RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide




About This Course

Adding Value for Risk-based Auditing

Seminar Description
In this seminar, we will focus on:
The foundation for risk-based auditing.
Specific risk-based assessment methodologies, components, and best practices.
Applying the knowledge to specific situations.
www.theiia.org/training - 2 -

Seminar Objectives
By the end of this session, you will have had an opportunity to:
Identify relationships between strategy, corporate governance, risk management, and controls.
Identify key business processes and objectives.
Produce a risk assessment.
Produce a risk-based assurance plan.
Describe entitywide controls and their relevance to the plan.
Plan a risk-based engagement.
Network with peers.
The Institute of Internal Auditors, Inc., Altamonte Springs, FL 2008-3 -

Seminar Topics
The following topics will be covered during the seminar:
Role of internal auditing
Corporate governance
Risk management
Control and (risk) frameworks
Entitywide risk assessment
Risk-based audit engagement

Participant Introductions
Introduce yourself to your team members using the following guide:
Your name and job title.
Your organization and its industry.
Your experience in internal auditing.
Related work experience.
What you want to gain from this seminar.
Something interesting about you that reveals your risk appetite.

Working Agreement
Much of the success of this course depends on creating an effective learning environment and process. To create this environment and process we want to have a Working Agreement. Our agreement follows the acronym PROCESS. We agree to demonstrate:

P = Participation
This seminar is highly participatory. By agreeing to actively participate in discussions and exercises, participants will get the greatest benefit from the program.

R = Respect
There will be times when we will agree to disagree on the significance of issues, possible solutions, and best practices. We agree to show respect by actively listening to other viewpoints and not forcing our views on other participants.

O = Openness
We will share our experiences and provide constructive feedback. By agreeing to such openness, participants can expand their perspectives and build their skills.

C = Confidentiality
Confidential matters should not be discussed outside class. Be aware that information of this kind may have consequences for others.

E = Enthusiasm
Be enthusiastic about this learning experience!!!

S = Sensitivity
Participants should be sensitive to the feelings and perspectives of others.

S = Sense of fun
This seminar should be an enjoyable experience for the participants and the leader. If we approach the discussions, exercises, and other learning tools in the right frame of mind, we will not only have more fun but will also learn more.

Ideas and Insights
As you go through the seminar, use the space at the end of each unit to record ideas and insights for your own use and to share with others in the seminar.

Quiz
True or false:
1. U.S. organizations are required to have internal audit departments under the U.S. Sarbanes-Oxley Act of 2002.
2. Internal audit departments must comply with the International Standards for the Professional Practice of Internal Auditing (Standards).
3. The Sarbanes-Oxley Act's primary focus is on improving corporate governance and transparency.
Multiple choice:
4. Risk-based auditing can best be described as:
A. A best practice.
B. Mandated under the Standards.
C. Required by the Sarbanes-Oxley Act.
D. All of the above.
E. A and B only.

Quiz Answers
True or false:
1. False
2. False
3. True
Multiple choice:
4. E: A and B only

Role of Internal Auditing

Introduction

Overview
Risk-based auditing is perhaps the only way for an audit organization to add value to management and fulfill its charter responsibility to the independent directors.

Objectives
By the end of this unit, you should be able to:
Identify the value of internal auditing.
Define internal auditing.
Describe the internal audit standards.
Discuss risk-based auditing in organizations.

Resources
Readings and Resources: IIA Position Statement: Risk-based Internal Auditing

Understanding the Value of Internal Auditing
"When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement." Jim LaTorre, PwC

Definition of Internal Auditing (Mandatory Guidance)
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit Standards
The Standards (Mandatory Guidance)
2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Activity: My Organization's Approach to Risk-based Auditing
Instructions: On your own, spend a few minutes using the worksheet below to determine the degree of satisfaction with your organization's approach to risk-based auditing.

Rate each element as Don't Know, Satisfied, Neutral, or Dissatisfied:
Annual enterprisewide risk assessment
  By management
  By audit with the involvement of management
  With involvement of audit committee
Audit engagement risk assessment
  Evaluation tools
  Client involvement
Corporate governance is assured
Ethics program is assured
Risk management is assured
Internal audit activity maps to enterprise strategy
Skills and attitudes of auditors
Audit plan is risk-based

Activity: My Organization's Strengths and Weaknesses
Referring to your individual exercise responses, discuss the four questions below, select a spokesperson, and be prepared to report to the class.
What are the strengths and best practices for the risk-assessment process in your organization?
What are the weaknesses and challenges to the risk-assessment process in your organization?
What is the current role of internal auditing in your organization?
What are the opportunities for internal auditing in your organization?

Reading: Risk-based Internal Auditing Position Statement
Take a few minutes to read the Risk-based Internal Auditing position statement.

Unit Conclusion
Summary: You have completed the lesson Role of Internal Auditing. Here are some key points:
When effectively aligned with the needs of its various stakeholders, internal auditing is a key driver of effective management control, proactive risk management, solid corporate governance, and ongoing business process improvement.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The internal audit activity must evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
You examined your organization's approach to risk-based auditing and looked at the strengths and weaknesses of the risk-assessment process.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Corporate Governance

Introduction

Overview
Corporate governance is the foundation of risk-based auditing and should be understood before proceeding.

Objectives
By the end of this unit, you should be able to:
Define corporate governance.
Identify Performance Standard 2110: Governance.
Identify the various aspects of corporate governance.
Identify Assurance Performance Standard 2110.A1 and the elements of a good ethics program.
Identify the areas an internal audit must assess, evaluate, and report on to assure corporate governance.

Resources
Readings and Resources: Position Paper: Organizational Governance: Guidance for Internal Auditors; The Case Study

Definition of Corporate Governance (Mandatory Guidance)
Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Governance Standard
Performance Standard 2110: Governance (Mandatory Guidance)
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

Framework for Corporate Governance (framework diagram)

Ethics
Assurance Performance Standard 2110.A1 (Mandatory Guidance)
2110.A1: Evaluation of ethics program
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

Elements of a Good Ethics Program
Linked to core values
Reliant on the integrity of the people who create, administer, and monitor
Dependent on tone at the top
Dependent on an engaged board of directors
Transparent to all stakeholders

Activity: Ethics Assurance in My Organization
Instructions: Discuss how you are assuring the ethics-related objectives, programs, and activities at your organizations.
Record any strengths and best practices:
Record any weaknesses and challenges:
Select a spokesperson and report to the class.

Assurance of Corporate Governance
Performing audit work to assure corporate governance requires assessing, evaluating, and reporting on the following areas:
Governance structures, policies, charters
Organization culture, ethics, and values
Activities of audit committee
Risk management structures and policies
Internal audit processes and organization
Fraud control and policy
Compensation policies and processes
Strategic planning and decision making
Disclosure structure, process, rigor
Enterprise Web page content
Measurements

Case Study Activity: Community Medical Services Centers (CMSC)
Instructions:
Review the company background information in the case study.
Discuss the elements of good corporate governance.
Discuss the gaps in effective corporate governance.
Select a spokesperson and debrief the class.

Activity: Corporate Governance in My Organization
List the elements of corporate governance that are evident at your organization.
Identify what opportunities there are to broaden the role of internal auditing in corporate governance.

Unit Conclusion
Summary: You have completed the lesson Corporate Governance. Here are some key points:
Corporate governance is the combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of these objectives: promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; effectively communicating risk and control information to appropriate areas of the organization; and effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.
Corporate governance consists of: compliance with legal or regulatory requirements, internal control assessment and reporting, enterprise risk management, quality initiatives, transparency and disclosure, and governance structures and processes.
Assurance Performance Standard 2130.A1 requires that the internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
A good ethics program is linked to core values, reliant on the integrity of the people who create, administer, and monitor the program, transparent to all stakeholders, and dependent on the tone at the top and on an engaged board.
The areas an internal audit must assess, evaluate, and report on to assure corporate governance are: governance structures, policies, and charters; organization culture, ethics, and values; activities of the audit committee; risk management structures and policies; internal audit processes and organization; fraud control and policy; compensation policies and processes; strategic planning and decision making; disclosure structure, process, and rigor; enterprise Web page content; and measurements.

Implications
The corporate governance process must be in the audit universe and assured.
Business conduct or ethics programs must be in the audit universe and assured.
All audit engagements must consider governance, ethics, and potential for fraud.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk Management

Introduction

Overview
If we are still performing audit assurance work according to the old models, we will miss a great deal of opportunity to demonstrate the value of an independent and objective audit function that is capable of and willing to examine governance and risk management gaps.

Objectives
By the end of this unit, you should be able to:
Define enterprise risk management (ERM) and risk.
Identify the difference between inherent and residual risk.
Identify the assumptions of risk management.
Identify the benefits of risk management.
Identify the categories of risk.
Identify the areas the internal audit activity must assess, evaluate, and report on to assure corporate governance.

Resources
Readings and Resources: The IIA's Position Paper, The Role of Internal Auditing in Enterprisewide Risk Management; The Case Study

ERM and Risk
Enterprise Risk Management Definition
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives. (COSO ERM)

Risk Definition (Mandatory Guidance)
Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Types of Risk: Inherent and Residual Risk
Inherent Risk Definition
Inherent risk is the underlying risk before any controls are applied to mitigate the risk.
Residual Risk (Mandatory Guidance)
The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Risk Management Assumptions
Assumptions for Risk Management:
All organizations exist to add value for stakeholders.
All organizations face uncertainty.
Value is created, preserved, or eroded by management decisions.
ERM is an enabler of the management process.
It is interrelated to governance.
It is interrelated to performance management.

Benefits of Risk Management
Aligns risk appetite and strategy
Links growth, risk, and return
Enhances risk response decisions
Minimizes operational surprises and losses

Categories of Risk
Strategic
Operational
Financial
Compliance

Internal Audit Standards
Performance Standard 2120: Risk Management (Mandatory Guidance)
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
Organizational objectives support and align with the organization's mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the organization's risk appetite; and
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

Case Study Activity: CMSC Strategy and Risks
Note: There is no formal ERM at CMSC.
Instructions:
Review the CMSC strategy in the case study.
In your group, identify the risks to this strategy and assign them to the four categories of risk.
Select a spokesperson and debrief the class.
Worksheet columns: Broad Risks to CMSC Strategy | Risk Category
What are the three most critical risks as you understand the CMSC business model?
1.
2.
3.

Activity: Risks in My Organization
What are the risks that are unique to your industry, organization, or geography?
Are all strategic risks identified and known to internal auditing? If not, which risks are unknown?
Are all strategic risks mapped to the audit plan?
What are the opportunities for internal auditing in the area of enterprise risk management in your organization?

Unit Conclusion
Summary: You have completed the lesson Risk Management. Here are some key points:
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in a strategy setting across the organization. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Inherent risk is the underlying risk before any controls are applied to mitigate the risk. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to risk.
Risk management assumes that: all organizations exist to add value for stakeholders; all organizations face uncertainty; value is created, preserved, or eroded by management decisions; and ERM is an enabler of the management process, interrelated to governance, and interrelated to performance management.
Risk management aligns risk appetite and strategy, links growth, risk, and return, enhances risk response decisions, and minimizes operational surprises and losses.
The categories of risk are strategic, operational, financial, and compliance.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Implications
Risk management is a critical business process and must be in the auditable universe.
Risk management is linked to strategy, vision, and values and interdependent on governance.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Control (and Risk) Frameworks

Introduction

Overview
How many of your organizations have deployed COSO or COSO ERM?

Objectives
By the end of this unit, you should be able to:
Define Performance Standard 2130: Control.
Identify the elements of COSO control and ERM frameworks.
Identify the internal control environment factors, risk management factors, control activity factors, information and communication factors, and monitoring factors.
Identify the limitations of internal control and limiting factors.
Identify roles and responsibilities in internal control.

Internal Audit Standard
Performance Standard 2130: Control (Mandatory Guidance)
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

COSO Control and ERM Frameworks
Report on Fraudulent Financial Reporting (Treadway Commission)
Committee of Sponsoring Organizations (COSO):
American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives Institute (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)

Definition of Internal Control
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of reporting
Compliance with applicable laws and regulations
(COSO)

Components of Internal Control (and ERM)
Control (internal) environment
Objective setting (ERM)
Event identification (ERM)
Risk assessment
Risk response (ERM)
Control activities
Information and communication
Monitoring

COSO Pyramid (figure)

COSO ERM Cube (figure)

Factors and Points of Focus

Internal Control Environment Factors (with Points of Focus)

Integrity and Ethical Values
- Codes of conduct and other policies.
- Tone at the top.
- Dealings with employees, suppliers, and customers.
- Appropriate remedial action.
- Management's attitude toward control intervention and override.
- Pressure to meet goals (e.g., short-term goals and compensation targets).

Commitment to Competence
- Job descriptions.
- Analyses of knowledge and skills.

Boards and Audit Committees
- Independence (questions management).
- Use of focused board committees.
- Knowledge and experience of directors.
- Frequency and timeliness of meetings with the CFO, CAE, etc.
- Sufficiency and timeliness of information, including sensitive information and investigations.
- Oversight of executive compensation.
- Role in tone at the top.

Management's Philosophy and Style
- Nature of business risks accepted.
- Personnel turnover in key areas.
- Management's attitude toward and concerns about financial reporting and safeguarding assets.
- Frequency of interaction between senior and operating management.
- Attitudes and actions displayed in financial reporting.

Organizational Structure
- Appropriate organizational structure (e.g., information flow).
- Key managers understand their responsibilities and have adequate knowledge and experience.
- Appropriate reporting relationships.
- Organizational structure is modified in light of changed conditions.
- Sufficient numbers of supervisors relative to employees exist.

Authority and Responsibility
- Assignment of responsibility and delegation of authority provide for accountability and control.
- Appropriate control-related standards exist.
- Sufficient numbers of skilled employees exist.

- Appropriate balance between getting the job done and management involvement (i.e., employees have the right level of empowerment to correct problems and implement improvements).

Human Resources Policies and Procedures
- Hiring, training, promotion, compensation.
- Awareness of responsibilities and expectations.
- Background checks.
- Performance evaluations and salary increases.
- Links to integrity and ethics (e.g., remedial actions, compensation).

Risk Management's Philosophy and Appetite
- Aggressive attitude, level of attention to detail, statements about risks and acceptable losses, strategic and annual planning efforts, use of feasibility studies.

Risk Management Factors
- Objectives aligned with the organization's strategy, vision, and values
- Risks identified
- Risks assessed considering impact and likelihood
- Risk response, aligning risks with enterprise risk appetite
- Change management
- Forward-looking

Control Activities Factors
- Preventative, directive, manual, computer, and management
- Policies, principles, and procedures (The principles were not noted in the original COSO framework.)
- Integrated with risk assessment

Information and Communications Factors

Information
- Strategic and integrated systems
- Systems support strategic initiatives
- Integration with operations
- Quality of information (e.g., data integrity, complete information, and information related to strategic objectives)

Communication
- Internal
- External

Monitoring Factors
- Operational reports and MIS
- External parties
- Organizational structure
- Self-assessments
- Audits

Limitations of Internal Control

Limitations
- Provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement.
- Provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved.

Limiting Factors
The factors that override control activities are:
- Judgment.
- Breakdowns.
- Overrides.
- Collusion.
- Cost versus benefits.

Roles and Responsibilities

Who is Responsible?
- Management owns controls. Management can empower others and see this as a partnership. Management cannot say they did not know.
- All personnel have control responsibility for their area.
- The board of directors is responsible for oversight and guidance.
- Internal auditing evaluates effectiveness.

Activity: COSO and ERM Discussion

Activity Instructions
Consider the COSO Control and ERM Frameworks. Discuss the following questions:
- Why do you think the COSO Control Framework was not widely embraced in 1991?
- Has your organization implemented COSO or COSO ERM? If not, what will it take to make this happen?
- How should the COSO ERM Framework be implemented?
Select a spokesperson and debrief the class.

Activity: Change the Vocabulary

Activity Instructions
Pick five terms related to risk-based assessment and define them in easy language for others in your organization.
- From internal environment to: leadership, human resources
- From risk assessment to: strategic planning
- From control activities to: process excellence, technology, continuous improvement
- From information and communication to: technology, human resources, leadership
- From monitoring to: metrics, measurements

Unit Conclusion

Summary
You have completed the lesson on Control and Risk Frameworks. Here are some key points:
- The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
- Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
- Enterprise risk management (ERM) is part of internal control, and the components of internal control and ERM are: control (internal) environment, objective setting (ERM), event identification (ERM), risk assessment, risk response (ERM), control activities, information and communication, and monitoring.
- The COSO pyramid and COSO ERM cube are good ways to visualize internal control and ERM.
- Internal control environment factors include integrity and ethical values, commitment to competence, the board of directors and audit committee, management's philosophy and style, the organizational structure, assignment of authority and responsibility, and human resource policies and practices.
- Other factors impacting internal control are risk management, control activities, information and communications, and monitoring factors.
- Internal control provides no assurance that objectives will be met, only reasonable assurance that management will know the level of achievement. Internal control provides reasonable, not absolute, assurance that financial reporting and compliance objectives will be achieved.
- Internal control is limited by judgment, breakdowns, overrides, collusion, and cost versus benefits.
- Within internal control, management owns controls, all personnel have control responsibility for their area, the board of directors is responsible for oversight and guidance, and the internal audit activity evaluates the effectiveness of controls.

Implications
- Internal auditing must make the link between the COSO frameworks, process excellence, and continuous improvement.
- Internal auditing must translate the language of control into the language of management.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Entitywide Risk Assessment

Introduction

Overview
Internal auditing includes developing business processes and an audit plan. This unit will explore both aspects of internal auditing.

Objectives
By the end of this unit, you should be able to:
- Identify Assurance Performance Standard 2130.A1.
- Identify the process for performing an entitywide risk assessment.
- Define business process.
- Identify the process of developing an audit plan.

Resources
Readings and Resources: The Case Study

Internal Audit Standard: Assurance Performance Standard 2130.A1

Mandatory Guidance 2130.A1: Evaluating adequacy and effectiveness of controls
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

The Institute of Internal Auditors, Inc., Altamonte Springs, FL 2011

Entitywide Risk Assessment

Performing an Entitywide Risk Assessment
1. Inventory the business processes, activities, or organizations that account for all organizational risks. The risk assessment should lead to an audit universe that probably will have units that have not been assured by internal auditing. The how, when, and why decision will come later, after there is consensus within the organization that all known risks have been catalogued.
2. Determine the impact of inherent risk.
3. Determine the likelihood of inherent risk. Some organizations will assess the impact and likelihood in separate steps using a matrix with two axes: impact and likelihood. Some organizations will assess the impact and likelihood in a combined step.
4. Weight the risk factors.
5. Assign a relative risk score.
6. Gain consensus from the audit committee.

Business Process

Business Process, GAO Definition
A collection of related, structured activities, a chain of events, that produce a specific service or product for a particular customer or customers.

Business Process, Anonymous Definition
A series of actions that is definable, repeatable, and measurable and that supports the organization's objectives.

Case Study Activity: Business Processes

Case Study
Review the case study. In your groups, determine the critical business processes essential to managing the risks to CMSC's strategy.
- What are the three most significant (strategic) business processes?
- Which business processes are the most fraud sensitive?
Select a spokesperson and debrief the class.

Audit Plan

Developing an Audit Plan
1. Inventory the business processes or activities.
2. Establish risk factors that apply to all processes or activities.
3. Risk rank the auditable universe.
4. Assign workload estimates to each unit.
5. Assign any coverage rules.
6. Develop a full coverage plan.
7. Consider resources.
8. Identify gaps.
9. Commit to a constrained resources plan.
10. Gain consensus from the audit committee and management.

Typical Risk Universe and Audit Plan

Example: An auditable unit is defined as the intersection of a business process and an organization. All auditable units have six identical risk factors with ratings from one to seven.

All business processes have the following three risk factors:
- Strategic importance (scored 1 through 7)
- Financial impact (scored 1 through 7)
- Image and reputation (scored 1 through 7)

All organizations have the following three risk factors:
- Control environment (scored 1 through 7)
- Organizational stability (scored 1 through 7)
- Fraud sensitivity (scored 1 through 7)

Scores are totaled for all six factors for all auditable units; each auditable unit has a potential risk score ranging from 6 to 42.
- Units with scores of 36 to 42 are assured annually.
- Units with scores of 30 to 35 are assured every 24 months.
- Units with scores of 24 to 29 are assured every 36 months.
- Units with scores of 6 to 23 are assured on a risk basis.
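As an added worked example (written for this page, not IIA material or CMSC data), the following Python script applies the scoring model above together with the audit-plan steps from the previous page: it validates and totals the six factors for each auditable unit, maps the total to its coverage rule, risk ranks the universe, costs a full coverage plan, and commits units to a constrained-resources plan while listing the gap. The unit names, factor scores, hour estimates and the "annual hours = hours x 12 / cycle" costing are constructed assumptions, as is the choice to treat risk-basis units as unscheduled until specifically chosen.

```python
"""Risk-universe scoring and audit-plan build (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 8)  # every risk factor is scored 1 through 7

# Coverage rules from the guide: (lowest score, highest score, months between audits).
# None means "assured on a risk basis" rather than on a fixed cycle.
COVERAGE_RULES = [(36, 42, 12), (30, 35, 24), (24, 29, 36), (6, 23, None)]

PROCESS_FACTORS = ("strategic_importance", "financial_impact", "image_reputation")
ORG_FACTORS = ("control_environment", "organizational_stability", "fraud_sensitivity")


def _check_scores(scores: dict, expected: tuple) -> None:
    """Every factor must be present exactly once and lie within the 1-7 scale."""
    if set(scores) != set(expected) or len(scores) != len(expected):
        raise ValueError(f"expected factors {expected}, got {tuple(scores)}")
    for name, value in scores.items():
        if value not in SCALE:
            raise ValueError(f"{name}={value} is outside the 1-7 scale")


@dataclass
class AuditableUnit:
    """Intersection of a business process and an organization."""
    process: str
    organization: str
    process_scores: dict   # the three process-level factors
    org_scores: dict       # the three organization-level factors
    hours: int             # workload estimate for one audit of this unit (assumed)

    def __post_init__(self) -> None:
        _check_scores(self.process_scores, PROCESS_FACTORS)
        _check_scores(self.org_scores, ORG_FACTORS)

    @property
    def score(self) -> int:
        """Total of the six factors: 6 (all ones) to 42 (all sevens)."""
        return sum(self.process_scores.values()) + sum(self.org_scores.values())

    @property
    def cycle_months(self) -> Optional[int]:
        """Coverage rule for this unit's score; None = risk basis."""
        for low, high, months in COVERAGE_RULES:
            if low <= self.score <= high:
                return months
        raise ValueError(f"score {self.score} matches no coverage rule")

    @property
    def annual_hours(self) -> float:
        """Assumption: hours per year needed to honour the cycle; risk-basis units
        cost nothing until they are specifically scheduled."""
        return 0.0 if self.cycle_months is None else self.hours * 12 / self.cycle_months


def risk_rank(universe: list) -> list:
    """Highest score first; ties broken by name so the ranking is stable."""
    return sorted(universe, key=lambda u: (-u.score, u.process, u.organization))


def build_plan(universe: list, capacity_hours: float) -> dict:
    """Full coverage plan, then a constrained plan: walk the ranked units and commit
    each one that still fits in the remaining capacity; the rest are the gap."""
    cycle_units = [u for u in risk_rank(universe) if u.cycle_months is not None]
    full_coverage = sum(u.annual_hours for u in cycle_units)
    committed, gaps, used = [], [], 0.0
    for unit in cycle_units:
        if used + unit.annual_hours <= capacity_hours:
            committed.append(unit)
            used += unit.annual_hours
        else:
            gaps.append(unit)
    return {"full_coverage_hours": full_coverage, "committed": committed,
            "gaps": gaps, "used_hours": used,
            "shortfall_hours": max(0.0, full_coverage - capacity_hours)}


def sample_universe() -> list:
    """Constructed sample: two organizations sharing organization-level scores."""
    corporate = {"control_environment": 5, "organizational_stability": 6, "fraud_sensitivity": 6}
    centre = {"control_environment": 3, "organizational_stability": 4, "fraud_sensitivity": 5}
    return [
        AuditableUnit("General accounting", "Corporate office",
                      {"strategic_importance": 7, "financial_impact": 7, "image_reputation": 6}, corporate, 200),
        AuditableUnit("HR hiring", "Corporate office",
                      {"strategic_importance": 5, "financial_impact": 4, "image_reputation": 6}, corporate, 120),
        AuditableUnit("Patient billing", "Carthage centre",
                      {"strategic_importance": 6, "financial_impact": 6, "image_reputation": 5}, centre, 150),
        AuditableUnit("Facilities maintenance", "Carthage centre",
                      {"strategic_importance": 2, "financial_impact": 3, "image_reputation": 3}, centre, 90),
    ]


if __name__ == "__main__":
    plan = build_plan(sample_universe(), capacity_hours=250)
    for u in risk_rank(sample_universe()):
        print(f"{u.score:>2}  {u.process} / {u.organization}: cycle={u.cycle_months}")
    print("gap:", [f"{u.process} / {u.organization}" for u in plan["gaps"]])
```

With 250 hours of capacity the script commits the annual unit (200 hours) and, because the 24-month unit no longer fits, continues down the ranking and commits the 36-month unit instead, leaving the 24-month unit as the documented gap to take to the audit committee. Out-of-range or missing factor scores are rejected up front, which is the check most spreadsheet versions of this model lack.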

Activity: Resources Discussion

Activity
- What is the impact if you do not have appropriate resources?
- Do you match the plan to resources?
- What do you do about the gap?
- How do you manage audits that go over planned time?
- How do you address fraud risks in the audit plan?

Unit Conclusion

Summary
You have completed the lesson Entitywide Risk Assessment. Here are some key points:
- Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel.
- The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems.
- The process of performing an entitywide risk assessment includes these steps: inventory the business processes, activities, or organizations that account for all organizational risks; determine the impact and likelihood of inherent risk; weight the risk factors; assign a relative risk score; and gain agreement from the audit committee.
- A business process has been defined as a collection of related, structured activities, a chain of events, that produces a specific service or product for a particular customer or customers.
- An audit plan should inventory the business processes or activities, establish risk factors that apply to all processes or activities, risk rank the auditable universe, assign workload estimates to each unit, assign any coverage rules, develop a full coverage plan, consider resources, identify gaps, commit to a constrained resources plan, and gain consensus from the audit committee and management.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk-based Audit Engagement

Introduction

Overview
This unit will discuss the risks to business processes, setting up controls to manage those risks, and reporting on the results of risk-based assurance activities.

Objectives
By the end of this unit, you should be able to:
- Identify the process of performing a risk-based engagement.
- Identify the attributes of a business process definition or objective.
- Identify the risks to business processes and risk events.
- Identify the four common ways to manage risk.
- Identify the definition of controls, the types of controls, and evaluation methods for controls.
- Identify internal audit standards 2210, 2210.A1, 2210.A2, 2210.A3, and 2240.
- Identify the guidelines for reporting the results of a risk-based audit engagement.

Resources
Readings and Resources: The Case Study

The Engagement

Performing the Engagement
1. Reassess the risk assumptions of the auditable unit. Validate that the process in fact has sufficient risk to warrant assuring in this audit cycle.
2. Understand the business process and its objectives.
3. Identify the risks to the objectives. Usually, the client will do this in conjunction with their own process documentation.
4. Measure and prioritize risks.
5. Identify controls and evaluate the design.
6. Develop audit objectives and program.

Business Process Objective

Definition of Objective

Attributes:
- Clearly defined deliverable or outcome
- Includes the business event that triggers the process
- States inputs and outputs
- Includes business decisions that are part of the event response
- May indicate flow of material or information between process steps

Example:
General accounting objective: To record and report all financial transactions timely, accurately, and in accordance with GAAP and all applicable laws and regulations. Moreover, the information should be sufficiently concise, relevant, reliable, and comparable (period-to-period) to ensure ease of use by all stakeholders. The process begins with the receipt of any financial transaction and concludes when executive management and the board have accepted the results.

Case Study Activity: Objective Statement

Case Study
In your group, write a business process objective statement for the human resources process. Use the attributes noted in your participant guide. Select a spokesperson and be prepared to report.

Risks to Business Processes

Mandatory Guidance: Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

General accounting risks:
- Material misstatements of financial records
- Regulatory challenges
- Tax errors
- Not understood by stakeholders
- Reputation
- Unauthorized or unapproved entries

Identifying Risk Events
- What could go wrong?
- Who could we fail?
- Where are we vulnerable?
- What resources do we need to protect?
- What must go right for us to succeed?
- How could our operations be disrupted?
- How do we know if we are achieving our objectives?
- What information must we rely on?
- What decisions require the most judgment?
- What activities are the most complex?
- What activities are regulated?
- What is our greatest legal exposure?
- How could someone convert assets?
- How successful will we be at managing change?
- How will we retain critical resources?

Managing Risk

Risk Management
These are four common ways to manage risk:
1. Avoid the risk (e.g., decide not to offer the product or service because the risk is higher than the organization's risk appetite, not to enter a new geographic market due to the lack of cultural knowledge or a highly corrupt environment, or not to proceed with an acquisition as a result of due diligence that shows excessive legal liability).
2. Transfer the risk (e.g., find a partner to enter a new geographic market, or purchase insurance).
3. Accept the risk because it is within the known risk appetite and the cost of controls exceeds the benefit.
4. Reduce the risk by controls. This is the usual approach, but with the caveat that an appropriate cost-benefit analysis should be performed to ensure that excessive controls don't lead to a lost-opportunity risk.

Case Study Activity: Business Process Objectives

Case Study
Review the human resources business process for which you wrote the process objective statement. In your group:
- Identify the risks to meeting those business process objectives.
- Determine which are strategic, operational, financial, or compliance.
- Determine the likelihood and impact using a high, medium, and low scale.
Select a spokesperson and be prepared to report.

Worksheet: Risks to the Business Process

Risk category       Risks    Likelihood    Impact    Score
Strategic Risks
Operational Risks
Reporting Risks
Compliance Risks

Identifying Controls

Mandatory Guidance: Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Types of Controls
- Directive: Controls that encourage desirable events to occur.
- Preventative: Controls that prevent undesirable events from occurring.
- Detective: Controls that detect undesirable events that have already occurred.
- Mitigating: Controls that compensate for a missing or costly control.

Evaluating Controls
- Adequacy: Determine whether the process, as designed, provides reasonable assurance (operational auditing).
- Effectiveness: Determine whether the process is functioning as intended (transactional testing).

Internal Audit Standards: 2210, Engagement Objectives

Mandatory Guidance 2210: Engagement Objectives
Objectives must be established for each engagement.

Mandatory Guidance 2210.A1: Preliminary assessment of risk
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Mandatory Guidance 2210.A2: Probability of significant errors and other exposures
Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Mandatory Guidance 2210.A3: Setting criteria to evaluate controls
Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.

Mandatory Guidance 2240: Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.

Case Study Activity: Entitywide and Activity-level Controls

Activity
1. Review the risks to the human resources hiring sub-process that you identified in the case study.
2. Refer to the case study.
3. Identify two or three entitywide controls you would expect to manage the risks to this process.
   1.
   2.
   3.
4. Identify two or three activity-level controls you would expect to manage the high-risk areas you have identified.
   1.
   2.
   3.
5. Identify one control to manage a medium- to low-risk area.
6. Determine the audit tests you would perform.
7. Agree on at least two tests you would not perform in a risk-based engagement.
8. Select a spokesperson and be prepared to report.

Worksheets: Controls to Manage the Risks

Controls                  Test Approach
Entitywide Controls
1)
2)
3)
Activity-level Controls
1)
2)
3)
4)

Reporting the Results

Reporting the Results of Risk-based Audit Activity
- Needs assessment: Used to determine the level of the report's readers, who the audience for the report is, and what level of detail is needed in the report.
- Reporting should be timely.
- Use the language of risk rather than control and compliance: adding value versus the old stereotypes of control and compliance.
- Management actions: Risk-based audit engagements are only complete when:
  - Management understands the residual risks they need to mitigate.
  - Deficiencies have been mitigated.
  - The audit committee has accepted management's actions as appropriate.

Unit Conclusion

Summary
You have completed the lesson Risk-based Audit Engagement. Here are some key points:
- Performing a risk-based engagement requires internal auditing to reassess the risk assumptions of the auditable unit, understand the business process and its objectives, identify the risks to the objectives, measure and prioritize risks, identify controls and evaluate the design, and develop audit objectives and a program.
- The attributes of a business process definition or objective are that it has a clearly defined deliverable or outcome, includes the business event that triggers the process, states inputs and outputs, includes business decisions that are part of the event response, and may indicate flow of material or information between process steps.
- Risk is the possibility of an event occurring that will have an impact on the achievement of objectives, and it is measured in terms of impact and likelihood.
- One of the best tools for internal auditing in identifying risk events is to ask questions.
- The four common ways to manage risk are: avoid, transfer, accept, and reduce to an acceptable level via controls.
- A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
- Controls fall into four categories: directive, preventative, detective, and mitigating.
- Controls are evaluated on their adequacy and effectiveness.
- Standard 2210 states that objectives must be established for each engagement. Standard 2240 states that internal auditors must develop and document work programs that achieve the engagement objectives.
- A needs assessment should be performed to determine which readers want what level of detail.
- A risk-based auditing engagement has not been concluded until management has bought into the residual risk that needs remediation and has remediated the deficiency, and the audit committee has accepted management's remediation as being appropriate.

Implications
- Audit engagements start with understanding the business process and its risks.
- Audit engagements end when the audit committee is satisfied with management's resolution.
- Various risks need to be scored and assessed.
- Not all risks warrant testing.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Seminar Conclusion

Introduction

Overview
This unit will help you recall the key concepts and techniques we have discussed. It is also intended to enable you to plan how to use what you have learned when you return to work.

Objectives
After completing this lesson, you should be able to:
- Discuss any open items or expectations and identify your plans and next steps.
- Restate major concepts and skills learned during the seminar.

Putting It All Together

Seminar Objectives Revisited
By the end of this session, you will have had an opportunity to:
- Identify relationships between strategy, corporate governance, risk management, and controls.
- Identify key business processes and objectives.
- Produce a risk assessment.
- Produce a risk-based assurance plan.
- Describe entitywide controls and their relevance to the plan.
- Plan a risk-based engagement.
- Network with peers.

Activity: Roundtable Discussion

Activity
- What percentage of your time is spent on planning vs. field work and reporting?
- How have you marketed the internal audit function in your organization?
- Is the internal audit function in your organization demand driven?
- What is internal audit's reputation in your organization?

Implications
- There are more key processes than internal auditing can assure on a timely schedule.
- There are more risks to process objectives than policies and procedures can manage.
- There are many controls that are not cost-effective.
- There are valuable entity-level controls that are effective and can reduce process (activity-level) controls.
- Internal audit adds exponentially more value by assuring governance, risk management, and controls that have the greatest impact on strategy.

Plan for Action
- Review the topics that were discussed during the program.
- Select concepts and techniques that you learned or re-emphasized that will help you accomplish the challenges you face.
- Be specific as to how you will use the information you have learned.

Wrap-up
Thank you for your participation!

Case Study: Adding Value for Risk-based Auditing

Community Medical Service Center

Company Background
Community Medical Services Centers (CMSC) entered the healthcare industry seven years ago. CMSC's founder and principal owner, Jimmy Grey Stockton, grew up in a small North Carolina town. He is concerned that many of these communities no longer have adequate medical services because their local hospital has closed or cut back on services. As a result of this concern, Mr. Stockton attracted 60 investors and created a public but closely held corporation. Ten of the investors serve on the board of directors. Mr. Stockton serves as chief executive officer (CEO) and chairman. The corporate office is located in Carthage, NC. CMSC has now grown to 12 outlets.

Mr. Stockton is from a family of health professionals. His father was, for many years, the only family practitioner in the small town where he grew up. His mother was a nurse in the community. Jimmy Grey, after military service, became a physical therapist through a program at the community college and started a practice associated with an orthopedic clinic in a neighboring town. This practice was highly successful and led to acquisitions of related healthcare services in surrounding counties. As the need for capital grew beyond family and friends, CMSC went public with an initial public offering (IPO) five years ago.

The board of directors is composed of ten original investors in addition to Jimmy Grey. They are:
- Dr. Marjorie Fisk, MD, internist
- Dr. Jim Golden, DVM, veterinarian
- Dr. Bernard Miller, OD, anesthesiologist
- Ms. Meriwether Petigru, real estate broker and owner of Sand Hills Realty
- Mr. Chester Pinkny, CEO and Chairman of First Bank of the South
- Mr. Lad Powell, retired attorney whose previous law firm acts as counsel to CMSC
- Mr. Bruce Ray, CPA, partner in a local public accounting firm
- Mr. Larry Scoggins, real estate developer and entrepreneur
- Lt. Col. Tommy Lee White, USMC retired
- Mr. Hunter Winfrey, owner of Hunter's Fish Camp

The executive team consists of:
- Mr. Jimmy Grey Stockton, CEO and Chairman
- Mr. Rodney Scoggins, CFO
- Ms. Laura Ferguson, VP Business Development
- Mr. Jay Green, CPA, Controller
- Ms. Angela Pharr, VP Human Resources
- Mr. Russell Jordan, RN, Medical Services

There is an open executive search for a chief information officer (CIO). The role of risk officer has been assigned to Jay Green. The role of compliance officer has been assigned to Rodney Scoggins. There is no chief audit executive, as the internal audit role has been outsourced to a regional public accounting firm in Charlotte. A different public accounting firm, also with offices in Charlotte, has been retained for external auditing services. Outside legal counsel has been retained; board member Lad Powell was a partner in the firm before retiring from it three years ago.

CMSC's Web site, recently launched, discloses the following information:

Our Vision
CMSC's vision is to develop world-class non-critical-care health centers in under-served markets to improve the health of patients through innovative health care and wellness programs.

Our Mission
CMSC's mission is to deliver high-quality, innovative health-care services that help patients regain and improve their health.

Our Values
- Honesty and integrity in all of our dealings with stakeholders
- Exceed patients' expectations
- Dedicated people working as a team
- Market-driven, results-oriented health-care provider
- Respect and embrace diversity
- Balance work and personal life
- Make a difference in all of the communities that we serve

Stockholder Relations
- Board of Directors
- Board Committees (Audit, Governance, Executive Compensation)
- Executive Officers
- Corporate Governance Guidelines
- Business Conduct Guidelines
- Certificate of Incorporation
- Bylaws
- Director Compensation
- Executive Compensation
- Beneficial Ownership
- Commitment to Sarbanes-Oxley Compliance
- Commitment to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Quarterly and Annual SEC Filings
- How to Contact the Board

CMSC Strategy and Risks

CMSC's strategy was developed by the executive team and ratified by the board of directors six months ago. The primary strategic initiative is to grow from 12 medical services centers to 24 within 3 years and to 48 centers within 5 years. This is expected to be achieved by acquiring small, underutilized hospitals and physician-owned, out-patient surgical centers. CMSC hopes to attract physicians and establish regional cardiac care centers as well as cancer treatment centers to include the full range of cancer treatments. The strategy foresees a need to acquire or start a patient transportation subsidiary to include emergency air ambulance capability. Additionally, the strategy calls for affiliation with a major university health center such as Duke, UNC, or Wake Forest in the fifth year of the strategy.

The strategy anticipates the need for capital in the near term and suggests a secondary stock offering within 18-24 months when current capital is exhausted. Financial performance has been satisfactory to the investors to date, and the secondary offering is presumed to raise sufficient capital. The market area includes small towns with populations less than 10,000 in North Carolina.

Considerations:
- How robust do you think the strategic planning process is with the information presented?
- Who should be involved in the strategic planning process?
- Who should own the strategic planning process?
- How would you provide reasonable assurance that the strategy would be carried out as outlined?
- How would you monitor success of the strategy as it evolved?
- To whom would you report progress as the strategy evolved?

Community Medical Services Center - Typical Floor Plan (floor plan figure not reproduced)

CMSC Hiring Process Narrative

A CMSC department manager completes an employee requisition form, which is routed to an HR associate at the location. The HR associate sends the requisition by internal mail or fax to the regional manager for review. If the position is not budgeted or exceeds the budgeted salary, the director of human resources must review and approve the requisition. The position is then posted on the Intranet Web site, and HR personnel list the position with external recruiting sources.

The HR associate receives applications and resumes and then meets with the requesting department manager to determine which applicants to invite in for interviews. Rejection letters are sent to those applicants that are not interviewed. The HR associate and department manager interview applicants, and each interviewer completes an applicant evaluation form. The interviewers reach a consensus hiring decision or continue the search. All evaluation forms are sent to the corporate Human Resources department.

The department manager completes an Offer Letter Request form and sends it to the regional manager. The regional manager orders any background and licensing checks and sends the offer letter after satisfactory responses are received, with copies to the HR associate and department manager. Upon acceptance of the offer, the Human Resources department notifies the HR associate, who then establishes an employee file and orientation package. The department manager completes the payroll authorization form and updates the payroll application and HR database. This data is verified by the HR department before processing can occur. The HR administrator receives payroll reports for all personnel at the site they are responsible for.

Planning Comments

Some department managers and associates said the HR policy manual (over 200 pages) is difficult to use. They also indicated the process takes too long, e.g., the HR department is a bottleneck, forms are frequently lost or misplaced for long periods of time, and HR staff are slow in returning phone calls and e-mails. HR staff said they relied on the HR policy manual, properly completed forms, formal reviews and approvals, and separation of duties in the payroll process to adequately manage the risks.

Position Statement
The Institute of Internal Auditors UK and Ireland

Risk Based Internal Auditing

Introduction

The focus of internal audit work has shifted dramatically over the last decade. There has been a move from systems based auditing to process based auditing, and the current emphasis is on Risk Based Internal Auditing (RBIA). RBIA is a much used and much misunderstood term. This paper aims to set out the Institute's position with regard to RBIA and to offer some high level guidance on how to approach it.

Context

The current definition of internal auditing is that it is: "An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." RBIA is an approach that can help to meet these requirements.

The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasise adopting a risk-based approach to internal auditing. This approach is also consistent with the Turnbull guidance, Internal Control: Guidance for Directors on the Combined Code, which requires directors to adopt a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness, and to embed risk management and internal control into the culture of the organisation.

Internal auditors need to adopt a risk-based approach compatible with that adopted by their organisation. There are many approaches which could be adopted by internal audit depending on the extent to which internal audit is able to rely on the risk management processes across the organisation. This enables the auditor to avoid duplicating processes already carried out by management, and allows him or her to question management's processes or conclusions.

Internal auditors might say that they have always focused their efforts on the riskier areas of the organisation. However, this approach has historically been directed by internal audit's own assessment of risk. The key distinction with RBIA is that the focus should be to understand and analyse management's assessment of risk and to base audit efforts around that process.

What is Risk Based Internal Auditing?

The objective of RBIA is to provide independent assurance to the board that:
- The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
- These risk management processes are of sound design.
- The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
- A sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement. The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite). While internal audit's main contribution is to provide assurance on management's treatment of risk (through governance and control processes), it may also advise management on other aspects of their response to risks, such as decisions to terminate, transfer or tolerate risks.

Risk Based Internal Auditing

The Risk Based Internal Auditing approach is described schematically below. The steps of the diagram, in order:
- Corporate objectives.
- Identification of risks to achieving objectives.
- What is the risk appetite of the business?
- Is the risk management process an adequate and effective process for identifying, assessing, managing and reporting on risk?
  - Yes: use the organisation's own view of risk as far as possible.
  - No: facilitate risk identification with management, and facilitate refinement.
- Determine the risk universe.
- Determine the scope and priority of assignments; based on risks, select areas for review.
- For each area, review the adequacy of risk management processes to identify and manage risks.
  - Where largely OK: evaluate the processes and determine how management gain assurance that the risk management activities are being carried out as intended.
  - Where not OK: facilitate risk identification and assessment (inherent risks, mitigation, residual risks).
- Give assurance where OK and facilitate improvement where not.

Risk Based Internal Auditing

The practice of Risk Based Internal Auditing

Points of information:
- The scope of risk-based internal auditing includes strategic and business risks.
- The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
- It is important to understand that not all organisations are at the same stage of risk management implementation. The following diagram sets out a range of stages of risk management maturity and the internal audit approach that might be adopted at each stage.

Risk management continuum (from Risk Naive to Risk Enabled):

Risk Naive
  Key characteristics: No formal approach developed for risk management.
  Internal audit approach: Promote risk management and rely on audit risk assessment.

Risk Aware
  Key characteristics: Scattered, silo based approach to risk management.
  Internal audit approach: Promote an enterprise-wide approach to risk management and rely on audit risk assessment.

Risk Defined
  Key characteristics: Strategy and policies in place and communicated. Risk appetite defined.
  Internal audit approach: Facilitate risk management/liaise with risk management and use management's assessment of risk where appropriate.

Risk Managed
  Key characteristics: Enterprise wide approach to risk management developed and communicated.
  Internal audit approach: Audit risk management processes and use management's assessment of risk as appropriate.

Risk Enabled
  Key characteristics: Risk management and internal control fully embedded into the operations.
  Internal audit approach: Audit risk management processes and use management's assessment of risks as appropriate.

Each organisation must determine how it wishes to implement risk management. This will help determine its appetite for risk and the level of its risk maturity. For example, not all organisations will wish to become completely risk enabled, as they may need to weigh up the costs against their views on the potential benefits. It is for the board of directors and senior management team to determine how far along the continuum they wish to travel.

In a mature risk management environment the focus of internal audit work may be:
- Auditing the risk management infrastructure, for example, resources, documentation, methods, reporting.
- Auditing the whole system of internal control for the complete organisation and for individual departments.
- Carrying out individual audit assignments that are predominantly about specific risks. Where a number of risks are controlled through a common system or process, it may be appropriate to perform a combined audit of that system or process.

In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business units, internal audit needs to review business objectives and risk management processes within each of these auditable entities.

Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation's own view of the risks in order to determine the audit work that it needs to carry out. Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities are operating as intended.

The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

In addition to risk management maturity within an organisation, the extent to which internal audit needs to undertake its own risk assessment also depends upon the degree and speed of strategic and organisational change. When undertaking an audit of a project, the risk management processes covering projects in general and also those specific to the individual project need to be covered.

Conclusion

RBIA does not preclude the use of systems-based and/or process-based auditing as circumstances dictate. It is, however, an approach that focuses on the issues that matter to the organisation and on providing assurance on the risk management framework adopted by the organisation. RBIA will enable internal audit to link directly with the risk management framework, thereby leveraging synergies.

Risk Based Internal Auditing

Glossary of terms

Risk: the chance of something happening or not happening that will have an influence upon the achievement of business objectives.

Risk identification: the process of determining what can happen, why and how.

Risk analysis: the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences. Measured in terms of impact and likelihood.

Risk management activities: the methods by which an organisation chooses to manage its risks as outlined above. This replaces the traditional approach that focused purely on internal controls.

Inherent (gross) risk: the status of the risk (measured through impact and likelihood) without taking account of any risk management activities that the organisation may already have in place.

Residual (net) risk: the status of the risk (measured through impact and likelihood) after taking account of any risk management activities that the organisation may have in place.

Risk appetite: the level of risk that the board or management is prepared to live with. This is likely to be different for each of the risks that have been identified.

Risk evaluation: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk assessment: the overall process of risk analysis and risk evaluation.

Risk management: an iterative process consisting of steps which, when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360)

Management of risk: the means by which an organisation elects to manage individual risks. These may be by treatment (i.e. to reduce impact or likelihood), termination, transfer, or the organisation may decide to tolerate the risks.

About Position Statements

The Institute of Internal Auditors UK and Ireland (IIA) is the primary body representing, promoting and developing the professional practice of internal auditing in the UK and Ireland. Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify the Institute's official policy position on important and potentially complex matters confronting internal auditors.

Disclaimer

This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The Institute of Internal Auditors UK and Ireland recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance.

www.iia.org.uk
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
The Institute of Internal Auditors UK and Ireland Ltd, August 2003

Position Paper
Organizational Governance: Guidance for Internal Auditors
July 2006
The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4102, USA
http://www.theiia.org

Table of Contents

Overview ... 3
SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING ... 4
  What is Organizational Governance? ... 4
  Role of Internal Auditing in Governance ... 4
  Specific Activities of Organizational Governance ... 6
  Other Considerations ... 9
  Possible Next Steps ... 10
SECTION 2: ORGANIZATIONAL GOVERNANCE PRINCIPLES, PARTICIPANTS, AND ITS INTERACTION WITH OTHER INITIATIVES ... 11
  Commonly Identified Organizational Governance Principles ... 11
  Participants and Roles ... 12
  Organizational Initiatives Impacting Governance ... 13
SECTION 3: APPENDICES ... 16
  Appendix A: Resources Discussing Organizational Governance Topics ... 16
  Appendix B: Definitions of Organizational Governance ... 18

July 2006, Page 2 of 18

IIA Position Paper on Organizational Governance: Guidance for Internal Auditors

Overview

The topic of organizational governance (often referred to as corporate governance) is important for many key stakeholders in the political and business worlds. Typically, internal auditors operate in two capacities in this area. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices. By providing assurance on the risk management, control, and governance processes within an organization, internal auditing is one of the key cornerstones of effective organizational governance.

This guidance is designed to help internal auditing in its assurance and advisory role with regard to specific aspects of organizational governance. This document has three main sections:
1. Definition of Organizational Governance and the Role of Internal Auditing. This section provides a framework for understanding the role of internal auditing, specific activities internal auditors can perform, and possible next steps for internal auditors.
2. Organizational Governance Principles, Participants, and Its Interaction With Other Initiatives. This section discusses additional information on the key principles of organizational governance, the roles of typical participants in this area, and the impact of common organizational initiatives (e.g., quality programs, enterprise risk management) on organizational governance.
3. Appendices. This section provides additional definitions and resources related to organizational governance.

Organizational governance is a complex topic that overlaps with other internal audit subjects. Various companies, governments, research organizations, regulatory bodies, and other organizations have addressed aspects of the broad topic of organizational governance through various means. This document is not intended to replace all these publications and does not concentrate on organizational governance as an isolated topic. The concepts outlined in this document are intended to apply to the role of internal auditing across a broad range of organization types, including publicly or privately owned businesses, nonprofit or for-profit organizations, and government or nongovernmental institutions. Regardless of the type of organization, the key concepts in this document can be applied to the organization's internal audit activity.

SECTION 1: ORGANIZATIONAL GOVERNANCE AND THE ROLE OF INTERNAL AUDITING

What is Organizational Governance?

There is no single, comprehensive, universally accepted definition of organizational governance. However, certain common elements are present in most definitions of organizational governance that describe it as the policies, processes, and structures used by organizations to direct and control their activities, achieve their objectives, and protect the interests of their diverse stakeholder groups in a manner consistent with appropriate ethical standards. An often-used definition of organizational governance comes from the Paris-based forum of democratic markets, the Organisation for Economic Co-operation and Development (OECD): "Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined." [1] See Appendix B in Section 3 for other organizational governance definitions.

Role of Internal Auditing in Governance

Internal auditing typically operates in two capacities. First, auditors provide independent, objective assessments on the appropriateness of the organization's governance structure and the operating effectiveness of specific governance activities. Second, they act as catalysts for change, advising or advocating improvements to enhance the organization's governance structure and practices. In an organization, management and the board establish and monitor companywide systems for effective governance. Internal auditors can support and improve these actions. In addition, although internal auditors should remain independent, they may participate in the establishment of governance processes. By providing assurance on the organization's risk management, control, and governance processes, internal auditing becomes a key cornerstone for effective organizational governance.

Which capacity is most relevant for internal auditing is highly influenced by the maturity level of the organization's governance processes and structure, and the organizational role and qualification of internal auditors. In an organization with a less mature governance structure and process, the internal audit function may be focused more on advice regarding optimal structure and practices, as well as comparing the current governance structure and practices against regulations and other compliance requirements. In organizations with more structured and mature governance practices, internal auditors could focus more on:

[1] OECD, Principles of Corporate Governance, revised May 2004

- Evaluating whether companywide governance components work together as expected.
- Analyzing the level of reporting transparency among parts of the governance structure.
- Comparing governance best practices.
- Identifying compliance with recognized and applicable governance codes.

The following graphic conceptually shows how the amount of time internal auditors spend on different tasks changes as the structural maturity of the organization's governance practices changes.

Graphic 1: Internal Audit Governance Maturity Model (allocation of audit effort, from less structured to more structured governance)
- Less structured: provide advice that focuses on the organization's governance structure to meet compliance requirements and addresses basic organization risks.
- Intermediate: perform audits of design and effectiveness of specific governance-related processes.
- More structured: evaluate best practices and their adaptation to the organization by focusing on the optimization of governance practices and structure.

Internal auditing will often be most effective in dealing with governance activities by doing more than performing discrete audits of specific processes. An internal auditor's unique position in an organization allows him or her to observe governance structure and design, while not having direct responsibility for them. Often, internal auditors can assist organizations better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. This is different, however, from providing objective assessment of specific governance activities through discrete audits. Ultimately, internal audit assessments regarding governance activities are likely to be based on information obtained from numerous audit assignments over a period of time.

Optimally, internal auditors should aim to provide assessments on the effectiveness of key organizational governance elements, either separately from, or combined with, assessments on the effectiveness of risk management and key controls. These governance activity assessments should take into account:

- Specific governance assignments.
- The results of specific board-level governance review work.
- Governance issues arising out of myriad audit assignments performed during a specific period of time.
- Other information available to or known by the internal auditor.

Internal auditors may operate most effectively for the board as an agent of the board who provides independent, objective information and evaluation. The board would then own internal auditing, fostering a mutually supportive internal audit-board relationship. To gain a complete understanding of the organization's operations, it is essential that the board consider the internal auditor's work. For instance, internal auditors can inform the board on matters such as culture, tone, ethics, transparency, and internal interactions. In addition, contemporary internal auditing is based on the organization's framework for identifying, responding to, and managing the different strategic, operational, financial, and compliance risks facing the organization. As a result, internal auditors can provide objective assurance on the effectiveness of the framework as a whole, including management's monitoring and assurance activities, and on management of individual key risks.

This role of supporting the board, however, can create tensions because internal auditing also may be positioned as a partner to management. Internal auditors will need to manage the needs and expectations of both constituents carefully. Additional guidance on the role of internal auditing can be found in Practice Advisories 1000.C1-2, 1120-1, 1130.A1-1, and 1130.A1-2 of The IIA's Professional Practices Framework.

Specific Activities of Organizational Governance

Governance activities exist to help the organization meet its objectives in being well-run and accountable to its stakeholders. Just like in any other activity, management and the board will want to articulate their objectives in each area and put in place programs to achieve those objectives. The following sections provide suggestions of the objectives and programs related to different governance activities. Recognizing the significant overlap between governance activities and other organizational initiatives, this document focuses on the tasks that are not typically associated with other initiatives.

Internal auditors can perform specific tasks that assist organizations in regard to governance structure and processes, and should consider assisting management and the board by assessing the following areas:

Board Structure, Objectives, and Dynamics. The board and its committees should be appropriately structured and chartered to operate effectively. There should be healthy board and management interaction; adequate board meeting time devoted to open discussion; a full range of issues considered at board meetings; appropriate board composition (e.g., number of board members, absence of conflicts of interest, capabilities of board members); sufficient frequency of meetings; and meetings in private executive sessions. A board should devote sufficient attention to risks, the organization's risk appetite, and risk management practices. It is not commonplace for internal auditors to evaluate these topics. However, organizations and their boards should consider whether internal audit involvement would be beneficial and accepted.

Board Committee Functions. Internal auditors can review board meeting schedules, establishment of agendas, dissemination of advance information, and adherence to the committee charters. Internal auditors also can evaluate whether the board committees maintain a calendar of responsibilities and regularly monitor performance to published responsibilities. The Board Policy Manual. Internal auditors could assess the process of developing and maintaining the board governance policy or policy manual (or assist in these activities); evaluate compliance procedures; and make recommendations for improvement. Processes for Maintaining Awareness of Governance Requirements. Governance obligations vary from country to country and industry to industry. Internal auditors could develop networks and processes to maintain awareness of governance requirements and evaluate and monitor the organization's processes for maintaining external awareness. Internal auditors also could interface with roundtables, professional trade associations, internal and external subject matter experts, and internal compliance or risk assessment committees. Auditors can assess whether the organization is in compliance with governance codes and specific criteria found in a governance codes; if the entity in not in compliance, auditors can evaluate the impact and cause of the noncompliance. Internal auditors can assess the adequacy of the disclosures relating to the organization's governance system in its annual report. Board Education and Training. Board members need ongoing education on the significant issues facing the organization, changing technology, and emerging risk areas. New board members frequently need education to prepare them properly for their new responsibilities. Internal auditors can assist the board in these efforts by providing development of training content, delivery of training, and administrative support. 
Alternatively, internal auditors could assess the adequacy of the education provided to board members compared to best practices from other organizations.

Proper Assignment of Accountabilities and Performance Management. Organizational governance responsibilities are assigned to different parties within the company, and each party is accountable for fulfilling its responsibilities. If critical responsibilities are not assigned, or are assigned to the wrong party, governance suffers. Internal auditors can review whether all the key responsibilities related to organizational governance have been assigned, whether they have been assigned to the proper parties, and whether the performance management system and disciplinary action processes are effective.

Completeness of Ethics Policies and Codes of Conduct. Most organizations have ethics policies and codes of conduct that govern acceptable employee behavior and represent a key part of the organization's governance structure. Internal auditors can assess whether their organization's policies and codes include appropriate subjects and guidance. A number of codes of conduct are available for comparison. Most contain sections addressing conflicts of interest; confidentiality; fair dealing; proper use of organization assets; compliance with laws, rules, and regulations; and reporting of illegal or unethical behavior.

Communication and Acceptance of Ethics Policies and Codes of Conduct. To be effective, ethics policies and codes of conduct need to be communicated clearly to, and understood and accepted by, employees. Internal auditors can assess whether this communication is occurring and whether the information is understood by employees. Internal auditors can use surveys, interviews, and other means to determine the effectiveness of this communication process.

July 2006 Page 7 of 18

Internal auditors can assess the effectiveness of the processes established to enable employees to communicate concerns they have regarding inappropriate behavior to management or the board (e.g., a whistle-blower process). Internal auditors can also facilitate discussion of ethics topics and processes to resolve ethical issues.

Ethics Investigations and Related Employee Discipline. Violations of ethics policies or codes of conduct are usually investigated; if wrongdoing is substantiated, the involved employees are disciplined. Internal auditors can conduct these investigations or, alternatively, assess the adequacy of investigations performed by others. As part of this assessment role, internal auditors should consider whether the investigations were impartial, performed by competent personnel, adequately supported by pertinent facts, and concluded with appropriate actions by management personnel.

Management Evaluation and Compensation. Compensation of management is coming under increased scrutiny. The concern is not just over reported cash compensation, but also over indirect forms: stock compensation programs, personal use of the organization's resources, and reimbursement of excessive expenses. Internal auditors could focus on the accuracy and completeness of information provided to the board, the judgment exercised by management when classifying indirect executive benefits, and the adequacy of the board's attention to this topic.

Recruitment Processes for Senior Management and Board Members. Internal auditors can review recruitment standards and policies and evaluate whether practices meet organizational objectives. Although internal auditors should not influence individual decisions, patterns or extended deviations can be reported to the board.

Employee Training. Effective organizational governance will normally require employees to be trained on topics such as internal controls, ethics policies, disclosure and compliance requirements, and board policies.
Internal auditors can assess the adequacy of this training, and its frequency, effectiveness, and impact.

Governance Self-assessments. The board should perform or provide oversight for assessments of its performance, the appropriateness of its charter, the adequacy of its calendar, and other governance structures and activities. Internal auditors could assist the board in these responsibilities by facilitating data collection and reporting results to the board. Alternatively, internal auditors can assess the adequacy of these efforts and their compliance with applicable regulations, and report back to the board.

Comparison with Governance Codes or Best Practices. It is becoming more common for governments or stock exchanges to establish governance codes. These codes can include a wide range of topics such as financial reporting practices, organizational structure, and social responsibility. They range from required practices of the organization to suggested best practices. Internal auditors can provide assurance that their organization is in compliance with these codes.

External Communications. External communications include financial reports, press releases, and communication during crises. Internal auditors can assess whether the organization's stated strategies and objectives for reporting to stakeholders are being accomplished. The focus would include not only accuracy, but also full transparency, truthfulness, and timeliness.

Oversight of External Auditors. Internal auditors can assist the board in its management of external auditors by evaluating external auditor performance, their relationship with management and ways of handling disputes, the extent of additional work outside the normal audit engagement, and fees. Involvement in this area is not likely to take the form of an audit; rather, it would consist of providing advice and support.

There is no one-size-fits-all method of optimizing organizational governance. Each organization must tailor an individual solution that considers industry, maturity, business strategy, capabilities, culture, and competitive position.

Other Considerations

Organizational governance is a complex topic that may take internal auditors into areas not previously explored. Some key considerations to keep in mind are:

Management may not have formally considered governance matters as part of a larger organizational governance strategy. Before exploring the proper role of internal auditors related to governance, internal auditors may need to work with management to ensure there is a proper understanding and definition of the governance processes and structure in the organization.

Whatever role internal auditing undertakes with regard to organizational governance, its impact on the independence of internal auditing must be evaluated. Some roles could result in internal auditing impairing its independence regarding certain audit activities. In this case, internal auditors must communicate the impairment of independence to management and the board, and not perform audits or other assessment activities related to that role.

A key role of the board and management is the establishment of the organization's strategy. Internal auditors typically do not challenge these key strategic elements or whether the organization's primary strategy is appropriate for the organization's key stakeholders. However, this does not mean the internal auditor must remain silent on all items related to strategy.
It could be beneficial to the organization for internal auditors to make observations on major issues related to strategy implementation, key risks not adequately addressed by the strategy, conflicts among various strategy elements, or the impact of the strategy on the organization or its stakeholders.

Internal auditors must be careful to consider not only the results of individual audit tasks in assessing organizational governance, but also the overall structure of governance within the organization. At times, each part may appear appropriate, yet present serious issues when combined. Internal auditors should be aware of the limitations of performing specific governance review procedures without also having considered the broader (e.g., board) governance processes. Many elements of governance are driven from the top, and internal auditors should consider a top-down review of governance to ensure that designed processes are adequate and embedded effectively throughout the organization.

The governance environment is changing rapidly in many countries and industries. The internal auditor must continue to monitor these changes and evaluate how they impact the role of internal auditors in the future.

Auditing organizational governance requires skills and competencies that internal auditors may not possess. Before undertaking audits in the governance area, it is critical to ensure that internal auditors possess the relevant skills or obtain appropriate training. Internal auditors also should be encouraged to seek out different tools, resources, and best practices.

Possible Next Steps

When pursuing an expanded role in the area of organizational governance, internal auditors can start along a number of different paths. Possible first steps include:

1. Review all relevant internal and external written policies, codes, and charter provisions pertaining to organizational governance.

2. Discuss organizational governance with executive management or members of the board. The objective of these discussions is to ensure internal auditors have a clear understanding of the governance structure and processes from the perspective of those responsible for them, as well as the maturity of these processes.

3. Discuss options for expanding the role of internal auditors in organizational governance with the board chair, board committee chairs, and executive managers. These discussions could involve explaining the potential actions internal auditors could take and the resources required, as well as the possibility of an assurance gap between the board's assurance requirements and the organization's practices if internal auditors did not assist in this area. Ensure the internal audit charter is consistent with the expanded role being considered.

4. Discuss organizational governance topics with other key stakeholders, including external auditors and employees of the organization's departments such as legal, public affairs, the corporate secretary's office, compliance, and regulatory affairs. During these discussions, explore their current and future activities, as well as how an expanded internal audit role could coordinate with their activities.

5. Develop a broad framework of the organization's governance structure, identifying potential areas of weakness or concern.

6. Draft a multi-year plan to methodically develop the internal audit role in organizational governance areas.

7. Perform a pilot audit in one of the areas noted above. Select a single, well-defined, manageable topic and assess the adequacy of the design and execution of the activities related to that topic. Performing a pilot audit will give the internal auditor a chance to gauge the organization's response to his or her expanded role and to learn how to coordinate more effectively with other stakeholders.

SECTION 2: ORGANIZATIONAL GOVERNANCE PRINCIPLES, PARTICIPANTS, AND ITS INTERACTION WITH OTHER INITIATIVES

Commonly Identified Organizational Governance Principles

Organizational governance is a broad concept. A partial list of principles often included in defining effective governance processes is:

1. Ensure a properly organized and functioning board that has the correct number of members; an appropriate board committee structure; established meeting protocols; sound, independent judgment about the affairs of the organization; and periodically reaffirmed membership.

2. Make sure board members possess appropriate qualifications and experience, with a clear understanding of their role in governance activities, a sound knowledge of the organization's operations, and an independent, objective mindset.

3. Assure that the board has sufficient authority, funding, and resources to conduct independent inquiries.

4. Maintain an understanding by executive management and the board of the organization's operating structure, including structures that impede transparency.

5. Articulate an organizational strategy against which the success of the overall enterprise and the contribution of individuals are measured.

6. Create an organizational structure that supports the enterprise in achieving its strategy.

7. Establish governing policy for the operation of key activities of the organization.

8. Set and enforce clear lines of responsibility and accountability throughout the organization.

9. Ensure effective interaction among the board, management, external and internal auditors, and any other assurance providers.

10. Secure appropriate oversight by management, including establishment and maintenance of a strong set of internal controls.

11. Make sure that compensation policies and practices, especially those related to senior management, are consistent with the organization's ethical values, objectives, strategy, and control environment, and encourage appropriate behavior.

12. Communicate and reinforce throughout the organization an ethical culture, organizational values, and an appropriate tone at the top, which includes an environment that allows employees to raise concerns without fear of retaliation and in which potential conflicts of interest are monitored and investigated.

13. Effectively use internal auditors, ensuring the adequacy of their independence, resources, scope of activities, and effectiveness of operations.

14. Clearly define and implement risk management policies, processes, and accountabilities at the board level and throughout the organization.

15. Effectively use external auditors, ensuring their independence, adequate resources, and scope of activities.

16. Provide appropriate disclosure of key information, in a transparent manner, to stakeholders.

17. Provide disclosure of the organization's governance processes, comparing those processes with recognized national codes or best practices.

18. Ensure proper oversight of related party transactions and conflict of interest situations.

There are other common elements of effective governance in organizations. The publications included in Appendix A have additional discussion of organizational governance principles.

The IIA's definition of internal auditing refers to "...bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." This definition incorporates the broad advisory and assurance role that internal auditing can have regarding an organization's governance processes. Aspects of internal auditing's role in governance are addressed in performance standard 2130 of the International Standards for the Professional Practice of Internal Auditing:

2130: Governance. The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2130.A1: The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

2130.C1: Consulting engagement objectives should be consistent with the overall values and goals of the organization.

Participants and Roles

There are, broadly speaking, five parties that participate in an organization's governance activities, and each has specific responsibilities.

Role: Board
Responsibilities: The focal point for all governance activities. Ultimately accountable and responsible for the performance and affairs of the organization, effective risk management practices, and establishing a risk appetite level. Oversees all organizational activities (e.g., risk management, strategic direction setting, compliance with laws, good business and ethical practices), but does not directly manage any of them. Establishes the "tone at the top" and implements best governance practices for organizational performance.

Role: Senior Management
Responsibilities: Operates under the oversight of the board. Sets strategic direction and establishes the entity's value system. Provides assurance that risks are managed as part of a risk management process, operations are monitored, results are measured, and corrective actions are implemented in a timely fashion.

Role: Operating Management
Responsibilities: Deploys strategy, enforces internal control, and provides direct supervision for areas under its control. Accountable to executive management, and ultimately the board, for implementing and monitoring the risk management process and establishing effective and appropriate internal control systems.

Role: Internal Auditing
Responsibilities: Performs assessments to provide assurance that governance structures and processes are properly designed and operating effectively. Provides advice on potential improvements to governance structures and processes.

Role: External Auditing
Responsibilities: Provides independent assurance on the financial statement preparation and reporting activities, in accordance with applicable regulations and accounting principles.

The roles of the parties are separate, and the responsibilities of each role are different. Effective governance is diminished if role boundaries are not respected. Good governance results from effective synergy generated among the activities of these differing roles, while maintaining their separation.

Organizational Initiatives Impacting Governance

A number of different initiatives within organizations overlap with the area of governance. Additionally, there are organizational initiatives that may be directed primarily at operational or compliance concerns, but which nonetheless impact governance activities.

The following chart illustrates this overlap between organizational governance and some of the more common initiatives of organizations.

[Diagram: overlapping areas labelled Governance Structure and Processes; Compliance with Legal or Regulatory Requirements; Internal Control Assessment and Reporting; Transparency and Disclosure; Quality Initiatives; and Enterprise Risk Management. The grey background represents the common foundation of core values and ethics.]

The center of the diagram illustrates those aspects of an organization that are common across many, if not all, initiatives and activities. The organization's core values and ethics are the foundation for all activities, such as:

Compliance with Legal or Regulatory Requirements. Various requirements are imposed by stock exchanges, industry regulators (e.g., of banks and insurance companies), legislative bodies (e.g., the U.S. Congress with the U.S. Sarbanes-Oxley Act of 2002), etc. In these cases, organizations typically have responded by implementing certain structures and processes to ensure compliance. Often, responses to these requirements define the key elements of the governance structure (e.g., composition of the board, role of external auditors).

Internal Control Assessment and Reporting. Internal controls help organizations ensure that management's strategies and directions are carried out, often to mitigate risk. Many organizations have robust activities to document, assess, and report on the adequacy of these internal controls using established control frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Criteria of Control (CoCo), etc. Elements of these frameworks clearly overlap with elements of governance, including the control environment, monitoring, and detailed control activities.

Enterprise Risk Management. Organizations face a variety of risks, and many organizations are evaluating the adequacy of their risk management processes. COSO issued a framework for understanding and evaluating an organization's ERM structures and activities. Adequate understanding and assessment of risk, and the effective implementation and functioning of appropriate risk mitigation strategies, are key elements of governance processes.

Quality Initiatives. Initiatives for improving quality processes in an organization include International Organization for Standardization (ISO) certification, the European Foundation for Quality Management (EFQM) award, Six Sigma, and the Baldrige award model. The various means these initiatives use to measure the effectiveness of an organization overlap with many structural elements of governance.

Transparency and Disclosure. Organizations commonly report financial results and information to key stakeholders and increasingly are reporting more than financial results. Reporting on social responsibility, efforts to preserve the environment, and other social issues is becoming common. Communicating an organization's values regarding stewardship, management practices, employee relations, and other topics often shows an organization's culture and tone. The transparency of financial and non-financial disclosures to stakeholders is a key element of governance.

Governance Structures and Processes. Although many of the initiatives listed above overlap with the general concept of organizational governance, some aspects are unique to organizational governance. These often relate to management structure, organizational oversight, actions taken to set the tone of the organization (e.g., disciplinary actions taken by the board or management against those who violate organizational values), and specific processes related to the activities of executive management and the board.

There are undoubtedly other initiatives and activities that support governance. Depending on the organization, the methods of pursuing those initiatives, and the interaction of initiatives within an organization, there is often significant overlap among the activities of the various initiatives. There is nothing inappropriate about this overlap, but internal auditors need to understand these overlapping objectives and activities, clarify how they impact organizational governance activities, and understand the assessment or consulting work they perform in these other areas before fully executing their organizational governance activities.

SECTION 3: APPENDICES

Appendix A: Resources Discussing Organizational Governance Topics

Institute of Internal Auditors
IIA Web Site: Tools and Resources for Corporate Governance Initiatives and Current Legislation, http://www.theiia.org/?doc_id=4061.
Corporate Governance and the Board: What Works Best, IIA Research Foundation, http://www.theiia.org/bookstore.cfm?fuseaction=product_detail&order_num=408.
Audit Committee Effectiveness: What Works Best, 3rd Edition, IIA Research Foundation, http://www.theiia.org/bookstore.cfm?fuseaction=product_detail&order_num=5000.

Government and Stock Exchange Guidance/Regulations
The Combined Code on Corporate Governance, http://www.frc.org.uk/corporate/combinedcode.cfm.
ASX Corporate Governance Council Principles of Good Corporate Governance and Best Practice Recommendations, http://www.asx.com.au/about/pdf/asxrecommendations.pdf.
U.S. Sarbanes-Oxley Act of 2002 and the SEC's Final Rules implementing the act's provisions, http://www.sec.gov/about/laws.shtml.
Corporate Governance: A Practical Guide, London Stock Exchange and RSM Robson Rhodes LLP, June 2004, http://www.londonstockexchange.com/nr/rdonlyres/c450e4fc-89c2-4042-804a-685855FF217B/0/PracticalGuidetoCorporateGovernance.pdf.

Nongovernmental Guidance and Best Practices
Principles of Corporate Governance, Organisation for Economic Co-operation and Development (OECD), http://www.oecd.org/searchresult/0,2665,en_2649_201185_1_1_1_1_1,00.html.
Frequently Asked Questions in Corporate Governance from the National Association of Corporate Directors: General, http://www.nacdonline.org/faq/details.asp?faq=1; Audit and financial, http://www.nacdonline.org/faq/details.asp?faq=2.
National Association of Corporate Directors (NACD) Bookstore, https://secure.nacdonline.org/source/library/ordershome.cfm?activesection=orders, includes the "Report of the Blue Ribbon Commission on Audit Committees" and other publications.
International Federation of Accountants research and discussion papers from 2004, http://www.cimaglobal.com/cps/rde/xchg/sid-0aaac564-07226933/live/root.xsl/9530.htm.
COSO Related Resources, http://www.theiia.org/?doc_id=4884.
Independent Audit Limited, Better Governance Reporting: A Practical Framework, www.independentaudit.com/reporting/documents/bettergovernancereporting-Apracticalframework.pdf.
Basel Committee on Banking Supervision Consultative Document "Enhancing Corporate Governance for Banking Organizations," issued for comment in July 2005. (The IIA commended the Basel Committee's efforts to promote effective corporate governance. In its reply, The IIA offered eight recommendations to the committee, advocating internal audit activities and the internal auditor's role in good governance and accurate financial reporting.) See The IIA Position Papers & Responses to Exposure Drafts 2005 Web page, http://www.theiia.org/?doc_id=126, item No. 6.
Links to various countries' governance codes or guidelines as assembled by the European Corporate Governance Institute, http://www.ecgi.org/codes/all_codes.php.
White papers on governance by Institutional Shareholder Services, Inc., http://www.issproxy.com/governance/whitepapers.jsp.
King II code on corporate governance, http://www.iodsa.co.za/corporate.htm.

Company Examples
Continental Airlines, Corporate Governance: Charters of Committees of the Board of Directors, Governance Guidelines, Ethics Code, Fair Disclosure, http://www.continental.com/company/investor/governance.asp.
Starbucks Corporate Governance Principles and Board Committee Charters and Policies, http://www.starbucks.com/aboutus/corporate_governance.asp.

Related IIA Guidance
Some of the topics mentioned in this document have been addressed in more detail in Practice Advisories of The IIA:
1000.C1-2: Additional Considerations for Formal Consulting Engagements.
2100-1: Nature of Work.
2110-1: Assessing the Adequacy of Risk Management Processes.
2120.A1-1: Assessing and Reporting on Control Processes.
2130-1: Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization.

Appendix B: Definitions of Organizational Governance

Corporate governance is the system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized. (Australia) [1]

"Corporate governance" refers to the set of rules applicable to the management and control of a company. It is the duty of the board of directors to manage the company's affairs exclusively in the interests of the company and all its shareholders, within the framework of the laws, regulations, and conventions under which the company operates. (Belgium) [2]

"Corporate governance" means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors, and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers, and communities. (Canada) [3]

The nature of supervision by a present-day board of directors, having independent directors at the heart of its activities, is the undertaking of appropriate monitoring from the aspect of fulfilling the duties entrusted to them, while motivating the executive managers and employees with an appropriate compensation system in order to encourage independence. The balancing of this supervision (from the standpoint of the shareholders) with management (the administration of the company business) is called governance. Governance, which is the primary role of the independent director, is to ensure the introduction and correct functioning of the internal audit and compensation systems. Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties. (Japan) [4]

Corporate governance is the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship. The board's actions are subject to laws, regulations, and the shareholders in general meeting. (United Kingdom) [5]

[1] The Australian Stock Exchange Corporate Governance Council, Principles of Good Corporate Governance and Best Practice Recommendations, March 2003.
[2] Belgium Commission on Corporate Governance, Corporate Governance for Belgium Listed Companies, December 1998.
[3] Toronto Stock Exchange Committee on Corporate Governance, Dey Report, December 1994.
[4] Japan Corporate Governance Committee, Corporate Governance Forum of Japan, Revised Corporate Governance Principles, revised October 2001.
[5] Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Committee), December 1992.

September 29, 2004

The Role of Internal Auditing in Enterprise-wide Risk Management

In conjunction with the newly released Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework, The Institute of Internal Auditors (IIA), in coordination with its IIA-UK and Ireland affiliate, has issued a position paper on The Role of Internal Audit in Enterprise-wide Risk Management. The paper's purpose is to assist chief audit executives (CAEs) in responding to enterprise risk management (ERM) issues in their organizations. The paper suggests ways for internal auditors to maintain the objectivity and independence required by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) when providing assurance and consulting services.

Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities, to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.

Recommended Roles

The main factors CAEs should take into account when determining internal auditing's role are whether the activity raises any threats to the internal auditors' independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes. The IIA's position paper indicates which roles internal auditing should and should not play throughout the ERM process.

Core internal auditing roles in regard to ERM:
Giving assurance on risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks.

Legitimate internal auditing roles with safeguards:
Facilitating identification and evaluation of risks.
Coaching management in responding to risks.
Coordinating ERM activities.
Consolidating the reporting on risks.
Maintaining and developing the ERM framework.
Championing establishment of ERM.
Developing risk management strategy for board approval.

Global Headquarters, 247 Maitland Avenue, Altamonte Springs, FL 32701-4201 USA. Tel: +1-407-937-1100. Fax: +1-407-937-1101. www.theiia.org

Roles internal auditing should NOT undertake:
Setting the risk appetite.
Imposing risk management processes.
Management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.

The Institute emphasizes that organizations should fully understand that management remains responsible for risk management. Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions. The nature of internal auditing's responsibilities should be documented in the audit charter and approved by the audit committee.

Finally, The Role of Internal Audit in Enterprise-wide Risk Management is attached.

Established in 1941, The IIA serves approximately 95,000 members in internal auditing, governance, internal control, IT audit, education, and security worldwide. The Institute is the recognized authority, principal educator, and acknowledged leader in certification, research, and technological guidance for the profession worldwide.

Position Statement The Institute of Internal Auditors The Role of Internal Audit in Enterprise-wide Risk Management Introduction Over the last few years, the importance to strong corporate governance of managing risk has been increasingly acknowledged. Organisations are under pressure to identify all the business risks they face; social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organisations recognise their advantages over less coordinated approaches to risk management. Internal audit, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways. In 2002 The Institute of Internal Auditors UK and Ireland issued a position statement on The Role of Internal Audit in Risk Management to provide guidance to members on the roles that were permissible and the safeguards needed to protect internal audit s independence and objectivity. This new revised position statement supersedes the earlier one and takes account of recent developments from around the world in the field of risk management and in internal audit. What is Enterprise-wide Risk Management? People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organisation as a whole. The principles presented in this position statement can be used to guide the involvement of internal audit in all forms of risk management but we are particularly interested in enterprise-wide risk management because this is likely to improve an organisation s governance processes. 
Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM

Everyone in the organisation plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.

Benefits of ERM

ERM can make a major contribution towards helping an organisation manage the risks to achieving its objectives. The benefits include:
- Greater likelihood of achieving those objectives;
- Consolidated reporting of disparate risks at board level;
- Improved understanding of the key risks and their wider implications;
- Identification and sharing of cross-business risks;
- Greater management focus on the issues that really matter;
- Fewer surprises or crises;
- More focus internally on doing the right things in the right way;
- Increased likelihood of change initiatives being achieved;
- Capability to take on greater risk for greater reward; and
- More informed risk-taking and decision-making.

The activities included in ERM

- Articulating and communicating the objectives of the organisation;
- Determining the risk appetite of the organisation;
- Establishing an appropriate internal environment, including a risk management framework;
- Identifying potential threats to the achievement of the objectives;
- Assessing the risk, i.e. the impact and likelihood of the threat occurring;
- Selecting and implementing responses to the risks;
- Undertaking control and other response activities;
- Communicating information on risks in a consistent manner at all levels in the organisation;
- Centrally monitoring and coordinating the risk management processes and the outcomes; and
- Providing assurance on the effectiveness with which risks are managed.

The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing these activities. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge.

Providing assurance on ERM

One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which internal audit is a key source. Other sources include external audit and independent specialist reviews.

Internal audit will normally provide assurances on three areas:
- Risk management processes, both their design and how well they are working;
- Management of those risks classified as key, including the effectiveness of the controls and other responses to them; and
- Reliable and appropriate assessment of risks and reporting of risk and control status.

The role of internal audit in ERM

Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal audit provides value to the organisation are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively [1].

Figure 1 presents a range of ERM activities and indicates which roles an effective professional internal audit function should and, equally importantly, should not undertake. The key factors to take into account when determining internal audit's role are whether the activity raises any threats to the internal audit function's independence and objectivity and whether it is likely to improve the organisation's risk management, control and governance processes.

Figure 1: Internal audit role in ERM (a dial running from left to right through three zones)

Core internal audit roles in regard to ERM:
- Giving assurance on the risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks

Legitimate internal audit roles with safeguards:
- Facilitating identification & evaluation of risks
- Coaching management in responding to risks
- Co-ordinating ERM activities
- Consolidated reporting on risks
- Maintaining & developing the ERM framework
- Championing establishment of ERM
- Developing RM strategy for board approval

Roles internal audit should not undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit function complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.

Internal audit may provide consulting services that improve an organisation's governance, risk management, and control processes. The extent of internal audit's consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity [2] of the organisation, and it is likely to vary over time. Internal audit's expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that it is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organisation's risk maturity increases and risk management becomes more embedded in the operations of the business, internal audit's role in championing ERM may reduce. Similarly, if an organisation employs the services of a risk management specialist or function, internal audit is more likely to give value by concentrating on its assurance role than by undertaking the more consulting activities. However, if internal audit has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the centre.

Consulting roles

The centre of Figure 1 shows the consulting roles that internal audit may undertake in relation to ERM. In general, the further to the right of the dial that internal audit ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained.
Some of the consulting roles that internal audit may undertake are:
- Making available to management tools and techniques used by internal audit to analyse risks and controls;
- Being a champion for introducing ERM into the organisation, leveraging its expertise in risk management and control and its overall knowledge of the organisation;
- Providing advice, facilitating workshops, coaching the organisation on risk and control and promoting the development of a common language, framework and understanding;
- Acting as the central point for coordinating, monitoring and reporting on risks; and
- Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal audit can provide consulting services so long as it has no role in actually managing risks (that is management's responsibility) and so long as senior management actively endorses and supports ERM. We recommend that, whenever internal audit acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of the management team.

Safeguards

Internal audit may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:
- It should be clear that management remains responsible for risk management.
- The nature of internal audit's responsibilities should be documented in the audit charter and approved by the Audit Committee [3].
- Internal audit should not manage any of the risks on behalf of management.
- Internal audit should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions themselves.
- Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties [4].
- Any work beyond the assurance activities should be recognised as a consulting engagement and the implementation standards related to such engagements should be followed [5].

Skills and body of knowledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements, have project management, analytical and facilitation skills and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviours. However, risk managers as such serve only the management of the organisation and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers' specialist areas of knowledge (such as risk transfer and risk quantification and modelling techniques) which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit function and cannot be obtained from elsewhere [6].

Notes

[1] The Value Agenda, Institute of Internal Auditors UK and Ireland and Deloitte & Touche, 2003
[2] The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing, 2003
[3] Attribute Standard 1000.C1
[4] Attribute Standard 1130
[5] Performance Standards 2010.C1, 2110.C1 & C2, 2120.C1 & C2, 2130.C1, 2201.C1, 2210.C1, 2220.C1, 2240.C1, 2330.C1, 2410.C1, 2440.C1 & C2 and 2500.C1
[6] Attribute Standard 1210

Conclusion

Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach.

Internal audit's core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal audit extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal audit will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal audit.

Glossary of terms

Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organisation. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board: A board is an organisation's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organisation.

Champion: Someone who supports and defends a person or cause. Therefore, a champion of risk management will promote its benefits, educate an organisation's management and staff in the actions they need to take to implement it and will encourage them and support them in taking those actions.

Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organisation's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Enterprise: Any organisation established to achieve a set of objectives.

Enterprise-wide risk management (ERM): A structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Facilitating: Working with a group (or individual) to make it easier for that group (or individual) to achieve the objectives that the group has agreed for the meeting or activity. This involves listening, challenging, observing, questioning and supporting the group and its members. It does not involve doing the work or taking decisions.

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite: The level of risk that is acceptable to the board or management. This may be set in relation to the organisation as a whole, for different groups of risks or at an individual risk level.

Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an organisation has chosen to use to implement its risk management processes.

Risk Management Processes: Processes to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organisation's objectives.

Risk Maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation's objectives.

Risk Responses: The means by which an organisation elects to manage individual risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organisation; or to terminate the activity creating it. Internal controls are one way of treating a risk.

Further reading

If you would like to find out more about the subject of risk management, the following publications may be of interest to you (publication and author, followed by publisher):

- Risk Management: Changing the Internal Auditor's Paradigm, by Georges Selim and David McNamee (IIA Research Foundation)
- IIA Professional Briefing Note 13: Managing Risk (IIA-UK and Ireland)
- The Complete Guide to Business Risk Management, by Kit Sadgrove (Gower)
- Operational Risk and Resilience: Understanding and minimising operational risk to secure shareholder value, by PriceWaterhouseCoopers (Butterworth Heinemann)
- Risk Management Guide 2001 (White Page)
- It's a Risky Business (CIPFA)
- The Risk Management Standard (IRM, AIRMIC and ALARM)
- ANZ Risk Management Standard (Standards Australia and Standards New Zealand)
- Enterprise Risk Management Framework (COSO)
- Risk Management in the Public Services (CIPFA & ALARM)
- Independence and Objectivity, Professional Issues Bulletin 2003 (IIA-UK and Ireland)
- Embedding Risk Management into the Culture of your organisation, Professional Briefing Note 2003 (IIA-UK and Ireland)
- Managing business risk, by Adam Jolly (IOD, Ernst & Young and Kogan Page)
- The universe of risk, by Pamela Shimell (Pearson Education and FT)
- Management of risk, by OGC (TSO)
- Enterprise wide risk management, by James Deloach (Pearson Education and FT)
- Risk, by John Adams (Routledge)
- Risk management for company executives, by John Smullen (Pearson Education and Financial Times Prentice Hall)
- Enterprise Risk Management: Trends & Emerging Practices, by Miccolis, Hively, and Merkley (IIA Research Foundation)
- Enterprise Risk Management: Pulling it All Together, by Walker, Shenkir and Barton (IIA Research Foundation)

You may also find the following websites of interest (website address, followed by title or organisation):

- www.theiia.org: The Institute of Internal Auditors
- www.iia.org.uk: Institute of Internal Auditors UK and Ireland
- www.gee.co.uk: Gee Publishing
- www.corpgov.net: Corporate Governance Site
- www.coso.org: The Committee of Sponsoring Organizations (COSO)
- www.theirm.org: The Institute of Risk Management (IRM)
- www.airmic.com: The Association of Insurance and Risk Managers (AIRMIC)
- www.alarm-uk.com: The National Forum for Risk Management in the Public Sector (ALARM)
- www.whitepage.co.uk: White Page web-site
- www.standards.org.au: Standards Australia
- www.standards.co.nz: Standards New Zealand

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Florida, USA. The IIA has more than 95,000 members in internal auditing, risk management, governance, internal control, IT audit, education, and security. With representation from more than 160 countries, The Institute is the recognized authority, principal educator, and acknowledged leader in certification, research and technological guidance for the profession worldwide.

Copyright

The copyright of the position statement is jointly held. For permission to reproduce in the UK or Ireland, please contact IIA-UK and Ireland. For permission to reproduce elsewhere, please contact The Institute of Internal Auditors at issues@theiia.org.

About position statements

Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify The IIA's official policy position on important and potentially complex matters confronting internal auditors. For details of other guidance material provided by The Institute please visit our website, www.theiia.org

Disclaimer

This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The Institute recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance.

www.iia.org.uk
Institute of Internal Auditors UK and Ireland Ltd, 13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX, UK
Telephone +44 (0) 20 7498 0101; Fax +44 (0) 20 7978 2492; Email technical@iia.org.uk
Registered in England and Wales, no. 1 474735

www.theiia.org
The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701, USA
Telephone +1-407-937-1100; Fax +1-407-937-1101; Email issues@theiia.org

September 2004