Enterprise-wide Risk Assessment Presentation, dated 03-08-11
Post on 26-May-2015
PETCO Enterprise-Wide Risk Assessment & Internal Audit Plan
Presenters: Jim Brigham, Wendy Cooling, Zach Couasnon
March 9, 2011
Risk Assessments – Part I – Data Gathering (8:00 am – 9:10 am)
1. Background
A. Evolution of Audit Planning Process
B. IIA Standards and Other Guidance
C. Internal Audit Charter
D. Scope of Work
E. Risk Assessment Definitions
2. Risk Assessment Approach
A. Identify Key Risks
B. Evaluate Key Risks
Risk Assessments – Part II – Reporting (9:20 am – 10:15 am)
2. Risk Assessment Approach (continued)
C. Develop Internal Audit Plan
D. Monitor Risks and Learn
Learning Objectives
1. Background
1.A Evolution of Audit Planning Process
Source: Corporate Executive Board, Audit Director Roundtable, Enterprise Risk Audit Planning, 2006
Performance Standard 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization's governance, operations and information systems regarding:
Reliability and integrity of financial and operational information
Effectiveness and efficiency of operations
Safeguarding of assets
Compliance with laws, regulations and contracts
Practice Advisory Standard 2120-1 Assessing the Adequacy of Risk Management Processes
Position Paper Role of Internal Auditing in Enterprise-wide Risk Management
Practice Guides GAIT for Business and IT Risk
GTAG 6 – Managing and Auditing IT Vulnerabilities
GTAG 10 – Business Continuity Management
1.B IIA Standards and Other Guidance
Mission
The mission of the Internal Audit Department (the "Department") is to provide independent, objective assurance and consulting services designed to add value and improve the Company's operations. The Department helps PETCO accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk evaluation, internal control, and corporate governance processes.
Scope (in part)
To accomplish our mission, the Department will ensure:
Risks are appropriately identified, understood and properly managed
The efficiency and effectiveness of internal controls are evaluated
Significant financial, managerial, and operating information is accurate, reliable, and timely
Compliance with laws, regulations, and PETCO policies
Responsibility (in part)
The responsibilities of the Department include the following:
Develop a flexible risk-based annual audit plan, including any risks or control concerns identified by management, and submit the plan and budget to senior management and the Audit Committee for review and approval.
Report to the Audit Committee as to whether the Department provides sufficient coverage of PETCO operations, available resources are effectively utilized toward the highest exposure of risk, and the scope and authority of the Department are sufficiently unrestricted.
1.C Internal Audit Charter
The scope of PETCO's Risk Assessment included the identification and prioritization of the risks that may impact PETCO’s ability to achieve its objectives as well as the development of the 2011 Internal Audit Plan.
Key activities included:
Implementation of a structure, framework and methodology for PETCO’s Risk Assessment and 2011 Internal Audit Plan
Survey of Management to identify:
Business objectives and processes
Understanding of risk
Perceived risks to PETCO
Perceived risks within business units
Exploration of the risks within each identified process or activity
Assignment of risk ratings based on the potential likelihood and impact to PETCO
1.D Scope of Work
Risk
An uncertain future event which could adversely affect the achievement of an organization's objectives.
Risk Likelihood
The probability that a risk can occur. Factors to consider when assessing risk likelihood are: the source of the threat, capability of the source, nature of the vulnerability, and existence and effectiveness of current controls. Likelihood can be described as high, medium or low.
High: An event is expected to occur in most circumstances
Medium: An event will probably occur in many circumstances
Low: An event may occur at some time
Risk Impact
The potential effect that a risk could have on the organization if it arises. The severity of impact can also be categorized as high, medium or low.
High: Serious impact on operations or reputation
Medium: Significant impact on operations or reputation
Low: Less significant impact on operations or reputation
1.E Risk Assessment Definitions
The combination of likelihood and impact gives us the value for each risk factor.
See chart below.
Risk Assessment ProcessThe process of identifying and analyzing inherent and residual risks to the achievement of an organization’s objectives.
Audit Universe An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. The audit universe is now determined by risk. The risk-based approach to auditing results in planning that is driven by the organization's risk register. The audit universe will be periodically revised to reflect changes in the overall risk profile.
Risk
It is an uncertain future event which could adversely affect the achievement of an organization's objectives.
Risk Likelihood
It is the probability that a risk can occur. The factors that should be taken into account in the determination of likelihood are: the source of the threat, capability of the source, nature of the vulnerability, and existence and effectiveness of current controls. Likelihood can be described as high, medium or low.
• High: An event is expected to occur in most circumstances
• Medium: An event will probably occur in many circumstances
• Low: An event may occur at some time
Risk Impact
It is the potential effect that a risk could have on the organization if it arises. It is worth mentioning that not all threats will have the same impact, as each system in the organization is valued differently. The magnitude of impact can also be categorized as high, medium or low.
• High: Serious impact on operations, reputation, or funding status
• Medium: Significant impact on operations, reputation, or funding status
• Low: Less significant impact on operations, reputation, or funding status
The combination of likelihood and impact gives us the value for each risk factor.
1.E Risk Assessment Definitions
Risk Evaluation Criteria (matrix: Risk Likelihood vs. Risk Impact)
Specific risks were identified within each area and, based upon evaluation of each, a rating was assigned. The ratings were developed based on an analysis of the likelihood and associated impact if the risks were not mitigated and are not necessarily a reflection of current performance in a given area.
This analysis was performed based on our collective knowledge of PETCO prior to and during this assessment, and our industry experience. Each risk was classified as either high, medium, or low based on the following definitions:
High – requires significant management focus and awareness
Medium – requires possible focus and consideration by management
Low – significant focus and action not required by management at this point in time
Some risks are inherently high due to the magnitude and severity of the impact to the organization. A high risk rating does not necessarily imply poor controls. Not all risks identified are areas in which Internal Audit can perform a review. For areas in which an Internal Audit review is appropriate, project names and areas of focus were developed.
1.E Risk Assessment Definitions
2. Risk Assessment Approach
2.A Identify Risks
[Process diagram: Identify Risks → Evaluate Key Risks → Develop Internal Audit Plan → Monitor Risks and Learn]
Identify Risks - Overview
Data Gathering for Risk Universe
Prior Year Sources (December)
Risk Assessments
Audit Director Roundtable Audit Plan Hotspots
Annual PETCO Leadership Meeting Takeaways
Financial Audit Reports
External Auditor Management Letter Comments
Industry 10-Ks (Item 1A. Risk Factors)
Accounting's Financial Reporting Risk Assessment & Fraud Risk Assessment
Surveys (January)
Overall Company Risk Survey
Store-Focused Risk Survey
Identify Risks - ADR
Audit Director Roundtable - http://audit.executiveboard.com
Identify Risks – PETCO Leadership Meeting Takeaways
Identify Risks – Industry 10-Ks
Go to www.sec.gov
Identify Risks – 10-Ks
10-K risk factor: "A decline in consumer spending or a change in consumer preferences could reduce our sales or profitability and harm our business."
Risk: The economy
10-K risk factor: "The pet products and services retail industry is very competitive and continued competitive forces may adversely impact our business and financial results."
Risk: Competition
10-K risk factor: "Failure to successfully manage and execute our marketing initiatives could have a negative impact on our business."
Risk: Marketing/Advertising effectiveness
10-K risk factor: "Failure to successfully manage our inventory could harm our business."
Risk: Inventory shrinkage
Identify Risks – 10-Ks
10-K risk factor: "If our information systems fail to perform as designed or are interrupted for a significant period of time, our business could be harmed."
Risk: Disaster recovery and business continuity
10-K risk factor: "If we fail to protect the integrity and security of customer and associate information, we could be exposed to litigation and our business could be adversely impacted."
Risk: Security of personally identifiable information (e.g. employee and customer information)
Information gathered from surveys
In your opinion, list the top three risks to achieving PETCO's 2011 goals and objectives within your department
List areas of our Company that you would like to see included in the 2011 Internal Audit Plan
Has your department implemented any new technology within the last 12 months? Examples include software, database management systems, existing system upgrades, new-to-you (shared technology from another department).
Will any key business processes performed by your department change significantly within FY2011? Please list and describe changes if applicable.
How could someone internally or externally misappropriate assets from your specific department resources?
Identify Risks – Surveys
2.B Evaluate Key Risks
Evaluate Key Risks - Overview
Still Data Gathering to Evaluate Key Risks Surveys (January)
Overall Company Risk Survey
Store-Focused Risk Survey
Industry Experience & Knowledge
Professional Judgment
Leadership Meeting Takeaways (Early February)
External Auditor Feedback (Late February)
Evaluate Key Risks - Surveys
Internal Audit utilizes an internal HTML-based survey tool to collect management opinions on business risks faced by the organization.
Consists of around 53 questions: 10% open-ended questions, 90% "Rate the Risk" style questions
Sent to director-level and above roles
Survey is voluntary
Two weeks allowed for completion
Evaluate Key Risks - Survey Administration
An email is sent to all director-level and above associates
A link to the internal HTML-based survey is included in the email
No reminders are sent
Evaluate Key Risks - Survey Administration
Once the link is clicked, the survey opens up in a browser window
The respondent's ID is also captured from the login ID used to authenticate to the network, so each response is attributable to the associate who submitted it rather than anonymous
Shown are examples of open ended style of questions
Evaluate Key Risks - Survey Administration
Shown are examples of “Rate the Risk” style questions. Only one answer can be selected for each
Risk ratings are later scored to generate the heat map
Currently, IA requires survey takers to assess risk impact only
Evaluate Key Risks - Survey Administration
IA always allows for additional comments; sometimes we get some very interesting feedback!
Upon submission, survey selections are logged
Specified IA associates receive survey results from each associate directly to their inbox
Evaluate Key Risks - Survey Response Scoring
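The scoring step the deck describes (survey "Rate the Risk" answers scored, combined with likelihood, plotted on a heat map and used to prioritize audit projects), as an added example that is not code from the PETCO deck. Everything specific here is assumed: the combination rule (likelihood × impact on a 1–3 scale, bucketed into three tiers), the round-half-up averaging of respondents' impact answers, the likelihood values, the respondents and their answers, and the audit project names. Risk names are taken from the deck's 10-K mapping; "Security of PII" abbreviates "Security of personally identifiable information". The deck says survey takers rate impact only, so likelihood is supplied separately here as IA judgment.

```python
"""Score 'Rate the Risk' survey answers into a likelihood x impact heat map
and rank audit projects.  Added example, not code from the PETCO deck.

Assumed (not stated on the slides): impact per risk is the rounded average
of respondents' High/Medium/Low answers; likelihood is assigned by Internal
Audit; the combination rule and all sample data below are constructed.
"""
from collections import defaultdict
from statistics import mean

TIER_SCORE = {"Low": 1, "Medium": 2, "High": 3}
SCORE_TIER = {1: "Low", 2: "Medium", 3: "High"}
RANK = {"High": 0, "Medium": 1, "Low": 2}   # sort order, High first

# Constructed survey responses: (respondent, risk, impact rating).
# Respondents are identified, not anonymous: the tool captures the
# network login ID, as the deck notes.
SURVEY_RESPONSES = [
    ("dir_stores_1", "Inventory shrinkage", "High"),
    ("dir_stores_2", "Inventory shrinkage", "Medium"),
    ("dir_it",       "Inventory shrinkage", "Medium"),
    ("dir_stores_1", "Security of PII", "High"),
    ("dir_it",       "Security of PII", "High"),
    ("dir_stores_2", "Disaster recovery and business continuity", "Medium"),
    ("dir_it",       "Disaster recovery and business continuity", "High"),
    ("dir_mktg",     "Marketing/Advertising effectiveness", "Low"),
    ("dir_stores_2", "Marketing/Advertising effectiveness", "Medium"),
    ("dir_stores_1", "The economy", "High"),
    ("dir_mktg",     "The economy", "High"),
]

# Likelihood per risk, supplied by IA judgment because the survey asks
# for impact only (assumed values).
IA_LIKELIHOOD = {
    "Inventory shrinkage": "High",
    "Security of PII": "Medium",
    "Disaster recovery and business continuity": "Low",
    "Marketing/Advertising effectiveness": "Medium",
    "The economy": "High",
}

# Risks rated but outside what IA can review (the deck's note), and the
# projects that address the rest; one project may cover several risks.
NOT_AUDITABLE = {"The economy"}
AUDIT_PROJECTS = {
    "Store inventory controls review": ["Inventory shrinkage"],
    "PII protection and IT continuity review": [
        "Security of PII", "Disaster recovery and business continuity"],
}


def combine(likelihood, impact):
    """Likelihood x impact on a 1-3 scale, bucketed into three tiers."""
    product = TIER_SCORE[likelihood] * TIER_SCORE[impact]
    if product >= 6:      # High x Medium, Medium x High, High x High
        return "High"
    if product >= 3:      # High x Low, Low x High, Medium x Medium
        return "Medium"
    return "Low"          # Low x Low, Low x Medium, Medium x Low


def score_impact(responses):
    """Average each risk's impact answers and round half up to a tier
    (2.5 -> High; avoids Python's banker's rounding)."""
    by_risk = defaultdict(list)
    for _respondent, risk, tier in responses:
        by_risk[risk].append(TIER_SCORE[tier])
    return {risk: SCORE_TIER[int(mean(scores) + 0.5)]
            for risk, scores in by_risk.items()}


def rate_risks(responses, likelihood):
    """Overall High/Medium/Low rating per risk."""
    impact = score_impact(responses)
    return {risk: combine(likelihood[risk], impact[risk]) for risk in impact}


def heat_map(responses, likelihood):
    """Initial heat map: cells keyed (likelihood, impact) -> risks."""
    cells = defaultdict(list)
    for risk, tier in score_impact(responses).items():
        cells[(likelihood[risk], tier)].append(risk)
    return dict(cells)


def prioritize_projects(ratings, projects, not_auditable):
    """Rank projects by the highest-rated risk each addresses, and report
    IA-reviewable risks that no project covers."""
    ranked = sorted(
        ((name, min((ratings[r] for r in risks), key=RANK.get))
         for name, risks in projects.items()),
        key=lambda item: RANK[item[1]])
    covered = {r for risks in projects.values() for r in risks}
    uncovered = {r: ratings[r] for r in ratings
                 if r not in covered and r not in not_auditable}
    return ranked, uncovered


if __name__ == "__main__":
    ratings = rate_risks(SURVEY_RESPONSES, IA_LIKELIHOOD)
    cells = heat_map(SURVEY_RESPONSES, IA_LIKELIHOOD)
    for (lik, imp), risks in sorted(
            cells.items(), key=lambda kv: (RANK[kv[0][0]], RANK[kv[0][1]])):
        print(f"likelihood={lik:<6} impact={imp:<6} {risks}")
    print(prioritize_projects(ratings, AUDIT_PROJECTS, NOT_AUDITABLE))
```

With these constructed answers "The economy" lands in the High/High cell but is excluded from the plan because IA cannot audit it, and "Marketing/Advertising effectiveness" is rated Medium yet covered by no project, which is the kind of gap the alignment slides later in the deck are meant to surface.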
Evaluate Key Risks
Dramatic Pause
Evaluate Key Risks - Initial Risk Heat Map
Questions
What about unknown risks?
What about strategic risks?
Break 9:10 am – 9:20 am
2. Risk Assessment Approach
(continued)
2.C Develop Internal Audit Plan
Develop Internal Audit Plan - Overview
Reporting – Four Key Considerations during Reporting
Initial Risk Heat Map
Available Hours
Hours consumed by required audits
Budget available for outsourced audits
Align Assessed Risks to Vision, Key Business Objectives, 6Ps and Audit Plan
Consult with Management and Audit Committee members
Prepare Final Key Deliverables
Risk Heat Map
Internal Audit Plan
Develop Internal Audit Plan - Initial Risk Heat Map
Develop Internal Audit Plan – Available Hours & Required Audits
Alignment of Assessed Risks
Linkage to Vision, Key Business Objectives, 6Ps and Audit Plan
Develop Internal Audit Plan
Develop Internal Audit Plan – Alignment of Assessed Risks
NOTE: Not all risks identified are areas in which Internal Audit can perform a review. Risks in bold are covered by the 2011 Audit Plan.
Develop Internal Audit Plan – Final Risk Heat Map
Develop Internal Audit Plan – Audit Plan Rationale
Risk-Based Audit Plan – inputs:
Overall Company Risk Survey
Store Focused Risk Survey
Internal Audit Experience
Financial Reporting (SOX) Risk Assessment**
Fraud Risk Assessment**
Risks were identified in each of the retail focus areas and were prioritized based on feedback from management
Audit projects were defined to address each risk identified (in some cases, one project addresses multiple risks)
Projects were prioritized based on the significance of the risk(s) they address
** Accounting prepares the Fraud Risk Assessment and the Financial Reporting (SOX) Risk Assessments.
Develop Internal Audit Plan
Dramatic Pause
2.D Monitor Risks and Learn
Monitor Risks and Learn - Overview
Reassess Key Risks Continuously Through Audit Plan Execution
Industry/Regulatory Developments
Evolving Strategic Direction of PETCO
Risk Assessment Approach
Identify Risks – Gather Data From Prior Year Sources: Risk Assessments (Financial Reporting Risk Assessment**, Fraud Risk Assessment**), ADR Audit Plan Hotspot Reports, PETCO Leadership Meeting Takeaways, Other Company 10-Ks, Surveys (Overall Company & Store-Focused) With Open-Ended Questions
Evaluate Key Risks – Surveys (Overall Company & Store-Focused) Where Management Evaluates Risks, PETCO Leadership Meeting Takeaways, Industry Experience & Knowledge, Professional Judgment
Develop Internal Audit Plan – Align Assessed Risks to Vision, 6Ps and Audit Plan; Consult with Management and Audit Committee; Prepare Final Key Deliverables (Risk Heat Map, Internal Audit Plan)
Monitor Risks and Learn – Reassess Key Risks Continuously Through Audit Plan Execution, Industry/Regulatory Developments, Evolving Strategic Direction of PETCO
Continuous – Can Occur Anytime During This Process: Management Interviews, Audit Committee Feedback, External Auditor Feedback
Questions
Contact information
Jim Brigham – jimbr@petco.com
Wendy Cooling – wendyco@petco.com
Zach Couasnon – zacharyc@petco.com
Break 10:15 am – 10:30 am