Auditing management calculation system
Abstract : Obligation of periodical internal and external audits is common for all management systems. Standard ISO 19011 provides guidance on auditing of management systems including the principles for auditing, managing an audit programme and conducting the management system audits. ISO 19011:2011 introduces the concept of risk in management system audits but it does not give specific guidance for the risk assessment and risk management process of the organization. This paper proposes a model for management system auditing based on risk assessment. The adopted model refers to the risks concerning the achievement of audit goals, together with risks of the audit to interfere with audited activities and processes of the organization.
? This document refers to a management structure comprised of a board of directors and senior management. The Committee recognises that significant differences exist in legislative and regulatory frameworks between countries.
? In this document, references to the board of directors presume appropriate involvement of its audit committee, when one exists.
? When the risk management function has not informed the board of directors about the existence of a significant divergence of views between senior management and the risk management function regarding the level of risk faced by the bank, the head of internal audit should inform the board about this divergence.
? According to the holistic approach, the overall audit risk should be calculated differently if single risks have mutual impact to each other (where the resulting risk level is much higher if there is some kind of interrelationship between the assessed risks).
? Risks of environmental accidents and impacts arising, or likely to arise, as consequences of incidents, accidents and potential emergency situations, previous environmental problems that the organization has contributed to.
? The organization is facing legal proceedings related to OH&S (depending on the severity and impact of risk involved).
? Environmental aspects with significant nature and gravity (typically manufacturing or processing type organizations with significant impacts in several of the environmental aspects)
• Internal audit should review management’s process for stress testing its capital levels, taking into account the frequency of such exercises, their purpose (e.g., internal monitoring vs. regulator imposed), the reasonableness of scenarios and the underlying assumptions employed, and the reliability of the processes used.
• The audit committee may invite the head of internal audit, the head of compliance, senior management, in particular the chief executive officer and other officials deemed relevant for the purpose of fulfilling its responsibilities to attend meetings of the committee.
• It is a sound practice that the head of internal audit and members of the audit committee have a private session, i.e. in the absence of management, to discuss issues of interest.
? The reliance on numerous principles is characteristic for auditing. These principles should be harmonized with the management system policy, and should help the management to conduct an effective and reliable audit, which provides information needed for the improvement of organizations performance.
? Auditee’s level of performance, as reflected in the occurrence of failures or incidents or customer complaints.
? The proposed model was successfully tested and validated in praxis so it can be concluded that it offers the possibility for effective and efficient audit risk management in organizations of various types and sizes.
? The greatest advantage of this model is based on a fact that every risk can be considered separately and also can be combined with other risks.
|