Enterprise Risk Management and Risk Based Internal Audit
Source: …spatialco.com/audit/wp-content/uploads/03-Nasser_Barakat.pdf
© 2015 Grant Thornton. All rights reserved.

Page 1
Enterprise Risk Management and Risk Based Internal Audit
Grant Thornton Recommended Methodology
Nasser Barakat, Partner, Grant Thornton – Business Risk Services

Page 2
Scope of Risk Definition

Page 3
What is risk?
A range of possible negative events that could take place in an uncertain environment. Each of these events could have a significant impact on the organisation and its goals.

Page 4
Risk is anything that will prevent you from achieving your business objectives…

Page 5
Diagram: Risk shown in relation to work unit assets (resources), management processes, work unit objectives and the organisation's objectives.

Page 6
Control Broadly Defined

Page 7
Control … is broadly defined as ‘the combination of many factors which support people in their efforts to achieve their business objectives’.

Page 8
Linking risks, controls and objectives
Diagram: Risk, Control, Business/Quality Objectives, Desired end results/outcomes.

Pages 9–10
Linking risks, controls and objectives (diagram continued: Desired end results/outcomes)

Page 11
What is Risk Management?

Pages 12–14
Risk management … represents the diversity of actions management takes in order to mitigate some or all of the business risks.

Page 15
Risk management alternatives
TERMINATE – Avoiding risk
TREAT – Reducing the impact and/or probability of risk (assurance)
TOLERATE – Retaining risk (acceptance)
TRANSFER – Passing on risk
Risk mitigation technique for transfer: transfer the activity (e.g. subcontracting) or transfer the responsibility (e.g. insurance).

Page 17
Components of risks
Diagram: RISK made up of the parts that are Adequately controlled, Insured and Accepted.

Page 18
GT methodology for the implementation of an enterprise risk management system and risk based internal audit

Page 19
CRSA: Control and Risk Self Assessment

Page 20
CRSA is a process in which staff collectively:
- Identify business uncertainties in their area of responsibility
- Assess their control activities
- Develop actions for improvements
under the guidance of risk management.

Page 21
Diagram: five-stage CRSA process (Stage 1 to Stage 5). Steps shown: Workshop: Identify and assess risks and controls; Workshop: Building a risk and control matrix; Development of compliance tests; Management sign-off; Testing (by both I.A. and business unit); Reports on the test results; Reports on CRSA; Develop and conduct substantive tests; Internal audit report; reporting to Senior management and the board. Internal and external loss data feed into the process.

Page 22
The CRSA workshop
The following risk/control matrix lists some of the operational risks and controls related to a bank’s International Brokerage function.

Page 23
The CRSA workshop (risk/control matrix shown as an image; not captured in the transcript)

Page 24
Components of risks
Diagram: RISK made up of the parts that are Adequately controlled and Insured, plus the gap, which is split into the Acceptable gap, the Working gap and the Actual gap.

Page 25
Risk Based Internal Audit

Page 26
What is RBIA?
The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as a methodology that:
1. Links internal auditing to an organisation’s overall risk management framework
2. Allows internal audit to provide assurance to the board that risk management processes are managing risk effectively in relation to the risk appetite.

Page 27
Traditional approach versus risk based IA approach

Traditional: Audit plan based on the audit cycle (time duration).
Risk based: Audit plan based on the results of the business units' risk evaluation. Risky areas are covered first and more frequently.

Traditional: Important risks might not be covered in the audit program.
Risk based: Provides assurance that important risks are being managed properly.

Traditional: Focus on deficiencies in controls and cases of non-compliance with P&P.
Risk based: Focus on risks that are not properly controlled and/or overly controlled.

Traditional: An understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P&P manuals.
Risk based: In-depth understanding of the business unit operations through risk assessment workshops and with the participation of the business unit management.

Page 28
Traditional approach versus risk based IA approach (continued)

Traditional: Internal audit resources are spread over all business units/activities.
Risk based: More efficient use of internal audit resources by concentrating on risky units/areas.

Traditional: Disagreement with the business unit management over the action plans, leading to delays in implementation.
Risk based: Facilitates consensus with line management on the needed action plans, thus improving timely and effective implementation of corrective measures.

Traditional: Disagreement with the business unit management on the importance of the findings raised by internal audit.
Risk based: The importance of risks is established during the risk assessment phase and in agreement between internal audit and the business unit management.

Traditional: Subjective internal audit ratings; they mainly rely on the auditor’s judgment on the importance of the findings.
Risk based: More objective ratings (findings are classified in accordance with pre-agreed risk importance criteria).

Page 29
Internal Audit Rating Policy

Page 30
Rating matrix (rows: share of key controls working; columns: size of the gap relative to the acceptable gap)

Key controls working | Within acceptable gap | 1% – 20% above acceptable | 20% – 40% above acceptable | >40% above acceptable
All | A | A | B+ | B
Up to 80% | B | B | C+ | C
50% – 80% | C | C | D | D
20% – 50% | D | D | D |
<20% | D | D | |

Pages 31–32
Conclusion
Grant Thornton methodology:
- Allows for the identification, assessment and monitoring of all types of risks
- Moves the responsibility of control monitoring/improvement to line management
- Allows for the quantification of ‘GAP’ in the control environment
- Facilitates agreement with business units on implementation of recommendations
- Concentrates audit efforts and resources on ‘high risk’ areas
- Provides assurance on whether risks are properly mitigated

Page 33
Grant Thornton recommended three lines of defence framework
Diagram: First line of defence – Lines of business and committees; Second line of defence – Risk management and compliance; Third line of defence – Internal audit. Components shown across the lines: Control environment, Risk assessment, Control activities, Information and communication, Monitoring activities.

Page 34
Questions and Feedback