2. JACOB MCLEAN
Job Positions
Principal consultant and managing director of Kaizen Training & Management
Consultants Limited (KTMC); PECB Certified Trainer, PECB Certified ISO 9001
and ISO 14001 Master; PECB Certified Advanced Management System
Auditor; PECB ISO 22301 Lead Implementer and PECB Certified ISO 31000
Lead Risk Manager; PECB partner with 22 years of management systems
experience.
Contact Information
1 876 475 1963
jamclean@ktmcltd.com
www.ktmcltd.com
linkedin.com/in/Jacob-a-mclean
twitter.com/jacobamclean
3. 3
OVERVIEW
Content
• Understanding Risk
• Understanding the Management System Audit
• Risks related to Management System Auditing:
Finance and Accounting
ISO 19011:2011
ISO 17021-1:2015
• Risk-based Auditing
• Managing Risks Related to Audit Programmes and
Certification Audits
• Questions and Answers
4. 4
UNDERSTANDING RISK
Risk
• Risk is defined as the effect of uncertainty on objectives:
– An effect is a deviation from the expected — positive
and/or negative.
– Objectives can have different aspects (financial, health and
safety or environmental).
– Risk is often expressed as a combination of the consequences of an
event and the associated likelihood of occurrence.
ISO 31000:2009
• This presentation will focus on the negative aspect of
risk, that is, failure of the audit to provide reasonable
assurance.
5. 5
UNDERSTANDING RISK
Audit Risk
From a financial perspective, audit risk is the risk that an auditor
expresses an incorrect conclusion based on audit findings.
• Examples
– Issuing an unqualified audit report where a qualification is
reasonably justified;
– Issuing a qualified audit opinion where no qualification is
necessary;
– Failing to emphasize a significant matter in the audit
report;
– Providing an opinion on financial statements where no
such opinion may be reasonably given due to a significant
limitation of scope in the performance of the audit.
6. 6
UNDERSTANDING RISK
Audit Risk
• Risk is integral to the auditing of Management
Systems:
– Risk is inherent to the industry type;
– Related to the controls implemented in the Management
System;
– The audit process itself is based on test methods which
utilize sampling.
7. 7
UNDERSTANDING RISK
Audit Risk – Required Knowledge
The auditor should have knowledge of risk
management principles, methods and techniques
relevant to the discipline and sector, such that she/he
can evaluate and control the risks associated with the
audit programme:
— risk assessment and mitigation;
— risk treatment (adaptive, proactive and reactive
measures).
8. 8
UNDERSTANDING MANAGEMENT SYSTEM
AUDITING
Audit
• ISO 19011:2011, Clause 3.1, defines an audit as a
systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are
fulfilled.
9. 9
AUDIT RISK
Sampling
• The risk associated with sampling is that the samples may not
be representative of the population from which they are
selected, and thus the auditor’s conclusion may be biased and
be different from that which would be reached if the whole
population was examined.
• There may be other risks depending on the variability within
the population sampled and the method chosen.
10. 10
AUDIT RISK
Sampling
Audit sampling typically involves the following steps:
— establishing the objectives of the sampling plan;
— selecting the extent and composition of the population to be
sampled;
— selecting a sampling method;
— determining the sample size to be taken;
— conducting the sampling activity;
— compiling, evaluating, reporting and documenting results.
11. 11
AUDIT RISK
Sampling
• When a statistical sampling plan is developed, the level of
sampling risk that the auditor is willing to accept is an
important consideration.
• This is often referred to as the acceptable confidence level.
For example, a sampling risk of 5 % corresponds to an
acceptable confidence level of 95 %.
• A sampling risk of 5 % means the auditor is willing to accept
the risk that 5 out of 100 (or 1 in 20) of the samples examined
will not reflect the actual values that would be seen if the
entire population was examined.
12. 12
AUDIT RISK
Other Audit Risks
• Risks to the organization created by the audit:
- Risks to the organization may result from the presence of
the audit team members influencing health and safety,
environment and quality;
- Threats to the auditee’s products, services, personnel or
infrastructure (e.g. contamination in clean room facilities).
• Time constraints
• Independence
• Audit team dynamics
13. 13
AUDIT RISK AND MATERIALITY
Materiality
• Limiting audit risks in order to provide reasonable assurance
requires that an auditor places emphasis on processes and
systems which are material.
• Reasonable assurance is the level of confidence that the
financial statements are not materially misstated that
an auditor, exercising professional skill and care, is expected
to provide, having performed an audit.
14. 14
AUDIT RISK AND MATERIALITY
Materiality
• The concept of materiality is based on the significance of a
process, procedure or other elements of the Management
System.
• A single critical element or a combination of less significant
elements can be considered material depending on overall
impact of non-conformance of the Management System.
15. 15
AUDIT RISK AND MATERIALITY
Materiality: Financial vs Management System Audits
16. 16
AUDIT RISK AND MATERIALITY
International Standard on Auditing 320, Materiality in Planning and
Performing an Audit
• Misstatements, including omissions, are considered to be
material if they, individually or in the aggregate, could
reasonably be expected to influence the economic decisions
of users taken on the basis of the financial statements;
• Judgments about materiality are made in light of surrounding
circumstances, and are affected by the size or nature of a
misstatement, or a combination of both;
• Judgments about matters that are material to users of the
financial statements are based on a consideration of the
common financial information needs of users as a group.
• The possible effect of misstatements on specific individual
users, whose needs may vary widely, is not considered.
19. 19
AUDIT RISK AND MATERIALITY
Overall Materiality
• Overall materiality is the amount of error that auditors are
prepared to accept in the documentation review as a whole
while still concluding that it provides a true and fair view of
the audit.
• The auditor should assess the magnitude of error, or
materiality level, before audit commencement, based on
understanding of the auditee, its business sector and industry.
20. 20
RISK IN THE OVERALL AUDIT PROCESS
Materiality, Audit Risk and Audit Planning
21. 21
RISK IN THE OVERALL AUDIT PROCESS
Materiality, Audit Risk and Audit Planning
Materiality must be built into each step of audit
planning:
• Initial Contact: Materiality is taken into account to
determine the duration of the audit as dictated by
inherent risks related to the organization (industry sector,
applicable laws and regulations, employee population,
number of work stations, number of Management
Systems, etc.)
22. 22
RISK IN THE OVERALL AUDIT PROCESS
Materiality, Audit Risk and Audit Planning
• Stage 1 Audit: Identification of key processes and
their interactions to determine areas of focus during
the on-site audit.
• Stage 2 Audit (on-site audit): Adjust sampling plan
based on materiality of each process and asset.
• Other factors considered:
– Audit test methods: document review, interviews,
observation, technical verification, analysis.
– Audit team experience
23. 23
RISK IN THE OVERALL AUDIT PROCESS
Materiality, Audit Risk and Audit Planning
• The components of audit risk have a significant
impact on audit planning. Audits must be planned
such that:
– Inherent risk is duly assessed;
– Control risk is evaluated (planning, performing and
evaluating of documented information);
– The right mix of essential procedures is used to ensure
that detection risk and, by extension, audit risk is
reduced to the level acceptable to the auditor.
24. 24
MANAGEMENT ASSERTIONS
Definition of Management Assertion
• An assertion is an expressed or implied representation by
management about the financial statements of a business
and their components.
• The list of possible assertions represents all the various
manners in which a specific control could affect a particular
caption within the corporate income statement and balance
sheet.
• All of the assertions are directly tied to the Generally
Accepted Accounting Principles and used by management to
classify, measure, and disclose financial information affirming
that the financial statements are correct.
25. 25
MANAGEMENT ASSERTIONS
Examples of Management Assertion
• Completeness: All transactions and other events that
occurred during a specific time period were indeed recorded
for the period in which they took place.
• Existence and/or occurrence: All transactions for assets,
liabilities, and ownership interests exist for a specific date and
represent events that actually occurred during that period.
• Accuracy: All transactions, balances, and classifications have
been correctly processed and recorded for the correct time
period.
26. 26
MANAGEMENT ASSERTIONS
Examples of Management Assertion
• Ownership (rights and obligations): The rights (i.e., assets)
and obligations (i.e., liabilities) are correctly recorded for the
correct time period.
• Presentation and/or disclosure: All items in the financial
statements have been properly recorded and accounted for in
the correct time period.
• Measurement and/or valuation: All transactions are
mathematically correct and appropriately recorded in the
correct time period.
• Various: Any combination of multiple assertions listed above
is relevant and appropriate.
27. 27
MANAGEMENT ASSERTIONS
Perceived Risks and Audit Planning related to Initial Assessment
• Materiality risk assessment should be done on the
following, which explicitly or implicitly contain
management assertions, with the auditor utilizing his
knowledge and experience of the industry:
– Documented information
– Internal audit report
– Risk assessment report
– Actions to address risks and opportunities
– Management review
– Outcome of interviews with top management
29. 29
AUDIT RISK MODEL
Inherent Risk
• Inherent Risk is the risk of a material misstatement in the
financial statements arising due to error or omission as a
result of factors other than the failure of controls (factors that
may cause a misstatement due to absence or lapse of controls
are considered separately in the assessment of control risk).
• Inherent risk is generally considered to be higher where a high
degree of judgment and estimation is involved or where
transactions of the entity are highly complex.
30. 30
AUDIT RISK MODEL
Control Risk
• Control Risk is the risk of a material misstatement in the
financial statements arising due to absence or failure in the
operation of relevant controls of the entity.
• Organizations must have adequate internal controls in place
to prevent and detect instances of fraud and error.
• Control risk is considered to be high where the audit entity
does not have adequate internal controls to prevent and
detect instances of fraud and error in the financial
statements.
31. 31
AUDIT RISK MODEL
Detection Risk
• Detection Risk is the risk that the auditors fail to detect a
material misstatement in the financial statements.
• An auditor must apply audit procedures to detect material
misstatements in the financial statements whether due to
fraud or error.
• Misapplication or omission of critical audit procedures may
result in a material misstatement remaining undetected by
the auditor.
32. 32
AUDIT RISK MODEL
Detection Risk
• Some detection risk is always present due to the inherent
limitations of the audit such as the use of sampling for the
selection of transactions.
• Detection risk can be reduced by auditors increasing the
number of sampled transactions for detailed testing.
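The sampling-risk figures on the Sampling slide (5 % sampling risk, 95 % confidence) and the statement above that a larger sample lowers detection risk can be worked through numerically. This is an added illustration, not material from the presentation: it assumes simple random sampling from a large population (draws treated as independent) and the standard multiplicative audit risk model AR = IR × CR × DR, which the deck names by its components but never writes out.

```python
"""Sampling risk, confidence level and sample size in audit attribute sampling.

Added illustration, not from the presentation. Assumes simple random sampling
from a large population (independent draws) and the standard multiplicative
audit risk model AR = IR x CR x DR, which the deck does not state explicitly.
"""
import math


def _check_probability(value: float, name: str) -> None:
    """All inputs are probabilities strictly between 0 and 1."""
    if not 0.0 < value < 1.0:
        raise ValueError(f"{name} must be strictly between 0 and 1, got {value}")


def confidence_level(sampling_risk: float) -> float:
    """Acceptable confidence level is the complement of sampling risk (5 % -> 95 %)."""
    _check_probability(sampling_risk, "sampling_risk")
    return 1.0 - sampling_risk


def probability_of_missing(nonconformance_rate: float, sample_size: int) -> float:
    """Chance that a sample of n items contains no nonconformance when the true
    population rate is p: (1 - p) ** n. This is the sampling part of detection
    risk, and it falls as the sample grows."""
    _check_probability(nonconformance_rate, "nonconformance_rate")
    if sample_size < 0:
        raise ValueError("sample_size must be non-negative")
    return (1.0 - nonconformance_rate) ** sample_size


def minimum_sample_size(nonconformance_rate: float, sampling_risk: float) -> int:
    """Smallest n such that a population nonconformance rate of at least p is
    missed with probability no greater than the accepted sampling risk."""
    _check_probability(nonconformance_rate, "nonconformance_rate")
    _check_probability(sampling_risk, "sampling_risk")
    return math.ceil(math.log(sampling_risk) / math.log(1.0 - nonconformance_rate))


def planned_detection_risk(audit_risk: float, inherent_risk: float, control_risk: float) -> float:
    """Detection risk the auditor may tolerate once inherent and control risk are
    assessed: DR = AR / (IR x CR), capped at 1. A lower DR calls for more
    substantive testing (larger samples)."""
    for name, value in (("audit_risk", audit_risk), ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        _check_probability(value, name)
    return min(1.0, audit_risk / (inherent_risk * control_risk))


if __name__ == "__main__":
    # Constructed planning figures: accept 5 % sampling risk, look for a 5 % nonconformance rate.
    risk, rate = 0.05, 0.05
    print(f"confidence level: {confidence_level(risk):.0%}")
    print(f"sample size needed: {minimum_sample_size(rate, risk)}")
    for n in (20, 40, 59):
        print(f"n={n:3d}: P(miss) = {probability_of_missing(rate, n):.3f}")
    print(f"planned DR (AR=0.05, IR=0.8, CR=0.5): {planned_detection_risk(0.05, 0.8, 0.5):.3f}")
```

Reading the table the block prints: a sample of 20 still misses a 5 % nonconformance rate more than a third of the time, and 59 items are needed before the miss probability drops to the accepted 5 %.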
33. 33
RISK-BASED AUDITING
ISO 17021-1:2015, 4.8 Risk-based approach
Certification bodies need to take into account the risks
associated with providing competent, consistent and impartial
certification. Risks may include, but are not limited to, those
associated with:
– the objectives of the audit;
– the sampling used in the audit process;
– real and perceived impartiality;
– legal, regulatory and liability issues;
– the client organization being audited and its operating environment;
– impact of the audit on the client and its activities;
– health and safety of the audit teams;
– perception of interested parties;
– misleading statements by the certified client;
– use of marks.
34. 34
RISK-BASED AUDITING
ISO 19011:2011
• This International Standard introduces the concept of risk to
management systems auditing.
• The approach adopted relates both to the risk of the audit
process not achieving its objectives and to the potential of the
audit to interfere with the auditee’s activities and processes.
35. 35
RISK-BASED AUDITING
ISO 19011:2011
• An organization needing to conduct audits should establish an
audit programme that contributes to the determination of the
effectiveness of the auditee’s management system.
• The audit programme can include audits considering one or
more management system standards, conducted either
separately or in combination.
• The top management should ensure that the audit
programme objectives are established and assign one or more
competent persons to manage the audit programme.
36. 36
RISK-BASED AUDITING
ISO 19011:2011
• The extent of an audit programme should be based on the
size and nature of the organization being audited, as well as
on the nature, functionality, complexity and the level of
maturity of the management system to be audited.
• Priority should be given to allocating the audit programme
resources to audit those matters of significance within the
management system.
• These may include the key characteristics of product quality
or hazards related to health and safety, or significant
environmental aspects and their control.
37. 37
RISK-BASED AUDITING
ISO 19011:2011 - 5.3.1 Roles and responsibilities of the person
managing the audit programme
The person managing the audit programme should:
— establish the extent of the audit programme;
— identify and evaluate the risks for the audit programme;
— establish audit responsibilities;
— establish procedures for audit programmes;
— determine necessary resources;
— ensure the implementation of the audit programme, including the
establishment of audit objectives, scope and criteria of the
individual audits, determining audit methods and selecting the
audit team and evaluating auditors;
— ensure that appropriate audit programme records are managed and
maintained;
— monitor, review and improve the audit programme.
38. 38
RISK-BASED AUDITING
ISO 19011:2011, 5.3.4 Identifying and evaluating audit programme
risks
There are many different risks associated with establishing, implementing,
monitoring, reviewing and improving an audit programme that may affect the
achievement of its objectives. The person managing the programme should
consider these risks in its development. These risks may be associated with
the following:
— planning, e.g. failure to set relevant audit objectives and determine the
extent of the audit programme;
— resources, e.g. allowing insufficient time for developing the audit
programme or conducting an audit;
— selection of the audit team, e.g. the team does not have the collective
competence to conduct audits effectively;
— implementation, e.g. ineffective communication of the audit programme;
— records and their controls, e.g. failure to adequately protect audit records
to demonstrate audit programme effectiveness;
— monitoring, reviewing and improving the audit programme, e.g. ineffective
monitoring of audit programme outcomes.
39. 39
RISK-BASED AUDITING
ISO 19011:2011 - 5.3.5 Establishing procedures for the audit
programme
The person managing the audit programme should establish one or more
procedures, addressing the following, as applicable:
— planning and scheduling audits considering audit programme risks;
— ensuring information security and confidentiality;
— assuring the competence of auditors and audit team leaders;
— selecting appropriate audit teams and assigning their roles and
responsibilities;
— conducting audits, including the use of appropriate sampling methods;
— conducting audit follow-up, if applicable;
— reporting to the top management on the overall achievements of the audit
programme;
— maintaining audit programme records;
— monitoring and reviewing the performance and risks, and improving the
effectiveness of the audit programme.
40. 40
MANAGING RISKS IN MANAGEMENT SYSTEM
AUDITS
Risk Management Process
• Risk assessment: Identifying, analysing and evaluating
relevant risks associated with achieving audit objectives.
• Risk treatment options:
- Changing the likelihood, the consequences or both
- Avoiding the risk
- Removing the risk source
- Retaining the risk
• Monitoring and reviewing
42. 42
SUMMARY
Risk is integral to management systems auditing;
therefore, to be effective, the auditor must adopt the
risk-based auditing approach, applying relevant risk
management methodology throughout the audit
process.
43. 43
REFERENCES
• AICPA GAAS, Section 320, paragraphs 10-14.
• Coleman, L.B. (2015). Advanced Quality Auditing. Milwaukee,
WI: ASQ.
• ISO. (2009). Risk management – Principles and guidelines
(ISO 31000:2009). Geneva, Switzerland.
• ISO. (2011). Guidelines for auditing management systems
(ISO 19011:2011). Geneva, Switzerland.
• ISO. (2015). Quality management systems – Requirements
(ISO 9001:2015). Geneva, Switzerland.
• Madison, D. Process Mapping, Process Improvement, and
Process Management (Kindle Locations 743-746). Paton
Professional. Kindle Edition.
• PECB Advanced Auditing Techniques Training Handbook.