Risk Based Internal Audit Patrick Rozario Head of Business Risk Services

Transcription

1 Risk Based Internal Audit Patrick Rozario Head of Business Risk Services 9 February 2009

2 Agenda Introduction applying risk management techniques control environment risk assessment case study control activities information & communications monitoring

3 What are the challenges we face? leading a cohesive organisation establishing the right culture finding first signs of problems / risks setting strategy and aligning it to business processes motivating employees & yourself reviewing performance

4 What are the challenges faced? how to comply with regulations how to find the value from compliance how to meet the board demands ability to create efficiencies and improve your bottom line ($$$) a safe and rewarding place to work

5 What is Risk Management for your enterprise? " a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." - Source: COSO ERM Integrated Framework, Executive Summary, September 2004

6 Enterprise Risk Management (ERM) research says 271 risk management executives in North America and Europe were recently surveyed by the Conference Board 90% want to build ERM into their processes Only 10% have - Source: Internal Auditor Magazine 7,500 Chief Audit Executives worldwide were recently surveyed by the IIA Research Foundation Only 6% have fully implemented ERM - Source: Internal Auditor Magazine

7 Value proposition: why do it? focuses management attention on the truly important risks risks with potential to significantly impact earnings or even endanger company survival develops a strategic, company-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action integrates risk management into critical decision-making processes, such as strategic planning

8 Value proposition: why do it? (con't) identifies the risks inherent in current strategy and business model before the competition to provide sustainable competitive advantage determines risk appetite of the company in context of investor expectations

9 Hong Kong Code of Corporate Governance Hong Kong adopted / based on the UK Combined Code Directors Remuneration of Directors and Senior Management Accountability and Audit Delegation by the Board Communication with Shareholders Comply or Explain Approach

10 Hong Kong Code internal control Code provision C.2.1. existence, design and operating effectiveness minimal time frame The directors should at least annually conduct a review of the effectiveness of the system of internal control of the issuer and its subsidiaries and report to shareholders that they have done so in their Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls and risk management functions. Corporate Governance Report 4 major areas of review coverage/scope

11 Agenda Introduction applying risk management techniques control environment risk assessment case study control activities information & communications monitoring

12 COSO framework Committee of Sponsoring Organisations of the Treadway Commission developed AICPA, AAA, NAA, FEI, and IIA worldwide standard 3 Objective Categories 5 Interrelated Control Components adopted by HKICPA & US-Sarbanes- Oxley Act

13 A "Framework" for evaluation COSO what does the "framework" accomplish? establishes a common language establishes a generic benchmark of acceptable internal controls

14 COSO objectives i.e., what we are trying to accomplish The COSO Cube looks at each component of internal control by objectives. The Cube further indicates that internal control is relevant to the entire enterprise, or to any of its units or activities. 1. Operations 2. Financial Reporting 3. Compliance

15 COSO components i.e., how we plan to accomplish our objectives "Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process. 1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring

16 COSO components Control environment Tone of the organisation attributes of people employed level of Integrity ethical values competence combination creates the foundation of the control environment

17 Code on Corporate Governance The Board / Director & Delegation by the Board Board of Directors that should assume responsibility for leadership and control, Board Committees and management functions Remuneration Polices Formal and transparent procedure for setting policy on directors' and senior management Accountability and Audit Audit committee, internal controls Communication with Shareholders Annual general meeting, voting by poll

18 Agenda Introduction applying risk-based internal audit in your company control environment risk assessment case study control activities information & communications monitoring governance report card: trends in the market

19 COSO Components Risk assessment risk awareness and prevention setting objectives mission or value statements overall strategy integrated with sales, production, marketing, financial, etc. to operate in concert establishing mechanisms to identify, analyse and manage risks

20 Risk Based Internal Audit Methodology

21 Risk identification & prioritisation: what do we focus on? identify risk areas based on quantitative metrics what can go wrong? identify risk areas based on qualitative metrics define universe of risk factors

22 Risk identification & prioritisation: ABC International Holdings Ltd ABC International Holdings Ltd "Profile" manufacturer of electronics equipment headquartered in Hong Kong, listed on HKEx 10+ international locations & entities sales in N. America, Latin America, Europe and Asia

23 Risk identification & prioritisation: Quantitative analysis How important is this entity to my financial statements? Corporate Reporting Unit 1 Reporting Unit 2 Reporting Unit 3 1. Materiality of the Amounts Primary Factor 2. Complexity of the Entity and Processes 3. History of Accounting Adjustments 4. Propensity for Change in Processes or Accounting Principles Secondary Factors 5. Potential for Significant Unrecorded Liabilities

24 Risk identification & prioritisation: Quantitative analysis (con't) determine significant entities 5%+ of Group Turnover Aggregate turnover = 84% ("large portion")

25 Risk identification & prioritisation: Quantitative analysis (con't) select significant accounts & business processes Planning Materiality = Revenue x 2% = $315,800,000

26 Risk identification & prioritisation Qualitative analysis what can go wrong? Business Risk Model - Example

27 Risk identification & prioritisation Qualitative analysis what can go wrong? (con't) Business Risk Model Definitions - Example

28 Qualitative analysis evaluating the risks identify stakeholders, whom should: represent management positions cross-cut departments and responsibilities directly be connected with accomplishing the objectives of the Strategic Plan. evaluate options for gathering information Interviews, questionnaires, focus groups, etc.

29 Qualitative analysis sample questionnaire Legal and Regulatory Risk Failure to comply with federal, state, or local regulations could result in fines, penalties, criminal or civil claims, or damage to the company's reputation What are the specific legal and regulatory requirements that the company needs to comply with? Is management fully aware of these requirements and how is this controlled? Are the markets in your industries deregulated? Has there been significant litigation and how are disputes resolved? Have there been major investigations by legal/regulatory authorities? How are your employees trained in these regulatory requirements? What record retention/destruction process exists within your company? Has the company received significant fines? What role does the general counsel play on the various company boards? Is the general counsel proactively involved in all acquisitions, mergers and divestitures? Do you have significant government contracts and other contracts?

30

31 Risk prioritisation How bad can it be? Significance: "How big or material are the potential adverse consequences of the risk?" ratings scale 1 - Not Significant: neither a strategic nor financial impact 3 - Moderately Significant: Noticeable challenges to achieving strategic objectives and/or financial targets (one-week's earnings) 5 - Highly Significant: strategic objectives cannot be achieved, resulting in significant financial impact (one-quarter's earnings) and questions about future viability

32 Risk prioritisation How bad can it be? (con't) Likelihood: "How possible is it that the adverse consequences from the risk will occur?" ratings scale 1 - Never or rarely: unlikely to occur between now and 2009 (<5%) 3 Possible: may occur between now and 2009 (<50%) 5 Definitely: already occurring or almost certainly will occur between now and 2009 (>90%)

33 Risk prioritisation How bad can it be? (con't) Tolerance: "How willing is the Company to accept any level of risk as it relates to strategic goals and objectives?" ratings scale Very Low Tolerance Management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring and risk reduction measures are essential whatever their cost (risk avoidance). Moderate Tolerance Management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences. Extremely High Tolerance Management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed (total risk acceptance).

34 Risk prioritisation: ABC International Holdings Ltd Liquidity risk Significance (High: 5) working balance on hand of HK$343 million vs monthly average running expense of HK$1.25 billion. cash flow turnover gross profit margin analysis: 7.55% and 7.17% for years 2006 and 2007 respectively.

35 Risk prioritisation: ABC International Holdings Ltd Liquidity risk (con't) Likelihood (High: 4) quick ratios as of 30 Mar 2006 & 2007 = 0.63 & 0.72 current liquidity level ratio is lower than competitors XYZ (1.15) and MNO (1.2) lower liquidity due to: inability to obtain long-term bank borrowings heavy reliance on extended credit of suppliers Tolerance (Low)

36 Risk prioritisation: ABC International Holdings Ltd IT risk Significance (High: 5) ERP System in use for Purchasing, Material Control, Sales and Accounting if system is unavailable, overall operations are interrupted

37 Risk prioritisation: ABC International Holdings Ltd IT risk (con't) Likelihood (Moderate: 2) remote access for PRC, Brazil and Taiwan factories as well as certain suppliers and hardware vendors: chance of malicious attacks customised applications integrated into ERP: risks related to data completeness during transmission robust IT department with backup & recovery controls, redundant and load sharing infrastructure: effective internal controls in place Tolerance (Moderate)

38 Risk prioritisation Evaluate risks against risk tolerances Significance Likelihood Tolerance Analysis Liquidity 5 4 Low Poor liquidity management can lead to default or loss of production, inability to fund the operational or financial obligations of the business and arouse going concern problems Industry 3 3 Moderate Industry changes would have moderate to high impact as the Company s product may have to undergo significant changes. Technological changes are inherent with industry, hence ABC Company s likelihood and tolerance are both moderate Product Failure 5 2 Low High quality products and performance are very important to the ABC Company; hence high impact and low tolerance. Company s strong quality control helps keep likelihood low IT 5 2 Moderate ERP system controls significant daily operations of ABC Robust IT department with controls related to access, availability, data integrity and infrastructure Health & Safety 5 2 Low Considering the high value placed on employees, Company has a low tolerance to health & safety risks which could have a moderate impact The Company has an effective health & safety program, which has helped the likelihood of this risk remain low

39 Analyse risks Prioritised risk report

40 Prioritised risk map Significance Low High Low High Likelihood

41 Interpreting the risk map High Significance Low Secondary Risk Lower likelihood, but could have significant adverse impact on business objectives Some monitoring, emphasis on risk sharing and detective controls Low Priority Risks Significant monitoring might not be necessary unless change in classification Periodically reassess Key Risks Critical risks that potentially threaten the achievement of business objectives High monitoring and activity and preventive controls Secondary Risks Consider cost/benefit trade-off Some monitoring and effective detective controls Reassess often, monitoring for changing conditions Low Likelihood High

42 Monitor risks Risk Monitoring Internal Audit Program Risk Significance Likelihood Significance Likelihood Tolerance Business Processes (dept/ function) IA Program Liquidity Industry Low Moderate Cash Mgmt/Treasury Working capital management Strategy Mergers & Acquisitions Monitor availabilities of banking facilities and other financing sources. Review debtors aging reports, ensuring the effectiveness of debtor collection process Review business controls over strategy setting process. Ensure S, W, O, T have considered impact of industry/technology changes Product Failure Low Production/Conversion Production, Q&A Customer Service NPD Review controls over quality control and analyse customer returns. Review controls over New Product Development. IT Health & Safety Moderate Low IT Program change, security, backup & recovery General counsel HR Review IT General Controls. Reconfirm that controls are good in this area analyse reports of safety issues.

43 Risk-based Internal Audit Plan Quantitative Analysis Qualitative Analysis Significant Entities ABC Electronics (SZ) Co., Ltd. ABC Technology Co. (SZ) ABC Technology Co. (Shanghai) Key Business Cycles Revenue Inventory Procurement Expenditure & Payroll Fixed Assets Bank & Cash Financing IT Sub-Cycles Pricing strategies Quality Control, Customer Returns Working capital management

44 Best practices and lessons learned Do Establish a Risk Management Committee and Charter Identify a risk champion supported by the CEO Understand that ERM is a journey and not a project Provide a holistic definition of business risk Include consultants but do not let them drive ERM

45 Best practices and lessons learned Don't underestimate the impact of existing culture undersell ERM as a business risk assessment implement ERM as a part-time job take on too much at one time

46 Agenda Introduction applying risk-based internal audit in your company control environment risk assessment case study control activities information & communications monitoring governance report card: trends in the market

47 COSO components Control activities establishing and implementing policies and procedures carry out the entity s objectives addresses the risk to achievement of objectives occurs throughout the organisation, at all levels and in all functions approvals, authorisations, verifications, reconciliations, segregation of duties, etc.

48 Plan & execute a risk response avoid: exit the risk generating activity reduce: control the risk through preventive or detective measures share the risk: transfer the risk through a mechanism such as insurance accept: incorporate the likely cost of the risk's occurrence in the overall plan (i.e., to price for the risk)

49 Risk response What control investment should we make? H Inherent Risk M L Under-Managed Zone of Balanced Investment Over-Managed L M H Investment

50 First steps to implementing sound control activities People and plans identify or hire someone with appropriate skills to manage the process. Necessary skills include: understanding of processes, risks and internal controls understanding of COSO or similar framework time to devote to maintaining understanding of the continuously changing requirements and options develop a game plan including timelines and scope determinations (i.e., who, what, when & where)

51 First steps to implementing sound control activities Understand the Process-Activity Model examine impacts and relationships between upstream and downstream activities, and across processes risks that occur in one activity often manifest in other areas controls in one activity can mitigate risks in other activities Procure-to- Pay Plan-to- Report The Process-Activity Model Order-to- Cash Hire-to- Retire Inceptionto-Retire (Capital) Plan-to-Fulfill (Supply Chain)

52 The Process-Activity Model sample: Procure-to-Pay process The Procure-to-Pay process cuts across several functions Procurement/ Sourcing Accounts Payable Treasury Tax Other and typically encompasses the activities listed below: Primary Activities Identify/analyse needs Manage suppliers Manage catalogs/items Create/approve requisitions Process purchase orders Receive items Manage inventory (activity integrates with Plan-to-Fulfill process) Process invoices Process expense reports Match vouchers Process payments Process accounting entries Support Activities Manage strategic sourcing & contracts Setup/maintain system control tables Manage reconciliation Manage supplier inquiries Measure suppliers & manage quality Measure internal compliance Manage warranties Manage taxes Manage security Report & query Manage integration processes Maintain process controls & manage risk Exception Activities Manage match exceptions Process manual payments Void/stop payments Process change orders Return items Manage integration exceptions

53 Agenda Introduction applying risk-based internal audit in your company control environment risk assessment case study control activities information & communications monitoring governance report card: trends in the market

54 COSO components Information and communication systems of communications how information is identified, captured, exchanged and used on a timely basis information systems how reports are designed, produced, disseminated and used on a timely basis are the right people getting the right information at the right time?

55 COSO components System of communications effectiveness with which employees duties and control responsibilities are communicated establishment of channels of communication for people to report suspected improprieties receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements

56 COSO components System of communications (con't) adequacy of communication across the organisation and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs timely and appropriate follow-up by management to issues reported

57 COSO components Information obtaining external and internal information, and providing management with necessary reports on the entity s performance relative to established objectives providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively

58 COSO components Information development or revision of information systems based on a strategic plan for information systems linked to the entity s overall strategy and responsive to achieving the entity-wide and process-level objectives management s support for the development of necessary information systems is demonstrated by the commitment of appropriate resources human and financial

59 Domains of IT general controls IT control environment program development program changes computer operations access to programs and data

60 Two types of IT controls 1. General controls Controls that provide a reliable operating environment and support the effective operation of application controls 2. Application controls Controls that directly support reporting objectives

61 Agenda Introduction applying risk-based internal audit in your company control environment risk assessment case study control activities information & communications monitoring governance report card: trends in the market

62 COSO components Monitoring assessing the quality of the system ensures controls continue to operate effectively adjusts for changing environment ongoing monitoring activities built into the normal, recurring activities performed on a real-time basis separate evaluations periodically tested based on circumstances independent Internal Control Review

63 The objective of an internal control review Financial statement audit Internal control audit Versus material misstatement correctness test amounts/balance understand all components of F/S what is state of controls over a process material weakness tests of operation / effectiveness understand all components of process

64 Controls evaluation Where should we invest evaluation resources? Higher-Risk Controls Detective Manual Address critical accounts & assertions One control out of a few Operate in high risk areas Operate in areas with turnover of key personnel High degree of reliance on other controls Lower-Risk Controls Preventive Automated Address secondary accounts & assertions One control out of many Operate in lower risk areas Operate in stable personnel environment Operates effectively on its own

65 Controls evaluation Control risk vs. control reliance Control Risk High Low Monitor closely Make sure other controls effectively mitigate risk Lower levels of evaluation and monitoring effort needed Generally small control procedures operating among many Highest level of evaluation and monitoring effort needed Should consider implementing supporting controls Bread-and-butter controls These controls do the job right, consistently Primary Control Reliance Secondary

66 Execute the internal audit 4

67 Independent internal control review - Organisation Determine Scope of Project and Involving Business Units Board of Directors Audit Committee Internal Audit Department Professional Consultants/ External Auditors Internal Audit Department may not have: Enough resources (manpower, experience) Applicable Internal Control System Framework Assessment and testing strategy Due to limited resources and time, part or all of the Internal Audit Function is outsourced.

68 Internal control review Annual Reporting Declare evaluation of internal control 4 1 Company Risk Assessment Identify risks Limit review to significant areas Perform testing of controls Identify errors in operation of controls 3 Testing & Remediation Quality & Risk Mgmt. Professional Excellence Best Practices Profitability 2 Documentation Document processes & controls Review design

69 Phase I Risk Phase Assessment I Entity-level Risk Identify risks Limit review to significant areas Assessment and Project Planning leverage risk assessment work performed already for scope of audit identify applicable processes and activities create project scope and plan for remaining phases identify project team

70 Phase II: Design Effectiveness Documentation Document processes & controls Review design Identify key controls in place by conducting a walkthrough of the key processes to confirm existence Determine whether there are significant gaps with the design of the controls. Key controls should be designed so as to detect or prevent error or fraud

71 Phase III: Operating Effectiveness Testing & Remediation Perform testing of controls Identify errors in operation of controls identify processes and controls for testing design tests of controls operating effectiveness execute and document tests of controls identify potential issues or improvements and agree upon actions communicate and report results to management and the audit committee follow-up on findings and agreed-upon action plans

72 Phase IV Annual Reporting Declare evaluation of internal control Ongoing compliance plan ongoing maintenance and testing through prospective management and internal audit activities broaden scope to cover other enterprise-wide risks

73 Internal control review approach Risk & control reporting documentation gathered from review should be effectively managed need to determine how to manage and what format consider using software to simplify process identify reporting deliverables e.g. - Risk and Control Report - compiled on an annual basis provides the Audit Committee and the executive single picture of the internal control environment, enabling an assessment of priorities and potential exposures across the company. This report will help the Audit Committee in preparing the Corporate Governance Report as required by the Listing Rules.

74 Internal control review approach Manage the review A Internal Control Review needs to be effectively managed To do so need to consider: all stakeholder expectations people responsible financial impact timeline communication strategy regulatory requirements Internal Audit Department is often chosen as the main responsible entity and must report directly to Audit Committee. It s also very common to outsource or co-source the planning and internal audit to professional parties

75 Conclusion Potential Benefits of Effective Risk Management & Internal Control Early entry into new business areas Higher/ sustainable share prices Reduction in management time spent on fire fighting Fewer sudden shocks or unwelcome surprises Achievement of Company Objectives Increased likelihood of change initiatives being achieved Achievement of competitive advantage Better basis for strategy setting Lower cost of capital More focus internally on doing the right things source: Grant HKICPA Thornton Internal Control & Risk Management Framework (June 2005) which adapted from Implementing Turnbull A Boardroom Briefing, ICAEW

76 Overview of Grant Thornton in Hong Kong & mainland China dedicated to serving the needs of growing companies since 1949 a member of Grant Thornton International provides services include Assurance, China practice, Tax, Business Risk, Corporate Finance, Forensic & Investigations, and Recovery & Reorganisation 42 Partners and a total of 1,300 personnel in 6 offices in mainland China and Hong Kong offices in Beijing, Shanghai, Guangzhou Shenzhen and Chengdu with over 600 personnel

77 Your contacts Patrick Rozario Head of Business Risk Services 13/F, Gloucester Tower The Landmark 15 Queen s Road Central Hong Kong T F E patrick.rozario@gthk.com.hk

78 Questions?