Anda di halaman 1dari 30

INTERNATIONAL CONSORTIUM ON

GOVERNMENTAL FINANCIAL MANAGEMENT


(ICGFM), 24TH ANNUAL INTERNATIONAL

CHALLENGES OF THE INTERNAL AUDITOR


IN THE DESIGN AND IMPLEMENTATION OF
INTERNAL CONTROL AND RISK
MANAGEMENT OF PUBLIC AGENCIES

FACILITATOR: MARIO ANDRADE


MIAMI, MAY, 2010 1
GOAL AND METHODOLOGY:

SHARE A MODEL OF INTERNAL CONTROL


BASED ON RISK MANAGEMENT,
APPLICABLE TO ANY PUBLIC OR PRIVATE
ENTITY; WITH OR WITHOUT GREATER
STATISTICAL INFORMATION..

IT WILL BE MOSTLY PRACTICE.

2
QUESTION 1

HOW MUCH DO YOU KNOW


ABOUT INTERNAL CONTROL?
1. A LOT
2. A LITTLE
3. NOTHING

3
QUESTION 2

HOW MUCH DO YOU KNOW


ABOUT INTEGRAL RISK
MANAGEMENT?
1. A LOT
2. A LITTLE
3. NOTHING

4
KEY FACTORS IN INTERNAL CONTROL
AND RISK MANAGEMENT
§
§ IT SHOULD BE LED BY THE HIGHEST AUTHORITY

§ IT COMMITS THE WHOLE ORGANIZATION


§ IT INVOLVES ALL PROCESSES AND ACTIVITIES


§ IT ALLOWS MEETING GOALS EFFICIENTLY AND ETHICALLY


§ IT PROVIDES RELIABLE, USEFUL INFORMATION


§ IT PROMOTES ENFORCEMENT OF STANDARDS


§ IT SAFEGUARDS RESOURCES

§ IT INCREASES GOVERNABILITY

§ IT IMPROVES ACCOUNTABILITY
§
§ IT DOES NOT ELIMINATE RISKS OF MISTAKES AND
IRREGULARITIES
§
§ IC MAY CHANGE IN A VERY SHORT TIME 5
“With self-discipline,
anything is possible.”
Teodoro Roosevelt

6
COMPONENTS OF INTERNAL CONTROL
AND RISK MANAGEMENT
CONTROL
ENVIRONMENT

C
I O
SETTING OF GOALS S

N IDENTIFICATION OF EVENTS U
M
F M P
U EVALUATION OF RISKS E
O
N
R R
I
M A C RESPONSE TO RISKS V
N I
A
D A
T
CONTROL ACTIVITIES S
T
I I I
O O
O
N N
N

MEETING GOALS – SATISFIED USERS 7


ELEMENTS OF THE CONTROL
ENVIRONMENT
§
1. INTEGRITY AND ETHICAL VALUES
3. PHILOSOPHY AND STYLE OF HIGHEST
LEADERSHIP
4. ADMINISTRATIVE BOARD AND COMMITTEES
5. ORGANIZATION AND PROCESSES
6. MANAGEMENT OF HUMAN RESOURCES
11.ACCOUNTABILITY
§

8
POINTS TO EVALUATE – CONTROL
ENVIRONMENT (1 of 2)
Approved code of ethics;

Ethics Committee

INTEGRITY AND Dissemination

ETHICAL VALUES Effective application;


Institutional indicators,
policies and impacts,
directives: ethics,evaulation
transparency, human resources, organization,
PHILOSOPHY AND planning, environment, innovation and technology,
STYLE OF RISKS;
LEADERSHIP
ADMINISTRATIVE Strategic planning;
Define roles clearly: leaders-strategic processes
BOARD AND Dissemination;
Committees: application;
Auditing, humanevaluation
resources, IT …
COMMITTEES Dissemination, appllication, evaluation

9
POINTS TO EVALUATE – CONTROL
ENVIRONMENT (2 of 2)

Map of processes, organizational chart,


ORGANIZATION authority, powers and responsibility


AND PROCESSES Processes, activities, indicators, reports
Systems and sub-systems: planning,
Dissemination, application, evaluation

recruitment, classification and valuing,


HUMAN evaluation, training…
Systems and tools
RESOURCES Manuals, instructions…

ACCOUNTABILITY Do not confuse application,


Dissemination, work reportsevaluation
with RdC
Dissemination, application, evaluation

10
QUESTION 3
HOW TO QUALIFY THE COMMITTMENT OF THE HIGHEST
AUTHORITY OF YOUR INSTITUTION TO STRENGTHEN
INTERNAL CONTROL?
§

1. VERY COMMITTED
2.
3. SOMEWHAT COMMITTED
4.
5. NO COMMITMENT

11
POINTS TO EVALUATION – INFORMATION AND
COMMUNICATION

INTEGRATED IT strategic plan


INFORMATION Integration of processes and information

SYSTEM Suppliers and users

Tools: COBIT-ITIL…

Intranet

INTERNAL Security policies, privileges, protocols

COMMUNICATION Accessibility, updating


Evaluation, impacts

Laws and standards of tranparency


EXTERNAL Utilization of the web portal

COMMUNICATION Social control


Evaluation, impacts

12
POINTS TO EVALUATE -- SUPERVISION

Defined, congruent authority and responsibilities


CONTINUING Set and incorporated into processes

SUPERVISION Evidences

Evaluations

Independence
INTERNAL NEW ROLE FOR THE INTERNAL AUDITOR

AUDITING Resources

Audit committee

Reports and follow-up

Coordination
EXTERNAL Independence

CONTROL Timeliness

13
QUESTION 4
WHAT DO YOU THINK THE ATTITUDE OF THE INTERNAL AUDITOR
SHOULD BE TOWARD THE DESIGN AND IMPLIMENTATION OF
INTERNATL CONTROL – IC?

1. RECOMMEND THE DESIGN AND IMPLIMENTATION


OF IC
2.
3. DISSEMINATE THE LEGAL AND CONCEPTUAL
FRAMEWORK OF IC
4.
5. PROMOTE (push) THE DESIGN, IMPLILMENTATION
AND SELF-EVALUATION OF IC


14
PROCESS FOR RISK MANAGEMENT

SETTING OF GOALS

IDENTIFICATION OF EVENTS

EVALUATION OF RISKS

RESPONSE TO RISKS

CONTROL ACTIVITIES

15
POINTS OF CONTROL – SETTING GOALS

1. STRATEGIC, OPERATIONAL, INFORMATIONAL AND


ENFORCEMENT GOALS

1. SPECIFIC GOALS AT EACH LEVEL


2. ALIGNMENT OF INSTITUTIONAL GOALS WITH


NATIONAL GOALS, MISSION…
3.
4. INDICATORS, REPORTS

5. DISSEMINATION
7. EVALUATION

16
POINTS OF CONTROL – IDENTIFICATION OF
EVENTS

1. PARTICIPATION OF INTERNAL AND EXTERNAL EXPERTS


2. STATISTICAL OR QUALITATIVE INFORMATION


3. EXTERNAL EVENTS: Polítical, social, economic,


environmental, technological
4.
5. INTERNAL EVENTS: Human, financial, and technological
resources; processes, infrastructure
6.
7. INVENTORY OF EVENTS ASSOCIATED WITH GOALS
8.
9.

17

GOAL. INCREASE USER SATAISFACTION BY 25%.
EXTERNAL EVENTS

1.
2. POLITICAL CONTROL

2. THREATS, BLACKMAIL, OFFERS


3. LACK OF CREDIBILITY
4.
5. BAD PRACTICES ACCEPTED BY SOCIETY AND PROFESSIONS
6.
7. OBSOLETE OR INSUFFICIENT LEGAL PROVISIONS
8.
9. LACK OF ALLOCATION OF RESOURCES
10.
11. LACK OF TRANSPARENCY OF THE SYSTEM
12.
13. INSUFFICIENT USE OF TECHNOLOGY AND NEW PROVISIONS
14.
15. NO COORDINATION AMONG LAW-ENFORCEMENT AGENCIES
16.
17. GOVERNMENT AGENCIES AND INEFFICIENT CONTROL
18.
19. SOCIETY WITHOUT TOOLS TO EXERCISE SOCIAL CONTROL 18
20.
GOAL. INCREASE USER SATAISFACTION BY 25%.
INTERNAL EVENTS
1.
2. DEFICIENT SYSTEM OF HUMAN RESOURCES

2. UNETHICAL BEHAVIOR OF PERSONNEL


3. LACK OF PROFESSIONAL COMPETENCE


4. LOW SALARIES
5.
6. INADEQUATE ORGANIZATION

6. ABSENCE OF PROCESSES AND PROCEDURES WITH INDICATORS


7.
8. LACK OF ADEQUATE, TIMELY SUPERVISION
9.
10. NO SANCTIONS APPLIED OR RULES MAKE APPLICATION DIFFICULT

9. LACK OF INVESTIGATION PLANS


10.
11. INVESTIGATION WITHOUT INTENSIVE USE OF TECHNOLOGY
12.
13. NEW FORMS OF INVESTIGATION HAVE NOT BEEN INCORPORATED
14.
15. INADEQUATE OR INSUFFICIENT RESOURCES AVAILABLE 19
POINTS OF CONTROL – EVALUATION OF RISKS

1. MEASURE PROBABILITY

2. MEASURE IMPACTS

3. PREPARE THE RISK MAP WITH THE PARTICIPATION


OF THOSE DIRECTLY INVOLVED
4.
5. RISK MANAGEMENT MUST BE STARTED EVEN
WITHOUT STATISTICAL INFORMATION


20

RISK MAP

E
X
Excess of acceptable risk P
Impact
Medium High

L
I
C
A
C
Low

Within acceptable risk


I
Ó
N
Low Medium High

Probability
21
“THE APPROACH THAT WE HAVE TAKEN IN FINANCIAL AND
BUSINESS RISK IS TO TRY TO QUANTIFY WHAT WE CAN AND NOT
NECESSARILY WORRY ABOUT EVERYTHING THAT WE CANNOT
CAPTURE IN OUR MEASUREMENTS”

DIRECTOR OF CORPORATE FINANCES


MICROSOFT CORP. 2006

22
POINTS OF EVALUATION – RESPONSE TO RISKS

1.ACCEPT

2.PREVENT
3.
4.SHARE
5.
6.REDUCE
7.
8.LEAVE EVIDENCE OF COMMITMENTS
9.
10.

23
POINTS TO EVALUATE – CONTROL ACTIVITIES

1.ACTIONS TO MITIGATE RISKS


2.
3.REDUCE MISTAKES OR IRREGULARITIES
4.
5.RAISE THE POSSIBILITY OF MEETING GOALS
6.
7.POINTS OF INTERNAL CONTROL, NOT ONLY FINANCIAL AND
ADMINISTRATIVE, BUT RATHER MISSION OPERATIONS
8.
9.POINTS OF SOCIAL CONTROL
10.
11.INSPECTIONS, VERIFICATIONS, CONCILIATIONS,
CONFIRMATIONS, SUPERVISION, INFORMATION,
ACCOUNTABILITY, SEPARATION OF FUNCTIONS, ELECTRONIC
AND MANUAL CONTROLS…
13.
14. 24
CONTROL ACTIVITIES
1.
2. CODE OF ETHICS FULLY APPLIED – EXAMPLE OF AUTHORITIES
3.
4. ETHICS COMMITTEE AT WORK TO HANDLE COMPLAINTS

5. FACILITATE THE RESPONSIBLE SUBMISSION OF COMPLAINTS


6.
7. TRANSPARENT SYSTEM OF HUMAN RESOURCE MANAGEMENT
8.
9. ORGANIZATION BY PROCESSES
10.
11. COMPLETE MANUAL OF PROCESSES AND PROCEDURES
12.
13. INTEGRATED SYSTEM OF INVESTIGATION AND ACCUSATION
14.
15. USE OF TECHNOLOGY IN THE PRE-PROCESS AND PROCESS STAGES
16.
17. OBJECTIVE, PERMANENT SUPERVISION
18.
19. USE OF INDICATORS AND INFORMATION SYSTEMS
20.
21. OBJECTIVE EVALUATIONS AND PROFESSIONAL CAREERS 25
22.
MATRIX FOR THE RISK MANAGEMENT PROCESS

• GOAL: Have r ecommendations met by 95%


• ACCEPTABLE RISK: 95%; RISK TOLERANCE: 5%

EVALUAT ION
RESPONSE
EVENTS PROBABILITY IMPACT CONT ROLS
TO RISKS
H M L H M L
Create an Audit Committee
Lack of support Approval of the PAR by the Board
3 3 R
from top leadership Establish sanctions for failure to
comply
Include political and operational
The report does not
3 3 R responsible people
reach workers
Put report on the Intranet-WEB
Involvement of audited entities in
Inadequate
formulating recommendations
promotion and 3 3 R
Use of the corrective Action Plan
motivation
Follow-up

H = High 3 RESPONSE:
M = Medium 2 P = Prevent A = Accept
26
L= Low 1 R = Reduce S = Share
QUESTION 5

DO YOU BELIEVE THAT YOU CAN


PROMOTE STRENGTHENING OF THE
INTERNAL CONTROL OF YOUR ENTITY?
1. YES
2. NOT VERY LIKELY
3. NO

4.

27

 Model for the design and self-


evaluation of a System of
Internal Control based on Risk
Management

 See Example

28

 NO ONE LIKES CONTROL, BUT IF ITS


POSITIVE EFFECTS ARE PROVEN,
PEOPLE CAN TOLERATE IT AND
SUPPORT ITS APPLICATION

29

 Thanks very much for your


attention!

 mgandradet@gmail.com


30