, to finally provide the expected quality of service.

Given the need in the business environment for this type of tool, and taking into account that one of the main causes of problems within the sub-processes is the inadequate forecasting of risks, it is necessary to study the risks that may appear in each Audit sub-process; this will serve as support to prevent their inadequate performance.

In this regard, it is necessary to take into account the following:

  • The evaluation of the risks inherent in the different Audit sub-processes
  • The evaluation of the threats or causes of the risks
  • The controls used to minimize the threats or risks
  • The evaluation of the elements of the risk analysis

Risk and risk concepts are generally discussed in the context of the evolution of Internal Control Systems, in which three types of risk are assumed:

Control Risk: The risk that exists because of a lack of control over the activities of the company and that can generate deficiencies in the Internal Control System.

Detection Risk: The risk assumed by the auditors who, in their review, do not detect deficiencies in the Internal Control System.

Inherent Risk: The risks that are inherent to the characteristics of the Internal Control System.

However, risks are present in any system or process that is executed, whether in production or service processes or in financial and market operations. For this reason we can affirm that the Audit is not exempt from this concept.

In each sub-process, as the stages of the Audit are also called, the auditor has to carry out tasks or verifications, and assumes the risk that these are not carried out in the proper way. Of course, these risks cannot be defined in the same way as the risks that are defined for internal control.

The auditor's criterion in relation to the extent and intensity of the tests, both compliance and substantive, is associated with the risk that significant errors or deviations remain undetected in the company's accounting and may not be detected by the auditor in their sampling tests. Risk tends to be minimized when the effectiveness of the audit procedures applied increases.

The purpose of an audit of the Financial Statements is not to discover fraud. However, there is always the possibility of obtaining erroneous figures as a result of an action in bad faith, since there may be operations planned to conceal a criminal act. Among a great diversity of situations, it is possible to mention the following:

  • Deliberate omission of transaction records
  • Falsification of records and documents
  • Giving the auditor false information

Below are some situations that may indicate the existence of errors or irregularities.

a) When the auditor has doubts about the integrity of the company's officials. If the mistrust relates only to the competence and not to the honesty of the company's executives, the auditor should bear in mind that risk situations could arise due to errors or irregularities in the administration.

b) When the auditor detects that key positions such as cashier, accountant, administrator or manager have a high percentage of turnover, there is the possibility that administrative procedures, including accounting procedures, may present flaws that may lead to errors or irregularities.

c) Disorder in an entity's accounting department involves late reporting, inadequate transaction records, incomplete files, unreconciled accounts, etc. This situation, as is easy to understand, leads to errors, perhaps made in good faith, or even to fraudulent acts. Management has the obligation to establish and maintain administrative procedures that allow adequate control of operations.

Within the audits, the data preparation or processing function must be verified, where the following aspects must be checked, among others:

  • existence of a method to ensure that the data received for evaluation are complete, accurate and authorized;
  • use of standardized procedures for all operations, and examination of them to ensure that such procedures are followed;
  • existence of a method to ensure prompt detection of errors and of improper operation of the computer system;
  • existence of standardized procedures to prevent or warn of accidental errors caused by operator failures or by malfunction of machines and programs.

Risk Control Systems

We could base the Risk Control structure on two pillars: the Common Management Systems and the Internal Audit Services, whose definitions, objectives, characteristics and functions are set out below.

Common Management Systems

Definition

The Common Management Systems develop the internal standards and their method for the valuation and control of risks and represent a common culture in business management, sharing accumulated knowledge and setting criteria and guidelines for action.

Goals

1. Identify possible risks which, although they are associated with any business, the organization should be aware of and try to mitigate.

2. Optimize daily management, applying procedures aimed at financial efficiency, cost reduction, homogenization and compatibility of information and management systems.

3. Encourage synergy and value creation of the different business groups working in a collaborative environment.

4. Reinforce the corporate identity, with all the Managements respecting their shared values.

5. Achieve growth through strategic development that seeks innovation and new options in the medium and long term.

The Systems cover the entire organization on three levels:

a) all Business Units and areas of activity;

b) all levels of responsibility;

c) all types of operations.

Risk management

Audit Services

Internal auditors must participate, together with the other areas of the organization, in continuous improvement processes related to:

  • the identification of the relevant risks, both external and internal and specific to the organization, based on the definition of the organization's key domains or points;
  • the estimation of the frequency with which the identified risks occur, as well as the assessment of the probable loss they may cause; and
  • the determination of the most suitable specific control objectives, duly articulated with the global and sectoral objectives set forth in the entity's mission.

Internal auditors must evaluate the quantity and quality of risk exposures related to the administration, custody and protection of the organization's available resources, operations and information systems, taking into account the need to guarantee the following objectives at a reasonable level:

  • reliability and integrity of financial and operational information;
  • effectiveness and efficiency of operations;
  • control of resources of all kinds available to the entity; and
  • compliance with laws, regulations, policies, and contracts.

Consulting services

During Consulting engagements, internal auditors must consider the risk compatible with the engagement objectives and be alert to the existence of other significant risks.

Internal auditors must incorporate the knowledge of risk obtained from Consulting work in the processes of identification, analysis and evaluation of significant risk exposures in the organization.

Risks inherent in the automated information systems environment

Risks can come from:

  • deficiencies in general activities of the automated information system;
  • development and maintenance of programs;
  • technological support of systems software;
  • operations;
  • physical security; and
  • control over access to programs.

Risks can increase the potential for errors or irregularities in specific applications, in databases, in master files, or in specific processing activities.

The nature of the risks and the characteristics of the Internal Control integrated into the automated information system include the following:

  • Lack of trace of transactions. Some automated information systems are designed so that a complete transaction trace that could be useful for Internal Audit purposes exists only for a short period of time or only in computer-readable form. A complex application system includes a large number of procedures that may not leave a complete trace; therefore, errors in the logic of an application program can be difficult to detect in a timely manner by manual procedures.
  • Lack of segregation of duties. Some control procedures that are normally performed individually by personnel in manual systems can be concentrated in an automated information system. It should be taken into account that the same worker should not have access to automated programs, information processing and data obtained through the computer, because these functions are incompatible when performed simultaneously.

Internal audit

Definition

The Internal Audit function is structured around the Joint Audit Services, which comprise the audit teams of the Business Units and Corporate Services, which act in a coordinated manner, reporting to the Audit Committee.

General objectives

1. Prevent the audit risks of the Managements, Projects and Activities of the group, such as fraud, loss of assets, operational inefficiencies and, in general, risks that may affect the good performance of business.

2. Control the application and promote the development of adequate and efficient management standards and procedures, in accordance with the Common Corporate Management Systems.

3. Create value, promoting the construction of synergies and the monitoring of best management practices.

4. Coordinate the criteria and approaches of the work with the external auditors, seeking the greatest efficiency and profitability of both functions.

Specific objectives

  • Evaluate Audit Risk, in accordance with an objective procedure.
  • Define types of standard Audit and Internal Control work in order to develop the corresponding Work Plans with the appropriate scope for each situation. This typology is linked to the Audit Risk Assessment, determines the Work Plans to be used and implies a type of appropriate Recommendations and Reports, and therefore must be used explicitly in said documents.
  • Guide and coordinate the planning process of the audit and internal control work of the Managements and Business Units, define a procedure for notification of said work and communication with the affected parties, and establish a coding system for the work for proper control and monitoring.
  • Define the process of communicating the results of each audit work, the people it affects and the format of the documents in which it is materialized.
  • Review the application of the plans, the adequate performance and supervision of the work, the timely distribution of the results and the follow-up of the recommendations and their corresponding implementation.

Risk and Relative Importance.

  • The expected assessments of inherent and control risks and the identification of significant audit areas
  • The establishment of materiality levels for audit purposes
  • The possibility of misstatements or fraud
  • The identification of complex accounting areas, including those that involve accounting estimates

Work program

The auditor shall develop and document a work program that outlines the nature, timing, and scope of the planned audit procedures that are required to implement the overall audit plan. The work program serves as a set of instructions to assistants involved in the audit and as a means of monitoring and recording the proper execution of the work.

In preparing the work program, the auditor should consider the specific assessments of inherent and control risks and the required level of assurance that the substantive procedures will need to provide. It should also consider the times for tests of controls and substantive procedures, the coordination of any assistance expected from the entity, the availability of assistants and the inclusion of other auditors or experts.

The auditor should consider the materiality and risk relationships of the engagement when planning and developing an audit service to reduce the risk of expressing an inappropriate conclusion. The relative importance is judged, taking into account both quantitative and qualitative factors, in relation to the reasonable prospect of a matter modifying or influencing the decisions of the user to whom the auditor's report is directed. The auditor needs to understand and assess what factors can influence the decisions of the user to whom the report is directed. This is a matter of professional judgment in the specific circumstances of the audit work ordered.

Definition of Risk concepts associated with the Audit

The risk of the ordered work is the risk that the auditor will express an inappropriate conclusion. The auditor therefore plans and performs the work in a way that reduces the risk of expressing an inappropriate conclusion to an acceptable level. In general, these risks can be represented by the components explained above and associated with the audit:

a) Inherent risk - the risks associated with the nature of the issue;

b) Control risk - the risk that controls on the subject do not exist or operate ineffectively; and,

c) Detection risk - the risk that the auditor's procedures do not detect the important aspects that may affect the subject.

1. Obtaining and Evaluating Evidence.

The auditor should obtain sufficient and appropriate evidence in the audit to be able to draw reasonable conclusions on which to base his report.

Evidence in the audit: Means the information obtained by the auditor to reach the conclusions on which his report is based. The evidence in the audit will include source documents and accounting records, corroborative information from other sources, procedures on the management of areas or divisions, and management indicators. Evidence in the audit is obtained from an appropriate mix of tests of control, substantive procedures, analysis of projections and analysis of key indicators of success.

Control tests: Means tests performed to obtain evidence in the audit on the adequacy of the design and effective operation of the accounting and internal control systems; the fulfillment of the proposed goals and objectives; and the degree of effectiveness, economy and efficiency and the management of the entity.

Substantive procedures: Means tests carried out to obtain evidence in the audit to find material misstatements in the financial statements or in its operations, and they are of two types: a) tests of details of transactions and balances; and b) analytical procedures.

Sufficient and appropriate evidence in the audit: Sufficiency and appropriateness are interrelated and apply to the evidence in the audit obtained from both tests of control and substantive procedures. Sufficiency is the measure of the amount of evidence in the audit; appropriateness is the measure of the quality of evidence in the audit and its relevance to a particular assertion and its reliability. Typically, the auditor finds it necessary to rely on audit evidence that is persuasive rather than definitive, and will often look for evidence in the audit from different sources or of a different nature to support the same assertion.

To reach conclusions on the subject, the auditor normally does not examine all the available information, since conclusions can be reached on the balance of an account, the processes, operations, transactions or controls through the exercise of his judgment or through statistical sampling. The auditor's judgment as to what is sufficient and appropriate evidence in the audit is influenced by factors such as:

  • The auditor's evaluation of the nature and level of inherent risk, both in the financial statement area and at the level of the account balance or class of transactions or operations.
  • Nature of the accounting and internal control systems and the assessment of control risk.
  • Relative importance of the item or transaction under examination.
  • Experience obtained in previous audits.
  • Results of audit procedures, including fraud or errors that may have been found.
  • Source and reliability of available information.

Source from which it is obtained: The reliability of the evidence in the audit is influenced by its source: internal or external, and by its nature: visual, documentary or verbal. While the reliability of the evidence in the audit depends on the individual circumstance, the following generalizations will help to evaluate the reliability of the evidence in the audit:

  • Evidence in the audit from external sources, for example confirmation or representation received from a third party, is more reliable than that generated internally.
  • Evidence in the audit generated internally is more reliable when the related accounting and internal control systems are effective.
  • Evidence in the audit obtained directly by the auditor is more reliable than that obtained from the entity.
  • Evidence in the audit in the form of documents and written representations is more reliable than verbal representations.

Evidence in the audit is more persuasive when items of evidence from different sources or of a different nature are consistent. In these circumstances, the auditor may obtain a higher cumulative degree of confidence than would be obtained from pieces of evidence in the audit when considered individually. Conversely, when the audit evidence obtained from one source is inconsistent with that obtained from another, the auditor should determine the additional procedures necessary to resolve the inconsistency.

2. Documentation

The auditor must document the matters that are important to support the conclusions expressed in the audit report and leave evidence that the audit was carried out in accordance with the technical work standards indicated by professional bodies.

Documentation means the material, working papers prepared by and for, or obtained or retained by the auditor in connection with the performance of the audit. Working papers can be in the form of data stored on paper, film, electronic media, or other media and serve the following purposes:

  • They help in the planning and execution of the work;
  • They help in the supervision and review of the work; and
  • They record the evidence in the audit resulting from the work performed, to support the report.

The auditor should prepare working papers that are sufficiently complete and detailed to provide a comprehensive understanding of the audit.

The auditor must record in working papers the planning, nature, timing and scope of the audit procedures performed; as well as the results and conclusions drawn from the evidence obtained. The working papers would include the auditor's reasoning on all significant matters requiring an exercise of judgment, along with the conclusions. In areas that involve difficult questions of principle or judgment, the working papers will record the relevant facts that were known to the auditor at the time the conclusions were reached.

The extent of working papers is a matter of professional judgment, since it is neither necessary nor practical to document all the matters that the auditor examines. In assessing the extent of the engagement papers to be prepared and retained, it may be helpful for the auditor to consider what it would take to give another auditor with no prior audit experience a chance to understand the work performed and the basis of the principled decisions made, but not the detailed aspects of the audit.

The form and content of working papers are affected by issues such as:

  • The subject of the work
  • The form of the auditor's report
  • The nature and complexity of the business
  • The nature and condition of the entity's accounting and internal control systems
  • The needs in the particular circumstances, management, supervision, and review of the work performed by assistants
  • Specific audit methodology and technology used in the course of work

Working papers are designed and organized to meet the circumstances and needs of the auditor for each particular audit. The use of standardized working papers can improve the efficiency with which such working papers are prepared and reviewed; they facilitate the delegation of work at the same time that they provide a means to control its quality, consulting the corresponding Audit procedure manuals established in the organizations.

To improve the efficiency of the audit, the auditor may use other analyses conceived by the auditor and other documents obtained and prepared by the auditee. In such circumstances, the auditor would need to be satisfied that those materials have been properly prepared.

Risk Management

Risk is a real world condition in which there is exposure to adversity, made up of a combination of surrounding circumstances, where there is the possibility of losses.

For this reason, all companies that produce goods or services must undertake studies that guarantee the identification of Risks as a fundamental element to guarantee the quality of the service or the final product.

Procedural Techniques to Manage Risks

  • Avoid risks: A risk is avoided when it is not accepted in the organization. This technique can be more negative than positive. If risk avoidance were overused, the business would be deprived of many profit opportunities (for example: risking an investment) and would probably not reach its objectives.
  • Risk reduction: Risks can be reduced, for example with security programs, security guards, alarms and estimation of future losses with the advice of experts.
  • Risk conservation: It is perhaps the most common method of facing risks, since many times no positive action is taken to transfer the risk or reduce its effect. Each organization must decide which risks are retained or transferred based on its contingency margin; a loss that is a financial disaster for one organization can be easily sustained by another.
  • Risk sharing: When risks are shared, the possibility of loss is transferred from the individual to the group.

Definition of Risk Management

Risk management is a scientific approach to risk behavior, anticipating possible accidental losses with the design and implementation of procedures that minimize the occurrence of losses or the financial impact of losses that may occur.

Risk Control: Technique designed to minimize the possible costs caused by the risks to which the organization is exposed. This technique covers the rejection of any exposure to loss from a particular activity and the reduction of the potential for possible losses.

As we can see, the bibliographies consulted collect different Risk criteria, but none of them studies, much less delves into the subject of the Risks that are assumed in each Audit sub-process, an aspect of vital importance to guarantee its quality.

In the case studies analyzed, we observed that when the specific tasks and activities of the Audit process are not known, the final results do not correspond to those expected by those who order the Audit. The cause is the lack of foresight about the tasks to be carried out in each of the sub-processes and, of course, about the measures to avoid errors and failures that put at risk the systemic and phased compliance of each sub-process, simulating the exercise of series production.

In studies carried out, we have been able to observe that risks from any Audit sub-process undoubtedly deteriorate the quality of its service.

It is not usual for Units dedicated to the audit service, much less those dedicated to Internal Audit services, to work on diagnosing and evaluating the possible risks in the execution of the different sub-processes involved in an Audit service.

It is not possible to diagnose risks from a table, as this cannot be schematic, much less be a substitute formula. In each organization, a study should be carried out and the strategy of its value chain and the type of service to be performed should be drawn up.

For this, it would be necessary to know how the value chain is working in that organization, since it is essential to maintain the achievement of the tasks and to fulfill and enforce the maintenance of the logistical flow of the sub-processes, since one depends on the other.

The Value Chain in all the Audit sub-processes must then be represented in the following way.

Below we detail the result of the study of the Supervisions carried out over a period of 2 years on different professionals in the exercise of certain audits.

The diagnosis had to be carried out starting from the logistic flow of the Value Chain of each Audit sub-process in an Internal Audit organization. We indicate the most important tasks to be carried out in each sub-process of this service, which is carried out by this organization as a fundamental process, and we mention the risks in complying with the different tasks, which are possible in any organization that provides audit services.

Threads Chores Control risks
Previous Exploration 1. Know the characteristics of the entity. 1. Conceive planning for unnecessary exams.
2. Achieve understanding of the control environment. 2. Extension of tests due to ignorance of the control environment.
3. Understand the flow of operations. 3. Ignorance of a history of deficiencies or alleged criminal acts as a result of previous audits.
4. Study Archived Working Papers from the previous audit. 4. The auditor is not able to identify the operational nature of the business, its organization, location of its facilities, sales, productions, services rendered, its financial structure, purchase and sale operations and many other matters that could be significant in what is going to be audited
5. Not conceiving an adequate planning of the work to be carried out and / or not directing it towards the issues that are of greatest interest in accordance with the planned objectives
Planning 1. Define the aspects that should be objects of verification, by the expectations that the exploration gave, as well as determine the areas, functions and critical matters. 1. Extension of tests without meeting the necessary objectives to carry out the ordered Audit.
2. Analyze the reiteration of deficiencies and their causes. 2. The general strategy for the exam is not developed.
3. Define the forms or means of verification to be used. 3. Inability to create or adapt the Audit Program.
4. Definition of the specific objectives of the Audit.
5. Determination of the auditors and other specialists required, taking into account the proposed objectives, the magnitude of the work and its complexity.
6. Flexible programs specifically tailored, in accordance with the objectives set, which respond to the verification of the three E's (Economy, efficiency and effectiveness).
7. Determination of the time that will be used to carry out the Audit, as well as the estimated cost.
Execution

Tasks:
1. Obtain sufficient, competent and relevant evidence to support the judgments and conclusions.
2. Comply with the actions foreseen in the elaborated planning.
3. Prepare working papers for all the exams taken.
4. Carry out the review in accordance with generally accepted auditing standards.

Control risks:
1. Failure to conduct the examination in accordance with generally accepted auditing standards.
2. Failure to assure the responsible and competent person of the reasonableness of the different financial statements.
3. The auditor is not prepared to doubt the validity and completeness of the evidence.
4. That the sample taken is not sufficient to support the results of the examination carried out and the fulfillment of the programmed objectives.
5. Failure to evaluate the evidence applying reliable techniques that ensure its validity and reasonableness.
6. Failure to identify the level of materiality and probable risk of evidence.
7. The documentary evidence does not clearly express the objective of the scope of the checks carried out.
8. The findings are not clearly defined and lack reasonableness to support the examination result, conclusion, and recommendation to demonstrate the nature and scope of the work performed.
9. Failure to limit the work to matters that are relevant and important.
10. The checks and their results are not sufficiently clear, understandable and detailed for a third party to be able to substantiate conclusions and recommendations through their review.

Reports

Tasks:
1. Comply with the techniques for preparing the Report.
2. Definition of the Evaluation of the Audit developed.
3. Timely communication of the Report.
4. Carry out a discussion on the Report on the results of the Audit carried out.

Control risks:
1. That the working papers corresponding to Notes to the Report do not express reasonableness to support the significant findings by the results of the verifications.
2. That the working papers corresponding to Notes to the Report do not express the results sufficiently clear, understandable and detailed.
3. Non-compliance with the audit objectives, its scope and methodology.
4. Not correctly evaluating the results presented, according to established legislation.
5. Failure to define responsibilities for breaches that affect the smooth running of the organization.
6. Failure to facilitate follow-up to determine if appropriate corrective action is taken.
7. The content of the Report is not used in a timely manner by those responsible and interested.
8. Non-participation of managers and authorized officials to discuss the results of the Report.

File Preparation

Tasks:
1. Organize the documentation of all the work papers originated in the performance of the audit, corresponding to all the stages: Exploration, Planning, Execution, Report.
2. Recognize the indexing of each paper, marks, etc.

Control risks:
1. That the auditor does not have all the evidence that supports the development of each of the stages.
2. Failure to prepare the audit work papers.
3. Completion of extemporaneous tasks.
4. Inadequate organization of the filing of working papers.
5. Impossibility for a third party to check the Report and the correspondence with the examinations.

Supervision

Tasks:
1. Carry out Supervision visits at any stage of the audit.
2. Preparation of the Supervision Report.

Control risks:
1. That the auditors have impediments that limit a clear and precise understanding of the stage being supervised.
2. The recommendations left in previous supervisions are not fulfilled.
3. That the supervisions are not carried out at the necessary time required by the Audit and / or the auditor performing the work.
4. Little preparation of the supervisor to assess the development of an activity and / or audit.

Evaluation of Audit professionals

Tasks:
1. Evaluate the work of the personnel who directly work in an audit.
2. Correctly analyze each of the indicators.
3. Comply with and enforce the established evaluation scale.

Control risks:
1. An incorrect evaluation.
2. Not evaluating fairly (does not encourage good individual results).
3. Failure to comply with the evaluation (does not allow the evaluated person to become aware of the limitations that are indicated).

It would then be necessary to design or implement an internal procedure that minimizes the financial impact that may occur, such as excess expenses for food, lodging, salaries, transportation, office supplies, communication, and others. It would give us the possibility of knowing the valuation in advance and conceiving plans that contribute to the reduction of losses, which in audit techniques would be the extension of unnecessary tests and additional time invested, which would imply the requirement of differentiated treatments and, of course, financial losses. If the necessary measures are taken to reduce the occurrence, then we would be talking about reducing losses in the Audit.

In this chapter we previously addressed the need to assess the accounting control risks, which will help the auditor to carry out adequate planning.

When conceiving the possible Risks in the execution of the different sub-processes of the Audit of an internal or external organization, these must also be evaluated, in order to know the Impact and the treatment it requires, as well as the Probability of Occurrence.

Risk Measurement and Assessment

It is necessary then, after knowing the possible risks, to take into account:

a) Probability of occurrence of Risk

b) Impact upon occurrence of Risk.

To do so:

  • The Probability of Occurrence must be classified as:

a) Uncommon (Pf)

b) Moderate (M)

c) Frequent (F)

Uncommon: The Risk occurs only in exceptional circumstances.

Moderate: It can happen at some point.

Frequent: Expected to occur in most circumstances.

  • The Impact before the occurrence would be considered as:

a) Mild (L)

b) Moderate (M)

c) Large (G)

Mild: Tolerable harm. Low financial loss.

Moderate: Requires differentiated treatment. Medium financial loss.

Large: Requires differentiated treatment. High financial loss.

The Risk assessment would be:

Acceptable: (Low risk). When current controls can be maintained, following routine procedures.

Moderate: (Medium Risk). They are considered Acceptable risks with Control Measures. Damage reduction actions must be undertaken and the responsibilities for their implementation and supervision must be specified.

Unacceptable: (High Risk). Impact and Likelihood reduction actions must be taken immediately to mitigate the severity of the risk. The person in charge and the date of the systematic review will be specified.

If we wanted to evaluate the Impact of Risks in a sub-process, we would only have to analyze the Diagnosis made.

As an example, we will analyze the Previous Exploration sub-process as diagnosed in the case study carried out.

Let's see:

Sub-processes / Tasks / Control risks

Previous Exploration

Tasks:
  • To know the characteristics of the entity.
  • To understand the control environment.
  • To understand the flow of operations.
  • To study Working Papers filed from the previous audit.

Control risks:
1. The auditor is not able to identify the operational nature of the business, its organization, location of its facilities, sales, productions, services rendered, its financial structure, purchase and sale operations and many other matters that could be significant in what is to be audited.
2. Not conceiving an adequate planning of the work to be carried out and / or not directing it towards the issues that are of greatest interest in accordance with the planned objectives.
3. Conceive planning for unnecessary exams.
4. Extension of tests due to ignorance of the control environment.
5. Ignorance of a history of deficiencies or alleged criminal acts as a result of previous audits.

When evaluating them we would have:

RISKS RISKS EVALUATION
No. Risk AND I Impact (6) Probability (7) Risk level
L M G F M Pf
1 The auditor is not able to identify the operational nature of the business, its organization, location of its facilities, sales, productions, services rendered, its financial structure, purchase and sale operations and many other matters that could be significant in what is to be audited. X X X Acceptable with control measures
2 Not conceiving an adequate planning of the work to be carried out and / or not directing it towards the issues that are of greatest interest in accordance with the planned objectives. X X X Acceptable with control measures
3 Conceive planning for unnecessary exams. X X X Acceptable with control measures
4 Extension of tests due to ignorance of the control environment. X X X Unacceptable
5 Ignorance of a history of deficiencies or alleged criminal acts as a result of previous audits. X X X Acceptable with Control Measures

A well-known and widely used technique, as a work tool, is graphic representation, and following the previous example, let's observe:

Illustration. Risk Levels (Matrix)

Probability    Impact: L       Impact: M       Impact: G
F              Unacceptable    Unacceptable    Unacceptable
M              Moderate        Moderate        Unacceptable
Pf             Acceptable      Moderate        Unacceptable

As can be seen, the previous graph illustrates the quadrants where these Risks are located according to their Impact and Probability of Occurrence, and their color identifies their Evaluation. This does not mean that the Measurement Plan does not take all the Risks into account, since the monitoring of all those identified and the Action Plan of each one must be maintained.

The Action Plan would be in correspondence with the type of risk, with the organization where the service is carried out, with the type of audit, with the sub-process that is carried out and of course with the auditor or assistant that executes it. Of vital importance are mastery of the activity, monitoring during successive executions of the management of future actions, and systematic supervision at different times of the audits, in line with the incidence of past or repeated risks in the sub-processes where the greatest impacts have been observed.

Due to the impact that the occurrence of the risks observed in the investigation produces today, an Action Plan must be drawn up in which it is proposed, fundamentally:

  • The design of an Organizational Execution System for each of the audit sub-processes

  • Train audit professionals in theoretical-practical training that guarantees quality in the exercise of their functions

  • Evaluate the results of the supervisions

  • Maintain surveillance of the possible occurrence of risks in the systematic development of the audit exercise

  • Monitor compliance with the Value Chain by each professional, etc.

In conclusion, it is vitally important to establish a control system in this Value Chain, where all the sub-processes in Auditing are necessary to achieve an effective and efficient service, with the expected quality requirements. An efficient risk management would then be a scientific approach to its behavior, anticipating possible accidental losses with the design and implementation of procedures that minimize the occurrence of losses or the financial impact of the losses that may occur.

Responsible:

  • Audit Department Supervisor Group Head Auditor

Standards:

  • It consists of a Guide, with certain aspects to be evaluated, for each sub-process, which must conclude with an evaluation, which must be classified according to the probability of occurrence and the Impact before it. It must also be summarized, represented in a graph, in order to develop the consequent Action Plan to reduce the probability of occurrence.

Controls:

The behavior of each sub-process, for each work area, must be evaluated frequently.
