The risk rating is submitted to the CAE to determine the risk treatment. The CAE
prepares the audit test plan based on the risks identified and rated to provide
reasonable assurance.
In order to ensure risks are identified, analyzed, and treated effectively, the
approach to risk assessment is systematically structured in Oracle GRC Manager.
All risk documentation is stored in a risk register within Oracle GRC Manager.
This documentation includes risk description, inherent and residual risk rating,
and mitigating controls. Risks are classified as global, regional, and local, and they
are directly linked to the InFission organization structure. Each risk is quantified in
terms of impact and likelihood described in the risk registers.
The GRC Manager Risk Register is reviewed by the CAE to include inherently high
risks in the internal audit plan. However, only a limited number of low risks are
periodically included in the internal audit activity's plan to give them coverage and
confirm that their risks have not changed. Also, the internal audit plan establishes
a method for prioritizing outstanding risks not yet subject to an internal audit. The
residual risks remain unchanged where the inherent risks are ranked low and not
included in the audit plan. The CAE provides an independent risk assessment report
to the Audit Committee, including the details of the risk analysis and the causes of
missing or ineffective internal controls.
Assessing quantitative risks in Oracle GRC Intelligence
During the risk assessment phase, InFission uses Oracle GRC Intelligence to review the
risks and evaluate the potential effects on the financial statements using quantitative
analysis. The risks that have been identified qualitatively by the management are linked
to the financial statement account considering the pervasiveness and magnitude of
the effect on the financial statements and the likelihood that they will occur (inherent
risk). Additionally, the risk that any mitigating controls might fail (control risk) is
tracked by associating the prior year issue log in the Oracle GRC Intelligence application.
Collectively, these two components represent the risk that a material misstatement of
the financial statements would occur. Thus, InFission can track this combination of
risks, commonly referred to as the Risk of Material Misstatement (ROMM) in Oracle
GRC Intelligence. Based on the assessment of inherent risk and control risk, InFission
can arrive at an assessment of misstatement risks.
The risk assessment can be conducted at both the overall financial statement
level and the account balance/transaction class/entity level utilizing Oracle
GRC Intelligence dashboards.
 