RISK MANAGEMENT AND AUDIT SERVICES Harvard University


AGENDA
• Risk Management and Audit Services Organization, Charter & Mission
• Types of Audits
• FY 09 Audit Plan Approach
• Audit Process and Your Audit

ORGANIZATION OVERVIEW
• Joint Committee on Inspection
• Vice President for Finance & Chief Financial Officer
• Risk Management Committee
• Director, Risk Management & Audit Services
• Insurance
• Information Systems
• Financial, Operational & Compliance
• Strategic Planning

ORGANIZATION


MISSION
“To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the University’s Business Practices and Academic and Research Activities”

WHAT WE OFFER TO THE UNIVERSITY
Risk Management & Audit Services (RMAS) provides an independent, objective assurance and consulting service which is used within Harvard University as an integral part of its risk management and control processes. RMAS helps the University leadership accomplish its objectives by bringing a systematic disciplined approach to evaluate & improve the effectiveness of risk management and control processes. We do this by:
• Assessing the state of internal control,
• Helping the University community understand & assess risk,
• Evaluating the adequacy of techniques to manage risks,
• Providing an assessment of risk management and control processes for operating effectiveness and efficiency, and
• Identifying and recommending changes that add value.

RISK MANAGEMENT & AUDIT SERVICES’ ROLE
• Independence: Independent mental attitude to make objective professional judgments
• Objectivity: Report matters as they are, rather than as one would like them to be
• Value-added services: Recommend cost effective measures to improve controls
• Promoter of change: Work with management to ensure implementation

OBJECTIVES
The purpose of a system of internal controls is to ensure the:
• Achievement of operational goals and objectives
• Effective and efficient use of resources
• Compliance with significant policies, procedures, laws & regulations
• Reliability and integrity of information
• Safeguarding of assets

TYPES OF AUDITS
• Financial & Operational Audits
   - Department/sub-department/function reviews
   - Review financial and operational controls
   - Integrated with IS to include systems
   - University-wide audits
• Information Systems
   - IT Governance audits
   - Evaluate system security, data integrity, reliability and availability
   - Assess IT policies and procedures for good information technology controls
• Compliance
   - Assess compliance with policies and procedures
   - Assess compliance with laws and regulations
• Special Projects/Consulting
   - Advisory services
   - Special investigations
   - Policy development
• Post-Audit Appraisal (PAA)
   - Assess resolution of audit findings
   - Does not constitute a re-audit
   - Performed within 18 months of full audit

AUDIT PLANNING PROCESS

AUDIT PLANNING PROCESS – TWO PHASES
• Risk Assessment Process
   - Identify University risks and concerns
   - Prioritize risks based on exposure, impact and mitigating factors
   - Determine operations significantly impacted by these risks
   - Assess unit/operating entity risk based on risk factors (size, complexity, last time audited, etc.)
   - Rank projects
   - Ensure appropriate representation across University
• Communication Process
   - Present audit plan detail to areas, units and operations
   - Plan approved by Vice President for Finance and Joint Committee on Inspection

FY 09 RISK FOCUS
• Financial Integrity
• Safety
• Globalization
• Compliance (Research, Policy, Infrastructure)
• Governance
• Security/Privacy
• Construction
• Business Continuity Planning
• Vendor/Contract Management

AUDIT PROCESS

AUDIT PROCESS – FOUR DISTINCT PHASES

PLANNING
• Announcement Letter
• Scoping
• Objectives & Scope Document

FIELDWORK
• Fact gathering
• Apply analytical audit techniques: Testing, Analyzing, Interpreting, Corroborating, Documenting
• Conclude on internal controls

COMMUNICATION OF RESULTS
• Draft report – Issues in grid format
• Final report – Summary and issues in grid format

FOLLOW-UP
• Follow-up letters on significant findings within four months of audit
• Post-Audit Appraisal (PAA) - Based on significance of full audit issues. Results published in a report.

FOUR DISTINCT PHASES TIMELINE

PLANNING
• Scoping interviews and data gathering – two weeks
• Information and document requests to client
• Client gathering of information & supporting documents – two weeks

FIELDWORK
• On site
• Ongoing communication on status of work
• Mid-audit status meeting, where appropriate
• Draft issues grid
• Exit meeting
• Four weeks

COMMUNICATION OF RESULTS
• Draft report with summary – issues in grid format
• Final report issuance
• Four weeks

FOLLOW-UP
• Survey in two weeks; respond in two weeks
• Follow-up letters on significant issues within four months of audit
• Post-Audit Appraisal (PAA) - within 12-18 months of full audit
• PAA follows same process as an audit

AUDIT PROCESS – ADDITIONAL DETAILS
Fieldwork:
• Auditors will request regular meetings with management to communicate progress and potential issues to date.
• Auditors will schedule meetings with responsible individual to review questions on information received or request additional information. We ask that meetings be held and information be provided on a timely basis to ensure an effective and efficient audit process for all.
• Auditors will close all facts, issues and findings with the responsible individual and work with that individual to determine “Agreed-to actions.” Issues will be presented in writing to promote understanding and agreement.

AUDIT PROCESS – ADDITIONAL DETAILS
Communication:
• We will provide you with a draft report with all findings and agreed-to actions in grid format at the end of fieldwork. We will arrange an exit meeting to review the draft and discuss the facts and actions. This is your final opportunity to respond to the facts and actions. Changes will be discussed and a revised grid will be provided within three business days. Your comment period on this revised grid is five business days.
• A draft report with a summary and rating will be provided within seven business days of completing the revised grid.
• Your comment period on the draft is five working days, as the comments should be related to the summary. To avoid misunderstandings, we ask that this communication be in writing, in one document, and include comments on all findings included in the report.
• Generally, communication on the grid and the report will be verbal. If the report is extensive and comments are numerous, we ask that communication be in writing, in one document.

AUDIT/PROJECT RATINGS
• Audits / projects are rated in the report summary section on the effectiveness of the organization’s or function’s system of internal control.
   - Good
   - Adequate
   - Needs Improvement
   - Inadequate
• Audit / project issues are rated in terms of the probability, seriousness and impact of the occurrence of risk events.
   - High
   - Medium
   - Low

THANK YOU
Thank you for:
• Your assistance in planning the audit.
• Your help and cooperation in completing the fieldwork and developing the recommendations.

Please visit our web site at http://vpf-web.harvard.edu/rmas/