
Course Name: Internal Auditing and Controls
Module: 3
Module Title: Risk Management, Control Frameworks and Governance

Lectures and handouts by: Chuck Campbell


Copyright The Certified General Accountants Association of British Columbia. All rights reserved.

Risk management, control frameworks, and governance Module 3


As you learned in Module 1, the scope of internal auditing has expanded over the past several decades. From a limited focus on compliance and financial integrity, it first grew to encompass the assessment of effectiveness, efficiency and economy of operations. In recent years, the focus has widened further to consider risk management and governance. In this module you will learn about the importance of managing risk, control frameworks and control self-assessment. You will also consider the role of governance and that of the audit committee.

Internal Auditing & Controls
Module 3

Part 1
Topic 3.1 Risk management

Part 2
Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process

Part 3
Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks

Part 4
Topic 3.6 Control self-assessment and continuous auditing

Part 5
Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002

Part 6
Module summary
Learning objectives
Recent examination questions

Part 1
Topic 3.1 Risk management

The relationship between risk and control


Risk is the possibility (uncertainty) of an event occurring that will have a (negative) impact on the achievement of objectives. Enterprise risk is, therefore, the uncertainty of an event occurring that may reduce the likelihood of an organization achieving its objectives.

Enterprise risk management is defined as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Effective control provides reasonable assurance that the entity will achieve its objectives (by reducing uncontrolled risks to an acceptable level) and, therefore, includes the identification and management of risks.

Risk models enable management to identify the risks faced by the enterprise, establish risk tolerances (risk limits) for these risks and test controls to ensure that the uncontrolled risks remain within the organization's established risk tolerances.

Benefits of enterprise risk management


- aligning risk management and strategy;
- enhancing risk response decisions;
- reducing operational surprises and losses;
- identifying and managing multiple and cross-enterprise risks;
- seizing opportunities;
- improving deployment of capital.

Limitations to enterprise risk management


- human judgement in decision making may be faulty;
- decisions on responding to risk (including establishing controls) must take into account the relative costs and benefits;
- breakdowns can occur due to simple errors or mistakes;
- controls can be circumvented by collusion;
- management has the ability to override risk management decisions (including controls);
- decisions must often be made in conditions of uncertainty and without complete information.

For these reasons, the board and management cannot have absolute assurance as to the achievement of objectives.

Identifying risks using risk models


A number of risk models or risk frameworks have been developed to help identify the risks related to an organization's activities and plans. The risks faced by businesses vary from organization to organization and should be identified by the organization's management.

Risk and the Butterfly Risk Tool


Reading 3-2 introduces a new tool to enable both internal auditors and management to better identify risk events as part of the organization's risk analysis. The Butterfly Risk Tool considers the sources of risk and the potential consequences of those risks to the organization. Control activities should be designed to address the sources of risk and reduce the likelihood and impact of adverse consequences.

Setting appropriate risk limits


Risk tolerances or risk limits define the amount of residual, uncontrolled risk that the board and management are prepared to consider as acceptable. For example, a company could determine the amount of foreign currency risk that it was prepared to accept and implement processes to hedge exposures in excess of that amount. The amount of exposure that the company was prepared to accept would be its risk tolerance, risk limit or risk appetite.


Techniques for mitigating or reducing risks

Management has a number of alternative techniques which can be used to manage the risks faced by an organization. These include:

- avoiding the risk;
- diversification;
- controlling the risk;
- sharing the risk (through insurance, for example);
- transferring the risk;
- accepting the risk.

Part 2
Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process

The role of internal auditing in the assessment and management of risks


Internal auditing includes assisting the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal auditor should monitor and evaluate the effectiveness of the organization's risk management system.

The purpose of internal auditing (in the context of risk management) is to assess the appropriateness and adequacy of management's actions to avoid, share, transfer and control risks to keep them within the defined control limits or tolerances. The IIA has issued a practice guide to assist internal auditors in assessing management's risk management processes. This is found as On-line Reading 3.2-1.

The role of internal auditing in the absence of a formal risk management process

If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process. If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization. Internal auditors can facilitate or enable risk management processes but they should not own or be responsible for the management of the risks identified.

Principles of risk management

1. Risk management creates and protects value (and must be most rigorous when risks are greatest).
2. Risk management is an integral part of organizational processes.
3. Risk management is part of decision-making.
4. Risk management expressly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored to the specific organization.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement and enhancement of the organization.

ISO 31000 on risk management


Risk management should:

- address uncertainty;
- constitute an integral part of business process and decision-making;
- be based on the best available information and tailored to the organization;
- take human and cultural factors into account;
- be dynamic, iterative and responsive to change;
- mature further as the organization gets better at risk management;
- create and protect value.

Differences between traditional and risk-based internal auditing


Risk-based auditing starts by reviewing the organizational objectives, then considers the business risks that impact the achievement of those objectives and examines the methodologies in place to mitigate those risks. Risks can be avoided, shared or transferred, rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted, but the acceptable amount must be kept within the limits established by the board and management.

Traditional auditing began with a consideration of controls, focusing only on the design and effectiveness of the controls in meeting traditional control objectives of ensuring accurate financial information, compliance with laws and policies, safeguarding of assets and achievement of effectiveness, efficiency and economy of operations.

Managing the risk of the internal audit activity


The risks to internal audit activities fall into three broad categories:

- audit failure;
- false assurance; and
- reputation risks.

Internal audit departments should proactively manage their risks in these areas, particularly by monitoring compliance with professional and ethical standards.

Part 3
Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks

Risk and control frameworks


Risk and control models or frameworks have been developed by a number of organizations, firms and individuals as a means of providing a common language to be used in the identification and mitigation of risks. Risk frameworks focus on the risks faced by enterprises; control frameworks focus on the controls to mitigate the risks.


Different definitions of control objectives


COSO (the American Committee of Sponsoring Organizations of the Treadway Commission), CoCo (the CICA Criteria of Control Committee), and the IIA have similar, but different, definitions of control. All three definitions consider control to consist of actions taken to support people in the achievement of the organization's objectives.

The objectives of control set out by COSO relate to the effectiveness and efficiency of operations, the reliability of reporting and compliance with applicable laws, regulations and internal policies. CoCo uses virtually identical language to describe its view of control objectives.

The IIA Standards list four objectives: reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance (with laws, regulations and contracts). These can all be considered to fall within the objectives set out in the COSO and CoCo frameworks.

Components of effective internal control


COSO states that in an effective internal control system, the following five components work to support the achievement of an organization's mission, strategies and related business objectives:

- the control environment;
- risk assessment;
- control activities;
- information and communication;
- monitoring activities.

The nature of control


CoCo's Guidance on Control makes five observations on the nature of control:

- Control is effected by people throughout an organization.
- Those who are accountable for activities should be accountable for controlling those activities.
- Organizations are constantly interacting and adapting.
- Control can never supply absolute assurance, only reasonable assurance.
- Effective control requires a balance between autonomy and integration, and between the status quo and adapting to change.

Limitations of control

Control cannot give absolute assurance, only reasonable assurance, because:

1. Controls must be cost-effective.
2. There are inherent limitations to control. These include:
   - the decision-making processes may be faulty (or based on incomplete or uncertain information);
   - controls tend to be directed at routine, recurring transactions;
   - some human error is inevitable;
   - there is always the possibility of collusive circumvention of controls;
   - there is always the possibility of management override of controls.

The CoCo framework


The CoCo framework:

- is generally broader than most other frameworks;
- classifies criteria of control into four groups:
  - purpose;
  - commitment;
  - capability;
  - monitoring and learning;
- recognizes soft controls (such as trust).

Control frameworks and internal auditing


The development of control frameworks has led to a broader understanding of control and management's responsibility for controlling the activities that they manage. It has brought management more into the control assessment process and created greater control-consciousness in management. It has recognized the existence and potential effectiveness of soft controls and included them in evaluation.

Using the COSO control framework is a six-step process:

1. Understand the control framework to be used.
2. Determine existing control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Complete the assessment.
6. Identify and recommend corrective action.

Part 4
Topic 3.6 Control self-assessment and continuous auditing

Control self-assessment defined


Control self-assessment can be broadly defined as any activity where the people responsible for a business area, task, or objective, using some demonstrable approach, analyze the status of control and risk to provide additional assurance related to the achievement of one or more business objectives.

Purposes of control self-assessment


- Identification of risks and exposures.
- Assessment of the control processes that mitigate or manage those risks.
- Developing action plans to reduce risks to acceptable levels.
- Determining the likelihood of achieving business objectives.

Starting points for CSA


CSA can start with any of the following:

1. Objectives
2. Risks
3. Processes
4. Controls

Alternative processes in CSA

1. Facilitated team workshops gather information from work teams representing different levels in the organization.
2. Surveys use a questionnaire format in circumstances where:
   - respondents are too numerous or geographically dispersed;
   - management style discourages open, candid discussion;
   - workshops are viewed as too expensive.
3. Management-produced analysis is generally prepared by a team in a staff or support role within the activity.

Steps in the control self-assessment process (facilitated team workshops)

As developed by Gulf Canada Resources, control self-assessment (CSA) consisted of the following phases:

1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct a workshop with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.
4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.

Different viewpoints on CSA


Is it really internal auditing? Maybe... but it is not sufficient in itself: some testing of the operating effectiveness of key controls should be performed in addition to CSA in areas of significant enterprise risk where CSA is used.

Advantages of control self-assessment

Advantages of control self-assessment include:

- increases management and employee awareness of controls;
- brings the focus of those who know the processes to bear on control issues;
- gains acceptance of recommendations;
- provides potential cost savings in later years.

Disadvantages of control self-assessment

Disadvantages of control self-assessment include:

- lack of objectivity and independence of evaluations;
- costly to implement (in the first few years);
- may become mechanical in time;
- requires an open management style to be effective.

Continuous auditing
Another technique that auditors can use to monitor risks and evaluate the effectiveness of internal controls is known as continuous auditing. This technique usually relies upon technology to monitor risk and controls automatically. This is explained further in Reading 3-8.

Part 5
Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002

The concept of governance

Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

Corporate governance means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities.

Governance refers to the responsibilities and actions of members of governing bodies in their stewardship capacity (to protect the interests of the entity's stakeholders). Accountability is the obligation to answer for a responsibility. Boards of directors (or their equivalents) are accountable to the entity's stakeholders for the performance of their governance role.

Control and governance role of the board of directors

CoCo's Guidance for Directors provides the following list of control and governance responsibilities for private sector Boards of Directors:

1. approve and monitor mission, vision and strategy;
2. approve and monitor the organization's ethical values;
3. monitor management control;
4. evaluate the performance of senior management;
5. oversee external communications;
6. assess the board's own effectiveness.

The Board of Directors:

- is the focal point for all governance activities.
- is ultimately accountable and responsible for the performance and affairs of the organization, its effective risk management practices and its risk limits.
- oversees all organizational activities but does not have direct management of any of them.
- establishes the tone at the top and implements best governance practices for the organization.

Control and governance role of management


Management:

- sets strategic direction and establishes the entity's value system.
- provides assurance that risks are managed as part of a risk management process, that operations are monitored, results are measured and corrective actions are implemented in a timely fashion.
- deploys strategy, enforces internal control and provides direct supervision over operational areas.
- is accountable for implementing and monitoring the risk management and control processes.

Role of internal audit in relation to governance

Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

- promoting appropriate ethics and values within the organization;
- ensuring effective organizational performance management and accountability;
- effectively communicating risk and control information to appropriate areas of the organization;
- effectively coordinating the activities of, and communicating information among, the board, external and internal auditors and management.

Internal audit can:

- evaluate whether companywide governance components work together as expected.
- analyze the level of reporting transparency among parts of the governance structure.
- compare governance best practices.
- identify compliance with recognized and applicable governance codes.

Guidance from the IIA states that internal auditors may participate in the establishment of governance processes.

The role of the audit committee of the board of directors

The responsibilities of the board's audit committee usually include the following:

1. oversight of published financial information, including annual financial reports, interim reports, public disclosure documents, etc.;
2. oversight of the internal auditing function;
3. oversight of the internal financial controls;
4. oversight of the corporate Code of Conduct;
5. liaison with the organization's external auditors.

Audit committee charter


Best practices include an audit committee charter, drawn up by the audit committee and approved by the board. It would typically include:

- Purpose
- Authority
- Composition
- Meetings
- Responsibilities

(See Exhibit 3-2 for an example charter.)

Impact of Sarbanes-Oxley Act of 2002 on corporate governance

The Sarbanes-Oxley Act of 2002 was passed by the US Congress to address investor concerns after the Enron collapse. Among the changes was the creation of a board to oversee audit and assurance of publicly traded entities. CEOs and CFOs must now attest to their belief in the accuracy of published financial information. External auditors (in the United States) will have to provide opinions on the controls over financial reporting within their publicly traded audit clients. These changes have increased the responsibility of boards and their audit committees and have resulted in much greater significance being placed on the internal audit functions within those companies affected by the law.

Part 6
Module summary
Learning objectives
Recent examination questions

Module 3 Learning Objectives

1. Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)
2. Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. (Level 1)
3. Explain how auditors use risk assessment to assist in audit planning and compare this approach with traditional approaches to internal auditing. (Level 1)
4. Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)
5. Describe the impact of the development of control frameworks on internal auditing and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)
6. Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)
7. Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)
8. Explain the role of the audit committee of the board of directors. (Levels 1 and 2)
9. Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)

Recent examination questions


The examination blueprint states that between 8% and 11% of the examination will test material from Module 3.

Typical examination questions:

- Multiple choice questions
- Essay questions: question 1
- Essay questions: question 2
