MU1 Module 3 Powerpoint


Upload: cgastuff

Post on 14-Apr-2018


Page 1: MU1 Module 3 Powerpoint

7/27/2019 MU1 Module 3 Powerpoint

http://slidepdf.com/reader/full/mu1-module-3-powerpoint 1/35

Course Name: Internal Auditing and Controls
Module: 3
Module Title: Risk Management, Control Frameworks and Governance
Lectures and handouts by: Chuck Campbell
Copyright © The Certified General Accountants Association of British Columbia. All rights reserved.

1

Risk management, control frameworks, and governance
Module 3

As you learned in Module 1, the scope of internal auditing has expanded over the past several decades. From a limited focus on compliance and financial integrity, it first grew to encompass the assessment of effectiveness, efficiency and economy of operations. In recent years, the focus has widened further to consider risk management and governance. In this module you will learn about the importance of managing risk, control frameworks and control self-assessment. You will also consider the role of governance and that of the audit committee.

2

Internal Auditing & Controls
Module 3

Part 1
Topic 3.1 Risk management
Part 2
Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process
Part 3
Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks
Part 4
Topic 3.6 Control self-assessment and continuous auditing
Part 5
Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002
Part 6
Module summary – Learning objectives
Recent examination questions

3


Internal Auditing & Controls
Module 3
Part 1
Topic 3.1 Risk management

4


The relationship between risk and control

Risk is the possibility (uncertainty) of an event occurring that will have a (negative) impact on the achievement of objectives.

Enterprise risk is, therefore, the uncertainty of an event occurring that may reduce the likelihood of an organization achieving its objectives.

6


The relationship between risk and control (cont’d)

Enterprise risk management is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

7

The relationship between risk and control (cont’d)

Effective control provides reasonable assurance that the entity will achieve its objectives (by reducing uncontrolled risks to an acceptable level) and, therefore, includes the identification and management of risks.

8

The relationship between risk and control (cont’d)

Risk models enable management to identify the risks faced by the enterprise, establish risk tolerances (risk limits) for these risks and test controls to ensure that the uncontrolled risks remain within the organization’s established risk tolerances.

9


Benefits of enterprise risk management

- aligning risk management and strategy;
- enhancing risk response decisions;
- reducing operational surprises and losses;
- identifying and managing multiple and cross-enterprise risks;
- seizing opportunities;
- improving deployment of capital.

10

Limitations to enterprise risk management

- human judgement in decision making may be faulty;
- decisions on responding to risk (including establishing controls) must take into account the relative costs and benefits;
- breakdowns can occur due to simple errors or mistakes;
- controls can be circumvented by collusion;

11

Limitations to enterprise risk management (continued)

- management has the ability to override risk management decisions (including controls);
- decisions must often be made in conditions of uncertainty and without complete information.

For these reasons the board and management cannot have absolute assurance as to the achievement of objectives.

12


Identifying risks using risk models

A number of risk models or risk frameworks have been developed to help identify the risks related to an organization’s activities and plans. The risks faced by businesses vary from organization to organization and should be identified by the organization’s management.

13

Risk and the “Butterfly Risk Tool”

Reading 3-2 introduces a new tool to enable both internal auditors and management to better identify risk events as part of the organization’s risk analysis.

The “Butterfly Risk Tool” considers the sources of risk and the potential consequences of those risks to the organization. Control activities should be designed to address the sources of risk and reduce the likelihood and impact of adverse consequences.

14

Setting appropriate risk limits

Risk tolerances or risk limits define the amount of residual, uncontrolled risk that the board and management are prepared to consider as acceptable. For example, a company could determine the amount of foreign currency risk that it was prepared to accept and implement processes to hedge exposures in excess of that amount. The amount of exposure that the company was prepared to accept would be its “risk tolerance,” “risk limit” or “risk appetite.”

15



Techniques for mitigating or reducing risks (cont’d)

Management has a number of alternative techniques which can be used to manage the risks faced by an organization. These include:

- avoiding the risk;
- diversification;
- controlling the risk;

18


Internal Auditing & Controls
Module 3
Part 2
Topic 3.2 Role of the internal auditor
Topic 3.3 Risk assessment process

22

The role of internal auditing in the assessment and management of risks

Internal auditing includes assisting the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal auditor should monitor and evaluate the effectiveness of the organization’s risk management system.

23

The role of internal auditing in the assessment and management of risks (cont’d)

The purpose of internal auditing (in the context of risk management) is to assess the appropriateness and adequacy of management’s actions to avoid, share, transfer and control risks to keep them within the defined control limits or tolerances.

The IIA has issued a practice guide to assist internal auditors in assessing management’s risk management processes. This is found as On-line Reading 3.2-1.

24



The role of internal auditing in the absence of a formal risk management process

If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process.

If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization.

Internal auditors can facilitate or enable risk management processes but they should not “own” or be responsible for the management of the risks identified.

27


Principles of risk management

1. Risk management creates and protects value (and must be most rigorous when risks are greatest).
2. Risk management is an integral part of organizational processes.
3. Risk management is part of decision-making.
4. Risk management expressly addresses uncertainty.

28

Principles of risk management

5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored to the specific organization.
8. Risk management takes human and cultural factors into account.

29

Principles of risk management

9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement and enhancement of the organization.

30


ISO 31000 on risk management

Risk management should:

- address uncertainty;
- constitute an integral part of business process and decision-making;
- be based on the best available information and tailored to the organization;
- take human and cultural factors into account;
- be dynamic, iterative and responsive to change;
- mature further as the organization gets better at risk management;
- create and protect value.

31

Differences between traditional and risk-based internal auditing

Risk-based auditing starts by reviewing the organizational objectives, then considers the business risks that impact the achievement of those objectives and examines the methodologies in place to mitigate those risks. Risks can be avoided, shared or transferred, rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted, but the acceptable amount must be kept within the limits established by the board and management.

32

Differences between traditional and risk-based internal auditing (cont’d)

Traditional auditing began with a consideration of controls, focusing only on the design and effectiveness of the controls in meeting traditional control objectives of ensuring accurate financial information, compliance with laws and policies, safeguarding of assets and achievement of effectiveness, efficiency and economy of operations.

33


Managing the risk of the internal audit activity

The risks to internal audit activities fall into three broad categories:

- audit failure;
- false assurance; and
- reputation risks.

Internal audit departments should proactively manage their risks in these areas, particularly by monitoring compliance with professional and ethical standards.

34

Internal Auditing & Controls
Module 3
Part 3
Topic 3.4 Control frameworks
Topic 3.5 Auditing using control frameworks

35

Risk and control frameworks

Risk and control models or frameworks have been developed by a number of organizations, firms and individuals as a means of providing a common language to be used in the identification and mitigation of risks.

Risk frameworks focus on the risks faced by enterprises; control frameworks focus on the controls to mitigate the risks.

36


Different definitions of control objectives

COSO (the American Committee of Sponsoring Organizations of the Treadway Commission), CoCo (the CICA Criteria of Control Committee), and the IIA have similar, but different, definitions of control. All three definitions consider control to consist of actions taken to support people in the achievement of the organization’s objectives.

37

Different definitions of control objectives (cont’d)

The objectives of control set out by COSO relate to the effectiveness and efficiency of operations, the reliability of reporting and compliance with applicable laws, regulations and internal policies. CoCo uses virtually identical language to describe its view of control objectives.

38

Different definitions of control objectives (cont’d)

The IIA Standards list four objectives: reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance (with laws, regulations and contracts). These can all be considered to fall within the objectives set out in the COSO and CoCo frameworks.

39


Components of effective internal control

COSO states that in an effective internal control system, the following five components work to support the achievement of an organization’s mission, strategies and related business objectives:

- the control environment;
- risk assessment;
- control activities;
- information and communication;
- monitoring activities.

40

The nature of control

CoCo’s Guidance on Control makes five observations on the nature of control:

- Control is effected by people throughout an organization.
- Those who are accountable for activities should be accountable for controlling those activities.
- Organizations are constantly interacting and adapting.
- Control can never supply absolute assurance – only reasonable assurance.
- Effective control requires a balance between autonomy and integration, and between the status quo and adapting to change.

41

Limitations of control (cont’d)

Control cannot give absolute assurance – only reasonable assurance – because:

1. Controls must be cost-effective.
2. There are inherent limitations to control. These include:
   - the decision-making processes may be faulty (or based on incomplete or uncertain information).
   - controls tend to be directed at routine, recurring transactions.
   - some human error is inevitable.
   - there is always the possibility of collusive circumvention of controls.
   - there is always the possibility of management over-ride of controls.

42


The CoCo framework

The CoCo framework:

- is generally broader than most other frameworks;
- classifies criteria of control into four groups: purpose; commitment; capability; monitoring and learning.
- recognizes soft controls (such as trust).

43

Control frameworks and internal auditing

The development of control frameworks has led to a broader understanding of control and management’s responsibility for controlling the activities that they manage. It has brought management more into the control assessment process and created greater control-consciousness in management. It has recognized the existence and potential effectiveness of “soft” controls and included them in evaluation.

44

Control frameworks and internal auditing (cont’d)

Using the COSO control framework is a six-step process:

1. Understand the control framework to be used.
2. Determine existing control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Complete the assessment.
6. Identify and recommend corrective action.

45


Internal Auditing & Controls
Module 3
Part 4
Topic 3.6 Control self-assessment and continuous auditing

46

Control self-assessment defined

Control self-assessment can be broadly defined as “any activity where the people responsible for a business area, task, or objective using some demonstrable approach analyze the status of control and risk to provide additional assurance related to the achievement of one or more business objectives.”

47

Purposes of control self-assessment

- Identification of risks and exposures.
- Assessment of the control processes that mitigate or manage those risks.
- Developing action plans to reduce risks to acceptable levels.
- Determining the likelihood of achieving business objectives.

48


Starting points for CSA

CSA can start with any of the following:

1. Objectives
2. Risks
3. Processes
4. Controls

49


Alternative processes in CSA

1. Facilitated team workshops – gather information from work teams representing different levels in the organization.
2. Surveys – uses a questionnaire format in circumstances where:
   - Respondents are too numerous or geographically dispersed;
   - Management style discourages open, candid discussion;
   - Workshops are viewed as too expensive.
3. Management-produced analysis – generally prepared by a team in a staff or support role within the activity.

52

Steps in the control self-assessment process (facilitated team workshops)

As developed by Gulf Canada Resources, control self-assessment (CSA) consisted of the following phases:

1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct a workshop with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.

53

Steps in the control self-assessment process (facilitated team workshops) (cont’d)

Phases in control self-assessment (cont’d)

4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.

54


Different viewpoints on CSA

Is it really internal auditing?

Maybe . . . but it is not sufficient in itself – some testing of the operating effectiveness of key controls should be performed in addition to CSA in areas of significant enterprise risk where CSA is used.

55


Advantages of control self-assessment

Advantages of control self-assessment include:

- increases management and employee awareness of controls;
- brings the focus of those who know the processes to bear on control issues;
- gains acceptance of recommendations;
- provides potential cost savings in later years.

59


Disadvantages of control self-assessment

Disadvantages of control self-assessment include:

- lack of objectivity and independence of evaluations;
- costly to implement (in the first few years);
- may become mechanical in time;
- requires an open management style to be effective.

63


Continuous auditing

Another technique that auditors can use to monitor risks and evaluate the effectiveness of internal controls is known as continuous auditing. This technique usually relies upon technology to monitor risk and controls automatically. This is explained further in Reading 3-8.

64

Internal Auditing & Controls
Module 3
Part 5
Topic 3.7 Governance
Topic 3.8 Role of the audit committee
Topic 3.9 The Sarbanes-Oxley Act of 2002

65

The concept of governance

Governance is “the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.”

66


The concept of governance

“Corporate governance” means the process and structures used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers and communities.

67

The concept of governance

Governance refers to the responsibilities and actions of members of governing bodies in their stewardship capacity (to protect the interests of the entity’s stakeholders).

Accountability is the obligation to answer for a responsibility.

Boards of directors (or their equivalents) are accountable to the entity’s stakeholders for the performance of their governance role.

68


Control and governance role of the board of directors

CoCo’s Guidance for Directors provides the following list of control and governance responsibilities for private sector Boards of Directors:

1. approve and monitor mission, vision and strategy;
2. approve and monitor the organization’s ethical values;
3. monitor management control;
4. evaluate the performance of senior management;
5. oversee external communications;
6. assess the board’s own effectiveness.

74

Control and governance role of the board of directors

The Board of Directors:

- is the focal point for all governance activities.
- is ultimately accountable and responsible for the performance and affairs of the organization, its effective risk management practices and its risk limits.
- oversees all organizational activities but does not have direct management of any of them.
- establishes the “tone at the top” and implements best governance practices for the organization.

75


Control and governance role of management

Management:

- sets strategic direction and establishes the entity’s value system.
- provides assurance that risks are managed as part of a risk management process, that operations are monitored, results are measured and corrective actions are implemented in a timely fashion.
- deploys strategy, enforces internal control and provides direct supervision over operational areas.
- is accountable for implementing and monitoring the risk management and control processes.

76


Role of internal audit in relation to governance

Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

- promoting appropriate ethics and values within the organization;
- ensuring effective organizational performance management and accountability;
- effectively communicating risk and control information to appropriate areas of the organization;
- effectively coordinating the activities of, and communicating information among, the board, external and internal auditors and management.

80

Role of internal audit in relation to governance

Internal audit can:

- evaluate whether companywide governance components work together as expected.
- analyze the level of reporting transparency among parts of the governance structure.
- compare governance best practices.
- identify compliance with recognized and applicable governance codes.

Guidance from the IIA states that “internal auditors may participate in the establishment of governance processes.”

81


The role of the audit committee of the board of directors

The responsibilities of the board’s audit committee usually include the following:

1. oversight of published financial information, including annual financial reports, interim reports, public disclosure documents, etc.

2. oversight of the internal auditing function

3. oversight of the internal financial controls

4. oversight of the corporate Code of Conduct

5. liaison with the organization’s external auditors

86

Audit committee charter

Best practices include an audit committee charter, drawn up by the audit committee and approved by the board. It would typically include:

PURPOSE

AUTHORITY

COMPOSITION

MEETINGS

RESPONSIBILITIES

(See Exhibit 3-2 for an example charter)

87


Impact of Sarbanes-Oxley Act of 2002 on corporate governance

The Sarbanes-Oxley Act of 2002 was passed by the US Congress to address investor concerns after the Enron collapse.

Among the changes was the creation of a board to oversee audit and assurance of publicly traded entities.

CEOs and CFOs must now attest to their belief in the accuracy of published financial information.

External auditors (in the United States) will have to provide opinions on the controls over financial reporting within their publicly traded audit clients.

These changes have increased the responsibility of boards and their audit committees and have resulted in much greater significance being placed on the internal audit functions within those companies affected by the law.

92

Internal Auditing & Controls

Module 3

Part 6

Module summary – Learning objectives

Recent examination questions

93


Module 3 Learning Objectives

1. Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)

94

Module 3 Learning Objectives

2. Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. (Level 1)

95

Module 3 Learning Objectives

3. Explain how auditors use risk assessment to assist in audit planning and compare this approach with traditional approaches to internal auditing. (Level 1)

96


Module 3 Learning Objectives

4. Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)

97

Module 3 Learning Objectives

5. Describe the impact of the development of control frameworks on internal auditing and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)

98

Module 3 Learning Objectives

6. Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)

99


Module 3 Learning Objectives

7. Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)

100

Module 3 Learning Objectives

8. Explain the role of the audit committee of the board of directors. (Levels 1 and 2)

101

Module 3 Learning Objectives

9. Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)

102


Recent examination questions

The examination blueprint states that between 8% and 11% of the examination will test material from Module 3.

Typical examination questions:

Multiple choice questions

103

Recent examination questions

Typical examination questions:

Essay questions – question 1

104

Recent examination questions

Typical examination questions:

Essay questions – question 2

105