Risk Based Internal Audit Patrick Rozario Head of Business Risk Services
Transcription
1 Risk Based Internal Audit
Patrick Rozario, Head of Business Risk Services
9 February 2009

2 Agenda
- Introduction
- Applying risk management techniques
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring

3 What are the challenges we face?
- leading a cohesive organisation
- establishing the right culture
- finding the first signs of problems / risks
- setting strategy and aligning it to business processes
- motivating employees & yourself
- reviewing performance

4 What are the challenges faced?
- how to comply with regulations
- how to find the value from compliance
- how to meet the board's demands
- ability to create efficiencies and improve your bottom line ($$$)
- a safe and rewarding place to work

5 What is Risk Management for your enterprise?
"a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
- Source: COSO ERM Integrated Framework, Executive Summary, September 2004

6 Enterprise Risk Management (ERM): what the research says
- 271 risk management executives in North America and Europe were recently surveyed by the Conference Board: 90% want to build ERM into their processes; only 10% have (Source: Internal Auditor Magazine)
- 7,500 Chief Audit Executives worldwide were recently surveyed by the IIA Research Foundation: only 6% have fully implemented ERM (Source: Internal Auditor Magazine)

7 Value proposition: why do it?
- focuses management attention on the truly important risks: risks with the potential to significantly impact earnings or even endanger company survival
- develops a strategic, company-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action
- integrates risk management into critical decision-making processes, such as strategic planning

8 Value proposition: why do it? (cont'd)
- identifies the risks inherent in the current strategy and business model before the competition does, to provide sustainable competitive advantage
- determines the risk appetite of the company in the context of investor expectations

9 Hong Kong Code of Corporate Governance
- Hong Kong adopted / based on the UK Combined Code
- Directors
- Remuneration of Directors and Senior Management
- Accountability and Audit
- Delegation by the Board
- Communication with Shareholders
- Comply or Explain approach

10 Hong Kong Code: internal control
- Code provision C.2.1: "The directors should at least annually conduct a review of the effectiveness of the system of internal control of the issuer and its subsidiaries and report to shareholders that they have done so in their Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls and risk management functions."
- What the provision requires: existence, design and operating effectiveness of controls; a minimal time frame (at least annually); reporting in the Corporate Governance Report; 4 major areas of review coverage/scope
11 Agenda
- Introduction
- Applying risk management techniques
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring

12 COSO framework
- Committee of Sponsoring Organisations of the Treadway Commission
- developed by AICPA, AAA, NAA, FEI, and IIA
- worldwide standard
- 3 Objective Categories
- 5 Interrelated Control Components
- adopted by HKICPA & US Sarbanes-Oxley Act

13 A "Framework" for evaluation: COSO
What does the "framework" accomplish?
- establishes a common language
- establishes a generic benchmark of acceptable internal controls

14 COSO objectives (i.e., what we are trying to accomplish)
The COSO Cube looks at each component of internal control by objective. The Cube further indicates that internal control is relevant to the entire enterprise, or to any of its units or activities.
1. Operations
2. Financial Reporting
3. Compliance

15 COSO components (i.e., how we plan to accomplish our objectives)
"Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process."
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

16 COSO components: Control environment
- tone of the organisation
- attributes of the people employed: level of integrity, ethical values, competence
- the combination creates the foundation of the control environment

17 Code on Corporate Governance
- The Board / Directors & Delegation by the Board: a Board of Directors that should assume responsibility for leadership and control; Board Committees and management functions
- Remuneration Policies: a formal and transparent procedure for setting policy on directors' and senior management remuneration
- Accountability and Audit: audit committee, internal controls
- Communication with Shareholders: annual general meeting, voting by poll
18 Agenda
- Introduction
- Applying risk-based internal audit in your company
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring
- Governance report card: trends in the market

19 COSO components: Risk assessment
- risk awareness and prevention
- setting objectives: mission or value statements; overall strategy integrated with sales, production, marketing, financial, etc. so that they operate in concert
- establishing mechanisms to identify, analyse and manage risks

20 Risk Based Internal Audit Methodology

21 Risk identification & prioritisation: what do we focus on?
- identify risk areas based on quantitative metrics
- what can go wrong? identify risk areas based on qualitative metrics
- define the universe of risk factors

22 Risk identification & prioritisation: ABC International Holdings Ltd
ABC International Holdings Ltd "Profile":
- manufacturer of electronics equipment
- headquartered in Hong Kong, listed on HKEx
- 10+ international locations & entities
- sales in N. America, Latin America, Europe and Asia

23 Risk identification & prioritisation: Quantitative analysis
How important is this entity to my financial statements? (assessed for Corporate, Reporting Unit 1, Reporting Unit 2 and Reporting Unit 3)
Primary factor:
1. Materiality of the Amounts
Secondary factors:
2. Complexity of the Entity and Processes
3. History of Accounting Adjustments
4. Propensity for Change in Processes or Accounting Principles
5. Potential for Significant Unrecorded Liabilities

24 Risk identification & prioritisation: Quantitative analysis (cont'd)
- determine significant entities: 5%+ of Group Turnover
- aggregate turnover of the significant entities = 84% ("large portion")

25 Risk identification & prioritisation: Quantitative analysis (cont'd)
- select significant accounts & business processes
- Planning Materiality = Revenue x 2% = $315,800,000

26 Risk identification & prioritisation: Qualitative analysis, what can go wrong?
Business Risk Model - Example (diagram)

27 Risk identification & prioritisation: Qualitative analysis, what can go wrong? (cont'd)
Business Risk Model Definitions - Example (diagram)

28 Qualitative analysis: evaluating the risks
- identify stakeholders, who should:
  - represent management positions
  - cross-cut departments and responsibilities
  - be directly connected with accomplishing the objectives of the Strategic Plan
- evaluate options for gathering information: interviews, questionnaires, focus groups, etc.

29 Qualitative analysis: sample questionnaire
Legal and Regulatory Risk: failure to comply with federal, state, or local regulations could result in fines, penalties, criminal or civil claims, or damage to the company's reputation.
- What are the specific legal and regulatory requirements that the company needs to comply with?
- Is management fully aware of these requirements, and how is this controlled?
- Are the markets in your industries deregulated?
- Has there been significant litigation, and how are disputes resolved?
- Have there been major investigations by legal/regulatory authorities?
- How are your employees trained in these regulatory requirements?
- What record retention/destruction process exists within your company?
- Has the company received significant fines?
- What role does the general counsel play on the various company boards?
- Is the general counsel proactively involved in all acquisitions, mergers and divestitures?
- Do you have significant government contracts and other contracts?
31 Risk prioritisation: How bad can it be?
Significance: "How big or material are the potential adverse consequences of the risk?"
Ratings scale:
- 1 - Not Significant: neither a strategic nor a financial impact
- 3 - Moderately Significant: noticeable challenges to achieving strategic objectives and/or financial targets (one week's earnings)
- 5 - Highly Significant: strategic objectives cannot be achieved, resulting in significant financial impact (one quarter's earnings) and questions about future viability

32 Risk prioritisation: How bad can it be? (cont'd)
Likelihood: "How possible is it that the adverse consequences from the risk will occur?"
Ratings scale:
- 1 - Never or rarely: unlikely to occur between now and 2009 (<5%)
- 3 - Possible: may occur between now and 2009 (<50%)
- 5 - Definitely: already occurring or almost certainly will occur between now and 2009 (>90%)

33 Risk prioritisation: How bad can it be? (cont'd)
Tolerance: "How willing is the Company to accept any level of risk as it relates to strategic goals and objectives?"
Ratings scale:
- Very Low Tolerance: management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring, and risk reduction measures are essential whatever their cost (risk avoidance).
- Moderate Tolerance: management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
- Extremely High Tolerance: management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed (total risk acceptance).

34 Risk prioritisation: ABC International Holdings Ltd, Liquidity risk
Significance (High: 5)
- working balance on hand of HK$343 million vs monthly average running expense of HK$1.25 billion
- cash flow turnover
- gross profit margin analysis: 7.55% and 7.17% for years 2006 and 2007 respectively

35 Risk prioritisation: ABC International Holdings Ltd, Liquidity risk (cont'd)
Likelihood (High: 4)
- quick ratios as of 30 Mar 2006 & 2007 = 0.63 & 0.72
- current liquidity level ratio is lower than competitors XYZ (1.15) and MNO (1.2)
- lower liquidity due to: inability to obtain long-term bank borrowings; heavy reliance on extended credit from suppliers
Tolerance (Low)

36 Risk prioritisation: ABC International Holdings Ltd, IT risk
Significance (High: 5)
- ERP system in use for Purchasing, Material Control, Sales and Accounting
- if the system is unavailable, overall operations are interrupted

37 Risk prioritisation: ABC International Holdings Ltd, IT risk (cont'd)
Likelihood (Moderate: 2)
- remote access for PRC, Brazil and Taiwan factories as well as certain suppliers and hardware vendors: chance of malicious attacks
- customised applications integrated into the ERP: risks related to data completeness during transmission
- robust IT department with backup & recovery controls, redundant and load-sharing infrastructure: effective internal controls in place
Tolerance (Moderate)

38 Risk prioritisation: Evaluate risks against risk tolerances
(columns: Significance, Likelihood, Tolerance, Analysis)
- Liquidity: 5, 4, Low. Poor liquidity management can lead to default or loss of production, inability to fund the operational or financial obligations of the business, and raise going concern problems.
- Industry: 3, 3, Moderate. Industry changes would have a moderate to high impact as the Company's product may have to undergo significant changes. Technological changes are inherent in the industry, hence ABC Company's likelihood and tolerance are both moderate.
- Product Failure: 5, 2, Low. High quality products and performance are very important to the ABC Company; hence high impact and low tolerance. The Company's strong quality control helps keep likelihood low.
- IT: 5, 2, Moderate. The ERP system controls significant daily operations of ABC. Robust IT department with controls related to access, availability, data integrity and infrastructure.
- Health & Safety: 5, 2, Low. Considering the high value placed on employees, the Company has a low tolerance to health & safety risks, which could have a moderate impact. The Company has an effective health & safety program, which has helped the likelihood of this risk remain low.
39 Analyse risks: Prioritised risk report

40 Prioritised risk map (chart: Significance on the vertical axis, Likelihood on the horizontal axis, each running from Low to High)

41 Interpreting the risk map (Significance on the vertical axis, Likelihood on the horizontal axis, each Low to High)
- Key Risks (high significance, high likelihood): critical risks that potentially threaten the achievement of business objectives; high monitoring and activity, and preventive controls
- Secondary Risk (high significance, low likelihood): lower likelihood, but could have a significant adverse impact on business objectives; some monitoring, with emphasis on risk sharing and detective controls
- Secondary Risks (low significance, high likelihood): consider the cost/benefit trade-off; some monitoring and effective detective controls; reassess often, monitoring for changing conditions
- Low Priority Risks (low significance, low likelihood): significant monitoring might not be necessary unless there is a change in classification; periodically reassess
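As an added worked example (not from the presentation or from Grant Thornton), the following Python script takes the ABC International Holdings ratings from the "Evaluate risks against risk tolerances" table and places each risk in one of the four quadrants of the risk map, attaching the quadrant's suggested response from the slide above and sorting the result into a prioritised report. The cut-off of 4 for "High" on the 1-5 scale (kept as a parameter because the slides do not state one), the significance x likelihood score used only for ordering, and the flag for low-tolerance risks that are not yet Key Risks are my assumptions, not rules stated on the slides.

```python
# Added example (not part of the presentation): classify rated risks into the
# four quadrants of the risk map and build a prioritised risk report.
from dataclasses import dataclass

# Assumption: on the 1-5 ratings scale, a rating of 4 or more counts as "High"
# on the map. The presentation does not state the cut-off, so it is a parameter.
HIGH_THRESHOLD = 4

# Quadrant names and response guidance from the "Interpreting the risk map" slide,
# keyed by (significance band, likelihood band).
QUADRANTS = {
    ("High", "High"): ("Key Risk",
                       "high monitoring and activity; preventive controls"),
    ("High", "Low"): ("Secondary Risk",
                      "some monitoring; emphasis on risk sharing and detective controls"),
    ("Low", "High"): ("Secondary Risk",
                      "consider cost/benefit trade-off; some monitoring and effective "
                      "detective controls; reassess often"),
    ("Low", "Low"): ("Low Priority Risk",
                     "significant monitoring might not be necessary; periodically reassess"),
}

# Sort order for the report: Key Risks first, Low Priority last.
QUADRANT_ORDER = {"Key Risk": 0, "Secondary Risk": 1, "Low Priority Risk": 2}


@dataclass(frozen=True)
class RiskRating:
    name: str
    significance: int  # 1-5, per the Significance ratings scale
    likelihood: int    # 1-5, per the Likelihood ratings scale
    tolerance: str     # "Low", "Moderate" or "High"


def band(rating: int, threshold: int = HIGH_THRESHOLD) -> str:
    """Map a 1-5 rating onto the map's Low/High axis bands."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be between 1 and 5, got {rating}")
    return "High" if rating >= threshold else "Low"


def classify(risk: RiskRating, threshold: int = HIGH_THRESHOLD) -> dict:
    """Place one risk on the map and attach the slide's response guidance."""
    key = (band(risk.significance, threshold), band(risk.likelihood, threshold))
    quadrant, response = QUADRANTS[key]
    # Assumption: a low-tolerance risk that is not a Key Risk is flagged so the
    # reviewer checks it against tolerance, as the "evaluate against tolerances"
    # slide asks; the slides do not define this flag themselves.
    tolerance_flag = risk.tolerance == "Low" and quadrant != "Key Risk"
    return {
        "name": risk.name,
        "quadrant": quadrant,
        "response": response,
        "score": risk.significance * risk.likelihood,  # ordering aid only (assumption)
        "tolerance_flag": tolerance_flag,
    }


def prioritised_report(risks, threshold: int = HIGH_THRESHOLD) -> list:
    """Classify every risk and order them: by quadrant, then by score descending."""
    rows = [classify(r, threshold) for r in risks]
    return sorted(rows, key=lambda r: (QUADRANT_ORDER[r["quadrant"]], -r["score"]))


# Ratings copied from the ABC International Holdings table on the slides.
ABC_RISKS = [
    RiskRating("Liquidity", 5, 4, "Low"),
    RiskRating("Industry", 3, 3, "Moderate"),
    RiskRating("Product Failure", 5, 2, "Low"),
    RiskRating("IT", 5, 2, "Moderate"),
    RiskRating("Health & Safety", 5, 2, "Low"),
]

if __name__ == "__main__":
    for row in prioritised_report(ABC_RISKS):
        flag = "  [low tolerance: review]" if row["tolerance_flag"] else ""
        print(f"{row['name']:16} {row['quadrant']:18} score={row['score']:2}"
              f" -> {row['response']}{flag}")
```

Lowering the threshold to 3 moves Industry (rated 3/3) into the Key Risk quadrant, which is why the cut-off should be agreed with the Risk Management Committee before the map is used to drive the internal audit plan.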
42 Monitor risks: Risk Monitoring Internal Audit Program
(columns: Risk, Significance, Likelihood, Tolerance, Business Processes (dept/function), IA Program)
- Liquidity: Tolerance Low. Business processes: Cash Mgmt/Treasury; Working capital management. IA program: monitor availability of banking facilities and other financing sources; review debtors aging reports, ensuring the effectiveness of the debtor collection process.
- Industry: Tolerance Moderate. Business processes: Strategy; Mergers & Acquisitions. IA program: review business controls over the strategy setting process; ensure S, W, O, T have considered the impact of industry/technology changes.
- Product Failure: Tolerance Low. Business processes: Production/Conversion (Production, Q&A, Customer Service, NPD). IA program: review controls over quality control and analyse customer returns; review controls over New Product Development.
- IT: Tolerance Moderate. Business processes: IT (program change, security, backup & recovery). IA program: review IT General Controls.
- Health & Safety: Tolerance Low. Business processes: General counsel; HR. IA program: reconfirm that controls are good in this area; analyse reports of safety issues.

43 Risk-based Internal Audit Plan
- Quantitative Analysis -> Significant Entities: ABC Electronics (SZ) Co., Ltd.; ABC Technology Co. (SZ); ABC Technology Co. (Shanghai)
- Qualitative Analysis -> Key Business Cycles: Revenue; Inventory; Procurement; Expenditure & Payroll; Fixed Assets; Bank & Cash; Financing; IT
- Sub-Cycles: Pricing strategies; Quality Control, Customer Returns; Working capital management

44 Best practices and lessons learned: Do
- establish a Risk Management Committee and Charter
- identify a risk champion supported by the CEO
- understand that ERM is a journey and not a project
- provide a holistic definition of business risk
- include consultants but do not let them drive ERM

45 Best practices and lessons learned: Don't
- underestimate the impact of existing culture
- undersell ERM as a business risk assessment
- implement ERM as a part-time job
- take on too much at one time
46 Agenda
- Introduction
- Applying risk-based internal audit in your company
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring
- Governance report card: trends in the market

47 COSO components: Control activities
- establishing and implementing policies and procedures to carry out the entity's objectives
- addresses the risk to achievement of objectives
- occurs throughout the organisation, at all levels and in all functions
- approvals, authorisations, verifications, reconciliations, segregation of duties, etc.

48 Plan & execute a risk response
- avoid: exit the risk-generating activity
- reduce: control the risk through preventive or detective measures
- share the risk: transfer the risk through a mechanism such as insurance
- accept: incorporate the likely cost of the risk's occurrence in the overall plan (i.e., price for the risk)

49 Risk response: What control investment should we make?
(chart: Inherent Risk (L/M/H) on the vertical axis against Investment (L/M/H) on the horizontal axis; regions labelled Under-Managed, Zone of Balanced Investment, and Over-Managed)

50 First steps to implementing sound control activities: People and plans
- identify or hire someone with appropriate skills to manage the process. Necessary skills include:
  - understanding of processes, risks and internal controls
  - understanding of COSO or a similar framework
  - time to devote to maintaining an understanding of the continuously changing requirements and options
- develop a game plan including timelines and scope determinations (i.e., who, what, when & where)

51 First steps to implementing sound control activities: Understand the Process-Activity Model
- examine impacts and relationships between upstream and downstream activities, and across processes
- risks that occur in one activity often manifest in other areas
- controls in one activity can mitigate risks in other activities
The Process-Activity Model: Procure-to-Pay; Plan-to-Report; Order-to-Cash; Hire-to-Retire; Inception-to-Retire (Capital); Plan-to-Fulfill (Supply Chain)

52 The Process-Activity Model sample: Procure-to-Pay process
The Procure-to-Pay process cuts across several functions (Procurement/Sourcing, Accounts Payable, Treasury, Tax, Other) and typically encompasses the activities listed below:
- Primary Activities: identify/analyse needs; manage suppliers; manage catalogs/items; create/approve requisitions; process purchase orders; receive items; manage inventory (activity integrates with the Plan-to-Fulfill process); process invoices; process expense reports; match vouchers; process payments; process accounting entries
- Support Activities: manage strategic sourcing & contracts; set up/maintain system control tables; manage reconciliation; manage supplier inquiries; measure suppliers & manage quality; measure internal compliance; manage warranties; manage taxes; manage security; report & query; manage integration processes; maintain process controls & manage risk
- Exception Activities: manage match exceptions; process manual payments; void/stop payments; process change orders; return items; manage integration exceptions
53 Agenda
- Introduction
- Applying risk-based internal audit in your company
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring
- Governance report card: trends in the market

54 COSO components: Information and communication
- systems of communications: how information is identified, captured, exchanged and used on a timely basis
- information systems: how reports are designed, produced, disseminated and used on a timely basis
- are the right people getting the right information at the right time?

55 COSO components: System of communications
- effectiveness with which employees' duties and control responsibilities are communicated
- establishment of channels of communication for people to report suspected improprieties
- receptivity of management to employee suggestions of ways to enhance productivity, quality or other similar improvements

56 COSO components: System of communications (cont'd)
- adequacy of communication across the organisation, and the completeness and timeliness of information and its sufficiency to enable people to discharge their responsibilities effectively
- openness and effectiveness of channels with customers, suppliers and other external parties for communicating information on changing customer needs
- timely and appropriate follow-up by management on issues reported

57 COSO components: Information
- obtaining external and internal information, and providing management with the necessary reports on the entity's performance relative to established objectives
- providing information to the right people in sufficient detail and on time to enable them to carry out their responsibilities efficiently and effectively

58 COSO components: Information
- development or revision of information systems based on a strategic plan for information systems, linked to the entity's overall strategy and responsive to achieving the entity-wide and process-level objectives
- management's support for the development of necessary information systems is demonstrated by the commitment of appropriate resources, human and financial

59 Domains of IT general controls
- IT control environment
- program development
- program changes
- computer operations
- access to programs and data

60 Two types of IT controls
1. General controls: controls that provide a reliable operating environment and support the effective operation of application controls
2. Application controls: controls that directly support reporting objectives
61 Agenda
- Introduction
- Applying risk-based internal audit in your company
  - control environment
  - risk assessment
  - case study
  - control activities
  - information & communications
  - monitoring
- Governance report card: trends in the market

62 COSO components: Monitoring
- assessing the quality of the system: ensures controls continue to operate effectively; adjusts for a changing environment
- ongoing monitoring activities: built into the normal, recurring activities; performed on a real-time basis
- separate evaluations: periodically tested based on circumstances; independent Internal Control Review

63 The objective of an internal control review: Financial statement audit versus Internal control audit
- Financial statement audit: material misstatement; correctness; test amounts/balances; understand all components of the F/S
- Internal control audit: what is the state of controls over a process; material weakness; tests of operation / effectiveness; understand all components of the process

64 Controls evaluation: Where should we invest evaluation resources?
- Higher-Risk Controls: detective; manual; address critical accounts & assertions; one control out of a few; operate in high-risk areas; operate in areas with turnover of key personnel; high degree of reliance on other controls
- Lower-Risk Controls: preventive; automated; address secondary accounts & assertions; one control out of many; operate in lower-risk areas; operate in a stable personnel environment; operate effectively on their own

65 Controls evaluation: Control risk vs. control reliance
(matrix: Control Risk (High/Low) against Control Reliance (Primary/Secondary))
- High control risk, primary reliance: highest level of evaluation and monitoring effort needed; should consider implementing supporting controls
- High control risk, secondary reliance: monitor closely; make sure other controls effectively mitigate the risk
- Low control risk, primary reliance: bread-and-butter controls; these controls do the job right, consistently
- Low control risk, secondary reliance: lower levels of evaluation and monitoring effort needed; generally small control procedures operating among many
66 Execute the internal audit

67 Independent internal control review - Organisation
Determine the scope of the project and the business units involved.
- Board of Directors -> Audit Committee -> Internal Audit Department; Professional Consultants / External Auditors
- The Internal Audit Department may not have: enough resources (manpower, experience); an applicable Internal Control System Framework; an assessment and testing strategy
- Due to limited resources and time, part or all of the Internal Audit Function is outsourced.

68 Internal control review (cycle diagram)
1. Company Risk Assessment: identify risks; limit review to significant areas
2. Documentation: document processes & controls; review design
3. Testing & Remediation: perform testing of controls; identify errors in operation of controls
4. Annual Reporting: declare evaluation of internal control
(centre of the cycle: Quality & Risk Mgmt.; Professional Excellence; Best Practices; Profitability)

69 Phase I: Entity-level Risk Assessment and Project Planning (Risk Assessment: identify risks; limit review to significant areas)
- leverage risk assessment work already performed for the scope of the audit
- identify applicable processes and activities
- create the project scope and plan for the remaining phases
- identify the project team

70 Phase II: Design Effectiveness (Documentation: document processes & controls; review design)
- identify key controls in place by conducting a walkthrough of the key processes to confirm existence
- determine whether there are significant gaps in the design of the controls
- key controls should be designed so as to detect or prevent error or fraud

71 Phase III: Operating Effectiveness (Testing & Remediation: perform testing of controls; identify errors in operation of controls)
- identify processes and controls for testing
- design tests of controls' operating effectiveness
- execute and document tests of controls
- identify potential issues or improvements and agree upon actions
- communicate and report results to management and the audit committee
- follow up on findings and agreed-upon action plans

72 Phase IV: Annual Reporting (declare evaluation of internal control)
- ongoing compliance: plan ongoing maintenance and testing through prospective management and internal audit activities
- broaden scope to cover other enterprise-wide risks

73 Internal control review approach: Risk & control reporting
- documentation gathered from the review should be effectively managed
- need to determine how to manage it and in what format; consider using software to simplify the process
- identify reporting deliverables, e.g. a Risk and Control Report: compiled on an annual basis, it provides the Audit Committee and the executive a single picture of the internal control environment, enabling an assessment of priorities and potential exposures across the company. This report will help the Audit Committee in preparing the Corporate Governance Report as required by the Listing Rules.

74 Internal control review approach: Manage the review
An Internal Control Review needs to be effectively managed. To do so, consider:
- all stakeholder expectations
- people responsible
- financial impact
- timeline
- communication strategy
- regulatory requirements
The Internal Audit Department is often chosen as the main responsible entity and must report directly to the Audit Committee. It is also very common to outsource or co-source the planning and internal audit to professional parties.
75 Conclusion: Potential Benefits of Effective Risk Management & Internal Control
- early entry into new business areas
- higher / sustainable share prices
- reduction in management time spent on fire fighting
- fewer sudden shocks or unwelcome surprises
- achievement of Company objectives
- increased likelihood of change initiatives being achieved
- achievement of competitive advantage
- better basis for strategy setting
- lower cost of capital
- more focus internally on doing the right things
Source: HKICPA Internal Control & Risk Management Framework (June 2005), adapted from Implementing Turnbull: A Boardroom Briefing, ICAEW

76 Overview of Grant Thornton in Hong Kong & mainland China
- dedicated to serving the needs of growing companies since 1949
- a member of Grant Thornton International
- services provided include Assurance, China practice, Tax, Business Risk, Corporate Finance, Forensic & Investigations, and Recovery & Reorganisation
- 42 Partners and a total of 1,300 personnel in 6 offices in mainland China and Hong Kong
- offices in Beijing, Shanghai, Guangzhou, Shenzhen and Chengdu with over 600 personnel

77 Your contacts
Patrick Rozario, Head of Business Risk Services
13/F, Gloucester Tower, The Landmark, 15 Queen's Road Central, Hong Kong
T: F: E: patrick.rozario@gthk.com.hk

78 Questions?
More informationTying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation
Tying It All Together: Practical ERM Integration Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation November 16, 2007 1 Agenda Basis for ERM Integration ERM Objectives ERM Focus
More informationApplication of King III Corporate Governance Principles
APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have
More informationINTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404
INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404 OF THE U.S. SARBANES-OXLEY ACT OF 2002 May 26, 2004 Copyright 2004 by, 247 Maitland Avenue, Altamonte Springs, Florida, 32701-4201, USA Internal Auditing
More informationEffective Internal Audit in the Financial Services Sector
Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors
More informationApplication of King III Corporate Governance Principles
Application of Corporate Governance Principles Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have been applied
More informationAdministrative Guidelines on the Internal Control Framework and Internal Audit Standards
Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page
More informationTransmittal Letter... 1. Objectives and Scope... 2. Approach... 3-7. Financial System... 8. Permitting Application... 9
Internal Audit Committee of Information Technology Risk Assessment Public Report Prepared By: Internal Auditors of Brevard County September 30, 2009 Table of Contents Transmittal Letter... 1 Objectives
More informationHow to Develop Successful Enterprise Risk and Vendor Management Programs
Project Management Institute New York City Chapter January 2014 Chapter Meeting How to Develop Successful Enterprise Risk and Vendor Management Programs Christina S. Kite Senior Vice President Corporate
More informationCSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.
Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1
More informationCapital Requirements Directive Pillar 3 Disclosure. December 2015
Capital Requirements Directive Pillar 3 Disclosure December 2015 1. Background The purpose of this document is to outline the Pillar 3 disclosures for BlueBay Asset Management LLP ( BlueBay ). BlueBay
More informationThe Role of Internal Audit in Risk Governance
The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any
More informationInforming the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013
Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council This version of the report is a draft. Its contents and subject matter remain under review and its contents
More informationInternal Audit Framework
Internal Audit Framework Internal Audit Framework National Treasury Republic of South Africa March 2009 (2 nd Edition) The Internal Audit Framework is being provided as a service to the Public Service.
More informationInternal Control Integrated Framework. May 2013
Internal Control Integrated Framework May 2013 0 Table of Contents COSO & Project Overview Internal Control-Integrated Framework Illustrative Documents Illustrative Tools for Assessing Effectiveness of
More informationInternal Audit Manual
COMPTROLLER OF ACCOUNTS Ministry of Finance Government of the Republic of Trinidad Tobago Internal Audit Manual Prepared by the Financial Management Branch, Treasury Division, Ministry of Finance TABLE
More informationFinance Effectiveness Efficiency
Business Unit Finance Effectiveness Efficiency An overview Agenda Page 1 Efficiency - An overview 1 2 Our services 7 3 Case study 14 Section 1 Efficiency - An overview 1 Section 1 Efficiency - An overview
More informationThe task of Orava s risk management is also to support in adapting to the changes in business and risk environment.
RISK MANAGEMENT POLICY AND PRINCIPLES 1 (17) Board of Directors 20 January 2011 RISK MANAGEMENT POLICY Orava s goals and tasks of the Risk management The central short-term goal of Orava is to distinctly
More informationIIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT
IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT Revised: Page 1 of 8 Introduction The importance to strong corporate governance of managing risk has been increasingly
More informationInternal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned
Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory
More informationGet More Out of Your Risk Assessment. Austin Chapter of the IIA
Get More Out of Your Risk Assessment Austin Chapter of the IIA Speakers Alyssa G. Martin, CPA Dallas Executive Partner, Advisory Services 25 years of public accounting experience, with a practice emphasis
More informationRISK MANAGEMENt AND INtERNAL CONtROL
RISK MANAGEMENt AND INtERNAL CONtROL Overview 02-09 Internal control the Board meets regularly throughout the year and has adopted a schedule of matters which are required to be brought to it for decision.
More informationRISK MANAGEMENT AND COMPLIANCE
RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6
More informationDRAFT. Informing the audit risk assessment for Cheshire Fire Authority. Year ending 31 March 2013 xx April 2013
Informing the audit risk assessment for Cheshire Fire Authority This version of the report is a draft. Its contents and subject matter remain under review and its contents may change and be expanded as
More informationQuality Assurance Checklist
Internal Audit Foundations Standards 1000, 1010, 1100, 1110, 1111, 1120, 1130, 1300, 1310, 1320, 1321, 1322, 2000, 2040 There is an Internal Audit Charter in place Internal Audit Charter is in place The
More informationInternal Financial Controls
Internal Financial Controls Who All Are Responsible? 3 What is Internal Financial Control (IFC)? 5 What is Internal financial controls over financial reporting (ICFR)? Internal Controls Global Perspective
More informationAuditing Module 7 June 2009. Suggested Solutions
Auditing Module 7 June 2009 Suggested Solutions 1 Question 1 1. Tests of control are tests carried out to obtain assurance about the operating and effectiveness of controls. An example of such a test would
More informationIntegrated Risk Management:
Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)
More informationWEEK 6. Objective 1: Sales Transaction Cycle Risks
WEEK 6 CSA ch4 & GS ch10: pp457-488 Objective 1: Sales Transaction Cycle Risks The major assertions of interest to the auditor in ST of balances for account receivable are existence and valuation and allocation.
More informationRolls Royce s Corporate Governance ADOPTED BY RESOLUTION OF THE BOARD OF ROLLS ROYCE HOLDINGS PLC ON 16 JANUARY 2015
Rolls Royce s Corporate Governance ADOPTED BY RESOLUTION OF THE BOARD OF ROLLS ROYCE HOLDINGS PLC ON 16 JANUARY 2015 Contents INTRODUCTION 2 THE BOARD 3 ROLE OF THE BOARD 5 TERMS OF REFERENCE OF THE NOMINATIONS
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationINTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS
INTERNATIONAL FOR ASSURANCE ENGAGEMENTS (Effective for assurance reports issued on or after January 1, 2005) CONTENTS Paragraph Introduction... 1 6 Definition and Objective of an Assurance Engagement...
More informationGUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES
20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal
More informationAudit of the Policy on Internal Control Implementation
Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF
More informationINTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315
INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial
More informationCENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
More informationSarbanes-Oxley Section 404: Management s Assessment Process
Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning
More informationPeriodic risk assessment by internal audit
Periodic risk assessment by internal audit I Introduction The Good Practice Internal Audit Manual Template, developed by the Internal Audit CoP of Pempal, defines the importance and the impact that an
More informationLOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE
LOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE The Comptroller s Economic Development and Analysis (EDA) Division provides education and direct assistance to local governments, helping
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More informationFundamentals Level Skills Module, F8 (IRL)
Answers Fundamentals Level Skills Module, F8 (IRL) Audit and Assurance (Irish) June 2008 Answers 1 (a) Prior year internal control questionnaires Obtain the audit file from last year s audit. Ensure that
More informationAudit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee
Audit Committee Dear Shareholder, We are satisfied that the business has maintained robust risk management and internal controls, supported by strong overall governance processes, and that management have
More informationHenkel s Compliance Management System (CMS)
Henkel s Compliance Management System (CMS) As a company that operates in an ethically and legally correct manner, Henkel s image and reputation is inseparable from the appropriate conduct of each of its
More informationINTERNAL AUDIT SERVICES Glenorchy City Council Internal audit report of Derwent Entertainment Centre financial business and operating systems
INTERNAL AUDIT SERVICES Internal audit report of Derwent Entertainment Centre financial business and operating systems ADVISORY Contents Executive summary...2 Internal audit findings...4 Summary of other
More informationHow to achieve excellent enterprise risk management Why risk assessments fail
How to achieve excellent enterprise risk management Why risk assessments fail Overview Risk assessments are a common tool for understanding business issues and potential consequences from uncertainties.
More informationBuilding a Strategic Internal Audit Function
Internal Audit Building a Strategic Internal Audit Function Ten steps to a strategically focused internal audit function With the passage of internal control related rules and regulations in countries
More informationMatthew E. Breecher Breecher & Company PC November 12, 2008
Applying COSO s Enterprise Risk Management Integrated Framework Matthew E. Breecher Breecher & Company PC November 12, 2008 The basic outline for this presentation was provided by: Objectives for the session:
More informationA Guide to Corporate Governance for QFC Authorised Firms
A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide
More informationGuidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.
Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance
More informationwww.pwc.com California ISO Audit of the Financial Statements for the Year Ending December 31, 2015 December 18, 2015
www.pwc.com California ISO Audit of the Financial Statements for the Year Ending December 31, 2015 December 18, 2015 Agenda Governance and audit communications Audit strategy Audit timing Perspectives
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationThe audit committee and risk management
Audit Committee Institute Sponsored by KPMG The audit committee and risk management Is the board of directors adequately overseeing management's process for identifying and monitoring key business risks?
More informationENTERPRISE RISK MANAGEMENT FRAMEWORK
ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...
More informationHow To Audit A Company
INTERNATIONAL STANDARD ON AUDITING 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial statements for
More informationAppendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT
Appendix 15 CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT The Code This Code sets out the principles of good corporate governance, and two levels of recommendations: code provisions; and recommended
More informationDirect Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference
Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference Chair An Independent Non-Executive Director In the absence of the Committee Chairman and an appointed
More informationDeveloping an Effective Enterprise Risk Management Program
Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationfmswhitepaper Why community-based financial institutions should practice enterprise risk management.
fmswhitepaper Why community-based financial institutions should practice enterprise risk management. By Michael D. Cohn, CPA, CISA, CGEIT Director, WolfPAC Solutions Group Unique Insights Implementation
More informationRisk and Audit Committee Terms of Reference. 16 June 2016
Risk and Audit Committee Terms of Reference 16 June 2016 Risk and Audit Committee Terms of Reference BHP Billiton Limited and BHP Billiton Plc Approved by the Boards of BHP Billiton Limited and BHP Billiton
More informationB o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing
B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued
More informationSample Financial institution Risk Management Policy 2011
Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control
More informationA Risk-Based Audit Strategy November 2006 Internal Audit Department
Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal
More informationASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES
ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND
More informationThe Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies
The Essentials of Enterprise Risk Management Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies Introduction How should an organization think about the management
More informationwww.pwc.com Business Resiliency Business Continuity Management - January 14, 2014
www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition
More informationSarbanes-Oxley Section 404 Implementation Practices of Leading Companies
Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies Dr. Robert A. Howell Distinguished Visiting Professor of
More informationGovernance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.
Governance and Risk Management in the Public Sector Fernando A. Fernandez Inter-American Development Bank (202) 623-1430 e-mail: fernandof@iadb.org 1 Agenda Governance, why is it important? Compliance
More information[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]
SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting
More informationCONSULTATION PAPER ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT
CONSULTATION PAPER ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT June 2014 CONTENTS Page No. CONTENTS... 1 EXECUTIVE SUMMARY... 1 CHAPTER
More informationUsing COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister
Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.
More informationPrudential Practice Guide
Prudential Practice Guide SPG 220 Risk Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users
More informationRisk Management and Internal Controls
Risk Management and Internal Controls Internal control The Board meets regularly throughout the year and has adopted a schedule of matters which are required to be brought to it for decision. This procedure
More informationSTANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices
A S I S I N T E R N A T I O N A L Supply Chain Risk Management: Risk Assessment A Compilation of Best Practices ANSI/ASIS/RIMS SCRM.1-2014 RA.1-2015 STANDARD The worldwide leader in security standards
More information2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase
Research Publication Date: 20 April 2010 ID Number: G00176029 2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase John E. Van Decker, Cathy Tornbohm This Gartner Financial
More informationQualification in Internal Audit Leadership (QIAL ) Exam Syllabus
QIAL SYLLABUS MARCH 2015 Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus The QIAL assessment comprises five sections: Case study 1*: Internal Audit Leadership (3 hours and 45 minutes)
More information