Risk Advisory Services are designed to mitigate risks, improve operations, and help management in achieving its business objects. Risk advisory services are more consultative in nature than traditional audits and are requested by management, and not generated as a result of performing an annual risk assessment.
A Risk Advisory Project typically includes the following:
- A Risk Advisory Services Charter to document the engagement and establish an understanding with the client stakeholder about the proposed objectives, scope, respective responsibilities, deliverable, and other expectations.
- Once a Risk Advisory Service Charter has been approved by OHIA and the client, the engagement will be included in the audit plan and an entrance conference will be scheduled. OHIA will create a work program to document the procedures for collecting, analyzing, and interpreting information obtained and reviewed during the project. The established scope of an advisory project must be sufficient to achieve the agreed-upon objectives of the engagement.
- Fieldwork will follow the steps outlined in the work program and will address controls consistent with the engagement’s objectives. OHIA will communicate results with client stakeholders throughout this time via status updates.
- Communication to clients of the results of consulting engagements will typically be in a memo format that is reflective of a distinct consulting report structure. However, when governance, risk management, and control issues are identified and these issues are significant to Johns Hopkins Institutions, they must be communicated to senior management and the Audit Committees in a formal report.
- Management responses are not required unless the consulting engagement identified one or more of the following significant control issues, non-compliance with Institutional policies and procedures, or non-compliance with applicable laws and regulations.
- An exit conference will be scheduled to discuss the consulting memo with client management and other impacted parties.
- Follow-up on recommendations reflected in consulting memos will only be performed when the significant concerns, noted above, are identified.