King III @ September 2009 (Anton van Wyk – firstname.lastname@example.org – 011 797 5338). King III – Apply or Explain. PwC. Mississippi Company Bubble France 1720 South Sea Bubble UK 1720. Victorian Land Boom Australia 1890. Tulip Mania Holland 1637. Railroads Bubble UK 1846.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
(Anton van Wyk – email@example.com – 011 797 5338)
King III – Apply or Explain
South Sea Bubble
Victorian Land Boom
Panic of 1825 import from Bank of England
Panic of 1893 extension of 1873
Depression of 1780s
Panic of 1837 paper credit overexpands
Panic of 1857 ends Gold Rush expansion
Panic of 1873 spurs US move to gold standard
Global “Governance events” over the centuries
1990 – 92
1990 - 92
ERM Exchange Rate Crisis
Finland, UK, Spain, Italy
1992 – 93
Asian Financial Crisis
South Korea, Thailand
1992 - 97
1985 - 89
1985 - 89
International banking crisis
Announcement of International
UK, Ireland, Spain
Mortgage Liquidity Crisis
1986 – 95
Stock Market Crash
2001 - 02
1990 - 91
Panic of 1901
first NYSE crash
1919 - 20
1995 - 2001
Management hedge fund collapse
Florida Building Bubble
The Great Crash
1929 - 39
And Subprime Crisis
BC – AD
Again, huge failings in the last 2 years
Pressures emerging to sharpen risk assessment focus
Business durability, collaboration, balance & connectivity
Information required to predict the future
Internal Financial control assurance
Searching for the “right” resources
“One view – one risk aggregation” – Combined Assurance
‘Cost of compliance’
Searching for assurance value
People/stakeholders/investors thinking differently
Perverse incentive / bonus payments – rewarding failure.
Globe unprepared for the scale, speed & severity of recent crisis
Many things happening simultaneously
Existing risk models and internal audit functionality couldn’t cope with the complexity of factors impacting the chaos
Risk Governance not linking strategy, risk management & risk bearing capacity
The weak were eliminated – at huge cost
The resilient will (mostly) prevail – cash is King
Well capitalised banks survived
Stock markets worked
The future will still offer less predictable outcomes – there will be more crises, will we be better prepared.
We have though, once again shown we are one of the most resilient countries (and people) on earth.
Assurance over the final report
The role of Internal Audit?
Key integration by Internal Audit.
Strategically focussed Internal Audit
A Transformed Approach
Informing the Audit Committee
Creating better relationships
Internal Financial Control
Testing and maintenance
Internal audit’s assessment statement
Governance of Risk
Correlation of Risk Appetite and Risk Tolerance
Knowing this space
Absolute board leadership
Risk embedded within Strategy and Business Processes
Balancing Risk and Reward – taking calculated ‘smart’ risks
Assessment of cost of risk, including lost opportunities
CEO as Risk Champion
Determine the levels of risk tolerance
The risk committee or audit committee should assist the board in carrying out its risk responsibilities
Management has the responsibility to design, implement and monitor the risk management plan
Risk assessments are performed on a continuous basis
Framework and methodologies are implemented to increase the possibility of anticipating unpredictable risks
Management considered and implements appropriate risk responses
Continuous risk monitoring by management
The board should receive combined assurance regarding the effectiveness of the risk management process
10 Minutes on Managing Risk ..\Risk\pwc-10minutes-managing-risk.pdf
Economic & financial / Energy costs, price volatility, currency fall, asset price collapse
Environmental / Climate change, weather, water, catastrophe
Geopolotocal / Globalisation retrenchment, risk governance, war, terrorism, crime
Societal / Diseases
Technological / Critical system failure or attack, nanotechnologies
Travel / Fast, flexible logistics and transport
Product demand / Responding to rising middle class
Market confluence / Finance, goods, services
Resource pressure / Food, water, energy
Communication / Inexpensive, instant, omnipresent
Globalisation factorsForces of globalisation cross the spectrum of risk
Do we understand how risk appetite and tolerance is applied in our organisation?
How do we know that the biggest risk exposures to our organisation are being adequately managed?
When last did we participate in a risk assessment activity?
How often have we considered the same risk-related issue in the various management and governance meetings?
Is ICT risk actively considered in our risk management process?
Do we specifically consider compliance risk and, if so, how satisfied are we that it is effectively covered?
Are risks prioritised and ranked to focus the responses and interventions on those risks outside the board’s risk tolerance limits?
Do we have an approved annual risk management plan?
Who assures non financial risks, such as plant availability, staff capacity and competency, the impact of legislative changes on the business/organisation etc? And to which management or board committee is the assurance provided? Are we satisfied that this assurance is reliable?
Do we have a fraud risk plan to consider our fraud exposure and prevention?
Does our disclosure on the effectiveness of risk management reflect the actual position of our business/organisation?
© 2009 PricewaterhouseCoopers Inc. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. PricewaterhouseCoopers Inc is an authorised financial services provider.
There is an effective risk based internal audit
Evaluating the company’s governance processes
Objective assessment of the effectiveness of risk management and the internal control framework
Analysing and evaluating business process and associated controls
Adhere to the IIA Standards and Code of ethics
Should follow a risk based approach to its plan
Informed by the strategy and risks of the company
Assess the company’s risks and opportunities
Provide a written assessment of the effectiveness of the company’s system of internal controls and risk management
An integral part of the combined assurance model as internal assurance provider
Internal controls should be established not only over financial matters, but also operational, compliance and sustainability issues
Internal audit should provide a written assessment of internal controls and risk management to the board
Written assessment of internal financial controls to the audit committee
The audit committee should be responsible for the oversight of internal audit
Subjected to an independent quality review
Should be strategically positioned to achieve its objectives
The CAE should have standing invitation to attend executive committee meetings
Internal audit function should be appropriately resourced and have sufficient budget allocated to the function
Skilled and resourced as is appropriate for the complexity and volume of risk and assurance needs
The CAE should develop and maintain a quality assurance and improvement programme
Written assessment of internal financial controls made available to the audit committee
Here are highlights of what the respondents to the PwC ‘State of the Profession’ 2009 survey, had to say about internal audit budgets and resources:
“Top-down” approach where coverage is driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic issues of the organisation.
Identify Stakeholder Value Creating Activities
Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance)
Evaluate Impact to Stakeholder Value
Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations.
Evaluate Impact of Risks within Audit Universe
Identify Risks (Financial Operations, Compliance)
Define Audit Universe (e.g., geography, business unit, etc.)Risk based Internal Audit
Strategic / Business
Percentage of internal audit departments that contribute 25 % or more of their resources to key categories of risks
Percentage of internal audit departments that increased coverage in each area during 2008Composition of auditing activities
Internal Audit focus should evolve to align with emerging/changing risks
Internal Audit should balance its focus on all key elements in the risk domain
The portfolio of stakeholders will expand to include business unit management and other key executives, as well as other committees of the Board
Internal Audit should enhance its understanding of (and focus on) risk management in general and ERM in particular. Internal Audit should become a key source of insight on the risks facing the organisation.
Internal Audit needs to enhance its communications with management and the Board. Communications need to become more impactful and timely.
Internal Audit management and staff need to develop greater business knowledge and enhance IT skills
Good internal control will ensure sustained business development!
Project Management Support
Internal audit required to
Identify risks to financial reporting
Evaluate whether financial controls exist to address the risks identified
Evaluate design, implementation and operation of identified controls
Document the review in a comprehensive manner to support its conclusions
Adequate skilled resources in internal audit function
The changing role of the audit committee
Is there a control framework (e.g. COSO) governing financial reporting in the organisation?
Have we identified and documented all probable risks to fair presentation in the financial statements and disclosures? (Fair presentation implies that the numbers and disclosures are not materially misstated).
Are there controls in place to address these risks and are they adequately designed to prevent or detect material misstatements in the financial statements and disclosures?
Do the controls identified operate as they are supposed to and are they appropriately evidenced?
Have we examined or tested the controls identified above to ensure that our report to the audit committee is accurate and complete?
Have we appropriately evidenced our assessment?
Is a process in place to ensure that the framework remains relevant over time?
A coordinated approach to all assurance activities
to ensure that assurance provided by
adequately addresses significant risks facing the company and that
suitable controls exist to mitigate and reduce these risks
“Integrating and aligning assurance processes in an organisation to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the Audit and Risk Committee, considering the organisation’s risk appetite”
Corporate Governance Framework