Slide 1: Using ERM Concepts in Managing Controls

The Institute of Internal Auditors, August 10, 2004

Ed Dudley, CIA, CPA
Retired Vice-President & General Auditor – ABB Americas

Slide 2: Agenda

• Introduction & Overview – Ed Dudley
• Integrating ERM Concepts in a Facilitated Entity Evaluation – Lynn Fountain
• Using Risk Assessment to Assess Control Deficiencies – Paul Sobel
• Integrating ERM – A Multidimensional View – Peg Weir
• Break
• Q & A

Slide 3: Key Risk Issues for Today

• Benefits of Using an ERM Approach
• Approach for Measuring Entity Level Controls
• ERM Principles in Assessing “Soft” Attributes
• Risk Management for an Entity Evaluation
• ERM Planning Considerations

Slide 4: Key Risk Issues for Today

• Key Control Deficiency Questions
• Making Control Deficiency Assessments
• Understanding Risk Tolerance Considerations
• Developing Performance Based Culture and Metrics
• Benefits of Continuous Improvement Life Cycle Approach

Slide 5: Integrating ERM Concepts in a Facilitated Entity Evaluation

Lynn Fountain
VP Risk Assessment & Audit Services
Aquila, Inc.

Slide 6: Measuring Entity Controls Utilizing ERM

(Diagram: the four risk-management steps below are framed by the five COSO components – Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring. The step-to-question grouping below follows the filter that closes each step.)

Risk Assessment
• What attributes will be evaluated?
• Define stages of maturity
• Determine each attribute’s maturity stage
• What stage of maturity is considered acceptable?
Filter: key attributes that fall below the desired stage

Risk Analysis
• Where the current stage is less than desirable, what are the underlying reasons and causes?
Filter: consider which attributes should be improved to meet management strategies

Risk Strategy
• Based on management’s risk strategy, what attributes should be addressed to improve their current state?
Filter: identify methods to monitor actions

Risk Capabilities
• Do the capabilities (people, process, technology and information) exist to execute the desired state?
• How will actions be monitored?

Slide 7: Facilitated Approach to Measuring Entity Controls

• ERM principles provide a structured method to assess the “soft” attributes of entity evaluation.
• Benefits of using an ERM approach:
  – Align management risk appetite with risk evaluation
  – Enhance response to risk identification
  – Identify how evaluation permeates across the organization
  – Identify integrated solutions for managing risk areas

Slide 8: Planning Considerations

• Ensure use of ERM principles
  – Attributes to be voted, as well as session participants, must be reflective of the entire organization
  – Communication of voting stages must include considerations for cost vs. benefit
  – Voting considerations must include how actions permeate across the organization; they should not be based on one event
  – Attributes voted must have actionable items for any remediation to be considered

Slide 9: Session Planning

• Identify voting attributes
  – Attributes should cover the five components of COSO
• Define scale and stages
  – Stages are consistent throughout definitions
  – Provide for voting in between stages
• Identify participants
  – Cross-functional representation: financial, operational, compliance
• Conduct pre-sessions
  – Review voting scale, attributes and definitions

Slide 10: Session Execution

• Define “rules of the day”
• Encourage open feedback
  – Discussion is the most value-added portion
  – Ensure anonymity of individual comments
• Monitor real-time voting for large variances in opinion
  – Facilitate discussion when voting is widely dispersed
  – Consider a re-vote
• Avoid common pitfalls
  – Group think
  – Voting creep
  – Duress voting
  – Dominant participant
  – Fatigue

Slide 11: Risk Management Capability Characteristics Stages: Entity Evaluation

Stage A – Process ad hoc; results often left to the heroics of individuals
Stage B – Informal processes; not well communicated or executed
Stage C – Formal processes that are adequate; processes may not always be consistent or well communicated; areas of improvement in efficiency and effectiveness
Stage D – Formal processes that are well executed; processes are consistent and well communicated; improvement area exists in relation to monitoring and KPIs
Stage E – Processes are optimal; best practice methods and metrics

Slide 12: Example Attributes – Control Environment

– Ethics Policy
– Ethical Values
– Ethics Reporting
– Ethics Discipline
– Commitment to competence – personnel
– Commitment to competence – management
– Commitment to competence – external auditors
– Mgmt structure & operating style
– Mgmt financial reporting philosophy
– Mgmt internal control philosophy
– Mgmt incentives
– Mgmt financial goals
– Organization structure and size
– Ownership and Accountability
– Policy establishment
– Approvals
– Segregation of Duties
– HR Policies and Procedures
– Job Screening
– Job Descriptions
– Job Performance

Slide 13: Example Attributes

• Risk Assessment
  – Business Objectives
  – Strategic Plan
  – Method to identify business risks
  – Mgmt Risk Tolerance
  – Acquisitions/Divestitures
  – Budgets
  – Accounting, Operating and Regulatory Changes
• Information and Communication
  – Systems Reliability
  – Users
  – Change Control
  – DR Plan
  – Business Continuity
  – Management Communication
• Control Activities
  – KPIs
  – Financial Reports
  – Reconciliation of Physical Assets
  – Physical Inventories
  – Destruction of Assets
• Monitoring
  – Monitoring Overrides
  – Correcting Deficiency
  – Monitoring process change

Slide 14: Deliverables

• Graphical depiction of voting averages
• Evaluate areas that fall below the desired stage
• Determine actions & obtain management sign-off
• Assign target dates and responsibilities
• Communicate results
  – Board
  – Management


Slide 16: Summary

• Approach Benefits
• Planning Considerations
• Execution of Session
• Deliverables Post-Session
• Remediation/Follow-up

Slide 17: Using Risk Assessment to Assess Control Deficiencies

Paul J. Sobel
Vice President, Internal Audit
Mirant Corporation

Slide 18: Control Deficiency Questions

• If a control deficiency were to occur, how bad could it be?
  – Impact on financial reporting
  – Likelihood of that impact occurring
• How could that deficiency manifest itself, i.e., what are the scenarios should it occur?
• What are the levels over which a deficiency becomes significant? Material?

Slide 19: Key Risk Decisions

• What is our tolerance relative to control deficiencies?
• How would the deficiency occur, i.e., what are the scenarios?
• What is our risk assessment of the deficiency?

(Diagram: the COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Objective categories: Strategic, Operations, Reporting, Compliance. Organizational levels: Entity-Level, Division, Business Unit, Subsidiary.)

Slide 20: Deficiency Assessment

Likelihood (columns) against Impact (rows):

                    REMOTE                          MORE THAN REMOTE
  MATERIAL          Not a Significant Deficiency    Material Weakness
  CONSEQUENTIAL     Not a Significant Deficiency    Significant Deficiency
  INCONSEQUENTIAL   Not a Significant Deficiency    Not a Significant Deficiency

Slide 21: Impact Types

• Financial Impact
• Reporting/Filing Delay
• Fraud Potential
• Pervasive Impact
• Technical Violation

Slide 22: Likelihood Factors

• Nature of account, disclosures and assertions
• Susceptibility to loss or fraud
• Subjectivity, complexity or judgment involved
• Cause and frequency of known exceptions
• Interdependence or redundancy of controls

Slide 23: Potential Scenarios

(The likelihood × impact matrix from the Deficiency Assessment slide is repeated here: a REMOTE likelihood is Not a Significant Deficiency at any impact; a MORE THAN REMOTE likelihood is a Significant Deficiency at CONSEQUENTIAL impact and a Material Weakness at MATERIAL impact.)

“. . . evaluating deficiencies and whether they constitute significant deficiencies or material weaknesses will necessarily always involve judgment.”
– PCAOB

Slide 24: Tolerance Considerations

• Quantitative Factors
  – % of revenues, assets or income
    • Materiality level = .0025 - .005 x revenues (i.e., .25% - .5%), or 5% of operating income
    • Significance level = 5% - 20% of materiality
  – Change in EPS (e.g., 1¢)
  – More than rounding
  – Change in key financial ratios
• Qualitative Considerations
  – Entity-level considerations (e.g., tone at the top)
  – Nature of controls
  – Ability to monitor controls
  – Nature of disclosures (e.g., related party implications)
  – Non-direct considerations (e.g., credit rating, regulatory compliance)
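The quantitative tolerance formulas on this slide and the likelihood × impact matrix from the Deficiency Assessment slide, combined into one small classifier. This is an added example, not code from the webcast or its presenters. The function names, the constructed company figures, the choice of the lower of the two materiality bases, and the one-band qualitative escalation are assumptions made for the example; the slides give ranges and a matrix, not an algorithm.

```python
"""
Added example (not from the IIA webcast slides): derive dollar tolerance
thresholds from the slide's ranges, band a potential misstatement by impact,
and classify it with the likelihood x impact matrix.
"""
from dataclasses import dataclass
from enum import Enum


class Likelihood(Enum):
    REMOTE = "remote"
    MORE_THAN_REMOTE = "more than remote"


class Impact(Enum):
    # Ordered so a qualitative escalation can move one band up.
    INCONSEQUENTIAL = 0
    CONSEQUENTIAL = 1
    MATERIAL = 2


@dataclass(frozen=True)
class Tolerance:
    materiality: float   # misstatement at/above this is MATERIAL
    significance: float  # misstatement at/above this is CONSEQUENTIAL


def derive_tolerance(revenues, operating_income,
                     materiality_pct=0.005, significance_pct=0.20):
    """Slide: materiality = 0.25%-0.5% of revenues, or 5% of operating income;
    significance = 5%-20% of materiality. The percentages are parameters
    checked against the slide's ranges. Taking the lower of the two
    materiality bases is this example's conservative choice (an assumption)."""
    if not 0.0025 <= materiality_pct <= 0.005:
        raise ValueError("materiality_pct outside the slide's 0.25%-0.5% range")
    if not 0.05 <= significance_pct <= 0.20:
        raise ValueError("significance_pct outside the slide's 5%-20% range")
    revenue_based = materiality_pct * revenues
    income_based = 0.05 * operating_income
    materiality = min(revenue_based, income_based)
    return Tolerance(materiality=materiality,
                     significance=significance_pct * materiality)


def rate_impact(amount, tol, qualitative_escalation=False):
    """Band a potential misstatement, then optionally move it up one band when
    a qualitative factor (fraud potential, pervasive impact, related-party
    disclosure, ...) is present. The one-band bump is an assumption; the
    slides only say qualitative considerations must be weighed."""
    amount = abs(amount)
    if amount >= tol.materiality:
        band = Impact.MATERIAL
    elif amount >= tol.significance:
        band = Impact.CONSEQUENTIAL
    else:
        band = Impact.INCONSEQUENTIAL
    if qualitative_escalation and band is not Impact.MATERIAL:
        band = Impact(band.value + 1)
    return band


def classify_deficiency(amount, likelihood, tol, qualitative_escalation=False):
    """The slide's matrix: only a 'more than remote' likelihood can yield a
    Significant Deficiency (consequential impact) or a Material Weakness
    (material impact); a remote likelihood is never a significant deficiency."""
    if likelihood is Likelihood.REMOTE:
        return "Not a Significant Deficiency"
    band = rate_impact(amount, tol, qualitative_escalation)
    if band is Impact.MATERIAL:
        return "Material Weakness"
    if band is Impact.CONSEQUENTIAL:
        return "Significant Deficiency"
    return "Not a Significant Deficiency"


# Constructed figures for a hypothetical filer: $2.0bn revenues, $150m operating income.
EXAMPLE_TOLERANCE = derive_tolerance(revenues=2_000_000_000,
                                     operating_income=150_000_000)


def demo():
    """Walk a few hypothetical deficiencies through the matrix."""
    cases = [
        (8_000_000, Likelihood.MORE_THAN_REMOTE, False),
        (2_000_000, Likelihood.MORE_THAN_REMOTE, False),
        (2_000_000, Likelihood.REMOTE, False),
        (500_000, Likelihood.MORE_THAN_REMOTE, False),
        (500_000, Likelihood.MORE_THAN_REMOTE, True),  # e.g. fraud potential
    ]
    return [classify_deficiency(a, lk, EXAMPLE_TOLERANCE, q) for a, lk, q in cases]


if __name__ == "__main__":
    print(f"materiality ${EXAMPLE_TOLERANCE.materiality:,.0f}, "
          f"significance ${EXAMPLE_TOLERANCE.significance:,.0f}")
    for result in demo():
        print(result)
```

With the constructed figures the income basis (5% of $150m = $7.5m) is lower than the revenue basis (0.5% of $2.0bn = $10m), so materiality is $7.5m and significance $1.5m; the fourth and fifth cases differ only in the qualitative flag, which is the slide's point that the decision is not purely numeric.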

Slide 25: Summary

• Evaluating control deficiencies requires a great deal of judgment
• Utilizing risk management concepts, particularly risk assessment, brings some structure to those judgments
• Must develop and articulate tolerance levels
• Think through the various scenarios
• Caution: don’t let it become a black and white decision-making process

(The likelihood × impact matrix from the Deficiency Assessment slide is repeated on this slide.)

Slide 26: ERM – A Multi-Dimensional View

Margaret (Peg) Weir
Manager, Internal Control Group
United States Postal Service

Slide 27: ERM – A Multi-Dimensional View

• United States Postal Service
  – Independent Government Entity; Self Sustaining
  – Board of Governors
  – Management – Internal Control Group
  – Inspection Service
  – Internal Auditor – Office of Inspector General
  – Government oversight
  – External Auditor

Slide 28: Enterprise Risk Hierarchy

(Diagram; labels recovered from the slide. Layers: Board – Audit & Finance Committee Oversight; External and Internal Audit Findings; Business Environment & Management Priorities/Strategies (Transformational, Traditional, Special cases); ERM Continuous Improvement. Parties shown: Board, External Auditor, Internal Auditor, Management (includes Internal Control Group), Inspection Service. Risk areas shown: Financial, Events, Fraud. COSO components shown: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.)

Slide 29: Continuous Improvement Life Cycle

(Diagram only; no text was extracted from this slide.)

Slide 30: Business Review Committee / Internal Control Process Cycle

(Cycle, read in order.)
• HQ IC meets with HQ functional peers to discuss risks
• HQ IC evaluates data related to identified risks
• HQ IC proposes national risk prioritization (supported by data) to the Business Review Committee for concurrence
• Field IC evaluate local data relative to national priorities to determine appropriate local risk prioritization
• HQ IC reports to BRC on progress of nationally prioritized risk mitigation efforts

Slide 31: Internal Control Process Cycle

(Cycle, read in order.)
• Management prioritizes risks based on data or other influences
• IC Analysts analyze additional data and review prioritized internal controls
• IC Analysts work with process owners to determine root causes and develop risk mitigating solutions
• Process owners implement risk mitigating solutions
• IC Analysts monitor results and share best processes enterprise wide

Slide 32: Risk Assessment Model

(Diagram only; no text was extracted from this slide.)

Slide 33: ERM – A Multi-Dimensional View

• Ongoing risk assessment in the ERM lifecycle
  – Data driven risk analysis
  – Partnerships to address risks and achieve goals & objectives
  – Ongoing monitoring
  – Linkage to national performance metrics
• Hierarchy of internal and external considerations
• Prioritization/Evaluation/Improvement/Monitoring
• Quarterly and annual assessment and reporting

Slide 34: Q & A

Slide 35: Summary of Main Points

• Use a Facilitated Approach to Measuring Entity Level Controls
• Ensure the Use of ERM Principles
• Utilize Facilitated Session Planning and Execution
• Determine Deliverables and Communicate Results

Slide 36: Summary of Main Points

• Ask Key Control Deficiency Questions
• Key Risk Decisions Must Revolve Around Risk Tolerance, Occurrence Scenarios and Risk Assessment
• Evaluate Control Deficiencies With Risk Management Concepts – Particularly Risk Assessment

Slide 37: Summary of Main Points

• Consider both internal and external influences
• Link Key Performance Metrics to ERM Improvements
• Continuously Improve Controls Through Monitoring and Prioritizing

Slide 38: Get Your CPE Certificate

If you are a primary Webcast participant:
• If you view the live Webcast, you should be receiving your CPE certificate via email today.
• You can also view the certificate in your account. Just log in and hit the “CPE” button.
• If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.

If you are not the primary participant but will be viewing the Webcast:
• Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.

Slide 39: September 14, 2004 – “Role of Transition – Year 2”

Slide 40: Webcast Evaluation – Visit the Login Page