
THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

Prepared by:

Azman Kassim, CMIIA


LEARNING OBJECTIVES

  • WHAT IS CORPORATE GOVERNANCE?

  • IMPORTANCE OF RISK MANAGEMENT

  • RISK MANAGEMENT PROCESS

  • RISK BASED APPROACH AUDITING

  • VALUE ADDED ROLE OF INTERNAL AUDIT

  • ROLE OF MANAGEMENT & BOARD


INTRODUCTION

  • WORLDWIDE DEVELOPMENT

  • Corporate Failures

  • E.g. ENRON, WORLDCOM

  • Release of draft Enterprise Risk Management - Integrated Framework in 2003


INTRODUCTION

  • LOCAL DEVELOPMENT

  • Formation of The Institute of Internal Auditors Malaysia (IIAM-1997)

  • Securities Commission (1993)

  • Malaysian Institute of Corporate Governance (1999)

  • Bursa Malaysia’s SIC Guide (2001)


WHAT IS CORPORATE GOVERNANCE?

It can be defined as:

“… process and structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability with the ultimate objective of realising long-term shareholders’ value, whilst taking into account the interest of other stakeholders.”

Extracted from Report on Corporate Governance


CHARACTERISTICS OF GOOD CORPORATE GOVERNANCE

  • Can be accomplished through 3 important elements:

  • an effective Board of Directors

  • management structure and policies and procedures; and

  • independent supervision of audit committees



Today’s organizations are concerned about:

Risk Management

Governance

Control

Assurance (and Consulting)


WHY A SHIFT OF FOCUS TOWARDS RISK MANAGEMENT?

  • Rapid acceleration in competition as markets are globalized

  • Continuous quantum leap in technology

  • Increasing volume and complexity of legislation

  • Businesses that do not deal with risk will not survive

  • Without an effective risk management framework, all efforts are directed towards firefighting rather than adding value


WHY THE NEED FOR RISK MANAGEMENT??

“Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent.

Risk assessment is the identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed.

Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.”

Treadway Commission (US)


SURVEY ON STAGE OF ERM DEVELOPMENT

  • 48 % Partial and Complete ERM Framework

  • The rest not in place and no plans to implement ERM

    study conducted in 2004 by IIA Research Foundation based in USA


LINKING RISKS AND CONTROLS IN A BUSINESS PROCESS

[Diagram labels: Suppliers, Raw Materials/Services, Process, Finished Products, Customers, Risks, Controls]


Institute of Internal Auditors

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operation. It helps organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process.”


INTERNAL AUDITING PROFESSION

  • AUDIT CHARTER

  • INTERNAL AUDIT GUIDELINES

  • SPPIA

  • CODE OF ETHICS

  • REGULATED : LAWS & REGULATION


INTERNAL AUDIT PROCESS MAP

[Diagram labels: Organization Mission, Objectives & Plan; Organization Structure; Organization Risks; Strategic Audit Planning; Audit Strategy; Audit Tasks; Annual Audit Planning; Audit Schedule]

  • Control Self Assessment

  • Review of Control Systems

  • Internal Control Advice

  • Information Systems Risk Analysis

  • Systems Under Development

  • Review of the Risk Management Systems


Internal Audit Process

  • Risk Management is:

  • central aspect of the work of an internal auditor

  • essential tool in the development of an internal audit strategy and annual internal audit plan

  • provision of control advice


Standards

  • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.

  • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.

  • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.


RISK MANAGEMENT

  • PURPOSE

  • BOARD’S ROLE

  • SENIOR MANAGEMENT ROLE

  • INTERNAL AUDITOR’S ROLE



WHAT IS RISK MANAGEMENT?

Risk Management is an ongoing process of:

  • Identifying risk

  • Measure its potential impact

  • Monitors the action

  • Do what’s necessary to manage it


RISK MANAGEMENT

DEFINITION

“It is a term applied to a logical and systematic method of identifying, analyzing, assessing, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize opportunities. Risk management is as much about identifying opportunities as avoiding or mitigating losses.”

Source: AS/NZS 4360:1995


RISK COMPONENTS

Political Economic Cycle

Environmental, Health & Safety

Business Interruptions

Business Risk Exposures

Personnel

Financial

Information Technology

Contractual/Legal

Harmful Actions


RISK:

Any issue which could impact your ability to meet your objectives

Source : PricewaterhouseCoopers 1999


DIFFERENT VIEWS OF RISK

  • Hazard: Risk of bad things happening

  • Uncertainty: Not meeting expectations

  • Opportunity: Exploiting the upside


RISK ASSESSMENT THOUGHT PROCESS

  • Define Objectives: What do we want to accomplish?

  • Identify Risks: What can go wrong? (describe both cause and effect)

  • Assess Risks: Likelihood, Significance

  • Decide How to Manage Risks: Avoid, Transfer, Accept, Reduce

  • Design or Evaluate Controls: To cost-effectively reach optimum level of risk


Risk Analysis

  • Risk Assessment: Identification, Measurement, Prioritization

  • Risk Management: Control It, Share or Transfer It, Diversify or Avoid It

  • Risk Monitoring: Process Level, Activity Level, Entity Level

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors


RISK MATRIX

  • LIKELIHOOD & IMPACT

  • 4 QUADRANTS

  • ACCEPT, REDUCE, TRANSFER, REJECT


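Impact vs. Probability

Vertical axis: SIGNIFICANCE OR IMPACT. Horizontal axis: PROBABILITY OR LIKELIHOOD (Low to High).

  • High impact, low probability: Medium Risk - Share

  • High impact, high probability: High Risk - Mitigate & Control

  • Low impact, low probability: Low Risk - Accept

  • Low impact, high probability: Medium Risk - Control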


Example: Call Center Risk Assessment

Vertical axis: IMPACT. Horizontal axis: PROBABILITY (Low to High).

High impact (Medium Risk and High Risk quadrants):

  • Loss of phones

  • Loss of computers

  • Credit risk

  • Customer has a long wait

  • Customer can’t get through

  • Customer can’t get answers

Low impact (Low Risk and Medium Risk quadrants):

  • Entry errors

  • Equipment obsolescence

  • Repeat calls for same problem

  • Fraud

  • Lost transactions

  • Employee morale


Example: Accounts Payable Process

Columns: Control Objective, Risk, Control Activity

Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing


ROLE OF THE BOARD

Responsible for:

  • setting up appropriate internal control policies

  • seeking regular assurance to satisfy itself that the system is functioning adequately and its integrity is maintained

  • ensuring that the system is adequate in managing risk in an approved manner


ROLE OF MANAGEMENT

  • Implement the board policies on risk and control

  • Identify and evaluate risks faced by the company for consideration by the board

  • Design, operate and monitor a suitable system of internal control which implements the policies adopted by the board

  • Ensure that all employees have some responsibility for internal control


ROLE OF MANAGEMENT

  • Remind all that risk exists in all aspects of the business

  • Inject a risk culture where the Board and CEO support, and are perceived as clearly supporting, the necessary focus on risk management


INTERNAL AUDIT’S ROLE

  • May be initial champion (but it must not be an “audit thing”)

  • Advise top management in setting up the process

  • Advise line managers in performing the self assessments

  • Evaluate self assessment process and compare to audit results


INTERNAL AUDITORS CAN ADD VALUE BY:

  • Reviewing critical control systems and risk management processes.

  • Performing an effectiveness review of management's risk assessments and the internal controls.

  • Providing advice in the design and improvement of control systems and risk mitigation strategies.


INTERNAL AUDITORS CAN ADD VALUE BY:

  • Implementing a risk-based approach to planning and executing the internal audit process.

  • Ensuring that internal auditing’s resources are directed at those areas most important to the organization.

  • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.


INTERNAL AUDITORS CAN ADD VALUE BY:

  • Facilitating ERM workshops.

  • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.


COMMON BARRIERS TO TODAY’S INTERNAL AUDIT CHALLENGES

People - Subject Matter Expertise, Competencies

Methodology - Risk-Based Audit Approach

Technology - Auditing Tools/Software

Knowledge - Knowledge Sharing

Extract from IBBM May-June 2005


ROLES INTERNAL AUDITING SHOULD NOT UNDERTAKE

  • Setting Risk Appetite

  • Imposing Risk Management Process

  • Management Assurance on Risks

  • Taking Decisions on Risk Responses

  • Implementing Risk Responses on Management’s Behalf

  • Accountability For Risk Management

The Institute of Internal Auditors, September 29, 2004


ENVIRONMENT RISK

Competitor, Sovereign/Political, Social/Cultural, Technological Innovation

Shareholder Relations, Financial Markets, Labor Availability, Sensitivity

Capital Availability, Legal, Catastrophic Events, Regulatory, Globalization

PROCESS RISK

EMPOWERMENT RISK

Accountability

Leadership

Authority/Limit

Outsourcing

Performance Incentives

Change Readiness

Communications

OPERATIONS RISK

Customer Satisfaction

Efficiency/Productivity

Capacity

Inventory

Cycle Time

Obsolescence

Compliance

Labor/Employee

Product Acceptance

Product/Service Quality

Environmental

Health and Safety

Resource Availability

Resource Price Volatility

Trademark/Brand Name Erosion

FINANCIAL RISK

Interest Rate

Currency

Equity

Cash Flow

Opportunity Cost

Concentration

Default

Market

Settlement

Price

Liquidity

INFORMATION PROCESSING/TECHNOLOGY RISK

Relevance

Integrity

Access

Availability

Infrastructure

Credit

INTEGRITY RISK

Management Fraud

Employee Fraud

Illegal Acts

Unauthorized Use

Reputation

INFORMATION FOR DECISION MAKING RISK

OPERATIONAL

Product Pricing

Product Costing

Contract Commitment

Performance Measurement

Process Alignment

Regulatory Reporting

FINANCIAL

Budget and Planning

Accounting Information

Financial Reporting Evaluation

Taxation

Compensation and Benefits

Investment Evaluation

Regulatory Reporting

STRATEGIC

Environmental Monitoring

Business Portfolio

Valuation

Performance Measurement

Organization Design

Resource Allocation

Planning

Product Life Cycle

BUSINESS RISK MODEL: A COMMON LANGUAGE


CONCLUSION

  • Internal auditors need to rise up to the changes within themselves and the organization they serve and be change agents as well

  • Managing risk is crucial to any organization if they are to be competitive and successful in today’s global economy


THANK YOU

