aligning risk management and strategy; enhancing risk response decisions; reducing operational surprises and losses; identifying and managing multiple and crossenterprise risks; seizing opportunities; improving deployment of capital.
human judgement in decision making may be faulty; decisions on responding to risk (including establishing controls) must take into account the relative costs and benefits; breakdowns can occur due to simple errors or mistakes; controls can be circumvented by collusion; management has the ability to override risk management decisions (including controls); decisions must often be made in conditions of uncertainty and without complete information.
For these reasons the board and management cannot have absolute assurance as to the achievement of objectives.
avoiding the risk; diversification; controlling the risk; sharing the risk (through insurance, for example); transferring the risk; accepting the risk.
The role of internal auditing in the assessment and management of risks (cont'd)
The purpose of internal auditing (in the context of risk management) is to assess the appropriateness and adequacy of management's actions to avoid, share, transfer and control risks so as to keep them within the defined control limits or tolerances. The IIA has issued a practice guide to assist internal auditors in assessing management's risk management processes. This is found as On-line Reading 3.2-1.
The role of internal auditing in the absence of a formal risk management process
If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process. If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization. Internal auditors can facilitate or enable risk management processes but they should not own or be responsible for the management of the risks identified.
1. Risk management creates and protects value (and must be most rigorous when risks are greatest).
2. Risk management is an integral part of organizational processes.
3. Risk management is part of decision-making.
4. Risk management expressly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored to the specific organization.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement and enhancement of the organization.
address uncertainty; constitute an integral part of business process and decision-making; be based on the best available information and tailored to the organization; take human and cultural factors into account; be dynamic, iterative and responsive to change; mature further as the organization gets better at risk management; create and protect value.
Internal audit departments should proactively manage their risks in these areas, particularly by monitoring compliance with professional and ethical standards.
The five components of internal control are: the control environment; risk assessment; control activities; information and communication; monitoring activities.
Control is effected by people throughout an organization. Those who are accountable for activities should be accountable for controlling those activities. Organizations are constantly interacting and adapting. Control can never supply absolute assurance, only reasonable assurance. Effective control requires a balance between autonomy and integration, and between the status quo and adapting to change.
Controls must be cost-effective. There are inherent limitations to control. These include: the decision-making processes may be faulty (or based on incomplete or uncertain information); controls tend to be directed at routine, recurring transactions; some human error is inevitable; there is always the possibility of collusive circumvention of controls; there is always the possibility of management override of controls.
is generally broader than most other frameworks; classifies criteria of control into four groups:
Understand the control framework to be used. Determine existing control strengths and weaknesses. Define key issues and reportable conditions. Validate testimonial evidence. Complete the assessment. Identify and recommend corrective action.
Identification of risks and exposures. Assessment of the control processes that mitigate or manage those risks. Developing action plans to reduce risks to acceptable levels. Determining the likelihood of achieving business objectives.
1. Facilitated team workshops gather information from work teams representing different levels in the organization.
2. Surveys use a questionnaire format in circumstances where: respondents are too numerous or geographically dispersed; management style discourages open, candid discussion; workshops are viewed as too expensive.
3. Management-produced analysis is generally prepared by a team in a staff or support role within the activity.
staff from the unit being assessed; provide a summary report and feedback; summary results to the audit committee.
lack of objectivity and independence of evaluations; costly to implement (in the first few years); may become mechanical in time; requires an open management style to be effective.
Continuous auditing
Another technique that auditors can use to monitor risks and evaluate the effectiveness of internal controls is known as continuous auditing. This technique usually relies upon technology to monitor risks and controls automatically. This is explained further in Reading 3-8.
Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
Corporate governance means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities.
Governance refers to the responsibilities and actions of members of governing bodies in their stewardship capacity (to protect the interests of the entity's stakeholders). Accountability is the obligation to answer for a responsibility. Boards of directors (or their equivalents) are accountable to the entity's stakeholders for the performance of their governance role.
is the focal point for all governance activities; is ultimately accountable and responsible for the performance and affairs of the organization, its effective risk management practices and its risk limits; oversees all organizational activities but does not have direct management of any of them; establishes the tone at the top and implements best governance practices for the organization.
sets strategic direction and establishes the entity's value system; provides assurance that risks are managed as part of a risk management process, that operations are monitored, results are measured and corrective actions are implemented in a timely fashion; deploys strategy, enforces internal control and provides direct supervision over operational areas; is accountable for implementing and monitoring the risk management and control processes.
promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; effectively communicating risk and control information to appropriate areas of the organization; effectively coordinating the activities of, and communicating information among, the board, external and internal auditors and management.
evaluate whether companywide governance components work together as expected. analyze the level of reporting transparency among parts of the governance structure. compare governance best practices. identify compliance with recognized and applicable governance codes.
Guidance from the IIA states that internal auditors may participate in the establishment of governance processes.
1. oversight of published financial information including annual financial reports, interim reports, public disclosure documents, etc.
2. oversight of the internal auditing function
3. oversight of the internal financial controls
4. oversight of the corporate Code of Conduct
5. liaison with the organization's external auditors
The Sarbanes-Oxley Act of 2002 was passed by the US Congress to address investor concerns after the Enron collapse. Among the changes was the creation of a board to oversee audit and assurance of publicly traded entities. CEOs and CFOs must now attest to their belief in the accuracy of published financial information. External auditors (in the United States) will have to provide opinions on the controls over financial reporting within their publicly traded audit clients. These changes have increased the responsibility of boards and their audit committees and have resulted in much greater significance being placed on the internal audit functions within those companies affected by the law.
how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)
risk management process and how this role changes when there is no established risk management process. (Level 1)
to assist in audit planning and compare this approach with traditional approaches to internal auditing. (Level 1)
the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)
control frameworks on internal auditing and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)
the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)
governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)
2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)