1.1 Slides Consultancy Services

The consultancy role of Internal Auditors

Transcript of 1.1 Slides Consultancy Services

Page 1: 1.1 Slides Consultancy Services

The consultancy role of Internal Auditors

Page 2: 1.1 Slides Consultancy Services

Audit Committees

Chairperson independent

Majority outside department

AC should review:

– Effectiveness of internal controls
– Effectiveness of internal audit
– Risk areas
– Audit results and recommendations
– Scope of external audit & cost effectiveness

Page 3: 1.1 Slides Consultancy Services

Internal audit (IIA) – key elements of the definition:

Independent
Objective
Assurance
Consulting activity
Add value
Improve operations

Evaluate and improve the effectiveness of risk management, control and governance processes.

Page 4: 1.1 Slides Consultancy Services

Objectives

Internal Audit vs. Consulting
IIA Standards for Consulting
Why Internal Auditors as Consultants
Consulting Skills for Internal Auditors

Page 5: 1.1 Slides Consultancy Services

Only 45% of 1,800 audit committee members surveyed are satisfied that their company's Internal Audit function delivers value.

Page 6: 1.1 Slides Consultancy Services

Who are the internal customers?

Page 7: 1.1 Slides Consultancy Services

IA Customers

Audit Committee
Auditee
Senior Management
External Auditors
Regulators

Page 8: 1.1 Slides Consultancy Services

Internal Audit vs. Consulting

Internal Audit | Consulting
Focused on historical data | Focused on future activity
Results in an audit report | Results in recommendations for implementation
Initiated by CAE | Initiated by business manager
Results provided to Audit Committee | Results provided to requestor

Page 9: 1.1 Slides Consultancy Services

IIA Standards & Definitions

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Page 10: 1.1 Slides Consultancy Services

IIA Standards for Consulting

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2

Page 11: 1.1 Slides Consultancy Services

IIA Standards for Consulting

1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220.C1 – Internal auditors must exercise due professional care during a consulting engagement.

Page 12: 1.1 Slides Consultancy Services

IIA Standards for Consulting

1220.C1 (consulting engagements):
Needs and expectation of the client
Relative complexity and extent of work
Cost/Benefit

1220.A1 (assurance engagements):
Adequacy/Effectiveness
Relative complexity and extent of work
Probability of significant errors
Cost/Benefit

Page 13: 1.1 Slides Consultancy Services

IIA Standards for Consulting

2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.

Page 14: 1.1 Slides Consultancy Services

IIA Standards for Consulting

2120.C1

2120.C2

2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Page 15: 1.1 Slides Consultancy Services

IIA Standards for Consulting

2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.

2201.C1

2210.C1

2210.C2

2220.C1

2220.C2 – During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues.

Page 16: 1.1 Slides Consultancy Services

IIA Standards for Consulting

2240.C1

2330.C1

2410.C1

2440.C1

2440.C2 – During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.

2500.C1

Page 17: 1.1 Slides Consultancy Services

Objectives

Internal Audit vs. Consulting
IIA Standards for Consulting
Why Internal Auditors as Consultants
Consulting Skills for Internal Auditors

Page 18: 1.1 Slides Consultancy Services

Why Internal Auditors as Consultants

Page 19: 1.1 Slides Consultancy Services

Why Internal Auditors as Consultants

We know COSO. We know SOX. We've performed that same accounts payable audit the same way 3 years in a row with no major audit findings to date. It's time to infuse our IA department with creativity and ask ourselves, what more can we be doing for our internal customer? How can we perform this audit differently to add greater value?

Page 20: 1.1 Slides Consultancy Services

What Are The Risks? (Consulting Assignment)

Risk of Political Exposure
Project Failure
Management Expectations
Conflict of Interest
Maintaining Independence and Objectivity

Page 21: 1.1 Slides Consultancy Services

Consulting Skills for Auditors

Include consulting services in annual audit plan/budget
Define and communicate scope early and often
Gain client buy-in
Don't be afraid to say no

Page 22: 1.1 Slides Consultancy Services

Consulting Skills for Auditors

Identify process improvement areas:
RVA – Real Value Added
BVA – Business Value Added
NVA – Non-Value Added

Page 23: 1.1 Slides Consultancy Services

6 Tips for a Consultative Approach to Audit

Strive to understand the business on a deeper level
Align resources to critical areas of risk
Develop in-house expertise
Build trust through relationships
Offer something extra
Speak business, not audit

Page 26: 1.1 Slides Consultancy Services

IA should assist the organization in achieving goals by evaluating & improving the process through which:

• goals and values are established and communicated,

• the accomplishment of goals is monitored,

• accountability is ensured, and

• values are preserved.

IIA standards - 2130

Page 45: 1.1 Slides Consultancy Services

King 2 – Internal audit: IA should provide

Assurance that management processes are adequate to identify and monitor significant risks

Confirmation of effective operations of established control systems

Credible processes for feedback on risk management and assurance

Objective confirmation that the executive authority receives the right quality of assurance and reliable information from management

Page 46: 1.1 Slides Consultancy Services

COSO – all five components must be present and functioning before a control system can be effective.

Components:
Control environment
Risk assessment
Information and communication
Control activity - prevention
Monitoring activities - detection

Each component applies to each of the four control objectives:
Safeguard assets
Compliance with laws, regulations, contracts
Reliability and integrity of information
Economy, effectiveness and efficiency

Page 47: 1.1 Slides Consultancy Services

Objective setting – control environment

Strategic: High-level goals, aligned with and supporting the entity's mission/vision.

Operational: Effectiveness/efficiency of operations, performance and service delivery goals.

Reporting: Effectiveness of internal/external reporting - financial or non-financial.

Compliance: Compliance with applicable laws and regulations.

Safeguarding of assets: Prevention/Timely detection.

Page 48: 1.1 Slides Consultancy Services


Page 49: 1.1 Slides Consultancy Services

Objective – Process – Risk (Governance process)

Legal mandate: Laws and regulations

Strategic/operational Plans (SMART/CQQT)

Page 50: 1.1 Slides Consultancy Services

Strategy and planning - board

Current situation:
Strategic planning – lacking
Dysfunctional management and board committees
Highly controlled agenda for strategic decisions
Committed to one strategy to exclude other possibilities
Reluctant to acknowledge past mistakes

Best practices:
Review options, challenging them, agree measures for success
Review strategic development process – sufficiently robust, properly assessed
Examine plans and processes for strategy implementation
Monitor implementation – agreed metrics

Page 51: 1.1 Slides Consultancy Services

Vehicles used by the board

Board meetings
Special board-level strategy meetings
Empowering board committees
Advisory groups
Facilitation

Page 52: 1.1 Slides Consultancy Services

Information needed by board to fulfill responsibilities

Strategic plan
Alternative strategies
Performance measures
Major risk factors
Major interdependencies
Resources and investment required
Strategic alliances, acquisitions
Technology implications
Best, worst case scenarios
Evaluation of past strategies

Page 53: 1.1 Slides Consultancy Services

External information needs

Customer demand - now and future
Current market position
Competitor intelligence
Industry information and trends
Analysis – stakeholder reactions to proposed strategies
Information/concern expressed by market analysis

Page 54: 1.1 Slides Consultancy Services

Nothing is more important than successful implementation

Page 55: 1.1 Slides Consultancy Services

Tools for implementation

Realigning the organization
Effective use of technology
Recruiting, developing, retaining human resources and skills
Manage knowledge for effective customer care, risk management, innovation
Implementation
Effective risk management

Page 56: 1.1 Slides Consultancy Services

Generic principles

Objectives should be readily understood and measurable (SMART) (QQCT) – outcome versus output based

RM requires that personnel at all levels have a requisite understanding of objectives as they relate to the individual's sphere of influence

All employees must have a mutual understanding of what is to be accomplished and a means of measuring what is being accomplished

Page 57: 1.1 Slides Consultancy Services

Establishment of Entity-wide Objectives

Lack of strategic plan that has established entity-wide objectives that provide sufficiently broad statements and guidance about what the department is supposed to achieve, yet are specific enough to relate directly to the (department).

Management has established overall entity-wide objectives in the form of mission, goals, and objectives, such as those defined in strategic and annual performance plans.

The entity-wide objectives relate to and stem from program requirements established by legislation.

The entity-wide objectives are specific enough to clearly apply to the specific users instead of applying generically.

Entity-wide objectives are not clearly communicated to all employees. Management obtains feedback signifying that the communication has been effective.

Page 58: 1.1 Slides Consultancy Services

Establishment of Entity-wide Objectives (2)

There is no relationship and consistency between the department operational strategies and the entity-wide objectives.

Strategic plans support the entity-wide objectives.

Strategic plans address resource allocations and priorities.

Strategic plans and budgets are designed with an appropriate level of detail for various management levels.

Assumptions made in strategic plans and budgets are consistent with the department's historical experience and current circumstances.

Lack of an integrated management strategy and risk assessment plan that considers the entity-wide objectives and relevant sources of risk from internal management factors and external sources and establishes a control structure to address those risks.

Page 59: 1.1 Slides Consultancy Services

Establishment of Activity-Level Objectives

Lack of strategic plan where activity-level (program or mission-level) objectives flow from and are linked with entity-wide objectives and strategic plans.

All significant activities are adequately linked to the entity-wide objectives and strategic plans.

Activity-level objectives are reviewed periodically to assure that they have continued relevance.

Activity-level objectives are not complementary, do not reinforce each other, and are contradictory.

The activity-level objectives lack relevance to all significant processes.

Objectives have been established for all key operational and support activities.

Activity-level objectives are consistent with effective past practices and performance, and are consistent with any industry or business norms that may be applicable to operations.

Page 60: 1.1 Slides Consultancy Services

Establishment - Activity-Level Objectives (2)

Activity-level objectives lack key measurable indicators.

Department resources are inadequate relative to the activity-level objectives. The resources needed to meet the objectives have been identified.

If adequate resources are not available, management has plans to acquire them.

The strategic plan does not include those activity-level objectives that are critical to the success of the overall entity-wide objectives. Management has identified the things that must occur if the entity-wide objectives are to be met.

The critical activity-level objectives receive particular attention and review from management, and their performance is monitored regularly.

Lack of commitment: not all levels of management are involved in establishing the activity-level objectives and committed to their achievement.

Page 61: 1.1 Slides Consultancy Services

Control environment

Executive authority

Legal mandate = entity wide objectives = strategic plans = business plans = job descriptions and performance agreements

Effective communication to all employees

Integrity and ethical values

No dealings with others not demonstrating appropriate level of commitment to integrity

Ethical tone at the top
Properly communicated downwards

Formal code of conduct
Ethical standards
Acceptable operational practices
Conflict of interest

Page 62: 1.1 Slides Consultancy Services

Basics of tone at the top

Code of conduct
Communicating expectations
Available channels
Explicit responsibility and accountability
Investigation and enforcement
Communicating results
Self assessment
Ethics officer

Page 63: 1.1 Slides Consultancy Services

Ethics policy topics

Intellectual property
Safety and violence
Environmental protection
Protecting assets
Confidential information
Computer data and security
Gifts
Sexual harassment
Relationships with suppliers and customers
Insider trading

Page 64: 1.1 Slides Consultancy Services

Integrity and values

Lack of a formal code of conduct and other policies communicating appropriate ethical and moral behavioral standards and addressing acceptable operational practices and conflicts of interest.

The codes are comprehensive in nature and directly address issues such as improper payments, appropriate use of resources, conflicts of interest, political activities of employees, acceptance of gifts or donations or foreign decorations, and use of due professional care.

The codes are periodically acknowledged by signature from all employees.

Employees indicate that they know what kind of behavior is acceptable and unacceptable, what penalties unacceptable behavior may bring, and what to do if they become aware of unacceptable behavior.

Page 65: 1.1 Slides Consultancy Services

Integrity and values (2)

Lack of an ethical tone that has been established at the top of the department and has been communicated throughout the department. Management fosters and encourages a culture that emphasizes the importance of integrity and ethical values, achieved through oral communications in meetings, via one-on-one discussions, and by example in day-to-day activities.

Employees indicate peer pressure exists for appropriate moral/ethical behavior.

Management takes quick and appropriate action as soon as there are any signs that a problem may exist.

Lack of high ethical plane in conducting dealings with the public, Cabinet, employees, suppliers, auditors, and others. Financial, budgetary, and operational/programmatic reports to Cabinet, Treasury, Personnel Management and the public are proper and accurate.

Management cooperates with auditors and other evaluators, discloses known problems to them, and values their comments and recommendations.

Under-billings by suppliers or overpayments by users or customers are quickly corrected.

The department has a well-defined and understood process for dealing with employee claims and concerns in a timely and appropriate manner.

Page 66: 1.1 Slides Consultancy Services

Integrity and values (3)

Lack of appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. Management takes action when there are violations of policies, procedures, or the code(s) of conduct.

The types of disciplinary actions that can be taken are widely communicated throughout the department so that others know that if they behave improperly, they will face similar consequences.

Lack of management action to appropriately address intervention or overriding of internal control. Guidance exists concerning the circumstances and frequency with which intervention may be needed, and the management levels which may take such action.

Any intervention or overriding of internal control is fully documented as to reasons and specific actions taken.

Overriding of internal control by low-level management personnel is prohibited except in emergency situations, and upper-level management is immediately notified and the circumstances are documented.

Page 67: 1.1 Slides Consultancy Services

Integrity and values

Lack of management action to remove temptation for unethical behavior.

Management has a sound basis for setting realistic and achievable goals and does not pressure employees to meet unrealistic ones.

Management provides fair, non-extreme incentives (as opposed to unfair and unnecessary temptations) to help ensure integrity and adherence to ethical values.

Compensation and promotion are based on achievements and performance.

Page 68: 1.1 Slides Consultancy Services

Objective – Process – Risk (Governance process)

Laws/regs

Strategic/operational Plans (SMART/CQQT)

Capability – finance & human

Responsibility/accountability

Key measurable objectives and indicators

Page 69: 1.1 Slides Consultancy Services

Control environment

Executive authority

Integrity and ethical values

Commitment to competence:
Job descriptions & performance agreements define tasks
Adequate analysis of knowledge and skills needed
Adequate training program

Authority and responsibility:
Appropriate structure
Responsibility assigned
Delegation of authority consistent with assignment of responsibility
Disciplinary processes consistent

Hire qualified staff
Ethical appointments with background checks

Page 70: 1.1 Slides Consultancy Services

Department structure

Inappropriate departmental structure for the size and nature of its operations.

The departmental structure facilitates the flow of information throughout the department.

The departmental structure is appropriately centralized or decentralized, given the nature of its operations, and management has clearly articulated the considerations and factors taken into account in balancing the degree of centralization versus decentralization.

Lack of identification and communication of key areas of authority and responsibility throughout the department.

Executives in charge of major activities or functions are fully aware of their duties and responsibilities.

An accurate and updated departmental chart showing key areas of responsibility is provided to all employees.

Executives and key managers understand their internal control responsibilities and ensure that their staff also understand their own responsibilities.

Page 71: 1.1 Slides Consultancy Services

Department structure (2)

Lack of appropriate and clear internal reporting relationships.

Reporting relationships have been established and effectively provide managers the information needed to carry out their responsibilities.

Employees are aware of the established reporting relationships.

Mid-level managers can easily communicate with senior operating executives.

Lack of periodic evaluation of the departmental structure.

Lack of capacity, particularly in managerial positions.

Managers/supervisors have time to carry out their duties and responsibilities.

Employees do not have to work excessive overtime or outside the ordinary workweek to complete assigned tasks.

Managers and supervisors are not fulfilling the roles of more than one employee.

Page 72: 1.1 Slides Consultancy Services

Commitment to competence

Lack of job descriptions and performance agreements to define the tasks required to accomplish particular jobs and fill the various positions. Management has analyzed the tasks that need to be performed for particular jobs and given consideration to such things as the level of judgment required and the extent of supervision necessary.

Formal job descriptions or other means of identifying and defining specific tasks required for job positions have been established and are up-to-date.

Lack of analyses of the knowledge, skills, and abilities needed to perform jobs appropriately. The knowledge, skills, and abilities needed for various jobs have been identified and made known to employees.

Evidence exists that the department attempts to assure that employees selected for various positions have the requisite knowledge, skills, and abilities.

Page 73: 1.1 Slides Consultancy Services

Commitment to competence (2)

Lack of training and counseling in order to help employees maintain and improve their competence for their jobs.

There is an appropriate training program to meet the needs of all employees.

The department emphasizes the need for continuing training and has a control mechanism to help ensure that all employees actually receive appropriate training.

Supervisors have the necessary management skills and have been trained to provide effective job performance counseling.

Performance appraisals are based on an assessment of critical job factors and clearly identify areas in which the employee is performing well and areas that need improvement.

Employees are provided candid and constructive job performance counseling.

Lack of demonstrated ability in general management and extensive practical experience in operating governmental or business entities.

Page 74: 1.1 Slides Consultancy Services

Assignment of Authority and Responsibility

Lack of appropriately assigned authority and delegated responsibility to the proper personnel to deal with departmental goals and objectives.

Authority and responsibility are clearly assigned throughout the department and this is clearly communicated to all employees.  

Responsibility for decision-making is clearly linked to the assignment of authority, and individuals are held accountable accordingly.  

Along with increased delegation of authority and responsibility, management has effective procedures to monitor results.  

Page 75: 1.1 Slides Consultancy Services

Employees are uncertain as to (1) how their actions interrelate with those of others, given the way in which authority and responsibilities are assigned, and (2) whether they are aware of the related duties concerning internal control.

Job descriptions clearly indicate the degree of authority and accountability delegated to each position and the responsibilities assigned.

Job descriptions and performance evaluations contain specific references to internal control-related duties, responsibilities, and accountability.

The delegation of authority is inappropriate in relation to the assignment of responsibility.

Employees at the appropriate levels are empowered to correct problems or implement improvements.

There is an appropriate balance between the delegation of authority at lower levels to get the job done and the involvement of senior-level personnel.

Assignment of Authority and Responsibility (2)

Page 76: 1.1 Slides Consultancy Services

Human Resource Policies and Practices

Lack of policies and procedures for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating employees.

Management communicates information to recruiters about the type of competencies needed for the work or participates in the hiring process.  

Department has standards or criteria for hiring qualified people, with emphasis on education, experience, accomplishment, and ethical behavior.

Position descriptions/ qualifications are standardized for similar jobs.  

A training program has been established - includes orientation programs for new employees and ongoing training for all employees.  

Promotion, compensation, rotation of employees - based on performance appraisals.  

Performance appraisals linked to goals and objectives included in the strategic plan.  

The importance of integrity/ ethical values reflected in performance appraisal criteria.  

Employees are provided with appropriate feedback and counseling on their job performance and suggestions for improvements.  

Disciplinary/remedial action in response to violations of policies or ethical standards.  

Employment is terminated, following established policies, when performance is consistently below standards or there are significant and serious violations of policy.

Page 77: 1.1 Slides Consultancy Services

Lack of conducting background checks on candidates for employment.

Candidates who change jobs often are given particularly close attention.

Hiring standards require investigations for criminal records for all potential employees.

References and previous employers are contacted.

Educational and professional certifications are confirmed.

Lack of a proper amount of supervision.

Employees receive guidance, review, and on-the-job training from supervisors to help ensure proper work flow and processing of transactions and events, reduce misunderstandings, and discourage wrongful acts.

Supervisory personnel ensure that staff are aware of their duties and responsibilities and management's expectations.

Human Resource Policies and Practices (2)

Page 78: 1.1 Slides Consultancy Services

Management operating style

Excessive personnel turnover in key functions, such as operations and program management, accounting, or internal audit, indicating a problem with the department's emphasis on internal control.

There has not been excessive turnover of supervisory personnel related to internal control problems, and there is a strategy for dealing with turnover related to constraints such as salary caps.

Key personnel have not quit unexpectedly.

Personnel turnover has not been so great as to impair internal control as a result of employing many people new to their jobs and unfamiliar with the control activities and responsibilities.

There is no pattern to personnel turnover that would indicate a problem with the emphasis that management places on internal control.

Page 79: 1.1 Slides Consultancy Services

Negative and unsupportive attitude toward the functions of accounting, information management systems, personnel operations, monitoring, internal and external audits, and evaluations.

Financial accounting and budgeting operations are considered essential and viewed as methods for exercising control over the entity's various activities.

Management regularly relies on accounting/financial and programmatic data from its systems for decision-making purposes and performance evaluation.

If the accounting operation is decentralized, unit accounting personnel also have reporting responsibility to the central financial officer(s).

Financial management, accounting operations and budget execution operations are under the direction of the CFO, and strong synchronization and coordination exists between budgetary and proprietary financial accounting activities.

Management looks to the information management function for critical operating data and makes improvements in systems as technology advances.

Personnel operations have a high priority, and senior executives emphasize the importance of good human capital management.

Management places a high degree of importance on the work of the Internal Audit and external audits.

Management operating style (2)

Page 80: 1.1 Slides Consultancy Services

Lack of safeguarding of assets and information from unauthorized access or use.

Lack of frequent interaction between senior management and operating/program management, especially when operating from geographically dispersed locations.

Lack of management information regarding financial, budgetary, and operational/programmatic reporting.

Management is informed about and involved in critical financial reporting issues, and supports a conservative approach toward the application of accounting principles and estimates.

Management discloses all financial, budgetary, and programmatic information needed to fully understand the operations and financial condition.

Management avoids focus on short-term reported results.

Personnel do not submit inappropriate or inaccurate reports to meet targets.

Facts are not exaggerated, and budgetary estimates are not stretched to the point of unreasonableness.

Management operating style (3)

Page 81: 1.1 Slides Consultancy Services

Governance process

(Diagram: Objective, Process, Risk)

Laws/regs

Strategic/operational Plans (SMART/CQQT)

Capability – finance & human

Responsibility/accountability

Performance agreements/

Job descriptions

Performance measurement

Key measurable objectives and indicators

Page 82: 1.1 Slides Consultancy Services

Control environment

Monitoring of objectives

Executive authority

Integrity and ethical values

Commitment to competence

Key performance objectives

Key performance indicators

Management information

Exception reports

Responsibility assigned

Authority and responsibility

Page 83: 1.1 Slides Consultancy Services

Governance process

(Diagram: Objective, Process, Risk)

Laws/regs

Strategic/operational Plans (SMART/CQQT)

Capability – finance & human

Responsibility/accountability

Performance agreements/Job descriptions

Performance measurement

Key measurable objectives and indicators

Management info

Exception reports

Page 84: 1.1 Slides Consultancy Services

Core principles underlying effective performance measurement

Golden thread

Measurement across key processes

Reliable measurement selection process

Set and monitor goals (KMO and KMI)

Consistent measuring and reporting

Automate measurement and reporting

Link measurement to compensation

Corporate dollars

Page 85: 1.1 Slides Consultancy Services

03/05/23 85

Dashboard

Page 86: 1.1 Slides Consultancy Services

Information

Lack of process to gather information from internal and external sources and provide it to management as part of department reporting on operational performance relative to established objectives.

Internally generated information critical to achieving the department objectives, including information relative to critical success factors, is identified and regularly reported to management.

 

The department obtains and reports to managers any relevant external information that may affect the achievement of its missions, goals, and objectives, particularly that related to legislative or regulatory developments and political or economic changes.

 

Internal and external information needed by managers at all levels is reported to them.  

Page 87: 1.1 Slides Consultancy Services

Information (2)

Lack of process to identify, capture, and distribute pertinent information to the right people in sufficient detail, in the right form, and at the appropriate time to enable them to carry out their duties and responsibilities efficiently and effectively.

Managers receive analytical information that helps them identify specific actions that need to be taken.

Information is provided at the right level of detail for different levels of management.

Information is summarized and presented appropriately and provides pertinent information while permitting a closer inspection of details as needed.

Information is available on a timely basis to allow effective monitoring of events, activities, and transactions and to allow prompt reaction.

Program managers receive operational and financial information to help them determine whether they are meeting the strategic and annual performance plans and meeting goals for accountability of resources.

Operational information is provided to managers so that they may determine whether their programs comply with applicable laws and regulations.

The appropriate financial and budgetary information is provided for both internal and external financial reporting.

Page 88: 1.1 Slides Consultancy Services

Communications

Management does not ensure that effective internal communications occur.

Top management provides a clear message throughout the department that internal control responsibilities are important and must be taken seriously.

 

Employees' specific duties are clearly communicated; they understand relevant aspects of internal control, how their role fits into it, and how their work relates to the work of others.

 

Employees are informed that when something unexpected occurs in performing their duties, attention should be given to the underlying cause so that internal control weaknesses can be identified and corrected.

 

Acceptable behavior versus unacceptable behavior and the consequences of improper conduct are clearly communicated to all employees.

 

Mechanisms exist to allow the easy flow of information down, across, and up the department, and easy communication exists between functional activities.

 

Employees indicate that informal or separate lines of communications exist, which serve as a control for normal communications avenues.

 

Personnel understand there will be no reprisals for reporting adverse information, improper conduct, or circumvention of internal control activities.

 

Mechanisms are in place for employees to recommend improvements in operations, and management acknowledges good employee suggestions.

 

Management communicates frequently with internal oversight groups, keeping them informed of performance, risks, major initiatives, and any other significant events.

 

Page 89: 1.1 Slides Consultancy Services

Management does not ensure that effective external communications occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.

Open and effective communications channels have been established with customers, suppliers, contractors, consultants, and other groups that can provide significant input on quality and design of department products and services.

All outside parties are clearly informed of ethical standards and also understand that improper actions, such as improper billings, kickbacks, or other improper payments, will not be tolerated.

Communication from external parties is encouraged, since it can be a source of information on how well internal control is functioning.

Complaints or inquiries, especially those concerning services, such as shipments, receipts, and billings, are welcomed since they can point out control problems.

Management makes certain that the advice and recommendations of Internal Audit and other auditors and evaluators are fully considered and that actions are implemented to correct any problems or weaknesses they identify.

Communications (2)

Page 90: 1.1 Slides Consultancy Services

Forms and Means of Communications

The department lacks a system to communicate important information with employees and others.

Management uses effective communications methods, which may include policy and procedures manuals, management directives, memoranda, bulletin board notices, internet and intranet web pages, videotaped messages, e-mail, and speeches.

 

Two of the most powerful forms of communications used by management are the positive actions it takes in dealing with personnel throughout the department and its demonstrated support of internal control.

 

Page 91: 1.1 Slides Consultancy Services

The department does not manage, develop, and revise its information systems in an effort to continually improve the usefulness and reliability of its communication of information.

Information systems management is based on a strategic plan for information systems that is linked to the department's overall strategic plan.

A mechanism exists for identifying emerging information needs.

As part of the department's information management, improvements and advances in technology are monitored, analyzed, evaluated, and introduced to help the department respond more rapidly and efficiently to those it serves.

Management continually monitors the quality of the information captured, maintained, and communicated as measured by such factors as appropriateness of content, timeliness, accuracy, and accessibility.

Management's support for the development of information technology is demonstrated by its commitment of appropriate human and financial resources to the effort.

Forms and Means of Communications (2)

Page 92: 1.1 Slides Consultancy Services

Ongoing Monitoring

Lack of a strategy to ensure that ongoing monitoring is effective and will trigger separate evaluations where problems are identified or systems are critical and testing is periodically desirable.

Management's strategy provides for routine feedback and monitoring of performance and control objectives.  

The monitoring strategy includes methods to emphasize to program and operational managers that they have responsibility for internal control and that they should monitor the effectiveness of control activities as a part of their regular duties.

 

The monitoring strategy includes methods to emphasize to program managers their responsibility for internal control and their duties to regularly monitor the effectiveness of control activities.

 

The monitoring strategy includes identification of critical operational and mission support systems that need special review and evaluation.  

The strategy includes a plan for periodic evaluation of control activities for critical operational and mission support systems.

Page 93: 1.1 Slides Consultancy Services

Ongoing monitoring (2)

Lack of process whereby department personnel obtain information about whether internal control is functioning properly.

Operating reports are integrated/reconciled with financial and budgetary reporting system data and used to manage operations on an ongoing basis, and management is aware of inaccuracies or exceptions that could indicate internal control problems.

Operating management compares production, sales, or other operating information obtained in the course of its daily activities to system-generated information, and follows up on any inaccuracies or other problems that might be found.

Operating personnel are required to sign off on the accuracy of their unit's financial statements and are held accountable if errors are discovered.

Communications from vendors and monthly statements of accounts payable are used as control monitoring techniques.

Supplier complaints about any unfair practices by department purchasing agents are investigated.

Control activities that should have prevented or detected any problems that arose, but did not function properly, are reassessed.

Page 94: 1.1 Slides Consultancy Services

Ongoing monitoring (3)

Lack of appropriate departmental structure and supervision to help provide oversight of internal control functions.

Automated edits and checks as well as clerical activities are used to help control accuracy and completeness of transaction processing.

Separation of duties and responsibilities is used to help deter fraud.

The Internal Audit is independent and has authority to report directly to the department head and does not conduct department operations for management.

Lack of periodic reconciliation of data recorded by information and financial systems with physical assets, with discrepancies examined.

Inventory levels of materials, supplies, and other assets are checked regularly; differences between recorded and actual amounts are corrected; and the reasons for the discrepancies are resolved.

The frequency of the comparison is a function of the vulnerability of the asset.

Custodial accountability for assets and resources is assigned to responsible individuals.

Page 95: 1.1 Slides Consultancy Services

Ongoing monitoring (4)

Lack of effective and regular internal audit to provide recommendations for improvements in internal control with management taking appropriate follow-up action.

Lack of communication with employees to provide management with feedback on whether internal control is effective.

Relevant issues, information, and feedback concerning internal control raised at training seminars, planning sessions, and other meetings are captured and used by management to address problems or strengthen the internal control structure.

Employee suggestions on internal control are considered and acted upon as appropriate.

Management encourages employees to identify internal control weaknesses and report them to the next supervisory level.

Lack of process to ensure that employees are regularly asked to state explicitly whether they comply with the department's code of conduct or similar department pronouncements of expected employee behavior.

Personnel periodically acknowledge compliance with the code of conduct.

Signatures are required to evidence performance of critical internal control functions, such as reconciliations.

Page 96: 1.1 Slides Consultancy Services

Continuous improvement

(Diagram: Objective, Process, Risk)

Laws/regs

Strategic/operational Plans (SMART/CQQT)

Capability – finance & human

Responsibility/accountability

Performance agreements/Job descriptions

Performance measurement

Key measurable objectives and indicators

Management info

Exception reports

Page 97: 1.1 Slides Consultancy Services

Values are preserved

Appropriate disciplinary action

Management action to address intervention/overriding control

Management action to remove unethical behavior

Page 98: 1.1 Slides Consultancy Services

KING 2

IA report to highest level of authority

IIA definition of internal audit

IA plan should be risk based, linking to the ex auth risk assessment

Coordination with all assurance providers (internal and external)

External auditors' high commitment to ethics and independence

Page 99: 1.1 Slides Consultancy Services

Oversight Groups

Lack of mechanisms in place to monitor and review operations and programs.

An Internal Audit, which is independent from management, audits and reviews department activities.

The department has an audit committee or senior management council consisting of high-level line and staff executives that review the internal audit work and coordinate closely with the Internal and external auditors.

 

If there is an internal audit operation it reports to the department head.  

The internal audit function reviews the department's activities and systems and provides information, analyses, appraisals, recommendations, and counsel to management.

 

Page 100: 1.1 Slides Consultancy Services

Oversight groups (2)

Lack of coordination with executive oversight departments.

There is a good working relationship with Treasury, and major officials, including the CFO, meet regularly with Treasury personnel to discuss areas such as financial and budgetary reporting, internal control, and management's performance.

High-level department personnel maintain good working relationships with other executive branch departments that exercise multi-department control responsibilities, such as Treasury and the Tender Board.

Lack of communication with Cabinet in general and oversight committees in particular.

The department provides Cabinet and oversight committees (SCOPA) (board) with timely and accurate information to allow monitoring of department activities, including review of the department's (1) mission and goals, (2) performance reporting, and (3) financial position and operating results.

High-level department officials meet regularly with Cabinet and auditors to discuss major issues affecting operations, internal control, performance, and other major department activities and programs.

Page 101: 1.1 Slides Consultancy Services

When do we audit GPs

Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb

Governance processes

Risk management

Adequacy and effectiveness

Page 102: 1.1 Slides Consultancy Services

Reporting on governance processes

Assure management that the internal control system used to manage the relevant risk is adequate and effective to enable management to achieve the objectives of the department.

Page 103: 1.1 Slides Consultancy Services

Agenda

Audit Committees

IIA standards

Best practices

COSO

Risk Management Guidelines

Implementation Guidance

Page 104: 1.1 Slides Consultancy Services

2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.

2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Standards

Page 105: 1.1 Slides Consultancy Services

COSO framework

Control framework, 1992

Five elements, all must be present and functioning for controls to be effective

Risk management, 2003

Eight elements, all must be present and functioning for ERM to be effective

Page 106: 1.1 Slides Consultancy Services

COSO Control framework

Control environment

Risk assessment

Information/communication

Control activities

Monitoring

ERM framework

Internal environment

Objective setting

Event identification

Risk assessment

Risk Response

Control activities

Information/communication

Monitoring

Page 107: 1.1 Slides Consultancy Services

Objective setting

(Diagram: Control environment)

Strategic: High-level goals, aligned with and supporting the entity’s mission/vision.

Operational: Effectiveness/efficiency of operations, performance and service delivery goals.

Compliance: Compliance with applicable laws and regulations.

Reporting: Effectiveness of internal/external reporting, financial or non-financial.

Safeguarding of assets: Prevention/Timely detection

Page 108: 1.1 Slides Consultancy Services

RM – provides reasonable assurance

Extent to which strategic objectives are being achieved,

Extent to which operations objectives are being achieved,

Reporting is reliable, and

Applicable laws and regulations are being complied with.

Page 109: 1.1 Slides Consultancy Services

RM – achievement of objectives

Effective RM can be expected to provide reasonable assurance of achieving objectives relating to: reliability of reporting and to compliance with laws and regulations.

(Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed.)

Page 110: 1.1 Slides Consultancy Services

RM – achievement of objectives

Achievement of strategic and operations objectives is not always within the entity's control. (For these objectives, RM provides reasonable assurance that management, and the executive authority in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of objectives.)

Page 111: 1.1 Slides Consultancy Services

Control (Internal) environment

Risk management philosophy

Risk culture

Risk appetite

Executive authority

Integrity and values

Commitment to competence

Organisational structure

Accountability and responsibility

HR policies and procedures

Page 112: 1.1 Slides Consultancy Services

Control environment

Risk management philosophy

The entity's beliefs about risk and how it chooses to conduct its activities and deal with risk.

Understood by all personnel; facilitates employees’ ability to recognize and effectively manage risk.

Reflects the value the entity seeks from ERM and influences how ERM components will be applied.

Reinforced through daily action.

Page 113: 1.1 Slides Consultancy Services

Control environment

Risk culture

Risk management philosophy

Set of shared attitudes, values and practices that characterize how an entity considers risk in its day-to-day activities.

Page 114: 1.1 Slides Consultancy Services

Control environment

Risk appetite

Risk culture

Risk management philosophy

Guidepost in strategy setting.

ERM helps management select a strategy consistent with its risk appetite.

Management looks to align organization, people, processes, and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.

Page 115: 1.1 Slides Consultancy Services

Control environment

Risk appetite

Executive authority

Risk culture

Risk management philosophy

Legal mandate = entity-wide objectives = strategic plans = business plans = job descriptions and performance agreements

Effective communication to all employees

Page 116: 1.1 Slides Consultancy Services

Control environment

Risk appetite

Executive authority

Risk culture

Integrity and ethical values

Risk management philosophy

Ethical tone at the top

Properly communicated downwards

Formal code of conduct

Ethical standards

Acceptable operational practices

Conflict of interest

Page 117: 1.1 Slides Consultancy Services

Control environment

Risk appetite

Executive authority

Risk culture

Integrity and ethical values

Commitment to competence

Risk management philosophy

Job descriptions & performance agreements define tasks

Adequate analysis of knowledge and skills needed

Adequate training program

Page 118: 1.1 Slides Consultancy Services

Control environment

Organisational structure

Risk appetite

Philosophy/operating style

Executive authority

Risk culture

Integrity and ethical values

Commitment to competence

Risk management philosophy

Key performance objectives

Key performance indicators

Management information

Exception reports

Responsibility assigned

Page 119: 1.1 Slides Consultancy Services

Control environment

Authority and responsibility

Organisational structure

Risk appetite

Philosophy/operating style

Executive authority

Risk culture

Integrity and ethical values

Commitment to competence

Risk management philosophy

Appropriate structureAppropriate structureResponsibility assignedResponsibility assignedDelegation of authority Delegation of authority

consistent with assignment of consistent with assignment of responsibilityresponsibility

Who is driving accountability?Who is driving accountability?Disciplinary processes consistentDisciplinary processes consistent

Page 120: 1.1 Slides Consultancy Services

Cont

rol e

nvir

onm

ent

Authority and responsibility

Organisational structure

Risk appetite

Philosophy/operating style

Executive authority

Risk culture

Integrity and ethical values

Commitment to competence

HR policies and procedures

Risk management philosophy

Hire qualified staffHire qualified staffEthical Ethical

appointments with appointments with background checksbackground checks

Page 121: 1.1 Slides Consultancy Services

Cont

rol e

nvir

onm

ent

Authority and responsibility

Organisational structure

Risk appetite

Philosophy/operating style

Executive authority

Risk culture

Integrity and ethical values

Commitment to competence

HR policies and procedures

Risk management philosophy

Page 122: 1.1 Slides Consultancy Services

Oversight groups: a mechanism to monitor and review operations and programs. Independent oversight.

Page 123: 1.1 Slides Consultancy Services

[Diagram: the Mission, with four related objectives (Strategic objective, Operations objective, Reporting objective, Compliance objective), each delivered through a process, and the governance processes that sit across them.]

Page 124: 1.1 Slides Consultancy Services

Governance process

[Diagram: the governance process links the strategic plan, human resources, core responsibilities, financial budget and capital budget to the performance agreement, which equals the objective.]

Page 125: 1.1 Slides Consultancy Services

The ERM Framework

Entity objectives can be viewed in the context of four categories:

• Strategic
• Operations
• Reporting
• Compliance

Page 126: 1.1 Slides Consultancy Services

The ERM Framework

ERM considers activities at all levels of the organization:

• Enterprise-level
• Division or subsidiary
• Business unit processes

Page 127: 1.1 Slides Consultancy Services

The ERM Framework

Enterprise risk management requires an entity to take a portfolio view of risk.

Page 128: 1.1 Slides Consultancy Services

The ERM Framework

• Management considers how individual risks interrelate.

• Management develops a portfolio view from two perspectives:
- Business unit level
- Entity level

Page 129: 1.1 Slides Consultancy Services

The ERM Framework

The eight components of the framework are interrelated …

Page 130: 1.1 Slides Consultancy Services

[Diagram: grid of the five COSO components as rows, control environment (CE), risk assessment (RA), information and communication (IC), control activities (CA) and monitoring (M), against columns labelled S, C, R and E; the grid is repeated several times across the slide.]

Page 131: 1.1 Slides Consultancy Services

[Diagram: the same CE / RA / IC / CA / M against S / C / R / E grid as on page 130.]

Page 132: 1.1 Slides Consultancy Services

Objective Setting

Is applied when management considers risk strategy in the setting of objectives.

Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.

Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Page 133: 1.1 Slides Consultancy Services

Event IdentificationEvent Identification

• Differentiates risks and opportunities.

• Events that may have a negative impact represent risks.

• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Page 134: 1.1 Slides Consultancy Services

Event IdentificationEvent Identification

• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.

• Addresses how internal and external factors combine and interact to influence the risk profile.

Page 135: 1.1 Slides Consultancy Services

Control environment → Objective setting → Event identification

Internal factors that can give rise to events:

Infrastructure: availability of assets, capability of assets, access to capital, complexity
Personnel: employee capability, fraudulent activity, security practices
Process: capacity, design, execution, suppliers/dependencies
Technology: data (acquisition, maintenance, distribution, confidentiality, integrity); data and system availability, capacity; system (selection, development, deployment, reliability)

Page 136: 1.1 Slides Consultancy Services

Risk Assessment

• Allows an entity to understand the extent to which potential events might impact objectives.

• Assesses risks from two perspectives:
- Likelihood
- Impact

• Is used to assess risks and is normally also used to measure the related objectives.

Page 137: 1.1 Slides Consultancy Services

Risk AssessmentRisk Assessment

• Employs a combination of both qualitative and quantitative risk assessment methodologies.

• Relates time horizons to objective horizons.

• Assesses risk on both an inherent and a residual basis.

Page 138: 1.1 Slides Consultancy Services

Risk Response

• Identifies and evaluates possible responses to risk.

• Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.

• Selects and executes a response based on evaluation of the portfolio of risks and responses.

Page 139: 1.1 Slides Consultancy Services

Control ActivitiesControl Activities

• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.

• Occur throughout the organization, at all levels and in all functions.

• Include application and general information technology controls.

Page 140: 1.1 Slides Consultancy Services

Information & Communication

• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.

• Communication occurs in a broader sense, flowing down, across, and up the organization.

Page 141: 1.1 Slides Consultancy Services

Monitoring

Effectiveness of the other ERM components is monitored through:

• Ongoing monitoring activities.

• Separate evaluations.

• A combination of the two.

Page 142: 1.1 Slides Consultancy Services

COSO – all five components must be present and functioning before a control system can be effective.

Each of the five components is mapped against the four control objectives: safeguard assets; compliance with laws, regulations, contracts; reliability and integrity of information; economy, effectiveness and efficiency.

Control environment
Risk assessment
Information and communication
Control activity – prevention
Monitoring activities – detection

Page 143: 1.1 Slides Consultancy Services

IIA – all three components must be present and functioning before a control system can be effective.

Each of the three components is mapped against the same four control objectives: safeguard assets; compliance with laws, regulations, contracts; reliability and integrity of information; economy, effectiveness and efficiency.

Governance processes
Risk assessment process
Control processes

Page 144: 1.1 Slides Consultancy Services

Audit objective

To evaluate the adequacy and effectiveness of controls relating to:

Safeguarding of assets in the goods received area

Reliability and integrity of information in the:
Capturing phase
Processing phase
Updating the PTF
Updating the SMF

Economic, effective and efficient use of resources in the ordering phase

Page 145: 1.1 Slides Consultancy Services

Audit opinion

The controls relating to:

Safeguarding of assets in the goods received area

Reliability and integrity of information in the:
Capturing phase
Processing phase
Updating the PTF
Updating the SMF

Economic, effective and efficient use of resources in the ordering phase

Are adequate and effective

Page 146: 1.1 Slides Consultancy Services

Internal Control

A strong system of internal control is essential to effective enterprise risk management.

Page 147: 1.1 Slides Consultancy Services

Internal Auditors

• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.

• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements

Page 148: 1.1 Slides Consultancy Services

Key Implementation Factors

1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Page 149: 1.1 Slides Consultancy Services

Risk Analysis

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

[Diagram: risk analysis carried out at entity level, process level and activity level.]

Risk assessment: identification, measurement, prioritization
Risk management: control it; share or transfer it; diversify or avoid it
Risk monitoring

Page 150: 1.1 Slides Consultancy Services

DETERMINE RISK APPETITE

Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.

Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Page 151: 1.1 Slides Consultancy Services

[Diagram: Objective, Process, Risk; strategic risk assessment.]

Inherent risk – before the assessment of any controls

Page 152: 1.1 Slides Consultancy Services

Risk management strategies

[Diagram: impact (vertical axis) against likelihood (horizontal axis). Points X1, X2, X3 and Y1, Y2, Y3 are plotted; legend: "New controls", "Risk management strategy".]

Page 153: 1.1 Slides Consultancy Services

Risk assessment

How to measure the magnitude of risk?

The magnitude of risk is implied by the impact and likelihood, and is scored according to:

“magnitude of risk” = “impact” × “likelihood”

This risk index can be qualitative or quantitative.

[Diagram: 5 × 5 matrix with impact 1–5 on the horizontal axis and likelihood 1–5 on the vertical axis. Risk index > 12 = high risk; risk index < 5 = low risk; in between = medium risk.]

Page 154: 1.1 Slides Consultancy Services

Example: Call Center Risk Assessment

[Diagram: 2 × 2 matrix of IMPACT (low/high) against PROBABILITY (low/high). High impact and high probability = High Risk; high impact with low probability, or low impact with high probability = Medium Risk; low impact and low probability = Low Risk.]

Risks plotted on the matrix:

• Loss of phones
• Loss of computers

• Credit risk
• Customer has a long wait
• Customer can’t get through
• Customer can’t get answers

• Entry errors
• Equipment obsolescence
• Repeat calls for same problem

• Fraud
• Lost transactions
• Employee morale

Page 155: 1.1 Slides Consultancy Services

IDENTIFY RISK RESPONSES

• Quantification of risk exposure

• Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)

• Residual risk (unmitigated risk – e.g. shrinkage)

Page 156: 1.1 Slides Consultancy Services

Risk response

Risk response is the application of measures which lower the magnitude of risks:

the magnitude of risk is lowered by lowering the impact and/or likelihood,

preventive measures aim at eliminating the cause,

mitigation measures aim at preventing the propagation of the cause to the consequence.

[Diagram: the 5 × 5 likelihood/impact matrix showing a risk before and after risk reduction, and the chain cause → event → consequence, with preventive measures acting on the cause and mitigation measures acting on the propagation of the event to the consequence.]
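The scoring on page 153 (risk index = impact × likelihood on a 1–5 scale, > 12 high, < 5 low) and the risk response on pages 155–156 (lower likelihood and/or impact, leaving a residual risk) can be carried through in code. The example below is added here and is not part of the slides; the call-centre risk names are taken from page 154, but the impact and likelihood scores given to them are constructed for illustration, as are the reductions applied in the response.

```python
"""Risk index scoring and risk response on the slides' 5 x 5 impact x likelihood matrix.

Added example, not from the slides. The scores assigned to the call-centre risks
below are constructed sample data; the slides name the risks but do not score them.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # both axes of the matrix run 1..5


def risk_index(impact: int, likelihood: int) -> int:
    """'magnitude of risk' = 'impact' x 'likelihood', each scored 1..5."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be integers in 1..5")
    return impact * likelihood


def rate(index: int) -> str:
    """Slide thresholds: index > 12 is high, index < 5 is low, anything else medium."""
    if index > 12:
        return "high"
    if index < 5:
        return "low"
    return "medium"


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int

    @property
    def index(self) -> int:
        return risk_index(self.impact, self.likelihood)

    @property
    def rating(self) -> str:
        return rate(self.index)


def respond(risk: Risk, *, impact_reduction: int = 0, likelihood_reduction: int = 0) -> Risk:
    """Apply a 'reduce' response and return the residual risk.

    Preventive measures act on the cause and lower likelihood; mitigation measures act
    on the propagation to the consequence and lower impact. Neither score drops below 1,
    so some residual risk always remains (the slides' 'shrinkage').
    """
    return replace(
        risk,
        impact=max(1, risk.impact - impact_reduction),
        likelihood=max(1, risk.likelihood - likelihood_reduction),
    )


def heat_map() -> dict:
    """Rating of every cell of the 5 x 5 matrix, keyed by (impact, likelihood)."""
    return {(i, l): rate(risk_index(i, l)) for i in SCALE for l in SCALE}


def register(risks: list) -> list:
    """Risk register ordered by inherent index, highest first (the prioritisation step)."""
    return sorted(risks, key=lambda r: r.index, reverse=True)


# Constructed scores for some of the call-centre risks named on the slide (assumption).
CALL_CENTRE = [
    Risk("Loss of phones", impact=5, likelihood=3),
    Risk("Fraud", impact=4, likelihood=2),
    Risk("Customer has a long wait", impact=2, likelihood=5),
    Risk("Equipment obsolescence", impact=2, likelihood=2),
]

if __name__ == "__main__":
    for r in register(CALL_CENTRE):
        print(f"{r.name:26s} inherent index {r.index:2d} ({r.rating})")
    # Constructed response: failover telephony lowers likelihood, a fallback channel lowers impact.
    residual = respond(CALL_CENTRE[0], impact_reduction=2, likelihood_reduction=2)
    print(f"{residual.name}: residual index {residual.index} ({residual.rating})")
```

Note that the thresholds leave the boundary cells on the medium side: an index of exactly 12 (3 × 4) is medium, not high, and an index of exactly 5 (1 × 5) is medium, not low. Of the 25 cells, 6 rate high and 8 rate low.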

Page 157: 1.1 Slides Consultancy Services

Communicate Results

• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)

• Flowcharts of processes with key controls noted

• Narratives of business objectives linked to operational risks and responses

• List of key risks to be monitored or used

• Management understanding of key business risk responsibility and communication of assignments

Page 158: 1.1 Slides Consultancy Services

Monitor

• Collect and display information

• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks

Page 159: 1.1 Slides Consultancy Services

Management Oversight & Periodic Review

• Accountability for risks

• Ownership

• Updates
- Changes in business objectives
- Changes in systems
- Changes in processes

Page 160: 1.1 Slides Consultancy Services

[Diagram: Objective, Control, Process, Risk; control to minimize risks; inherent risk and residual risk.]

Residual risk – after the assessment of any controls

Page 161: 1.1 Slides Consultancy Services

So What

[Diagram: Objective, Control, Process, Risk.]

R > C: inadequate (risk exceeds control)
C > R: ineffective/inefficient (control exceeds risk)
C = R
CoC > CoR: uneconomic (cost of control exceeds cost of risk)

Page 162: 1.1 Slides Consultancy Services

Control analysis

[Table: each control activity is classified as Prevention or Detection and as IT or Manual, with an added value opportunity noted.]

Control activity:
Maintain physical security over goods received
Segregate custodial and record keeping functions

Added value opportunity:
Computerise to increase efficiency, economy, effectiveness
IT management information allows for effective detection controls
Detection control allows development of prevention controls

Page 163: 1.1 Slides Consultancy Services

[Diagram: the same CE / RA / IC / CA / M against S / C / R / E grid as on page 130.]

Page 164: 1.1 Slides Consultancy Services

Internal auditors can add value by:

• Reviewing critical control systems and risk management processes.

• Performing an effectiveness review of management's risk assessments and the internal controls.

• Providing advice in the design and improvement of control systems and risk mitigation strategies.

Page 165: 1.1 Slides Consultancy Services

Internal auditors can add value by:

• Implementing a risk-based approach to planning and executing the internal audit process.

• Ensuring that internal auditing’s resources are directed at those areas most important to the organization.

• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

Page 166: 1.1 Slides Consultancy Services

Internal auditors can add value by:

• Facilitating ERM workshops.

• Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

Page 167: 1.1 Slides Consultancy Services

Basic: Control is perceived to relate to financial matters only. Responsibility for internal control is not clearly assigned.

Best practice: Control is clearly understood to relate to operational performance, reporting (financial and non-financial) and compliance and is fully integrated with the department’s culture, structure and business processes. Control is timely, pervasive and anticipatory. Control is the responsibility of everyone in the department.

Page 168: 1.1 Slides Consultancy Services

Added value

[Flowchart of the audit cycle: audit scope and objectives; document the system (POF); identify weaknesses. Where weaknesses are found: inadequate opinion, no compliance work, recommendations. Where controls are adequate: effectiveness audit with likelihood assessment. Both paths lead to ADD VALUE.]