RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide




About This Course

Adding Value for Risk-based Auditing

Seminar Description
In this seminar, we will focus on:
- The foundation for risk-based auditing.
- Specific risk-based assessment methodologies, components, and best practices.
- Applying the knowledge to specific situations.

www.theiia.org/training

Seminar Objectives
By the end of this session, you will have had an opportunity to:
- Identify relationships between strategy, corporate governance, risk management, and controls.
- Identify key business processes and objectives.
- Produce a risk assessment.
- Produce a risk-based assurance plan.
- Describe entitywide controls and their relevance to the plan.
- Plan a risk-based engagement.
- Network with peers.

The Institute of Internal Auditors, Inc., Altamonte Springs, FL 2008

Seminar Topics
The following topics will be covered during the seminar:
- Role of internal auditing
- Corporate governance
- Risk management
- Control and (risk) frameworks
- Entitywide risk assessment
- Risk-based audit engagement

Participant Introductions
Introduce yourself to your team members using the following guide:
- Your name and job title.
- Your organization and its industry.
- Your experience in internal auditing.
- Related work experience.
- What you want to gain from this seminar.
- Something interesting about you that reveals your risk appetite.

Working Agreement
Much of the success of this course depends on creating an effective learning environment and process. To create this environment and process we want to have a Working Agreement. Our agreement follows the acronym PROCESS. We agree to demonstrate:

P = Participation. This seminar is highly participatory. By agreeing to actively participate in discussions and exercises, participants will get the greatest benefit from the program.

R = Respect. There will be times when we will agree to disagree on the significance of issues, possible solutions, and best practices. We agree to show respect by actively listening to other viewpoints and not forcing our views on other participants.

O = Openness. We will share our experiences and provide constructive feedback. By agreeing to such openness, participants can expand their perspectives and build their skills.

C = Confidentiality. Confidential matters should not be discussed outside class. Be aware that information of this kind may have consequences for others.

E = Enthusiasm. Be enthusiastic about this learning experience!

S = Sensitivity. Participants should be sensitive to the feelings and perspectives of others.

S = Sense of fun. This seminar should be an enjoyable experience for the participants and the leader. If we approach the discussions, exercises, and other learning tools in the right frame of mind, we will not only have more fun but will also learn more.

Ideas and Insights
As you go through the seminar, use the space at the end of each unit to record ideas and insights for your own use and to share with others in the seminar.

Quiz

True or false:
1. U.S. organizations are required to have internal audit departments under the U.S. Sarbanes-Oxley Act of 2002.
2. Internal audit departments must comply with the International Standards for the Professional Practice of Internal Auditing (Standards).
3. The Sarbanes-Oxley Act's primary focus is on improving corporate governance and transparency.

Multiple choice:
4. Risk-based auditing can best be described as:
   A. A best practice.
   B. Mandated under the Standards.
   C. Required by the Sarbanes-Oxley Act.
   D. All of the above.
   E. A and B only.

Quiz Answers

True or false:
1. False
2. False
3. True

Multiple choice:
4. E: A and B only

Role of Internal Auditing

Introduction

Overview
Risk-based auditing is perhaps the only way for an audit organization to add value to management and fulfill its charter responsibility to the independent directors.

Objectives
By the end of this unit, you should be able to:
- Identify the value of internal auditing.
- Define internal auditing.
- Describe the internal audit standards.
- Discuss risk-based auditing in organizations.

Resources
Readings and Resources: IIA Position Statement: Risk-based Internal Auditing

Understanding the Value of Internal Auditing

Value of Internal Auditing
"When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement." Jim LaTorre, PwC

Definition of Internal Auditing (Mandatory Guidance)
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit Standards

The Standards (Mandatory Guidance)
2100: Nature of Work. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Activities

Activity: My Organization's Approach to Risk-based Auditing
Instructions: On your own, spend a few minutes using the worksheet below to determine the degree of satisfaction with your organization's approach to risk-based auditing.

Elements                                             | Don't Know | Satisfied | Neutral | Dissatisfied
-----------------------------------------------------|------------|-----------|---------|-------------
Annual enterprisewide risk assessment                |            |           |         |
  By management                                      |            |           |         |
  By audit with the involvement of management        |            |           |         |
  With involvement of audit committee                |            |           |         |
Audit engagement risk assessment                     |            |           |         |
  Evaluation tools                                   |            |           |         |
  Client involvement                                 |            |           |         |
Corporate governance is assured                      |            |           |         |
Ethics program is assured                            |            |           |         |
Risk management is assured                           |            |           |         |
Internal audit activity maps to enterprise strategy  |            |           |         |
Skills and attitudes of auditors                     |            |           |         |
Audit plan is risk-based                             |            |           |         |

Activity: My Organization's Strengths and Weaknesses
Referring to your individual exercise responses, discuss the four questions below, select a spokesperson, and be prepared to report to the class.
- What are the strengths and best practices for the risk-assessment process in your organization?
- What are the weaknesses and challenges to the risk-assessment process in your organization?
- What is the current role of internal auditing in your organization?
- What are the opportunities for internal auditing in your organization?

Reading: Risk-based Internal Auditing Position Statement
Take a few minutes to read the Risk-based Internal Auditing position statement.

Unit Conclusion

Summary
You have completed the lesson Role of Internal Auditing. Here are some key points:
- When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement.
- Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- The internal audit activity must evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
- You examined your organization's approach to risk-based auditing and looked at the strengths and weaknesses of the risk-assessment process.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Corporate Governance

Introduction

Overview
Corporate governance is the foundation of risk-based auditing and should be understood before proceeding.

Objectives
By the end of this unit, you should be able to:
- Define corporate governance.
- Identify Performance Standard 2110: Governance.
- Identify the various aspects of corporate governance.
- Identify Assurance Performance Standard 2110.A1 and the elements of a good ethics program.
- Identify the areas an internal audit must assess, evaluate, and report on to assure corporate governance.

Resources
Readings and Resources: Position Paper: Organizational Governance: Guidance for Internal Auditors; The Case Study

Definition of Corporate Governance (Mandatory Guidance)
Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Governance Standard

Performance Standard 2110: Governance (Mandatory Guidance)
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organization; and
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

Framework for Corporate Governance
[Figure: Framework for Corporate Governance]

Ethics

Assurance Performance Standard 2110.A1 (Mandatory Guidance)
2110.A1: Evaluation of ethics program. The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

Elements of a Good Ethics Program
- Linked to core values
- Reliant on the integrity of the people who create, administer, and monitor it
- Dependent on tone at the top
- Dependent on an engaged board of directors
- Transparent to all stakeholders

Activity: Ethics Assurance in My Organization
Instructions: Discuss how you are assuring the ethics-related objectives, programs, and activities at your organizations.
- Record any strengths and best practices:
- Record any weaknesses and challenges:
Select a spokesperson and report to the class.

Assurance of Corporate Governance
Performing audit work to assure corporate governance requires assessing, evaluating, and reporting on the following areas:
- Governance structures, policies, charters
- Organization culture, ethics, and values
- Activities of audit committee
- Risk management structures and policies
- Internal audit processes and organization
- Fraud control and policy
- Compensation policies and processes
- Strategic planning and decision making
- Disclosure structure, process, rigor
- Enterprise Web page content
- Measurements

Case Study Activity: Community Medical Services Centers (CMSC)
Instructions:
- Review the company background information in the case study.
- Discuss the elements of good corporate governance.
- Discuss the gaps in effective corporate governance.
- Select a spokesperson and debrief the class.

Activity: Corporate Governance in My Organization
- List the elements of corporate governance that are evident at your organization.
- Identify what opportunities there are to broaden the role of internal auditing in corporate governance.

Unit Conclusion

Summary
You have completed the lesson Corporate Governance. Here are some key points:
- Corporate governance is the combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
- The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of these objectives: promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; effectively communicating risk and control information to appropriate areas of the organization; and effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
- Corporate governance consists of: compliance with legal or regulatory requirements, internal control assessment and reporting, enterprise risk management, quality initiatives, transparency and disclosure, and governance structures and processes.
- Assurance Performance Standard 2110.A1 requires that the internal audit activity evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
- A good ethics program is linked to core values, reliant on the integrity of the people who create, administer, and monitor the program, transparent to all stakeholders, and dependent on the tone at the top and on an engaged board.
- The areas an internal audit must assess, evaluate, and report on to assure corporate governance are: governance structures, policies, and charters; organization culture, ethics, and values; activities of the audit committee; risk management structures and policies; internal audit processes and organization; fraud control and policy; compensation policies and processes; strategic planning and decision making; disclosure structure, process, and rigor; enterprise Web page content; and measurements.

Implications
- The corporate governance process must be in the audit universe and assured.
- Business conduct or ethics programs must be in the audit universe and assured.
- All audit engagements must consider governance, ethics, and potential for fraud.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk Management

Introduction

Overview
If we are still performing audit assurance work according to the old models, we will miss a great deal of opportunity to demonstrate the value of an independent and objective audit function that is capable of and willing to examine governance and risk management gaps.

Objectives
By the end of this unit, you should be able to:
- Define enterprise risk management (ERM) and risk.
- Identify the difference between inherent and residual risk.
- Identify the assumptions of risk management.
- Identify the benefits of risk management.
- Identify the categories of risk.
- Identify the areas the internal audit activity must assess, evaluate, and report on to assure corporate governance.

Resources
Readings and Resources: The IIA's Position Paper, The Role of Internal Auditing in Enterprisewide Risk Management; The Case Study

ERM and Risk

Enterprise Risk Management Definition
Enterprise risk management is a process, affected by an entity's board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives. (COSO ERM)

Risk Definition (Mandatory Guidance)
Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Types of Risk: Inherent and Residual Risk

Inherent Risk Definition
Inherent risk is the underlying risk before any controls are applied to mitigate the risk.

Residual Risk (Mandatory Guidance)
The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Risk Management Assumptions
- All organizations exist to add value for stakeholders.
- All organizations face uncertainty.
- Value is created, preserved, or eroded by management decisions.
- ERM is an enabler of the management process.
- It is interrelated to governance.
- It is interrelated to performance management.

Benefits of Risk Management
- Aligns risk appetite and strategy
- Links growth, risk, and return
- Enhances risk response decisions
- Minimizes operational surprises and losses

Categories of Risk
- Strategic
- Operational
- Financial
- Compliance

Internal Audit Standards

Performance Standard 2120: Risk Management (Mandatory Guidance)
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.

Case Study Activity: CMSC Strategy and Risks
Note: There is no formal ERM at CMSC.

Instructions:
- Review the CMSC strategy in the case study.
- In your group, identify the risks to this strategy and assign them to the four categories of risk.
- Select a spokesperson and debrief the class.

Broad Risks to CMSC Strategy          | Risk Category
--------------------------------------|--------------
                                      |
                                      |
                                      |

What are the three most critical risks as you understand the CMSC business model?
1.
2.
3.

Activity: Risks in My Organization
- What are the risks that are unique to your industry, organization, or geography?
- Are all strategic risks identified and known to internal auditing? If not, which risks are unknown?
- Are all strategic risks mapped to the audit plan?
- What are the opportunities for internal auditing in the area of enterprise risk management in your organization?

Unit Conclusion

Summary
You have completed the lesson Risk Management. Here are some key points:
- Enterprise risk management is a process, affected by an entity's board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives.
- Risk is measured in terms of impact and likelihood.
- Inherent risk is the underlying risk before any controls are applied to mitigate the risk. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to risk.
- Risk management assumes that: all organizations exist to add value for stakeholders; all organizations face uncertainty; value is created, preserved, or eroded by management decisions; and ERM is an enabler of the management process, interrelated to governance, and interrelated to performance management.
- Risk management aligns risk appetite and strategy, links growth, risk, and return, enhances risk response decisions, and minimizes operational surprises and losses.
- The categories of risk are strategic, operational, financial, and compliance.
- The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Implications
- Risk management is a critical business process and must be in the auditable universe.
- Risk management is linked to strategy, vision, and values and is interdependent with governance.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Control (and Risk) Frameworks

Introduction

Overview
How many of your organizations have deployed COSO or COSO ERM?

Objectives
By the end of this unit, you should be able to:
- Define Performance Standard 2130: Control.
- Identify the elements of COSO control and ERM frameworks.
- Identify the internal control environment factors, risk management factors, control activity factors, information and communication factors, and monitoring factors.
- Identify the limitations of internal control and limiting factors.
- Identify roles and responsibilities in internal control.

Internal Audit Standard

Performance Standard 2130: Control (Mandatory Guidance)
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

COSO Control and ERM Frameworks
Report on Fraudulent Financial Reporting: Treadway Commission

Committee of Sponsoring Organizations (COSO):
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives Institute (FEI)
- Institute of Internal Auditors (IIA)
- Institute of Management Accountants (IMA)

Definition of Internal Control
Internal control is a process affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of reporting
- Compliance with applicable laws and regulations
(COSO)

Components of Internal Control (and ERM)
  Control (internal) environment
  Objective setting (ERM)
  Event identification (ERM)
  Risk assessment
  Risk response (ERM)
  Control activities
  Information and communication
  Monitoring

COSO Pyramid (figure)

COSO ERM Cube (figure)

Factors and Points of Focus
Internal Control Environment Factors (with Points of Focus)
Integrity and Ethical Values
  Codes of conduct and other policies.
  Tone at the top.
  Dealings with employees, suppliers, and customers.
  Appropriate remedial action.
  Management's attitude towards control intervention and override.
  Pressure to meet goals (e.g., short-term goals and compensation targets).
Commitment to Competence
  Job descriptions.
  Analyses of knowledge and skills.
Boards and Audit Committees
  Independence (questions management).
  Use of focused board committees.
  Knowledge and experience of directors.
  Frequency and timeliness of meetings with CFO, CAE, etc.
  Sufficiency and timeliness of information, including sensitive information and investigations.
  Oversight in executive compensation.
  Role in tone at the top.
Management's Philosophy and Style
  Nature of business risks accepted.
  Personnel turnover in key areas.
  Management's attitude toward and concerns about financial reporting and safeguarding assets.
  Frequency of interaction between senior and operating management.
  Attitudes and actions displayed in financial reporting.
Organizational Structure
  Appropriate organizational structure (e.g., information flow).
  Key managers understand their responsibilities and have adequate knowledge and experience.
  Appropriate reporting relationships.
  Organizational structure is modified in light of changed conditions.
  Sufficient numbers of supervisors to employees exist.
Authority and Responsibility
  Assignment of responsibility and delegation of authority provide for accountability and control.
  Appropriate control-related standards exist.
  Sufficient numbers of skilled employees exist.

  Appropriate balance between getting the job done and management involvement (i.e., employees have the right level of empowerment to correct problems and implement improvements).
Human Resources Policies and Procedures
  Hiring, training, promotion, compensation.
  Awareness of responsibilities and expectations.
  Background checks.
  Performance evaluations/salary increases.
  Links to integrity and ethics (e.g., remedial actions, compensation).
Risk Management's Philosophy and Appetite
  Aggressive attitude, level of attention to detail, statements about risks and acceptable losses, strategic and annual planning efforts, use of feasibility studies.

Risk Management Factors
  Objectives aligned with the organization's strategy, vision, and values
  Risks identified
  Risks assessed considering impact and likelihood
  Risk response, aligning risks with enterprise risk appetite
  Change management
  Forward-looking

Control Activities Factors
  Preventative, directive, manual, computer, and management
  Policies, principles, and procedures (The principles were not noted in the original COSO framework.)
  Integrated with risk assessment

Information and Communications Factors
Information
  Strategic and integrated systems
  Systems support strategic initiatives
  Integration with operations
  Quality of information (e.g., data integrity, complete information, and information related to strategic objectives)
Communication
  Internal
  External

Monitoring Factors
  Operational reports and MIS
  External parties
  Organizational structure
  Self-assessments
  Audits

Limitations of Internal Control
  Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement.
  Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved.

Limiting Factors
The factors that override control activities are:
  Judgment.
  Breakdowns.
  Overrides.
  Collusion.
  Cost versus benefits.

Roles and Responsibilities
Who is Responsible?
  Management owns controls.
  Management can empower others and see this as a partnership.
  Management cannot say they did not know.
  All personnel have control responsibility for their area.
  The board of directors is responsible for oversight and guidance.
  Internal auditing evaluates effectiveness.

Activity: COSO and ERM Discussion
Activity Instructions
Consider the COSO Control and ERM Frameworks. Discuss the following questions:
  Why do you think the COSO Control Framework was not widely embraced in 1991?
  Has your organization implemented COSO or COSO ERM? If not, what will it take to make this happen?
  How should the COSO ERM Framework be implemented?
Select a spokesperson and debrief the class.

Activity: Change the Vocabulary
Activity Instructions
Pick five terms related to risk-based assessment and define them in easy language for others in your organization.
  From internal environment to: leadership, human resources
  From risk assessment to: strategic planning
  From control activities to: process excellence, technology, continuous improvement
  From information and communication to: technology, human resources, leadership
  From monitoring to: metrics, measurements

Unit Conclusion
Summary
You have completed the lesson on Control and Risk Frameworks. Here are some key points:
  The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
  Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
  Enterprise risk management (ERM) is part of internal control, and the components of internal control and ERM are: control (internal) environment, objective setting (ERM), event identification (ERM), risk assessment, risk response (ERM), control activities, information and communication, and monitoring.
  The COSO pyramid and COSO ERM cube are good ways to visualize internal control and ERM.
  Internal control environment factors include integrity and ethical values, commitment to competence, the board of directors and audit committee, management's philosophy and style, the organizational structure, assignment of authority and responsibility, and human resource policies and practices.
  Other factors impacting internal control are risk management, control activities, information and communications, and monitoring factors.
  Internal control provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement.
  Internal control provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved.
  Internal control is limited by judgment, breakdowns, overrides, collusion, and cost versus benefits.
  Within internal control, management owns controls, all personnel have control responsibility for their area, the board of directors is responsible for oversight and guidance, and the internal audit activity evaluates the effectiveness of controls.

Implications
  Internal auditing must make the link between COSO frameworks, process excellence, and continuous improvement.
  Internal auditing must translate the language of control into the language of management.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Entitywide Risk Assessment

Introduction
Overview
Internal auditing includes developing business processes and an audit plan. This unit will explore both aspects of internal auditing.
Objectives
By the end of this unit, you should be able to:
  Identify Assurance Performance Standard 2130.A1.
  Identify the process for performing an entitywide risk assessment.
  Define business process.
  Identify the process of developing an audit plan.
Resources
Readings and Resources: The Case Study

Internal Audit Standard: Assurance Performance Standard 2130.A1
Mandatory Guidance 2130.A1: Evaluating adequacy and effectiveness of controls
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
  Reliability and integrity of financial and operational information;
  Effectiveness and efficiency of operations and programs;
  Safeguarding of assets; and
  Compliance with laws, regulations, policies, procedures, and contracts.

Entitywide Risk Assessment
Performing an Entitywide Risk Assessment
  Inventory the business processes, activities, or organizations that account for all organizational risks. The risk assessment should lead to an audit universe that probably will have units that have not been assured by internal auditing. The how, when, and why decision will come later, after there is consensus within the organization that all known risks have been catalogued.
  Determine impact of inherent risk.
  Determine likelihood of inherent risk. Some organizations will assess the impact and likelihood in separate steps using a matrix with two axes: impact and likelihood. Some organizations will assess the impact and likelihood in a combined step.
  Weight the risk factors.
  Assign relative risk score.
  Gain consensus from the audit committee.

Business Process
Business Process Definition
Business Process, GAO Definition: A collection of related, structured activities, a chain of events, that produce a specific service or product for a particular customer or customers.
Business Process, Anonymous Definition: A series of actions that is definable, repeatable, and measurable that supports the organization's objectives.

Case Study Activity: Business Processes
Review the case study. In your groups, determine the critical business processes essential to manage the risks to CMSC's strategy.
  What are the three most significant (strategic) business processes?
  Which business processes are the most fraud sensitive?
Select a spokesperson and debrief the class.

Audit Plan
Developing an Audit Plan
  Inventory the business processes or activities.
  Establish risk factors that apply to all processes or activities.
  Risk rank the auditable universe.
  Assign workload estimates to each unit.
  Assign any coverage rules.
  Develop full coverage plan.
  Consider resources.
  Identify gaps.
  Commit to constrained resources plan.
  Gain consensus from audit committee and management.

Typical Risk Universe and Audit Plan
Example: An auditable unit is defined as the intersection of a business process and an organization. All auditable units have six identical risk factors with ratings from one to seven.
All business processes have the following three risk factors:
  Strategic importance (scored 1 through 7)
  Financial impact (scored 1 through 7)
  Image and reputation (scored 1 through 7)
All organizations have the following three risk factors:
  Control environment (scored 1 through 7)
  Organizational stability (scored 1 through 7)
  Fraud sensitivity (scored 1 through 7)
Scores are totaled for all six factors for all auditable units; each auditable unit has a potential risk score ranging from 6 to 42.
  Units with scores of 36 to 42 are assured annually.
  Units with scores of 30 to 35 are assured every 24 months.
  Units with scores of 24 to 29 are assured every 36 months.
  Units with scores of 6 to 23 are assured on a risk basis.
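The scoring and coverage rules of this example, carried through the audit plan steps on the previous slide (workload estimates, coverage rules, resource gap, constrained plan), as an added Python illustration that is not part of the IIA guide. Process and outlet names, factor ratings and hour estimates are constructed sample data, and the greedy "highest score first" fill is one assumed way of committing to a constrained plan.

```python
"""Risk-universe scoring and audit-plan sketch (added example, not IIA material)."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Factor names follow the guide's example. Every factor is rated 1 (lowest risk)
# to 7 (highest risk), so a high "control environment" rating means a weak one.
PROCESS_FACTORS = ("strategic_importance", "financial_impact", "image_reputation")
ORG_FACTORS = ("control_environment", "organizational_stability", "fraud_sensitivity")
MIN_RATING, MAX_RATING = 1, 7


def _validate(ratings: dict, expected: tuple) -> None:
    """Reject missing, extra, or out-of-range factor ratings."""
    if set(ratings) != set(expected):
        raise ValueError(f"expected factors {expected}, got {tuple(ratings)}")
    for name, value in ratings.items():
        if not (isinstance(value, int) and MIN_RATING <= value <= MAX_RATING):
            raise ValueError(f"{name}={value!r} is not an integer in 1..7")


def risk_score(process_ratings: dict, org_ratings: dict) -> int:
    """Total of the six factor ratings for one auditable unit (6..42)."""
    _validate(process_ratings, PROCESS_FACTORS)
    _validate(org_ratings, ORG_FACTORS)
    return sum(process_ratings.values()) + sum(org_ratings.values())


def assurance_cycle_months(score: int) -> Optional[int]:
    """Coverage rule from the guide: 36-42 annual, 30-35 every 24 months,
    24-29 every 36 months, 6-23 on a risk basis (returned as None)."""
    if not 6 <= score <= 42:
        raise ValueError(f"score {score} outside 6..42")
    if score >= 36:
        return 12
    if score >= 30:
        return 24
    if score >= 24:
        return 36
    return None


@dataclass
class AuditableUnit:
    process: str
    organization: str
    score: int
    cycle_months: Optional[int]
    workload_hours: int


def build_universe(processes: dict, organizations: dict, workload: dict) -> list:
    """An auditable unit is the intersection of a business process and an
    organization; the universe is the full cartesian product, ranked by score."""
    units = []
    for (p_name, p_ratings), (o_name, o_ratings) in product(processes.items(), organizations.items()):
        score = risk_score(p_ratings, o_ratings)
        units.append(AuditableUnit(p_name, o_name, score, assurance_cycle_months(score),
                                   workload.get((p_name, o_name), 0)))
    return sorted(units, key=lambda u: u.score, reverse=True)


def due_in_year(unit: AuditableUnit, year_index: int) -> bool:
    """Year 0 is the first plan year; a unit on an N-month cycle is due every N/12 years.
    Risk-basis units have no fixed cycle and are left to judgement."""
    if unit.cycle_months is None:
        return False
    return year_index % (unit.cycle_months // 12) == 0


def constrained_plan(units: list, year_index: int, available_hours: int) -> tuple:
    """Full coverage plan for the year, then commit only what resources allow
    (assumed rule: highest score first, skipping units that no longer fit).
    Returns (committed, gap); the gap is what the audit committee must see."""
    due = [u for u in units if due_in_year(u, year_index)]  # already score-ordered
    committed, gap, used = [], [], 0
    for u in due:
        if used + u.workload_hours <= available_hours:
            committed.append(u)
            used += u.workload_hours
        else:
            gap.append(u)
    return committed, gap


# Constructed sample data (illustrative only, not drawn from the case study).
SAMPLE_PROCESSES = {
    "Payroll": {"strategic_importance": 6, "financial_impact": 7, "image_reputation": 5},
    "Facilities": {"strategic_importance": 4, "financial_impact": 5, "image_reputation": 4},
}
SAMPLE_ORGS = {
    "Outlet A": {"control_environment": 7, "organizational_stability": 6, "fraud_sensitivity": 6},
    "Outlet B": {"control_environment": 4, "organizational_stability": 3, "fraud_sensitivity": 3},
}
SAMPLE_WORKLOAD = {("Payroll", "Outlet A"): 200, ("Payroll", "Outlet B"): 160,
                   ("Facilities", "Outlet A"): 120, ("Facilities", "Outlet B"): 80}

if __name__ == "__main__":
    universe = build_universe(SAMPLE_PROCESSES, SAMPLE_ORGS, SAMPLE_WORKLOAD)
    for u in universe:
        print(f"{u.process}/{u.organization}: score {u.score}, cycle {u.cycle_months}")
    committed, gap = constrained_plan(universe, 0, 400)
    print("year 1 committed:", [(u.process, u.organization) for u in committed])
    print("year 1 gap:", [(u.process, u.organization) for u in gap])
```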

Activity: Resources Discussion
  What is the impact if you do not have appropriate resources?
  Do you match the plan to resources? What do you do about the gap?
  How do you manage audits that go over planned time?
  How do you address fraud risks in the audit plan?

Unit Conclusion
Summary
You have completed the lesson Entitywide Risk Assessment. Here are some key points:
  Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel.
  The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems.
  The process of performing an entitywide risk assessment includes these steps: inventory the business processes, activities, or organizations that account for all organizational risks; determine the impact and likelihood of inherent risk; weight the risk factors; assign a relative risk score; and gain agreement from the audit committee.
  Business process has been defined as a collection of related, structured activities, a chain of events, that produces a specific service or product for a particular customer or customers.
  An audit plan should inventory the business processes or activities, establish risk factors that apply to all processes or activities, risk rank the auditable universe, assign workload estimates to each unit, assign any coverage rules, develop a full coverage plan, consider resources, identify gaps, commit to a constrained resources plan, and gain consensus from the audit committee and management.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk-based Audit Engagement

Introduction
Overview
This unit will discuss the risks to business processes, setting up controls to manage those risks, and reporting on the results of risk-based assurance activities.
Objectives
By the end of this unit, you should be able to:
  Identify the process of performing a risk-based engagement.
  Identify the attributes of a business process definition or objective.
  Identify the risks to business processes and risk events.
  Identify the four common ways to manage risk.
  Identify the definition of controls, the types of controls, and evaluation methods for controls.
  Identify internal audit standards 2210, 2210.A1, 2210.A2, 2210.A3, and 2240.
  Identify the guidelines for reporting the results of a risk-based audit engagement.
Resources
Readings and Resources: The Case Study

The Engagement
Performing the Engagement
  Reassess the risk assumptions of the auditable unit. Validate that the process in fact has sufficient risk to warrant assuring in this audit cycle.
  Understand the business process and its objectives.
  Identify the risks to the objectives. Usually, the client will do this in conjunction with their own process documentation.
  Measure and prioritize risks.
  Identify controls and evaluate the design.
  Develop audit objectives and program.

Business Process Objective
Definition of Objective
Attributes:
  Clearly defined deliverable or outcome
  Includes the business event that triggers the process
  States inputs and outputs
  Includes business decisions that are part of the event response
  May indicate flow of material or information between process steps
Example, general accounting objective:
To record and report all financial transactions timely, accurately, and in accordance with GAAP and all applicable laws and regulations. Moreover, the information should be sufficiently concise, relevant, reliable, and comparable (period-to-period) to ensure ease of use by all stakeholders. The process begins with the receipt of any financial transaction and concludes when executive management and the board have accepted the results.

Case Study Activity: Objective Statement
In your group, write a business process objective statement for the human resources process. Use the attributes noted in your participant guide. Select a spokesperson and be prepared to report.

Risks to Business Processes
Mandatory Guidance: Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
General accounting risks:
  Material misstatements of financial records
  Regulatory challenges
  Tax errors
  Not understood by stakeholders
  Reputation
  Unauthorized or unapproved entries

Identifying Risk Events
  What could go wrong?
  Who could we fail?
  Where are we vulnerable?
  What resources do we need to protect?
  What must go right for us to succeed?
  How could our operations be disrupted?
  How do we know if we are achieving our objectives?
  What information must we rely on?
  What decisions require the most judgment?
  What activities are the most complex?
  What activities are regulated?
  What is our greatest legal exposure?
  How could someone convert assets?
  How successful will we be at managing change?
  How will we retain critical resources?

Managing Risk
Risk Management
These are four common ways to manage risk:
1. Avoid the risk (e.g., decide not to offer the product or service because the risk is higher than the organization's risk appetite, not to enter a new geographic market due to the lack of cultural knowledge or a highly corrupt environment, or not to proceed with an acquisition as a result of due diligence that shows excessive legal liability).
2. Transfer the risk (e.g., find a partner to enter a new geographic market or purchase insurance).
3. Accept the risk because it is within the known risk appetite and the cost of controls exceeds the benefit.
4. Reduce the risk by controls. This is the usual approach, but with the caveat that an appropriate cost-benefit analysis should be performed to ensure that excessive controls don't lead to a lost-opportunity risk.

Case Study Activity: Business Process Objectives
Review the human resources business process for which you wrote the process objective statement. In your group, identify the risks to meeting those business process objectives. Determine which are strategic, operational, financial, or compliance. Determine the likelihood and impact using a high, medium, and low scale. Select a spokesperson and be prepared to report.

Worksheet: Risks to the Business Process
Risk                  Likelihood    Impact    Score
Strategic Risks
Operational Risks
Reporting Risks
Compliance Risks

Identifying Controls
Mandatory Guidance: Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Types of Controls
  Directive: Controls that encourage desirable events to occur.
  Preventative: Controls that prevent undesirable events from occurring.
  Detective: Controls that detect undesirable events that have already occurred.
  Mitigating: Controls that compensate for a missing or costly control.

Evaluating Controls
  Adequacy: Determine whether the process, as designed, provides reasonable assurance (operational auditing).
  Effectiveness: Determine whether the process is functioning as intended (transactional testing).

Internal Audit Standards: 2210 Engagement Objectives
Mandatory Guidance 2210: Engagement Objectives
Objectives must be established for each engagement.
Mandatory Guidance 2210.A1: Preliminary assessment of risk
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
Mandatory Guidance 2210.A2: Probability of significant errors and other exposures
Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Mandatory Guidance 2210.A3: Setting criteria to evaluate controls
Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
Mandatory Guidance 2240: Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.

Case Study Activity: Entitywide and Activity-level Controls
1. Review the risks to the human resources hiring sub-process that you identified in the case study.
2. Refer to the case study.
3. Identify two or three entitywide controls you would expect to manage the risks to this process.
  1.
  2.
  3.
4. Identify two or three activity-level controls you would expect to manage the high-risk areas you have identified.
  1.
  2.
  3.
5. Identify one control to manage a medium- to low-risk area.
6. Determine the audit tests you would perform.
7. Agree on at least two tests you would not perform in a risk-based engagement.
8. Select a spokesperson and be prepared to report.

Worksheets: Controls to Manage the Risks
Controls                        Test Approach
Entitywide Controls
  1)
  2)
  3)
Activity-level Controls
  1)
  2)
  3)
  4)

Reporting the Results
Reporting the Results of Risk-based Audit Activity
  Needs assessment: Used to determine the level of the report's readers, who the audience for the report is, and what level of detail is needed in the report.
  Reporting should be timely.
  Use the language of risk rather than control and compliance: adding value versus the old stereotypes of control and compliance.
  Management actions: Risk-based audit engagements are only complete when:
    Management understands the residual risks they need to mitigate.
    Deficiencies have been mitigated.
    The audit committee has accepted management's actions as appropriate.

Unit Conclusion
Summary
You have completed the lesson Risk-based Audit Engagement. Here are some key points:
  Performing a risk-based engagement requires internal auditing to reassess the risk assumptions of the auditable unit, understand the business process and its objectives, identify the risks to the objectives, measure and prioritize risks, identify controls and evaluate the design, and develop audit objectives and a program.
  The attributes of a business process definition or objective are that it has a clearly defined deliverable or outcome, includes the business event that triggers the process, states inputs and outputs, includes business decisions that are part of the event response, and may indicate flow of material or information between process steps.
  Risk is the possibility of an event occurring that will have an impact on the achievement of objectives, and it is measured in terms of impact and likelihood.
  One of the best tools for internal auditing in identifying risk events is to ask questions.
  The four common ways to manage risk are: avoid, transfer, accept, and reduce to an acceptable level via controls.
  A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
  Controls fall into four categories: directive, preventative, detective, and mitigating.
  Controls are evaluated on their adequacy and effectiveness.
  Standard 2210 states that objectives must be established for each engagement.
  Standard 2240 states that internal auditors must develop and document work programs that achieve the engagement objectives.
  A needs assessment should be performed to determine which readers want what level of detail.
  A risk-based auditing engagement has not been concluded until management has bought into the residual risk that needs remediation, has remediated the deficiency, and the audit committee has accepted management's remediation as being appropriate.

Implications
  Audit engagements start with understanding the business process and its risks.
  Audit engagements end when the audit committee is satisfied with management's resolution.
  Various risks need to be scored and assessed. Not all risks warrant testing.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Seminar Conclusion

Introduction
Overview
This unit will help you recall the key concepts and techniques we have discussed. It is also intended to enable you to plan how to use what you have learned when you return to work.
Objectives
After completing this lesson, you should be able to:
  Discuss any open items or expectations and identify your plans and next steps.
  Restate major concepts and skills learned during the seminar.

Putting It All Together
Seminar Objectives Revisited
By the end of this session, you will have had an opportunity to:
  Identify relationships between strategy, corporate governance, risk management, and controls.
  Identify key business processes and objectives.
  Produce a risk assessment.
  Produce a risk-based assurance plan.
  Describe entitywide controls and their relevance to the plan.
  Plan a risk-based engagement.
  Network with peers.

Activity: Roundtable Discussion
  What percentage of your time is spent on planning vs. field work and reporting?
  How have you marketed the internal audit function in your organization?
  Is the internal audit function in your organization demand driven?
  What is internal audit's reputation in your organization?

Implications
  There are more key processes than internal auditing can assure on a timely schedule.
  There are more risks to process objectives than policies and procedures can manage.
  There are many controls that are not cost-effective.
  There are valuable entity-level controls that are effective and can reduce process (activity-level) controls.
  Internal audit adds exponentially more value by assuring governance, risk management, and controls that have the greatest impact on strategy.

Plan for Action
  Review the topics that were discussed during the program.
  Select concepts and techniques that you learned or re-emphasized that will help you accomplish the challenges you face.
  Be specific as to how you will use the information you have learned.

Wrap-up
Thank you for your participation!

Case Study: Adding Value for Risk-based Auditing

Community Medical Service Center
Company Background
Community Medical Services Centers (CMSC) entered the healthcare industry seven years ago. CMSC's founder and principal owner, Jimmy Grey Stockton, grew up in a small North Carolina town. He is concerned that many of these communities no longer have adequate medical services because their local hospital has closed or cut back on services. As a result of this concern, Mr. Stockton attracted 60 investors and created a public but closely held corporation. Ten of the investors serve on the board of directors. Mr. Stockton serves as chief executive officer (CEO) and chairman. The corporate office is located in Carthage, NC. CMSC has now grown to 12 outlets.
Mr. Stockton is from a family of health professionals. His father was, for many years, the only family practitioner in the small town where he grew up. His mother was a nurse in the community. Jimmy Grey, after military service, became a physical therapist through a program at the community college and started a practice associated with an orthopedic clinic in a neighboring town. This practice was highly successful and led to acquisitions of related healthcare services in surrounding counties. As the need for capital grew beyond family and friends, CMSC went public with an initial public offering (IPO) five years ago.
The board of directors is composed of ten original investors in addition to Jimmy Grey. They are:
  Dr. Marjorie Fisk, MD, internist
  Dr. Jim Golden, DVM, veterinarian
  Dr. Bernard Miller, OD, anesthesiologist
  Ms. Meriwether Petigru, real estate broker and owner of Sand Hills Realty
  Mr. Chester Pinkny, CEO and Chairman of First Bank of the South
  Mr. Lad Powell, retired attorney whose previous law firm acts as counsel to CMSC
  Mr. Bruce Ray, CPA, partner in a local public accounting firm
  Mr. Larry Scoggins, real estate developer and entrepreneur
  Lt. Col. Tommy Lee White, USMC retired
  Mr. Hunter Winfrey, owner of Hunter's Fish Camp

The executive team is comprised of:
- Mr. Jimmy Grey Stockton, CEO and Chairman
- Mr. Rodney Scoggins, CFO
- Ms. Laura Ferguson, VP Business Development
- Mr. Jay Green, CPA, Controller
- Ms. Angela Pharr, VP Human Resources
- Mr. Russell Jordan, RN, Medical Services

There is an open executive search for a chief information officer (CIO). The role of risk officer has been assigned to Jay Green. The role of compliance officer has been assigned to Rodney Scoggins. There is no chief audit executive, as the internal audit role has been outsourced to a regional public accounting firm in Charlotte. A different public accounting firm has been retained for external auditing services, also with offices in Charlotte. Outside legal counsel has been retained; board member Lad Powell was a partner in the firm before retiring from the firm three years ago.

CMSC's Web site, recently launched, has the following information disclosed:

Our Vision
CMSC's vision is to develop world-class non-critical-care health centers in under-served markets to improve the health of patients through innovative health care and wellness programs.

Our Mission
CMSC's mission is to deliver high-quality, innovative health-care services that help patients regain and improve their health.

Our Values
- Honesty and integrity in all of our dealings with stakeholders
- Exceed patients' expectations
- Dedicated people working as a team
- Market-driven, results-oriented health-care provider
- Respect and embrace diversity
- Balance work and personal life
- Make a difference in all of the communities that we serve

The Institute of Internal Auditors, Inc., Altamonte Springs, FL 2008 - 3 -

Stockholder Relations
- Board of Directors
- Board Committees (Audit, Governance, Executive Compensation)
- Executive Officers
- Corporate Governance Guidelines
- Business Conduct Guidelines
- Certificate of Incorporation
- Bylaws
- Director Compensation
- Executive Compensation
- Beneficial Ownership
- Commitment to Sarbanes-Oxley Compliance
- Commitment to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Quarterly and Annual SEC Filings
- How to Contact the Board

CMSC Strategy and Risks

CMSC's strategy was developed by the executive team and ratified by the board of directors six months ago. The primary strategic initiative is to grow from 12 medical services centers to 24 within 3 years and to 48 centers within 5 years. This is expected to be achieved by acquiring small, underutilized hospitals and physician-owned, out-patient surgical centers. CMSC hopes to attract physicians and establish regional cardiac care centers as well as cancer treatment centers to include the full range of cancer treatments. The strategy foresees a need to acquire or start a patient transportation subsidiary to include emergency air ambulance capability. Additionally, the strategy calls for affiliation with a major university health center such as Duke, UNC, or Wake Forest in the fifth year of the strategy.

The strategy anticipates the need for capital in the near term and suggests a secondary stock offering within 18-24 months when current capital is exhausted. Financial performance has been satisfactory to the investors to date, and the secondary offering is presumed to raise sufficient capital. The market area includes small towns with populations less than 10,000 in North Carolina.

Considerations:
- How robust do you think the strategic planning process is with the information presented?
- Who should be involved in the strategic planning process?
- Who should own the strategic planning process?
- How would you provide reasonable assurance that the strategy would be carried out as outlined?
- How would you monitor success of the strategy as it evolved?
- To whom would you report progress as the strategy evolved?

[Figure: Community Medical Services Center - Typical Floor Plan]

CMSC Hiring Process Narrative

A CMSC department manager completes an employee requisition form, which is routed to an HR associate at the location. The HR associate sends the requisition by internal mail or fax to the regional manager for review. If the position is not budgeted or exceeds the budgeted salary, the director of human resources must review and approve the requisition. The position is then posted on the Intranet Web site, and HR personnel list the position with external recruiting sources.

The HR associate receives applications and resumes and then meets with the requesting department manager to determine which applicants to invite in for interviews. Rejection letters are sent to those applicants that are not interviewed. The HR associate and department manager interview applicants, and each interviewer completes an applicant evaluation form. The interviewers reach a consensus hiring decision or continue the search. All evaluation forms are sent to the corporate Human Resources department.

The department manager completes an Offer Letter Request form and sends it to the regional manager. The regional manager orders any background and licensing checks and sends the offer letter after satisfactory responses are received, with copies to the HR associate and department manager. Upon acceptance of the offer, the Human Resources department notifies the HR associate, who then establishes an employee file and orientation package. The department manager completes the payroll authorization form and updates the payroll application and HR database. This data is verified by the HR department before processing can occur. The HR administrator receives payroll reports for all personnel at the site they are responsible for.

Planning Comments

Some department managers and associates said the HR policy manual (over 200 pages) is difficult to use. They also indicated the process takes too long: the HR department is a bottleneck, forms are frequently lost or misplaced for long periods of time, and HR staff are slow in returning phone calls and e-mails. HR staff said they relied on the HR policy manual, properly completed forms, formal reviews and approvals, and separation of duties in the payroll process to adequately manage the risks.

Position Statement
The Institute of Internal Auditors UK and Ireland

Risk Based Internal Auditing

Introduction

The focus of internal audit work has shifted dramatically over the last decade. There has been a move from systems based auditing to process based auditing, and the current emphasis is on Risk Based Internal Auditing (RBIA). RBIA is a much used and much misunderstood term. This paper aims to set out the Institute's position with regard to RBIA and to offer some high level guidance on how to approach it.

Context

The current definition of internal auditing is that it is:

An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

RBIA is an approach that can help to meet these requirements. The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasise adopting a risk-based approach to internal auditing. This approach is also consistent with the Turnbull guidance, Internal Control: Guidance for Directors on the Combined Code, which requires directors to adopt a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness, and to embed risk management and internal control into the culture of the organisation.

Internal auditors need to adopt a risk-based approach compatible with that adopted by their organisation. There are many approaches which could be adopted by internal audit, depending on the extent to which internal audit is able to rely on the risk management processes across the organisation. This enables the auditor to avoid duplicating processes already carried out by management, and allows him or her to question management's processes or conclusions.

Internal auditors might say that they have always focused their efforts on the riskier areas of the organisation. However, this approach has historically been directed by internal audit's own assessment of risk. The key distinction with RBIA is that the focus should be to understand and analyse management's assessment of risk and to base audit efforts around that process.

What is Risk Based Internal Auditing?

The objective of RBIA is to provide independent assurance to the board that:
- The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
- These risk management processes are of sound design.
- The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
- A sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement. The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite). While internal audit's main contribution is to provide assurance on management's treatment of risk (through governance and control processes), it may also advise management on other aspects of their response to risks, such as decisions to terminate, transfer or tolerate risks.

The Risk Based Internal Auditing approach is described schematically below (the original diagram is rendered here as its sequence of steps and decisions):

1. Corporate objectives, then identification of risks to achieving those objectives, then: what is the risk appetite of the business?
2. Is the risk management process an adequate and effective process for identifying, assessing, managing and reporting on risk?
   - Yes: use the organisation's own view of risk as far as possible.
   - No: facilitate risk identification with management; facilitate refinement.
3. Determine the risk universe.
4. Determine the scope and priority of assignments; based on risks, select areas for review.
5. For each area, review the adequacy of the risk management processes to identify and manage risks.
   - Where largely OK: evaluate the processes and determine how management gain assurance that the risk management activities are being carried out as intended.
   - Where not OK: facilitate risk identification and assessment (inherent risks, mitigation, residual risks).
6. Give assurance where OK and facilitate improvement where not.

The practice of Risk Based Internal Auditing

Points of information:

The scope of risk-based internal auditing includes strategic and business risks. The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.

In a mature risk management environment the focus of internal audit work may be:
- Auditing the risk management infrastructure, for example, resources, documentation, methods, reporting.
- Auditing the whole system of internal control for the complete organisation and for individual departments.
- Carrying out individual audit assignments that are predominantly about specific risks. Where a number of risks are controlled through a common system or process, it may be appropriate to perform a combined audit of that system or process.

In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business units, internal audit needs to review business objectives and risk management processes within each of these auditable entities.

Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation's own view of the risks in order to determine the audit work that it needs to carry out. Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities are operating as intended. The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

Each organisation must determine how it wishes to implement risk management. This will help determine its appetite for risk and the level of its risk maturity. For example, not all organisations will wish to become completely risk enabled, as they may need to weigh up the costs against their views on the potential benefits. It is for the board of directors and senior management team to determine how far along the risk management continuum they wish to travel.

In addition to risk management maturity within an organisation, the extent to which internal audit needs to undertake its own risk assessment also depends upon the degree and speed of strategic and organisational change.

When undertaking an audit of a project, the risk management processes covering projects in general and also those specific to the individual project need to be covered.

Conclusion

RBIA does not preclude the use of systems-based and/or process-based auditing as circumstances dictate. It is, however, an approach that focuses on the issues that matter to the organisation and on providing assurance on the risk management framework adopted by the organisation. RBIA will enable internal audit to link directly with the risk management framework, thereby leveraging synergies.

It is important to understand that not all organisations are at the same stage of risk management implementation. The following diagram sets out a range of stages of risk management maturity (the risk management continuum) and the internal audit approach that might be adopted at each stage:

Risk Naive
  Key characteristics: No formal approach developed for risk management.
  Internal audit approach: Promote risk management and rely on audit risk assessment.

Risk Aware
  Key characteristics: Scattered, silo based approach to risk management.
  Internal audit approach: Promote an enterprise-wide approach to risk management and rely on audit risk assessment.

Risk Defined
  Key characteristics: Strategy and policies in place and communicated. Risk appetite defined.
  Internal audit approach: Facilitate risk management / liaise with risk management and use management's assessment of risk where appropriate.

Risk Managed
  Key characteristics: Enterprise-wide approach to risk management developed and communicated.
  Internal audit approach: Audit risk management processes and use management's assessment of risk as appropriate.

Risk Enabled
  Key characteristics: Risk management and internal control fully embedded into the operations.
  Internal audit approach: Audit risk management processes and use management's assessment of risks as appropriate.
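As an added illustration (not part of the Institute's position statement, and not an IIA method), the Python below scores a constructed risk register on an impact x likelihood scale, computes inherent (gross) and residual (net) risk as the glossary defines them, compares residual risk to a per-risk appetite, and chooses the assignment type the schematic implies: rely on management's residual view where the risk management process has been judged adequate, fall back to internal audit's own inherent-risk assessment where it has not. The 1-5 scales, the control-effectiveness factor, the register entries and the appetite figures are all assumptions made for this example.

```python
"""Residual-risk scoring and selection of audit assignments.

Added example, not IIA material. Assumptions (not from the position
statement): a 1-5 impact x 1-5 likelihood scale, a control-effectiveness
factor supplied by management, and a constructed risk register.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                   # inherent impact, 1 (low) .. 5 (high)
    likelihood: int               # inherent likelihood, 1 .. 5
    control_effectiveness: float  # management's view: 0.0 untreated .. 1.0 fully mitigated
    appetite: float               # board's maximum acceptable residual score for this risk

    def __post_init__(self) -> None:
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: impact and likelihood must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be 0..1")

    @property
    def inherent(self) -> int:
        """Gross risk: no account taken of any risk management activity."""
        return self.impact * self.likelihood

    @property
    def residual(self) -> float:
        """Net risk: gross risk after management's claimed mitigation."""
        return self.inherent * (1.0 - self.control_effectiveness)


def plan_assignments(register: Iterable[Risk], rely_on_management: bool) -> List[Tuple[str, str]]:
    """Return (risk name, action) pairs, highest scoring risk first.

    rely_on_management=True: the risk management process was judged adequate,
    so management's residual view drives scoping (risk managed / enabled).
    rely_on_management=False: internal audit assesses risk itself and ignores
    the claimed control effectiveness (risk naive / aware).
    """
    scored = []
    for r in register:
        if rely_on_management:
            score = r.residual
            if score > r.appetite:
                action = "facilitate improvement: residual risk exceeds appetite"
            elif r.inherent > r.appetite:
                # acceptable only because of controls: give assurance that the
                # risk management activities are operating as intended
                action = "assurance: test that mitigation operates as intended"
            else:
                action = "no assignment: within appetite without reliance on controls"
        else:
            score = r.inherent
            if score > r.appetite:
                action = "audit: assess risk and controls with management, no reliance on residual view"
            else:
                action = "no assignment: inherent risk within appetite"
        scored.append((score, r.name, action))
    scored.sort(key=lambda t: t[0], reverse=True)  # stable sort: ties keep register order
    return [(name, action) for _, name, action in scored]


# Constructed register for a fictional healthcare provider; every figure is made up.
REGISTER = [
    Risk("Acquisition integration", impact=5, likelihood=4, control_effectiveness=0.5, appetite=6),
    Risk("Payroll data accuracy", impact=4, likelihood=3, control_effectiveness=0.75, appetite=4),
    Risk("Office supply overspend", impact=1, likelihood=3, control_effectiveness=0.0, appetite=4),
    Risk("Patient data breach", impact=5, likelihood=2, control_effectiveness=0.9, appetite=2),
]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"rely_on_management={mode}")
        for name, action in plan_assignments(REGISTER, rely_on_management=mode):
            print(f"  {name:24s} {action}")
```

Run with the reliance flag set both ways to see the difference the maturity judgement makes: with reliance, "Payroll data accuracy" drops from an inherent 12 to a residual 3 and becomes a controls-assurance assignment; without reliance it stays a full audit, because internal audit has no basis to accept management's mitigation claim.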

Glossary of terms

Risk: the chance of something happening or not happening that will have an influence upon the achievement of business objectives.

Risk identification: the process of determining what can happen, why and how.

Risk analysis: the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences. Measured in terms of impact and likelihood.

Risk management activities: the methods by which an organisation chooses to manage its risks as outlined above. This replaces the traditional approach that focused purely on internal controls.

Inherent (gross) risk: the status of the risk (measured through impact and likelihood) without taking account of any risk management activities that the organisation may already have in place.

Residual (net) risk: the status of the risk (measured through impact and likelihood) after taking account of any risk management activities that the organisation may have in place.

Risk appetite: the level of risk that the board or management is prepared to live with. This is likely to be different for each of the risks that have been identified.

Risk evaluation: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk assessment: the overall process of risk analysis and risk evaluation.

Risk management: an iterative process consisting of steps which, when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360)

Management of risk: the means by which an organisation elects to manage individual risks. These may be by treatment (i.e. to reduce impact or likelihood), termination, transfer, or the organisation may decide to tolerate the risks.

About Position Statements

The Institute of Internal Auditors UK and Ireland (IIA) is the primary body representing, promoting and developing the professional practice of internal auditing in the UK and Ireland. Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify the Institute's official policy position on important and potentially complex matters confronting internal auditors.

Disclaimer

This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The Institute of Internal Auditors UK and Ireland recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance.

www.iia.org.uk
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
The Institute of Internal Auditors UK and Ireland Ltd, August 2003

Position Paper Organizational Governance: Guidance for Internal Auditors - July 2006 - The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4102, USA http://www.theiia.org

Table of Contents

Overview ... 3
SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING ... 4
  What is Organizational Governance? ... 4
  Role of Internal Auditing in Governance ... 4
  Specific Activities of Organizational Governance ... 6
  Other Considerations ... 9
  Possible Next Steps ... 10
SECTION 2: ORGANIZATIONAL GOVERNANCE PRINCIPLES, PARTICIPANTS, AND ITS INTERACTION WITH OTHER INITIATIVES ... 11
  Commonly Identified Organizational Governance Principles ... 11
  Participants and Roles ... 12
  Organizational Initiatives Impacting Governance ... 13
SECTION 3: APPENDICES ... 16
  Appendix A: Resources Discussing Organizational Governance Topics ... 16
  Appendix B: Definitions of Organizational Governance ... 18

July 2006 Page 2 of 18

IIA Position Paper on Organizational Governance: Guidance for Internal Auditors

Overview

The topic of organizational governance (often referred to as corporate governance) is important for many key stakeholders in the political and business worlds. Typically, internal auditors operate in two capacities in this area. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices. By providing assurance on the risk management, control, and governance processes within an organization, internal auditing is one of the key cornerstones of effective organizational governance.

This guidance is designed to help internal auditing in its assurance and advisory role with regard to specific aspects of organizational governance. This document has three main sections:

1. Definition of Organizational Governance and the Role of Internal Auditing. This section provides a framework for understanding the role of internal auditing, specific activities internal auditors can perform, and possible next steps for internal auditors.
2. Organizational Governance Principles, Participants, and Its Interaction With Other Initiatives. This section discusses additional information on the key principles of organizational governance, the roles of typical participants in this area, and the impact of common organizational initiatives (e.g., quality programs, enterprise risk management) on organizational governance.
3. Appendices. This section provides additional definitions and resources related to organizational governance.

Organizational governance is a complex topic that overlaps with other internal audit subjects. Various companies, governments, research organizations, regulatory bodies, and other organizations have addressed aspects of the broad topic of organizational governance through various means. This document is not intended to replace all these publications and does not concentrate on organizational governance as an isolated topic.

The concepts outlined in this document are intended to apply to the role of internal auditing across a broad range of organization types, including publicly or privately owned businesses, nonprofit or for-profit organizations, and government or nongovernmental institutions. Regardless of the type of organization, the key concepts in this document can be applied to the organization's internal audit activity.

SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING

What is Organizational Governance?

There is no single, comprehensive, universally accepted definition of organizational governance. However, certain common elements are present in most definitions of organizational governance that describe it as the policies, processes, and structures used by organizations to direct and control their activities, achieve their objectives, and protect the interests of their diverse stakeholder groups in a manner consistent with appropriate ethical standards.

An often-used definition of organizational governance comes from the Paris-based forum of democratic market economies, the Organisation for Economic Co-operation and Development (OECD):

Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. 1

1 OECD, Principles of Corporate Governance, revised May 2004

See Appendix B in Section 3 for other organizational governance definitions.

Role of Internal Auditing in Governance

Internal auditing typically operates in two capacities. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices.

In an organization, management and the board establish and monitor companywide systems for effective governance. Internal auditors can support and improve these actions. In addition, although internal auditors should remain independent, they may participate in the establishment of governance processes. By providing assurance on the organization's risk management, control, and governance processes, internal auditing becomes a key cornerstone for effective organizational governance.

Which capacity is most relevant for internal auditing is highly influenced by the maturity level of the organization's governance processes and structure, and the organizational role and qualification of internal auditors. In an organization with a less mature governance structure and process, the internal audit function may be focused more on advice regarding optimal structure and practices, as well as comparing the current governance structure and practices against regulations and other compliance requirements. In organizations with more structured and mature governance practices, internal auditors could focus more on:

- Evaluating whether companywide governance components work together as expected.
- Analyzing the level of reporting transparency among parts of the governance structure.
- Comparing governance best practices.
- Identifying compliance with recognized and applicable governance codes.

The following graphic conceptually shows how the amount of time internal auditors spend on different tasks changes as the structural maturity of the organization's governance practices changes.

[Graphic 1: Internal Audit Governance Maturity Model. Vertical axis: Allocation of Audit Effort. Horizontal axis: Less Structured to More Structured. Three bands of effort: (1) Provide advice that focuses on the organization's governance structure to meet compliance requirements and addresses basic organization risks; (2) Perform audits of design and effectiveness of specific governance-related processes; (3) Evaluate best practices and their adaptation to the organization by focusing on the optimization of governance practices and structure.]

Internal auditing will often be most effective in dealing with governance activities by doing more than performing discrete audits of specific processes. An internal auditor's unique position in an organization allows him or her to observe governance structure and design, while not having direct responsibility for them. Often, internal auditors can assist organizations better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just on whether established processes are operating. This is different, however, from providing objective assessment of specific governance activities through discrete audits. Ultimately, internal audit assessments regarding governance activities are likely to be based on information obtained from numerous audit assignments over a period of time.

Optimally, internal auditors should aim to provide assessments on the effectiveness of key organizational governance elements, either separately from, or combined with, assessments on the effectiveness of risk management and key controls. These governance activity assessments should take into account: