RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide"

Transcription

1 RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide

2 About This Course

3 About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation for risk-based auditing. Specific risk-based assessment methodologies, components, and best practices. Applying the knowledge to specific situations

4 About This Course Seminar Objectives By the end of this session, you will have had an opportunity to: Identify relationships between strategy, corporate governance, risk management, and controls. Identify key business processes and objectives. Produce a risk assessment. Produce a risk-based assurance plan. Describe entitywide controls and their relevance to the plan. Plan a risk-based engagement. Network with peers. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

5 About This Course Seminar Topics The following topics will be covered during the seminar: Role of internal auditing Corporate governance Risk management Control and (risk) frameworks Entitywide risk assessment Risk-based audit engagement

6 About This Course Participant Introductions Introduce yourself to your team members using the following guide: Your name and job title. Your organization and its industry. Your experience in internal auditing. Related work experience. What you want gain from this seminar. Something interesting about you that reveals your risk appetite. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

7 About This Course Working Agreement Much of the success of this course depends on creating an effective learning environment and process. To create this environment and process we want to have a Working Agreement. Our agreement follows the acronym PROCESS. We agree to demonstrate: P = Participation This seminar is highly participatory. By agreeing to actively participate in discussions and exercises participants will get the greatest benefit from the program. R = Respect There will be times when we will agree to disagree on the significance of issues, possible solutions and best practices. We agree show respect by actively listening to other viewpoints and not forcing our views on other participants. O = Openness We will share our experiences and provide constructive feedback. By agreeing to such openness, participants can expand their perspectives and build their skills. C = Confidentiality Confidential matters should not be discussed outside class. Be aware that information of this kind may have consequences for others. E = Enthusiasm Be enthusiastic about this learning experience!!! S = Sensitivity Participants should be sensitive to the feelings and perspectives of others. S = Sense of fun This seminar should be an enjoyable experience for the participants and the leader. If we approach the discussions and exercises, and other learning tools in the right frame of mind, we will not only have more fun but will also learn more

8 About This Course Ideas and Insights As you go through the seminar, use the space at the end of each unit to record ideas and insights for your own use and to share with others in the seminar. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

9 About This Course Quiz True or false: 1. U.S. organizations are required to have internal audit departments under the U.S. Sarbanes-Oxley Act of Internal audit departments must comply with the International Standards for the Professional Practice of Internal Auditing (Standards). 3. The Sarbanes-Oxley Act s primary focus is on improving corporate governance and transparency. Multiple choice: 4. Risk-based auditing can best be described as: A. A best practice. B. Mandated under the Standards. C. Required by the Sarbanes-Oxley Act.. D. All of the above. E. A and B only

10 About This Course Quiz Answers True or false: 1. False 2. False 3. True Multiple choice: 4. E: A and B only The Institute of Internal Auditors, Inc., Altamonte Springs, FL

11 Role of Internal Auditing

12 Role of Internal Auditing Introduction Overview Risk-based auditing is perhaps the only way for an audit organization to add value to management and fulfill its charter responsibility to the independent directors. Objectives By the end of this unit, you should be able to: Identify the value of internal auditing. Define internal auditing. Describe the internal audit standards. Discuss risk-based auditing in organizations. Resources Readings and Resources IIA Position Statement: Risk-based Internal Auditing

13 Role of Internal Auditing Understanding the Value of Internal Auditing Value of Internal Auditing When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement. Jim LaTorre, PwC The Institute of Internal Auditors, Inc., Altamonte Springs, FL

14 Role of Internal Auditing Definition of Internal Auditing Mandatory Guidance Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes

15 Role of Internal Auditing Internal Audit Standards The Standards Mandatory Guidance 2100: Nature of Work The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

16 Role of Internal Auditing Activities Activity: My Organization's Approach to Risk-based Auditing Instructions: On your own, spend a few minutes using the worksheet below to determine the degree of satisfaction with your organization s approach to risk-based auditing. Elements Don t Know Satisfied Neutral Dissatisfied Annual enterprisewide risk assessment By management By audit with the involvement of management With involvement of audit committee Audit engagement risk assessment Evaluation tools Client involvement Corporate governance is assured Ethics program is assured Risk management is assured

17 Role of Internal Auditing Elements Don t Know Satisfied Neutral Dissatisfied Internal audit activity maps to enterprise strategy Skills and attitudes of auditors Audit plan is risk-based The Institute of Internal Auditors, Inc., Altamonte Springs, FL

18 Role of Internal Auditing Activity: My Organization s Strengths and Weaknesses Activity Referring to your individual exercise responses, discuss the four questions below, select a spokesperson, and be prepared to report to the class. What are the strengths and best practices for the risk-assessment process in your organization? What are the weaknesses and challenges to the risk-assessment process in your organization? What is the current role of internal auditing in your organization? What are the opportunities for internal auditing in your organization?

19 Role of Internal Auditing Reading: Risk-based Internal Auditing Position Statement Resources Take a few minutes to read the Risk-based Internal Auditing position statement. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

20 Role of Internal Auditing Unit Conclusion Summary You have completed the lesson Role of Internal Auditing. Here are some key points: When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity must evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach. You examined your organization s approach to risk-based auditing and looked at the strengths and weakness of the risk-assessment process

21 Role of Internal Auditing Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

22 Corporate Governance

23 Corporate Governance Introduction Overview Corporate governance is the foundation of risk-based auditing and should be understood before proceeding. Objectives By the end of this unit, you should be able to: Define corporate governance. Identify Performance Standard 2110: Governance. Identify the various aspects of corporate governance. Identify Assurance Performance Standard 2110.A1 and the elements of a good ethics program. Identify the areas an internal audit must assess, evaluate, and report on to assure corporate governance. Resources Readings and Resources Position Paper: Organizational Governance: Guidance for Internal Auditors The Case Study

24 Corporate Governance Corporate Governance Definition of Corporate Governance Mandatory Guidance Governance The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

25 Corporate Governance Governance Standard Performance Standard 2110: Governance Mandatory Guidance 2110: Governance The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization; Ensuring effective organizational performance management and accountability; Communicating risk and control information to appropriate areas of the organization; and Coordinating the activities of and communicating information among the board, external and internal auditors, and management

26 Corporate Governance Framework for Corporate Governance Framework The Institute of Internal Auditors, Inc., Altamonte Springs, FL

27 Corporate Governance Ethics Assurance Performance Standard 2110.A1 Mandatory Guidance 2110.A1: Evaluation of ethics program The internal audit activity must evaluate the design, implementation, and effectiveness of the organization s ethics-related objectives, programs, and activities

28 Corporate Governance Elements of a Good Ethics Program Linked to core values Reliant on the integrity of the people who create, administer, and monitor Dependent on tone at the top Dependent on an engaged board of directors Transparent to all stakeholders The Institute of Internal Auditors, Inc., Altamonte Springs, FL

29 Corporate Governance Activity: Ethics Assurance in My Organization Activity Instructions Discuss how you are assuring the ethics-related objectives, programs, and activities at your organizations. Record any strengths and best practices: Record any weaknesses and challenges: Select a spokesperson and report to the class

30 Corporate Governance Corporate Governance Assurance of Corporate Governance Performing audit work to assure corporate governance requires assessing, evaluating, and reporting on the following areas: Governance structures, policies, charters Organization culture, ethics, and values Activities of audit committee Risk management structures and policies Internal audit processes and organization Fraud control and policy Compensation policies and processes Strategic planning and decision making Disclosure structure, process, rigor Enterprise Web page content Measurements The Institute of Internal Auditors, Inc., Altamonte Springs, FL

31 Corporate Governance Case Study Activity: Community Medical Services Centers (CMSC) Case Study Instructions Review the company background information in the case study. Discuss the elements of good corporate governance. Discuss the gaps in effective corporate governance. Select a spokesperson and debrief the class

32 Corporate Governance Activity: Corporate Governance in My Organization Activity List the elements of corporate governance that are evident at your organization. Identify what opportunities there are to broaden the role of internal auditing in corporate governance. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

33 Corporate Governance Unit Conclusion Summary You have completed the lesson Corporate Governance. Here are some key points: Corporate governance is the combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of these objectives: promoting appropriate ethics and values within the organization, ensuring effective organizational performance management and accountability, effectively communicating risk and control information to appropriate areas of the organization, and effectively coordinating the activities of and communicating information among the board, and external and internal auditors and management. Corporate governance consists of: compliance with legal or regulatory requirements, internal control assessment and reporting, enterprise risk management, quality initiatives, transparency and disclosure, and governance structures and processes. Assurance Performance Standard 2130.A1 requires that internal audit activity must evaluate the design, implementation, and effectiveness of the organization s ethicsrelated objectives, programs, and activities. A good ethics program is linked to core values, reliant on integrity of the people who create, administer, and monitor the program, transparent to all stakeholders, and dependent on the tone at the top and on an engaged board. The areas an internal audit must assess, evaluate, and report on to assure corporate governance are: governance structures, policies, and charters; organization culture, ethics, and values; activities of the audit committee; risk management structures and policies; internal audit processes and organization; fraud control and policy; compensation policies and processes; strategic planning and decision making; disclosure structure, process, and rigor; enterprise Web page content; and measurements

34 Corporate Governance Implications The corporate governance process must be in the audit universe and assured. Business conduct or ethics programs must be in the audit universe and assured. All audit engagements must consider governance, ethics, and potential for fraud. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

35 Corporate Governance Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit

36 Risk Management

37 Risk Management Introduction Overview If we are still performing audit assurance work according to the old models, we will miss a great deal of opportunity to demonstrate the value of an independent and objective audit function that is capable of and willing to examine governance and risk management gaps. Objectives By the end of this unit, you should be able to: Define enterprise risk management (ERM) and risk. Identify the difference between inherent and residual risk. Identify the assumptions of risk management. Identify the benefits of risk management. Identify the categories of risk. Identify the areas the internal audit activity must assess, evaluate, and report on to assure corporate governance. Resources Readings and Resources The IIA s Position Paper, The Role of Internal Auditing in Enterprisewide Risk Management The Case Study

38 Risk Management ERM and Risk ERM Definition Enterprise Risk Management Definition Enterprise risk management is a process, affected by an entity s board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives. COSO ERM The Institute of Internal Auditors, Inc., Altamonte Springs, FL

39 Risk Management Risk Definition Mandatory Guidance Risk The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood

40 Risk Management Types of Risk Inherent and Residual Risk Inherent Risk Definition Inherent risk is the underlying risk before any controls are applied to mitigate the risk. Mandatory Guidance Residual Risk The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

41 Risk Management Risk Management Assumptions Assumptions for Risk Management All organizations exist to add value for stakeholders. All organizations face uncertainty. Value is created, preserved, or eroded by management decisions. ERM is an enabler of the management process. It is interrelated to governance. It is interrelated to performance management

42 Risk Management Benefits of Risk Management Benefits Aligns risk appetite and strategy Links growth, risk, and return Enhances risk response decisions Minimizes operational surprises and losses The Institute of Internal Auditors, Inc., Altamonte Springs, FL

43 Risk Management Categories of Risk Categories Strategic Operational Financial Compliance

44 Risk Management Internal Audit Standards Performance Standard 2120 Mandatory Guidance 2120: Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor s assessment that: Organizational objectives support and align with the organization s mission; Significant risks are identified and assessed; Appropriate risk responses are selected that align risks with the organization s risk appetite; and Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. Risk management processes are monitored through ongoing management activities, separate evaluations, or both. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

45 Risk Management Case Study Activity: CMSC Strategy and Risks Case Study Note: There is no formal ERM at CMSC. Instructions Review the CMSC strategy in the case study. In your group, identify the risks to this strategy and assign them to the four categories of risk. Select a spokesperson and debrief the class. Broad Risks to CMSC Strategy Risk Category What are the three most critical risks as you understand the CMSC business model?

46 Risk Management Activity: Risks in My Organization Activity What are the risks that are unique to your industry, organization, or geography? Are all strategic risks identified and known to internal auditing? If not, which risks are unknown? Are all strategic risks mapped to the audit plan? What are the opportunities for internal auditing in the area of enterprise risk management in your organization? The Institute of Internal Auditors, Inc., Altamonte Springs, FL

47 Risk Management Unit Conclusion Summary You have completed the lesson Risk Management. Here are some key points: Enterprise risk management is a process, affected by an entity s board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives. Risk is measured in terms of impact and likelihood. Inherent risk is the underlying risk before any controls are applied to mitigate the risk. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to risk. Risk management assumes that: all organizations exist to add value for stakeholders; all organizations face uncertainty; value is created, preserved, or eroded by management decisions; and ERM is an enabler of the management process, interrelated to governance, and interrelated to performance management. Risk management aligns risk appetite and strategy, links growth, risk, and return, enhances risk response decisions, and minimizes operational surprises and losses. The categories of risk are strategic, operational, financial, and compliance. The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes

48 Risk Management Implications Risk management is a critical business process and must be in the auditable universe. Risk management is linked to strategy, vision, and values and interdependent on governance. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

49 Risk Management Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit

50 Control (and Risk) Frameworks

51 Control (and Risk) Frameworks Introduction Overview How many of your organizations have deployed COSO or COSO ERM? Objectives By the end of this unit, you should be able to: Define Performance Standard 2130: Control. Identify the elements of COSO control and ERM frameworks. Identify the internal control environment factors, risk management factors, control activity factors, information and communication factors, and monitoring factors. Identify the limitations of internal control and limiting factors. Identify roles and responsibilities in internal control

52 Control (and Risk) Frameworks Internal Audit Standard Performance Standard 2130: Control Mandatory Guidance 2130: Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

53 Control (and Risk) Frameworks COSO Control and ERM Frameworks Report on Fraudulent Financial Reporting Treadway Commission Committee of Sponsoring Organizations (COSO) American Accounting Association (AAA) American Institute of Certified Public Accountants (AICPA) Financial Executives Institute (FEI) Institute of Internal Auditors (IIA) Institute of Management Accountants (IMA)

54 Control (and Risk) Frameworks Definition of Internal Control Internal Control Definition Internal control is a process affected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of reporting Compliance with applicable laws and regulations - COSO The Institute of Internal Auditors, Inc., Altamonte Springs, FL

55 Control (and Risk) Frameworks Components of Internal Control (and ERM) Control (internal) environment Objective setting (ERM) Event identification (ERM) Risk assessment Risk response (ERM) Control activities Information and communication Monitoring

56 Control (and Risk) Frameworks COSO Pyramid The Institute of Internal Auditors, Inc., Altamonte Springs, FL

57 Control (and Risk) Frameworks COSO ERM Cube

58 Control (and Risk) Frameworks Factors and Points of Focus Internal Control Environment Factors (with Points of Focus) Integrity and Ethical Values Codes of conduct and other policies. Tone at the top. Dealings with employees, suppliers, and customers. Appropriate remedial action. Management s attitude towards control intervention and override. Pressure to meet goals (e.g., short-term goals and compensation targets). Commitment to Competence Job Descriptions. Analyses of knowledge and skills. Boards and Audit Committees Independence (questions management) Use of focused Board Committees. Knowledge and experience of directors. Frequency and timeliness of meetings with CFO, CAE, etc. Sufficiency and timeliness of information, including sensitive information and investigations. Oversight in executive compensation. Role in tone at the top. Management s Philosophy and Style Nature of business risks accepted. Personnel turnover in key areas. Management s attitude toward and concerns about financial reporting and safeguarding assets. Frequency of interaction between senior and operating management. Attitudes and actions displayed in financial reporting. Organizational Structure Appropriate organizational structure (e.g., information flow). Key managers understand their responsibilities and have adequate knowledge and experience. Appropriate reporting relationships. Organizational structure is modified in light of changed conditions. Sufficient numbers of supervisors to employees exist. Authority and Responsibility Assignment of responsibility and delegation of authority provide for accountability and control. Appropriate control-related standards exist. Sufficient numbers of skilled employees exist. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

59 Control (and Risk) Frameworks Appropriate balance between getting the job done and management involvement (i.e., employees have the right level of empowerment to correct problems and implement improvements). Human Resources Policies and Procedures Hiring, training, promotion, compensation. Awareness of responsibilities and expectations. Background checks. Performance evaluations/salary increases. Links to integrity and ethics (e.g., remedial actions, compensation). Risk Management s Philosophy and Appetite Aggressive attitude, level of attention to detail, statements about risks and acceptable losses, strategic and annual planning efforts, use of feasibility studies

60 Control (and Risk) Frameworks Risk Management Factors Objectives aligned with organization s strategy, vision, and values Risks identified Risks assessed considering impact and likelihood Risk response, aligning risks with enterprise risk appetite Change management Forward-looking The Institute of Internal Auditors, Inc., Altamonte Springs, FL

61 Control (and Risk) Frameworks Control Activities Factors Preventative, directive, manual, computer, and management Policies, principles, and procedures (The principles were not noted in the original COSO framework.) Integrated with risk assessment

62 Control (and Risk) Frameworks Information and Communications Factors Information Strategic and integrated systems Systems support strategic initiatives Integration with operations Quality of information (e.g., data integrity, complete information, and information related to strategic objectives) Communication Internal External The Institute of Internal Auditors, Inc., Altamonte Springs, FL

63 Control (and Risk) Frameworks Monitoring Factors Operational reports and MIS External parties Organizational structure Self-assessments Audits

64 Control (and Risk) Frameworks Limitations of Internal Control Limitations Provides no assurance that objectives will be met, only reasonable assurance that management will know level of achievement Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved The Institute of Internal Auditors, Inc., Altamonte Springs, FL

65 Control (and Risk) Frameworks Limiting Factors The factors that override control activities are: Judgment. Breakdowns. Overrides. Collusion. Cost versus benefits

66 Control (and Risk) Frameworks Roles and Responsibilities Who is Responsible? Roles and Responsibilities Management owns controls. Management can empower others and see this as a partnership. Management cannot say they did not know. All personnel have control responsibility for their area. The board of directors is responsible for oversight and guidance. Internal auditing evaluates effectiveness. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

67 Control (and Risk) Frameworks Activity: COSO and ERM Discussion Activity Instructions Consider the COSO Control and ERM Frameworks. Discuss the following questions: Why do you think the COSO Control Framework was not widely embraced in 1991? Has your organization implemented COSO or COSO ERM? If not, what will it take to make this happen? How should the COSO ERM Framework be implemented? Select a spokesperson and debrief the class

68 Control (and Risk) Frameworks Activity: Change the Vocabulary Activity Instructions Pick five terms related to risk-based assessment and define them in easy language for others in your organization. From internal environment to: leadership, human resources From risk assessment to: strategic planning From control activities to: process excellence, technology, continuous improvement From information and communication to: technology, human resources, leadership From monitoring to: metrics, measurements The Institute of Internal Auditors, Inc., Altamonte Springs, FL

69 Control (and Risk) Frameworks Unit Conclusion Summary You have completed the lesson on Control and Risk Frameworks. Here are some key points: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal control is a process, affected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations. Enterprise risk management (ERM) is part of internal control and the components of internal control and ERM are: control (internal) environment, objective setting (ERM), event identification (ERM), risk assessment, risk response (ERM), control activities, information and communication, and monitoring. The COSO pyramid and COSO ERM cube are good ways to visualize internal control and ERM. Internal control environment factors include integrity and ethical values, commitment to competence, the board of directors and audit committee, management s philosophy and style, the organizational structure, assignment of authority and responsibility, and human resource policies and practices. Other factors impacting internal control are risk management, control activities, information and communications, and monitoring factors. Internal control provides no assurance that objectives will be met, only reasonable assurance that management will know a level of achievement. Internal control provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved. Internal control is limited by judgment, breakdowns, overrides, collusion, and cost versus benefits. Within internal control, management owns controls, all personnel have control responsibility for their area, the board of directors is responsible for oversight and guidance, and the internal audit activity evaluates effectiveness of controls

70 Control (and Risk) Frameworks Implications Internal auditing must make the link between COSO frameworks, process excellence, and continuous improvement. Internal auditing must translate the language of control to language of management. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

71 Control (and Risk) Frameworks Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit

72 Entitywide Risk Assessment

73 Entitywide Risk Assessment Introduction Overview Internal auditing includes developing business processes and an audit plan. This unit will explore both aspects of internal auditing. Objectives By the end of this unit, you should be able to: Identify Assurance Performance Standard 2130.A1. Identify the process for performing an entitywide risk assessment. Define business process. Identify the process of developing an audit plan. Resources Readings and Resources The Case Study

74 Entitywide Risk Assessment Internal Audit Standard Assurance Performance Standard 2130.A1 Mandatory Guidance 2130.A1: Evaluating adequacy and effectiveness of controls The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization s governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

75 Entitywide Risk Assessment Entitywide Risk Assessment Performing an Entitywide Risk Assessment Inventory the business processes, activities, or organizations that account for all organizational risks. The risk assessment should lead to an audit universe that probably will have units that have not been assured by internal auditing. The how, when, and why decision will come later after there is consensus within the organization that all known risks have been catalogued. Determine impact of inherent risk. Determine likelihood of inherent risk. Some organizations will assess the impact and likelihood in separate steps using a matrix with two axes: impact and likelihood. Some organizations will assess the impact and likelihood in a combined step. Weight the risk factors. Assign relative risk score. Gain consensus from the audit committee

76 Entitywide Risk Assessment Business Process Business Process Definition Business Process GAO Definition A collection of related, structured activities a chain of events that produce a specific service or product for a particular customer or customers. Business Process Anonymous Definition A series of actions that is definable, repeatable, and measurable that supports the organization s objectives. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

77 Entitywide Risk Assessment Case Study Activity: Business Processes Case Study Review the case study. In your groups, determine the critical business processes essential to manage the risks to CMSC s strategy. What are the three most significant (strategic) business processes? Which business processes are the most fraud sensitive? Select a spokesperson and debrief the class

78 Entitywide Risk Assessment Audit Plan Developing an Audit Plan Inventory the business processes or activities. Establish risk factors that apply to all processes or activities. Risk rank the auditable universe. Assign workload estimates to each unit. Assign any coverage rules. Develop full coverage plan. Consider resources. Identify gaps. Commit to constrained resources plan. Gain consensus from audit committee and management. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

79 Entitywide Risk Assessment Typical Risk Universe and Audit Plan Example: An auditable unit is defined as the intersection of a business process and an organization. All auditable units have six identical risk factors with ratings of from one to seven. All business processes have the following three risk factors: Strategic importance (scored 1 through 7) Financial impact (scored 1 through 7) Image and reputation (scored 1 through 7) All organizations have the following three risk factors: Control environment (scored 1 through 7) Organizational stability (scored 1 through 7) Fraud sensitivity (scored 1 through 7) Scores are totaled for all six factors for all auditable units; each auditable unit has a potential risk score ranging from 6 to 42. Units with scores of 36 to 42 are assured annually. Units with scores of 30 to 35 are assured every 24 months. Units with scores of 24 to 29 are assured every 36 months. Units with scores of 6 to 23 are assured on a risk basis

80 Entitywide Risk Assessment Activity: Resources Discussion Activity What is the impact if you do not have appropriate resources? Do you match the plan to resources? What do you do about the gap? How do you manage audits that go over planned time? How do you address fraud risks in the audit plan? The Institute of Internal Auditors, Inc., Altamonte Springs, FL

81 Entitywide Risk Assessment Unit Conclusion Summary You have completed the lesson Entitywide Risk Assessment. Here are some key points: Enterprise risk management is a process, affected by an entity s board of directors, management, and other personnel. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization s governance, operations, and information systems. The process of performing an entitywide risk assessment includes these steps: inventory the business processes, activities, or organizations that account for all organizational risks; determine the impact and likelihood of inherent risk; weigh the risk factors; assign relative risk score; and gain agreement from the audit committee. Business process has been defined as a collection of related, structured activities a chain of events that produces a specific service or product for a particular customer or customers. An audit plan should inventory the business processes or activities, establish risk factors that apply to all processes or activities, risk rank the auditable universe, assign workload estimates to each unit, assign any coverage rules, develop a full coverage plan, consider resources, identify gaps, commit to constrained resources plan, and gain consensus from audit committee and management

82 Entitywide Risk Assessment Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

83 Risk-based Audit Engagement

84 Risk-based Audit Engagement Introduction Overview This unit will discuss the risks to business processes, setting up controls to manage those risks, and reporting on the results of risk-based assurance activities. Objectives By the end of this unit, you should be able to: Identify the process of performing a risk-based engagement. Identify the attributes of a business process definition or objective. Identify the risk-to-business processes and risk events. Identify the four common ways to manage risk. Identify the definition of controls, the type of controls, and evaluation methods for controls. Identify internal audit standards 2210, 2210.A1, 2210.A2, 2210.A3, and Identify the guidelines for reporting the results of a risk-based audit engagement. Resources Readings and Resources The Case Study

85 Risk-based Audit Engagement The Engagement Performing the Engagement Reassess the risk assumptions of the auditable unit. Validate that the process in fact has sufficient risk to warrant assuring in this audit cycle. Understand the business process and its objectives. Identify the risks to the objectives. Usually, the client will do this in conjunction with their own process documentation. Measure and prioritize risks. Identify controls and evaluate the design. Develop audit objectives and program. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

86 Risk-based Audit Engagement Business Process Objective Definition of Objective Attributes: Example: Clearly defined deliverable or outcome Includes the business event that triggers the process States inputs and outputs Includes business decisions that are part of the event response May indicate flow of material or information between process steps General accounting objective: To record and report all financial transactions timely, accurately, and in accordance with GAAP and all applicable laws and regulations. Moreover, the information should be sufficiently concise, relevant, reliable, and comparable (period-toperiod) to ensure ease of use by all stakeholders. The process begins with the receipt of any financial transaction and concludes when executive management and the board has accepted the results

87 Risk-based Audit Engagement Case Study Activity: Objective Statement Case Study In your group, write a business process objective statement for the human resources process. Use the attributes noted in your participant guide. Select a spokesperson and be prepared to report. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

88 Risk-based Audit Engagement Risks to Business Processes Risks Mandatory Guidance Risk The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. General accounting risks: Material misstatements of financial records Regulatory challenges Tax errors Not understood by stakeholders Reputation Unauthorized or unapproved entries

89 Risk-based Audit Engagement Identifying Risk Events What could go wrong? Who could we fail? Where are we vulnerable? What resources do we need to protect? What must go right for us to succeed? How could our operations be disrupted? How do we know if we are achieving our objectives? What information must we rely on? What decisions require the most judgment? What activities are the most complex? What activities are regulated? What is our greatest legal exposure? How could someone convert assets? How successful will be at managing change? How will we retain critical resources? The Institute of Internal Auditors, Inc., Altamonte Springs, FL

90 Risk-based Audit Engagement Managing Risk Risk Management These are four common ways to manage risk: 1. Avoid the risk (e.g., decide not to offer the product or service because the risk is higher than the organization s risk appetite, not to enter a new geographic market due the lack of cultural knowledge or highly corrupt environment, or not to proceed with an acquisition as a result of due diligence that shows excessive legal liability). 2. Transfer the risk (e.g., find a partner to enter a new geographic market or purchase insurance). 3. Accept the risk because it is within the known risk appetite and cost of controls exceeds the benefit. 4. Reduce the risk by controls is the usual approach but with the caveat that an appropriate cost benefit analysis should be performed to ensure that excessive controls don t lead to a lost-opportunity risk

91 Risk-based Audit Engagement Case Study Activity: Business Process Objectives Case Study Review the human resources business process for which you wrote the process objective statement. In your group, identify the risks to meeting those business process objectives. Determine which are strategic, operational, financial, or compliance. Determine the likelihood and impact using a high, medium, and low scale. Select a spokesperson and be prepared to report. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

92 Risk-based Audit Engagement Worksheet: Risks to the Business Process Strategic Risks Likelihood Impact Score Operational Risks Reporting Risks Compliance Risks

93 Risk-based Audit Engagement Identifying Controls Control Definition Mandatory Guidance Control Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

94 Risk-based Audit Engagement Types of Controls Directive: Controls that encourage desirable events to occur. Preventative: Controls that prevent undesirable events from occurring. Detective: Controls that detect undesirable events that have already occurred. Mitigating: Controls that compensate for a missing or costly control

95 Risk-based Audit Engagement Evaluating Controls Adequacy: Determine whether the process, as designed, provides reasonable assurance (operational auditing). Effectiveness: Determine whether the process is functioning as intended (transactional testing). The Institute of Internal Auditors, Inc., Altamonte Springs, FL

96 Risk-based Audit Engagement Internal Audit Standards 2210: Engagement Objectives Mandatory Guidance 2210: Engagement Objectives Objectives must be established for each engagement. Mandatory Guidance 2210.A1: Preliminary assessment of risk Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. Mandatory Guidance 2210.A2: Probability of significant errors and other exposures Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives

97 Risk-based Audit Engagement Mandatory Guidance 2210.A3: Setting criteria to evaluate controls Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria. Mandatory Guidance 2240: Engagement Work Program Internal auditors must develop and document work programs that achieve the engagement objectives. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

98 Risk-based Audit Engagement Case Study Activity: Entitywide and Activity-level Controls Activity 1. Review the risks to the human resources hiring sub-process that you identified in the case study. 2. Refer to the case study. 3. Identify two or three entity wide controls you would expect to manage the risks to this process Identify two or three activity-level controls you would expect to manage the high-risk areas you have identified Identify one control to manage a medium- to low-risk area. 6. Determine the audit tests you would perform. 7. Agree on at least two tests you would not perform in a risk-based engagement. 8. Select a spokesperson and be prepared to report

99 Risk-based Audit Engagement Worksheets: Controls to Manage the Risks Controls Test Approach Entitywide Controls 1) 2) 3) Activity-level Controls 1) 2) 3) 4) The Institute of Internal Auditors, Inc., Altamonte Springs, FL

100 Risk-based Audit Engagement Reporting the Results Reporting the Results of Risk-based Audit Activity Needs assessment: Used to determine the level of the report s readers, who the audience for the report is, and what level of detail is needed in the report. Reporting should be timely. Use language of risk rather than control and compliance: Adding value versus the old stereotypes of control and compliance. Management actions: Risk-based audit engagements are only complete when: Management understands the residual risks they need to mitigate. Deficiencies have been mitigated. The audit committee has accepted management s actions as appropriate

101 Risk-based Audit Engagement Unit Conclusion Summary You have completed the lesson Risk-based Audit Engagement. Here are some key points: Performing a risk-based engagement requires internal auditing to reassess the risk assumptions of the auditable unit, understand the business process and its objectives, identify the risks to the objectives, measure and prioritize risks, identify controls and evaluate the design, and develop audit objectives and a program. The attributes of a business process definition or objective are that it is has a clearly defined deliverable or outcome, includes the business event that triggers the process, states inputs and outputs, includes business decisions that are part of the event response, and may indicate flow of material or information between process steps. Risk is any event occurring that will have an impact on the achievement of objectives and is measured in terms of impact and likelihood. One of the best tools for internal auditing in identifying risk events is to ask questions. The four common ways to manage risk are: avoid, transfer, accept, and reduce to acceptable level via controls. A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Controls fall into four categories: directive, preventative, detective, and mitigating. Controls are evaluated on their adequacy and effectiveness. Standard 2210 states that objectives must be established for each engagement. Standard 2240 states that internal auditors must develop and document work programs that achieve the engagement objectives. A needs assessment should be performed to determine which readers want what level of detail. A risk-based auditing engagement has not been concluded until management has bought into the residual risk that needs remediation, has remediated the deficiency, and the audit committee has accepted management s remediation as being appropriate. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

102 Risk-based Audit Engagement Implications Audit engagements start with understanding the business process and its risks. Audit engagements end when the audit committee is satisfied with management s resolution. Various risks need to be scored and assessed. Not all risks warrant testing

103 Risk-based Audit Engagement Participant Expectations, Ideas, and Insights Record actions you can take in your organization to implement the topics discussed in this unit. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

104 Seminar Conclusion

105 Seminar Conclusion Introduction Overview This unit will help you recall the key concepts and techniques we have discussed. It is also intended to enable you to plan how to use what you have learned when you return to work. Objectives After completing this lesson, you should be able to: Discuss any open items or expectations and identify your plans and next steps. Restate major concepts and skills learned during the seminar

106 Seminar Conclusion Putting It All Together Seminar Objectives Revisited By the end of this session, you will have had an opportunity to: Identify relationships between strategy, corporate governance, risk management, and controls. Identify key business processes and objectives. Produce a risk assessment. Produce a risk-based assurance plan. Describe entitywide controls and their relevance to the plan. Plan a risk-based engagement. Network with peers. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

107 Seminar Conclusion Activity: Roundtable Discussion Activity What percentage of your time is spent on planning vs. field work and reporting? How have you marketed the internal audit function in your organization? Is the internal audit function in your organization demand driven? What is internal audit s reputation in your organization?

108 Seminar Conclusion Implications There are more key processes than internal auditing can assure on a timely schedule. There are more risks to process objectives than policies and procedures can manage. There are many controls that are not cost-effective. There are valuable entity-level controls that are effective and can reduce process (activity-level) controls. Internal audit adds exponentially more value by assuring governance, risk management, and controls that have the greatest impact on strategy. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

109 Seminar Conclusion Plan for Action Review the topics that were discussed during the program. Select concepts and techniques that you learned or re-emphasized that will help you accomplish the challenges you face. Be specific as to how you will use the information you have learned

110 Seminar Conclusion Wrap-up Thank you for your participation! The Institute of Internal Auditors, Inc., Altamonte Springs, FL

111 Case Study: Adding Value for Risk-based Auditing

112 Case Study: Adding Value for Risk-based Auditing Community Medical Service Center Company Background Community Medical Services Centers (CMSC) entered the healthcare industry seven years ago. CMSC s founder and principal owner, Jimmy Grey Stockton, grew up in a small North Carolina town. He is concerned that many of these communities no longer have adequate medical services because their local hospital has closed or cut back on services. As a result of this concern, Mr. Stockton attracted 60 investors and created a public but closely held corporation. Ten of the investors serve on the board of directors. Mr. Stockton serves as chief executive officer (CEO) and chairman. The corporate office is located in Carthage, NC. CMSC has now grown to 12 outlets. Mr. Stockton is from a family of health professionals. His father was, for many years, the only family practitioner in the small town where he grew up. His mother was a nurse in the community. Jimmy Grey, after military service, became a physical therapist through a program at the community college and started a practice associated with an orthopedic clinic in a neighboring town. This practice was highly successful and led to acquisitions of related healthcare services in surrounding counties. As the need for capital grew beyond family and friends, CMSC went public with an initial public offering (IPO) five years ago. The board of directors is composed of ten original investors in addition to Jimmy Grey. They are: Dr. Marjorie Fisk, MD, internist Dr. Jim Golden, DVD, veterinarian Dr. Bernard Miller, OD, anesthesiologist Ms. Meriwether Petigru, real estate broker and owner of Sand Hills Realty Mr. Chester Pinkny, CEO and Chairman of First Bank of the South Mr. Lad Powell, retired attorney whose previous law firm acts as counsel to CMSC Mr. Bruce Ray, CPA, partner in a local public accounting firm Mr. Larry Scoggins, real estate developer and entrepreneur Lt. Col. Tommy Lee White, USMC retired Mr. Hunter Winfrey, owner of Hunter s Fish Camp

113 Case Study: Adding Value for Risk-based Auditing The executive team is comprised of: Mr. Jimmy Grey Stockton, CEO and Chairman Mr. Rodney Scoggins, CFO Ms. Laura Ferguson, VP Business Development Mr. Jay Green, CPA, Controller Ms. Angela Pharr, VP Human Resources Mr. Russell Jordan, RN, Medical Services There is an open executive search for a chief information officer (CIO). The role of risk officer has been assigned to Jay Green. The role of compliance officer has been assigned to Rodney Scoggins. There is no chief audit executive as the internal audit role has been outsourced to a regional public accounting firm in Charlotte. A different public accounting firm has been retained for external auditing services, also with offices in Charlotte. Outside legal counsel has been retained; board member Lad Powell was a partner in the firm before retiring from the firm three years ago. CMSC s Web site, recently launched, has the following information disclosed: Our Vision CMSC s vision is to develop world-class non-critical-care health centers in under-served markets to improve the health of patients through innovative health care and wellness programs. Our Mission CMSC s mission is to deliver high-quality, innovative health-care services that help patients regain and improve their health. Our Values Honesty and integrity in all of our dealings with stakeholders Exceed patients expectations Dedicated people working as a team Market-driven, results-oriented heath-care provider Respect and embrace diversity Balance work and personal life Make a difference in all of the communities that we serve The Institute of Internal Auditors, Inc., Altamonte Springs, FL

114 Case Study: Adding Value for Risk-based Auditing Stockholder Relations Board of Directors Board Committees (Audit, Governance, Executive Compensation) Executive Officers Corporate Governance Guidelines Business Conduct Guidelines Certificate of Incorporation Bylaws Director Compensation Executive Compensation Beneficial Ownership Commitment to Sarbanes-Oxley Compliance Commitment to Health Insurance and Portability Act of 1996 (HIPAA) Quarterly and Annual SEC Fillings How to Contact the Board

115 Case Study: Adding Value for Risk-based Auditing CMSC Strategy and Risks CMSC s strategy was developed by the executive team and ratified by the board of directors six months ago. The primary strategic initiative is to grow from 12 medical services centers to 24 within 3 years and to 48 centers within 5 years. This is expected to be achieved by acquiring small, underutilized hospitals and physician-owned, out-patient surgical centers. CMSC hopes to attract physicians and establish regional cardiac care centers as well as cancer treatment centers to include the full range of cancer treatments. The strategy foresees a need to acquire or start a patient transportation subsidiary to include emergency air ambulance capability. Additionally, the strategy calls for affiliation with a major university health center such as Duke, UNC, or Wake Forest in the fifth year of the strategy. The strategy anticipates the need for capital in the near term and suggests a secondary stock offering within months when current capital is exhausted. Financial performance has been satisfactory to the investors to date, and the secondary offering is presumed to raise sufficient capital. The market area includes small towns with populations less than 10,000 in North Carolina. Considerations: How robust do you think the strategic planning process is with the information presented? Who should be involved in the strategic planning process? Who should own the strategic planning process? How would you provide reasonable assurance that the strategy would be carried out as outlined? How would you monitor success of the strategy as it evolved? To whom would you report progress as the strategy evolved? The Institute of Internal Auditors, Inc., Altamonte Springs, FL

116 Case Study: Adding Value for Risk-based Auditing Community Medical Services Center - Typical Floor Plan

117 Case Study: Adding Value for Risk-based Auditing CMSC Hiring Process Narrative CMSC department manager completes an employee requisition form which is routed to an HR associate at the location. The HR associate sends the requisition by internal mail or fax to the regional manager for review. If the position is not budgeted or exceeds the budgeted salary, the director of human resources must review and approve the requisition. The position is then posted on the Intranet Web site and HR personnel list the position with external recruiting sources. The HR associate receives applications and resumes and then meets with the requesting department manager to determine which applicants to invite in for interviews. Rejection letters are sent to those applicants that are not interviewed. The HR associate and department manager interview applicants, and each interviewer completes an applicant evaluation form. The interviewers reach a consensus hiring decision or continue the search. All evaluation forms are sent to the corporate Human Resources department. The department manager completes an Offer Letter Request form and sends to the regional manager. The regional manager orders any background and licensing checks and sends the offer letter after satisfactory responses are received with copies to the HR associate and department manager. Upon acceptance of the offer, the Human Resources department notifies the HR associate, who then establishes an employee file and orientation package. The department manager completes the payroll authorization form and updates the payroll application and HR database. This data is verified by the HR department before processing can occur. The HR administrator receives payroll reports for all personnel at the site they are responsible for. Planning Comments Some department managers and associates said the HR policy manual (over 200 pages) is difficult to use. They also indicated the process takes too long, e.g., HR department is a bottleneck, forms are frequently lost or misplaced for long periods of time, and they are slow in returning phone calls and s. HR staff said they relied on the HR policy manual, properly completed forms, formal reviews and approvals, and separation of duties in payroll process to adequately manage the risks. The Institute of Internal Auditors, Inc., Altamonte Springs, FL

118 Position Statement The Institute of Internal Auditors UK and Ireland Risk Based Internal Auditing Introduction The focus of internal audit work has shifted dramatically over the last decade. There has been a move from systems based auditing to process based auditing and the current emphasis is on Risk Based Internal Auditing (RBIA). RBIA is a much used and much misunderstood term. This paper aims to set out the Institute s position with regard to RBIA and to offer some high level guidance on how to approach it. Context The current definition of internal auditing is that it is: An independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes RBIA is an approach that can help to meet these requirements. The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasise adopting a risk-based approach to internal auditing. This approach is also consistent with the Turnbull guidance Internal Control: Guidance for Directors on the Combined Code, which requires directors to adopt a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness, and to embed risk management and internal control into the culture of the organisation. Internal auditors need to adopt a risk-based approach compatible with that adopted by their organisation. There are many approaches which could be adopted by internal audit depending on the extent to which internal audit is able to rely on the risk management processes across the organisation. This enables the auditor to avoid duplicating processes already carried out by management, and allows him or her to question management s processes or conclusions. Internal auditors might say that they have always focused their efforts on the riskier areas of the organisation. However, this approach has historically been directed by internal audit s own assessment of risk. The key distinction with RBIA is that the focus should be to understand and analyse management s assessment of risk and to base audit efforts around that process. What is Risk Based Internal Auditing? The objective of RBIA is to provide independent assurance to the board that: The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended. These risk management processes are of sound design. The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board. And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat. RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement. The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite). While internal audit s main contribution is to provide assurance on management s treatment of risk (through governance and control processes) it may also advise management on other aspects of their response to risks such as decisions to terminate, transfer or tolerate risks.

119 Risk Based Internal Auditing The Risk Based Internal Auditing approach is described schematically below: Corporate Objectives Identification of risks to achieving objectives What is the risk appetite of the business? Is the risk management process an adequate and effective process for identifying, assessing, managing & reporting on risk? Yes No Use organisation s own view of risk as far as possible Facilitate risk identification with management Facilitate refinement Determine risk universe Determine scope and priority of assignments Based on risks select areas for review For each area, review adequacy of risk management processes to identify & manage risks Where largely OK Where not OK Evaluate processes and determine how management gain assurance that the risk management activities are being carried out as intended Facilitate risk identification and assessment inherent risks mitigation residual risks Give assurance where OK and facilitate improvement where not

120 Risk Based Internal Auditing The practice of Risk Based Internal Auditing Points of information: The scope of risk-based internal auditing includes strategic and business risks. The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives. out a range of stages of risk management maturity and the internal audit approach that might be adopted at each stage: Risk Maturity Risk Naive Risk Aware Key Characteristics No formal approach developed for risk management Scattered silo based approach to risk management Internal Audit Approach Promote risk management and rely on audit risk assessment Promote enterprise-wide approach to risk management and rely on audit risk assessment In a mature risk management environment the focus of internal audit work may be: Risk Defined Strategy and policies in place and communicated. Risk appetite defined Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate Auditing the risk management infrastructure, for example, resources, documentation, methods, reporting. Auditing the whole system of internal control for the complete organisation and for individual departments. Carrying out individual audit assignments that are predominantly about specific risks. Where a number of risks are controlled through a common system or process, it may be appropriate to perform a combined audit of that system or process. In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business units, internal audit needs to review business objectives and risk management processes within each of these auditable entities. Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation s own view of the risks in order to determine the audit work that it needs to carry out. Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities are operating as intended. The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary. Risk management continuum Risk Managed Risk Enabled Each organisation must determine how it wishes to implement risk management. This will help determine its appetite for risk and the level of it s risk maturity. For example, not all organisations will wish to become completely risk enabled as they may need to weigh up the costs against their views on the potential benefits. It is for the board of directors and senior management team to determine how far along the continuum they wish to travel. In addition to risk management maturity within an organisation, the extent to which internal audit needs to undertake its own risk assessment also depends upon the degree and speed of strategic and organisational change. When undertaking an audit of a project, the risk management processes covering projects in general and also those specific to the individual project need to be covered. Conclusion Enterprise wide approach to risk management developed and communicated Risk management and internal control fully embedded into the operations Audit risk management processes and use management assessment of risk as appropriate Audit risk management processes and use management assessment of risks as appropriate RBIA does not preclude the use of systems-based and/or processbased auditing as circumstances dictate. It is, however, an approach that focuses on the issues that matter to the organisation and on providing assurance on the risk management framework adopted by the organisation. RBIA will enable internal audit to link directly with the risk management framework thereby leveraging synergies. It is important to understand that not all organisations are at the same stage of risk management implementation. The following diagram sets

121 Risk Based Internal Auditing Glossary of terms Risk: the chance of something happening or not happening that will have an influence upon the achievement of business objectives. Risk identification: the process of determining what can happen, why and how. Risk analysis: the systematic use of available information to determine the likelihood of specified events occuring and the magnitude of their consequences. Measured in terms of impact and likelihood. Risk management activities: the methods by which an organisation chooses to manage its risks as outlined above. This replaces the traditional approach that focused purely on internal controls. Inherent (gross) risk: the status of the risk (measured through impact and likelihood) without taking account of any risk management activities that the organisation may already have in place. Residual (net) risk: the status of the risk (measured through impact and likelihood) after taking account of any risk management activities that the organisation may have in place. Risk appetite: the level of risk that the board or management is prepared to live with. This is likely to be different for each of the risks that have been identified. Risk evaluation: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria Risk assessment: the overall process of risk analysis and risk evaluation. Risk management: an iterative process consisting of steps, which when taken in sequence, enable continual improvement in decisionmaking. It is the logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360) Management of risk: the means by which an organisation elects to manage individual risks. These may be by treatment (i.e. to reduce impact or likelihood), termination, transfer, or the organisation may decide to tolerate the risks. About Position Statements The Institute of Internal Auditors UK and Ireland (IIA) is the primary body representing, promoting and developing the professional practice of internal auditing in the UK and Ireland. Position statements are part of a range of technical and professional guidance prepared by the Institute for it s members. They are designed to clarify the Institute's official policy position on important and potentially complex matters confronting internal auditors. Disclaimer This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The Institute of Internal Auditors UK and Ireland recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance Abbeville Mews, 88 Clapham Park Road, London SW4 7BX Telephone Fax The Institute of Internal Auditors UK and Ireland Ltd, August 2003

122 Position Paper Organizational Governance: Guidance for Internal Auditors - July The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida , USA

123 Table of Contents Overview...3 SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING...4 What is Organizational Governance?...4 Role of Internal Auditing in Governance...4 Specific Activities of Organizational Governance...6 Other Considerations...9 Possible Next Steps...10 SECTION 2: ORGANIZATIONAL GOVERNANCE PRINCIPLES, PARTICIPANTS, AND ITS INTERACTION WITH OTHER INITIATIVES...11 Commonly Identified Organizational Governance Principles...11 Participants and Roles...12 Organizational Initiatives Impacting Governance...13 SECTION 3: APPENDICES...16 Appendix A: Resources Discussing Organizational Governance Topics...16 Appendix B: Definitions of Organizational Governance...18 July 2006 Page 2 of 18

124 IIA Position Paper on Organizational Governance: Guidance for Internal Auditors Overview The topic of organizational governance (often referred to as corporate governance) is important for many key stakeholders in the political and business worlds. Typically, internal auditors operate in two capacities in this area. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices. By providing assurance on the risk management, control, and governance processes within an organization, internal auditing is one of the key cornerstones of effective organizational governance. This guidance is designed to help internal auditing in its assurance and advisory role with regard to specific aspects of organizational governance. This document has three main sections: 1. Definition of Organizational Governance and the Role of Internal Auditing. This section provides a framework for understanding the role of internal auditing, specific activities internal auditors can perform, and possible next steps for internal auditors. 2. Organizational Governance Principles, Participants, and Its Interaction With Other Initiatives. This section discusses additional information on the key principles of organizational governance, the roles of typical participants in this area, and the impact of common organizational initiatives (e.g., quality programs, enterprise risk management) on organizational governance. 3. Appendices. This section provides additional definitions and resources related to organizational governance. Organizational governance is a complex topic that overlaps with other internal audit subjects. Various companies, governments, research organizations, regulatory bodies, and other organizations have addressed aspects of the broad topic of organizational governance through various means. This document is not intended to replace all these publications and does not concentrate on organizational governance as an isolated topic. The concepts outlined in this document are intended to apply to the role of internal auditing across a broad range of organization types, including publicly or privately owned businesses, nonprofit or for-profit organizations, and government or nongovernmental institutions. Regardless of the type of organization, the key concepts in this document can be applied to the company's internal audit activity. July 2006 Page 3 of 18

125 SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING What is Organizational Governance? There is no single, comprehensive, universally accepted definition of organizational governance. However, certain common elements are present in most definitions of organizational governance that describe it as the policies, processes, and structures used by organizations to direct and control its activities, achieve its objectives, and protect the interests of its diverse stakeholder groups in a manner consistent with appropriate ethical standards. An often-used definition of organizational governance comes from the Paris-based forum of democratic markets, the Organisation for Economic Co-operation and Development (OECD): Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholder. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. 1 See Appendix B in Section 3 for other organizational governance definitions. Role of Internal Auditing in Governance Internal auditing typically operates in two capacities. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices. In an organization, management and the board establish and monitor companywide systems for effective governance. Internal auditors can support and improve these actions. In addition, although internal auditors should remain independent, they may participate in the establishment of governance processes. By providing assurance on the organization's risk management, control, and governance processes, internal auditing becomes a key cornerstone for effective organizational governance. Which capacity is most relevant for internal auditing is highly influenced by the maturity level of the organization's governance processes and structure, and the organizational role and qualification of internal auditors. In an organization with a less mature governance structure and process, the internal audit function may be focused more on advice regarding optimal structure and practices, as well as comparing the current governance structure and practices against regulations and other compliance requirements. In organizations with more structured and mature governance practices, internal auditors could focus more on: 1 OECD, Principles of Corporate Governance, revised May 2004 July 2006 Page 4 of 18

126 Evaluating whether companywide governance components work together as expected. Analyzing the level of reporting transparency among parts of the governance structure. Comparing governance best practices. Identifying compliance with recognized and applicable governance codes. The following graphic conceptually shows how the amount of time internal auditors spend on different tasks changes as the structural maturity of the organization's governance practices changes. Graphic 1: Internal Audit Governance Maturity Model Perform audits of design and effectiveness of specific governance-related processes. Allocation of Audit Effort Provide advice that focuses on the organization's governance structure to meet compliance requirements and addresses basic organization risks. Evaluate best practices and their adaptation to the organization by focusing on the optimization of governance practices and structure. Less Structured More Structured Internal auditing will often be most effective in dealing with governance activities by doing more than performing discrete audits of specific processes. An internal auditor's unique position in an organization allows him or her to observe governance structure and design, while not having direct responsibility for them. Often, internal auditors can assist organizations better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. This is different, however, from providing objective assessment of specific governance activities through discrete audits. Ultimately, internal audit assessments regarding governance activities are likely to be based on information obtained from numerous audit assignments over a period of time. Optimally, internal auditors should aim to provide assessments on the effectiveness of key organizational governance elements, either separately from, or combined with, assessments on the effectiveness of risk management and key controls. These governance activity assessments should take into account: July 2006 Page 5 of 18

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment Internal Controls Enterprise-Wide Risk Assessment Balancing Risk and Controls In order to achieve goals and objectives, management needs to effectively balance risks and controls. Control procedures need

More information

Fraud Prevention and Deterrence

Fraud Prevention and Deterrence Fraud Prevention and Deterrence Fraud Risk Assessment 2016 Association of Certified Fraud Examiners, Inc. What Is Fraud Risk? The vulnerability that an organization faces from individuals capable of combining

More information

How quality assurance reviews can strengthen the strategic value of internal auditing*

How quality assurance reviews can strengthen the strategic value of internal auditing* How quality assurance reviews can strengthen the strategic value of internal auditing* PwC Advisory Internal Audit Table of Contents Situation Pg. 02 In response to an increased focus on effective governance,

More information

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page

More information

COSO Internal Control Integrated Framework (2013)

COSO Internal Control Integrated Framework (2013) COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

More information

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404 INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404 OF THE U.S. SARBANES-OXLEY ACT OF 2002 May 26, 2004 Copyright 2004 by, 247 Maitland Avenue, Altamonte Springs, Florida, 32701-4201, USA Internal Auditing

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

More information

A Practical Approach to Implementing the COSO Internal Control Integrated Framework

A Practical Approach to Implementing the COSO Internal Control Integrated Framework A Practical Approach to Implementing the COSO Internal Control Integrated Framework Dr. Sandra B. Richtermeyer, CPA, CMA IMA s COSO Board Member Professor of Accountancy & Associate Dean Xavier University

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...

More information

Internal Auditing: Assurance, Insight, and Objectivity

Internal Auditing: Assurance, Insight, and Objectivity Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

Internal Control Integrated Framework. May 2013

Internal Control Integrated Framework. May 2013 Internal Control Integrated Framework May 2013 0 Table of Contents COSO & Project Overview Internal Control-Integrated Framework Illustrative Documents Illustrative Tools for Assessing Effectiveness of

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

International Standards for the Professional Practice of Internal Auditing

International Standards for the Professional Practice of Internal Auditing International Standards for the Professional Practice of Internal Auditing Introduction Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve

More information

4th Edition Audit Committee Effectiveness What Works Best

4th Edition Audit Committee Effectiveness What Works Best 4th Edition Audit Committee Effectiveness What Works Best Prepared by Principal Authors Catherine L. Bromilow, CPA Donald P. Keller, CPA Project Manager Garret K. Tripp, CPA, CFE Sponsored by IIA-Chicago

More information

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the Standards Internal auditing is conducted in diverse legal and cultural environments; for organizations

More information

Standards for the Professional Practice of Internal Auditing

Standards for the Professional Practice of Internal Auditing Standards for the Professional Practice of Internal Auditing THE INSTITUTE OF INTERNAL AUDITORS 247 Maitland Avenue Altamonte Springs, Florida 32701-4201 Copyright c 2001 by The Institute of Internal Auditors,

More information

INTERNAL CONTROL I. SOME GENERAL COMMENTS ON INTERNAL CONTROL

INTERNAL CONTROL I. SOME GENERAL COMMENTS ON INTERNAL CONTROL INTERNAL CONTROL I. SOME GENERAL COMMENTS ON INTERNAL CONTROL Companies establish internal control (IC) to aid the company in more effectively meeting its goals. It is management s responsibility to maintain

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

Enterprise Risk Management Aligning Risk with Strategy and Performance

Enterprise Risk Management Aligning Risk with Strategy and Performance Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management Aligning Risk with Strategy and Frequently Asked Questions November 2016 edition Table of Contents Project Background...

More information

2015-16 Internal Control Questionnaire and Assessment

2015-16 Internal Control Questionnaire and Assessment Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 9, 2015 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org TABLE

More information

T The Revised COSO ERM Framework. Robert Hirth Chairman, COSO

T The Revised COSO ERM Framework. Robert Hirth Chairman, COSO T The Revised COSO ERM Framework Robert Hirth Chairman, COSO COSO: Thought Leadership to Improve Your Organization What the Heck is COSO?... Originally formed in 1985, COSO is a joint initiative of five

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

An overview of COSO s 2013 Internal Control-Integrated Framework

An overview of COSO s 2013 Internal Control-Integrated Framework An overview of COSO s 2013 Internal Control-Integrated Framework Prepared by: Sara Lord, Partner, National Professional Standards Group, McGladrey LLP sara.lord@mcgladrey.com May 2013 Introduction In 1992,

More information

COSO P r e s e n t e d b y : A p r i l 8,

COSO P r e s e n t e d b y : A p r i l 8, COSO 2013 P r e s e n t e d b y : Tim Lietz A p r i l 8, 2 0 1 4 1 Our Time with You COSO Background Why COSO 2013? What Has Changed? Principles Overview Implementation Tasks and Challenges 2 COSO Background

More information

Guide to Internal Control Over Financial Reporting

Guide to Internal Control Over Financial Reporting Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).

More information

Markup Version Proposed Changes to the Standards

Markup Version Proposed Changes to the Standards The is releasing the exposure draft with proposed changes to the International Standards for the Professional Practice of Internal Auditing (Standards). The exposure period is from February 1 to April

More information

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE Committee of Sponsoring Organizations of the Treadway Commission Governance and Internal Control LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE By The Institute of Internal Auditors Douglas J. Anderson

More information

International Standards for the Professional Practice of Internal Auditing INTRODUCTION ATTRIBUTE STANDARDS

International Standards for the Professional Practice of Internal Auditing INTRODUCTION ATTRIBUTE STANDARDS INTRODUCTION Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

Matthew E. Breecher Breecher & Company PC November 12, 2008

Matthew E. Breecher Breecher & Company PC November 12, 2008 Applying COSO s Enterprise Risk Management Integrated Framework Matthew E. Breecher Breecher & Company PC November 12, 2008 The basic outline for this presentation was provided by: Objectives for the session:

More information

2013 COSO Framework Deloitte Training

2013 COSO Framework Deloitte Training 2013 COSO Framework Deloitte Training Agenda Module Module 1 Module 2 Module 3 Module 4 Module 5 Module 6 Module 7 Module 8 Module 9 Module 10 Module 11 Topic COSO Background Objectives of Internal Control

More information

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices A S I S I N T E R N A T I O N A L Supply Chain Risk Management: Risk Assessment A Compilation of Best Practices ANSI/ASIS/RIMS SCRM.1-2014 RA.1-2015 STANDARD The worldwide leader in security standards

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

Director Training and Qualifications Application Guide: Class 2 Director Core Competencies

Director Training and Qualifications Application Guide: Class 2 Director Core Competencies 4711 Yonge Street Suite 700 Toronto ON M2N 6K8 Telephone: 416-325-9444 Toll Free 1-800-268-6653 Fax: 416-325-9722 4711, rue Yonge Bureau 700 Toronto (Ontario) M2N 6K8 Téléphone : 416 325-9444 Sans frais

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization Internal Audit Quality Assessment Presented To: World Intellectual Property Organization April 2014 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,

More information

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions PRACTICE GUIDE Formulating and Expressing Internal Audit Opinions 2 of 23 Table of Contents 1. Executive Summary... 1 2. Introduction... 2 3. Planning the Expression of an Opinion... 3 3.1 Expressing an

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

RULEBOOK ON THE MANNER OF PERFORMING INTERNAL AUDIT OPERATIONS 3

RULEBOOK ON THE MANNER OF PERFORMING INTERNAL AUDIT OPERATIONS 3 Official Gazette of Republic of Macedonia, no. 72/03. RULEBOOK ON THE MANNER OF PERFORMING INTERNAL AUDIT OPERATIONS 3 Article 1 This Rulebook shall regulate the manner of performing internal audit operations

More information

In-House Counsel s Role in Risk Management. Melanie Osborne - Stoel Rives LLP Lynne Seville, Parker Smith & Feek

In-House Counsel s Role in Risk Management. Melanie Osborne - Stoel Rives LLP Lynne Seville, Parker Smith & Feek In-House Counsel s Role in Risk Management Melanie Osborne - Stoel Rives LLP Lynne Seville, Parker Smith & Feek What is Risk? Risk Management Components Articulate the organization's objectives Identify

More information

Internal Audit Quality Assessment. Presented To: Houston Independent School District

Internal Audit Quality Assessment. Presented To: Houston Independent School District Internal Audit Quality Assessment Presented To: Houston Independent School District July 2013 Table of Contents Executive Summary Opinion as to Conformance to the Standards Objectives / Scope / Methodology

More information

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2 Index Accounts Payable Process Review Procedures Assessments, 191 Actions to Resolve Risks COSO ERM Control Activities, 97 Activity Management COSO ERM Control Activities, 81 AICPA SAS No. 1 Internal Controls

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

Introduction to ISO 31000:2009

Introduction to ISO 31000:2009 Introduction to ISO 31000:2009 ISO 31000 was published as a standard in November of 2009. It provides a standard on how risk should be implemented. The intention of ISO 31000:2009 was to be relevant and

More information

SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS

SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS VOLUME 1 This volume addresses PwC risk management policies and audit methodology and is for internal distribution only. This toolkit volume

More information

Effective Enterprise Risk Management with ErmsCo ERM Foundation

Effective Enterprise Risk Management with ErmsCo ERM Foundation Executive Brief Effective Enterprise Risk Management with ErmsCo ERM Foundation Introduction to ErmsCo About ErmsCo ErmsCo is a consulting and training firm that focuses on assisting financial institutions

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

FRAMEWORK FOR AN ETHICAL MATURITY INDEX. Authors: Elena Demidenko and Patrick McNutt

FRAMEWORK FOR AN ETHICAL MATURITY INDEX. Authors: Elena Demidenko and Patrick McNutt FRAMEWORK FOR AN ETHICAL MATURITY INDEX Authors: Elena Demidenko and Patrick McNutt Across key Enterprise risk management frameworks, COSO ERM (http://www.coso.org) and ASNZ4360 (ASNZ 4360: 2004 (http://www.standards.com.au)

More information

Internal control over financial reporting Statement, assessment summary and action plan. For the fiscal year ending March 31, 2012

Internal control over financial reporting Statement, assessment summary and action plan. For the fiscal year ending March 31, 2012 Internal control over financial reporting Statement, assessment summary and action plan For the fiscal year ending March 31, 2012 Summary of the assessment of effectiveness of the system of internal control

More information

Fraud Risk Management

Fraud Risk Management Fraud Risk Management Overview Discussion Questions 1) Does your organization follow a specific risk management model? If so, which one? Do you think this model adequately addresses the risks your organization

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER APPENDIX A INTERNAL AUDIT CHARTER Version Control Version No Author Date 1.2 Anna Wright September 2014 Shared Service Senior Auditor 1.3 Lisa Cotton August 2015 Shared Service Senior Auditor 1.4 Lisa

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

Clarifying the Confusion between COSO and ISO

Clarifying the Confusion between COSO and ISO Clarifying the Confusion between COSO and ISO Clarifying the Confusion between COSO and ISO 2 Introduction According to the Association of Certified Fraud Examiners, a typical organisation loses an estimated

More information

PUBLIC INTERNAL AUDIT STANDARDS

PUBLIC INTERNAL AUDIT STANDARDS PUBLIC INTERNAL AUDIT STANDARDS Public internal audit standards have been determined by the Internal Audit Coordination Board (the Board) as per line (a) of the first paragraph of Article 67 of Law No.

More information

Top Ten Issues facing Internal Auditing in the Future

Top Ten Issues facing Internal Auditing in the Future Top Ten Issues facing Internal Auditing in the Future The IIA Dallas Chapter April 6, 2006 Presented by: David A. Richards, CIA, CPA President The Institute of Internal Auditors drichards@theiia.org 1

More information

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL BOARD OF EDUCATION OF BALTIMORE COUNTY INTERNAL AUDIT OPERATIONS MANUAL BACKGROUND The Office of Internal Audit Operations Manual was developed to be used as a guide and resource for the Office of Internal

More information

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals Report No. OIG-A-2012-007 March 30, 2012 NATIONAL RAILROAD PASSENGER CORPORATION

More information

The Institute of Internal Auditors 247 Maitland Avenue Altamonte Springs, FL 32701-4201 USA

The Institute of Internal Auditors 247 Maitland Avenue Altamonte Springs, FL 32701-4201 USA INTERNATIONAL Professional Practices Framework (IPPF) Disclosure Copyright 2009 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201.

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation Tying It All Together: Practical ERM Integration Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation November 16, 2007 1 Agenda Basis for ERM Integration ERM Objectives ERM Focus

More information

Checklist for assessing conformance with the Public Sector Internal Audit Standards and the local government application note

Checklist for assessing conformance with the Public Sector Internal Audit Standards and the local government application note APPENDI A Checklist for assessing conformance with the Public Sector Internal Audit Standards and the local government application note Assessment completed by John Bailey, Head of Internal Audit, Nottinghamshire

More information

The Financial Reporter

The Financial Reporter Article from: The Financial Reporter December 2004 Issue 59 Actuarial Aspects of SOX 404 Laura J. Hay and Richard H. Browne Laura J. Hay is principal at KPMG LLP in New York, N.Y. She can be reached at

More information

MISSION VALUES. The guide has been printed by:

MISSION VALUES. The guide has been printed by: www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit

More information

The Role of the Board in Enterprise Risk Management

The Role of the Board in Enterprise Risk Management Enterprise Risk The Role of the Board in Enterprise Risk Management The board of directors plays an essential role in ensuring that an effective ERM program is in place. Governance, policy, and assurance

More information

Updates to the COSO Internal Controls Framework. How to Apply it to Your Control Framework

Updates to the COSO Internal Controls Framework. How to Apply it to Your Control Framework Updates to the COSO Internal Controls Framework How to Apply it to Your Control Framework Presenters Jack Kristan, CPA. CIA, MBA Senior Consulting Manager, Plante Moran Enterprise Risk Services Jack has

More information

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology Inclusive of, framework, procedures and methodology Contents 1 Introduction 1 1.1 Legislative Framework and best practice 1 1.2 Purpose of Enterprise Risk Management 2 1.3 Scope and Applicability 3 1.4

More information

OPERATIONAL RISK EXAMINATION TECHNIQUES

OPERATIONAL RISK EXAMINATION TECHNIQUES OPERATIONAL RISK EXAMINATION TECHNIQUES 1 OVERVIEW Examination Planning Oversight Policies, Procedures, and Limits Measurement, Monitoring, and MIS Internal Controls and Audit 2 Risk Assessment: Develop

More information

The Global Fund Risk Management Policy 1

The Global Fund Risk Management Policy 1 The Global Fund Risk Management Policy 1 INTRODUCTION 1 Risk can be defined as the effect of uncertainty on the achievement of an organization s objectives. Risk management is, therefore, the process of

More information

Risk Management and Internal Audit Specialized Training Course Audit Risk Assessment Methodology

Risk Management and Internal Audit Specialized Training Course Audit Risk Assessment Methodology Risk Management and Internal Audit Specialized Training Course Audit Risk Assessment Methodology May 20, 2015 Internal FR 2 Risk and Risk Assessment Defined Risk Institute of Internal Auditors (IIA) The

More information

Framework for Enterprise Risk Management

Framework for Enterprise Risk Management Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach

More information

CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT S RESPONSIBILITIES AND IMPORTANCE TO THE EXTERNAL AUDITORS

CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT S RESPONSIBILITIES AND IMPORTANCE TO THE EXTERNAL AUDITORS A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT

More information

Standards for Internal Control in New York State Government

Standards for Internal Control in New York State Government Standards for Internal Control in New York State Government OFFICE OF THE NEW YORK STATE COMPTROLLER Thomas P. DiNapoli, State Comptroller March 2016 A Message from State Comptroller Thomas P. DiNapoli

More information

SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT

SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT Through CGIAR Financial Guideline No 3 Auditing Guidelines Manual the CGIAR has adopted the IIA Definition of internal auditing

More information

INTERNAL AUDIT CHARTER

INTERNAL AUDIT CHARTER INTERNAL AUDIT CHARTER Table of Contents Section 1 Introduction Section 2 Role Section 3 Professionalism Section 4 Authority Section 5 Organization Section 6 - Independence and Objectivity Section 7 Responsibility

More information

Developing an Effective Enterprise Risk Management Program

Developing an Effective Enterprise Risk Management Program Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

TABLE OF CONTENTS BACKGROUND AND INTRODUCTION... 5 PURPOSE... 5 SCOPE... 6 RISK ASSESSMENT PROCESS... 6

TABLE OF CONTENTS BACKGROUND AND INTRODUCTION... 5 PURPOSE... 5 SCOPE... 6 RISK ASSESSMENT PROCESS... 6 TABLE OF CONTENTS BACKGROUND AND INTRODUCTION... 5 PURPOSE... 5 SCOPE... 6 RISK ASSESSMENT PROCESS... 6 RISK ASSESSMENT AND EVALUATION METHODOLOGY... 6 RESULTS... 8 RISK ASSESSMENT GAPS... 9 RISK ASSESSMENT

More information

THE IIA S GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK Career Map Alignment

THE IIA S GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK Career Map Alignment THE IIA S GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK Career Map Alignment Copyright 2014 by The Institute of Internal Auditors, Inc., ( The IIA ) strictly reserved. Any reproduction of The IIA name or

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

Complements of: A Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/ Sully s Trail Pittsford, NY (585)

Complements of: A Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/ Sully s Trail Pittsford, NY (585) Complements of: A Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/78 171 Sully s Trail Pittsford, NY 14450 (585) 381-1000 By Janet L. Colbert, Ph.D., CPA, CIA, and Paul L. Bowen, Ph.D., CPA

More information

The IIA Standards: The IPPF Framework

The IIA Standards: The IPPF Framework The IIA Standards: The IPPF Framework S P E A K E R : D O T T. R O B E R TO R O S ATO C O U R S E O F B U S I N E S S A U D I T I N G U N I V E R S I T Y O F R O M E T O R V E R G A T A D E C E M B E R

More information

Policy 10.105: Enterprise Risk Management Policy

Policy 10.105: Enterprise Risk Management Policy Name: Responsibility: Complements: Enterprise Risk Management Framework Coordinator, Enterprise Risk Management Policy 10.105: Enterprise Risk Management Policy Date: November 2006 Revision Date(s): January

More information

Audit of the Policy on Internal Control Implementation

Audit of the Policy on Internal Control Implementation Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF

More information

Title Reference Status Date Internal Audit Department Charter

Title Reference Status Date Internal Audit Department Charter INTERNAL AUDIT DEPARTMENT CHARTER January 2014 Document control Title Reference Status Date Internal Audit Department Charter Version 0 Developed in NITA in Internal Audit Department Draft 1 Version 1

More information

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report Data Analysis: The Cornerstone of Effective Internal Auditing A CaseWare Analytics Research Report Contents Why Data Analysis Step 1: Foundation - Fix Any Cracks First Step 2: Risk - Where to Look Step

More information

INTERNAL CONTROLS EVALUATION

INTERNAL CONTROLS EVALUATION INTERNAL CONTROLS EVALUATION Planning an Internal Controls Evaluation Project Internal Control Documentation Internal Control Testing Evaluation of Internal Control Deficiency Reporting Internal Control

More information

CHAPTER 1 AUDITING: INTEGRAL TO THE ECONOMY

CHAPTER 1 AUDITING: INTEGRAL TO THE ECONOMY A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 1 AUDITING: INTEGRAL TO THE ECONOMY LEARNING OBJECTIVES

More information

and Risk Tolerance in an Effective ERM Program

and Risk Tolerance in an Effective ERM Program The Roles of Risk Appetite and Risk Tolerance in an Effective ERM Program Eric Gerner, Risk Advisory Services Director Tuesday, July 10, 2012 General Information Share the webinar Ask a question Votes

More information

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Examination of an Entity s Internal Control 1403 AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

Booker & Associates. For more information, contact Fay Booker, 1

Booker & Associates. For more information, contact Fay Booker, 1 For more information, contact Fay Booker, fbooker@bookerandassociates.com 1 Booker & Associates Introduction Credit Unions are in the risk taking business. With every transaction, a Credit Union takes

More information

Internal Audit Quality Assessment. Presented To: Houston Independent School District

Internal Audit Quality Assessment. Presented To: Houston Independent School District Internal Audit Quality Assessment Presented To: Houston Independent School District October 2015 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,

More information

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013 COSO Framework 2013 & SOX Compliance Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013 What s Happened On May 14, 2013, after a little more than 20 years the Committee of Sponsoring

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

United States General Accounting Office GAO. Internal Control Standards. Internal Control Management and Evaluation Tool. August 2001 GAO-01-1008G

United States General Accounting Office GAO. Internal Control Standards. Internal Control Management and Evaluation Tool. August 2001 GAO-01-1008G GAO United States General Accounting Office Internal Control Standards August 2001 Internal Control Management and Evaluation Tool GAO-01-1008G PREFACE August 2001 The General Accounting Office (GAO)

More information