
Role of Internal Auditors in Risk Management and Governance 16 August 2019






Presentation Transcript


  1. Role of Internal Auditors in Risk Management and Governance 16 August 2019

  2. Disclaimer This document/presentation is proprietary to SGV & Co (“Ernst & Young”). It is supplied in confidence and should not be disclosed, duplicated or otherwise revealed in whole or in part to any third parties without the prior consent of Ernst & Young. While every care has been taken in preparing this document, the content is subject to formal contract negotiations. All conditions and warranties whether express or implied by statute, law or otherwise, are hereby excluded. Ernst & Young and the stylized Ernst & Young symbol are registered with trademark offices around the world.

  3. Corporate governance framework
  IDENTIFY AND MANAGE KEY BUSINESS RISKS / BUILD AND PROTECT VALUE
  Stakeholder groups surrounding the organization:
  • Government and regulatory: internal controls regulations, other new and evolving country regulations, Basel III, etc.
  • Investment community: institutional investors, exchange listing standards, etc.
  • Business environment: labor unions, corporate social responsibility, suppliers, etc.
  • Financial community: ratings agencies, underwriters, etc.

  4. Corporate governance - updated definition “The system of stewardship and control to guide organizations in fulfilling their long-term economic, moral, legal and social obligations towards their stakeholders. Corporate governance is a system of direction, feedback and control using regulations, performance standards and ethical guidelines to hold the Board and Senior Management accountable for ensuring ethical behavior – reconciling long-term customer satisfaction with shareholder value – to the benefit of all stakeholders and society. Its purpose is to maximize the organization’s long-term success, creating sustainable value for its shareholders, stakeholders and the nation” - Code of Corporate Governance for Publicly Listed Companies (2016)

  5. Corporate governance framework (with the Risk Function)
  IDENTIFY AND MANAGE KEY BUSINESS RISKS / BUILD AND PROTECT VALUE
  Same stakeholder groups as slide 3, with the Risk Function placed at the center of the framework:
  • Government and regulatory: internal controls regulations, other new and evolving country regulations, Basel III, etc.
  • Investment community: institutional investors, exchange listing standards, etc.
  • Business environment: labor unions, corporate social responsibility, suppliers, etc.
  • Financial community: ratings agencies, underwriters, etc.
  • Risk Function

  6. New code of corporate governance - Principle 12 “To ensure integrity, transparency and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework.” - Code of Corporate Governance for Publicly Listed Companies

  7. Business Risk “A risk is a threat that an event or action will adversely affect the organization’s ability to achieve its business objectives and maximize stakeholder value.” Or, put simply: “What keeps Top Management awake at night?”

  8. Linking Risk to Business Strategy (diagram)
  • Risks - existing or emerging, internal or external, tangible or intangible, including lack of information - act on the company’s goals, objectives and strategies.
  • Managed properly, through risk management strategies, a risk becomes an Opportunity.
  • Not managed properly, a risk becomes an Exposure.

  9. Defining Risk Management (RM) A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. - The Institute of Internal Auditors

  10. ERM Defined
  Per ISO 31000: Risk Management is “coordinated activities to direct and control an organization with regard to risk.”
  Per the Committee of Sponsoring Organizations of the Treadway Commission (COSO): Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  11. ERM helps address these issues
  • Balance: Are we managing the right risks?
  • Accountability: Who is on top of these exposures?
  • Compliance: Are the policies and processes established to manage risks being complied with?
  • Completeness: Are we proactively identifying and managing our key exposures?
  • Coordination: Are the efforts well-coordinated to ensure we don’t manage risks in silos?
  • Effectiveness: Are mitigation strategies monitored for effectiveness?

  12. Role of IA in the ERM process - Internal auditor’s role in risk management: To provide objective assurance to the Board on the effectiveness of an organization’s ERM activities, to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively. - The Institute of Internal Auditors

  13. Role of IA in the ERM process - IA’s primary role in the risk management process:
  • Monitor compliance with the Risk Management Policy
  • Identify and monitor risk created from the implementation of risk management strategies
  • Provide assurance on risk controls
  • Provide assurance on the integrity of risk information and measures

  14. IA Review of Risk Management (The Institute of Internal Auditors)
  Core internal audit roles in regard to ERM:
  • Giving assurance on the RM process
  • Giving assurance that risks are correctly evaluated
  • Evaluating RM processes
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks
  Legitimate internal audit roles with safeguards:
  • Facilitating identification and evaluation of risk
  • Coaching management in responding to risks
  • Coordinating ERM activities
  • Coordinating reporting on risks
  • Maintaining and developing the ERM framework
  • Championing establishment of ERM
  • Developing ERM strategy for board approval
  Roles internal auditing should not undertake:
  • Setting the risk appetite
  • Imposing RM processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management’s behalf
  • Accountability for RM

  15. IA Review of Risk Management - ASSURANCE ROLE Assurance activities can be categorized in three primary types:
  • Assurance on the risk management process itself.
  • Assurance on significant risks and management assertions.
  • Follow-up of risk treatment plan status.
  - The Institute of Internal Auditors

  16. Primary Types of Assurance Activities - 1. Assurance on the risk management process itself: whether the entity’s risk management program is effectively designed, documented and operating in support of the entity’s objectives. - The Institute of Internal Auditors

  17. Primary Types of Assurance Activities - 2. Assurance on significant risks and management assertions (diagram): management’s controls and the risk management process are intended to bring risks within the entity’s risk tolerance threshold; internal audit applies audit procedures to those controls and assertions and communicates the results. - The Institute of Internal Auditors

  18. Primary Types of Assurance Activities - 3. Follow-up of risk treatment plan status: monitor performance against the plan. At a minimum, such monitoring should be designed to:
  • Provide management with an assessment of progress against milestones, and
  • Validate risk treatment plan status reports to the board.
  - The Institute of Internal Auditors

  19. Assurance of the Risk Management Process - process elements approach (ISO 31000):
  • Communication and consultation
  • Establishing the context
  • Risk assessment: risk identification, risk analysis, risk evaluation
  • Risk treatment
  • Monitoring and review

  20. IIA Standards - Standard 2120-1, Assessing the Adequacy of Risk Management Processes (Obtaining Audit Evidence): Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of the risk management processes are being met, in order to form an opinion on the adequacy of RM processes. - The Institute of Internal Auditors

  21. Assessing the Quality of Risk Management documentation
  • In providing an ERM effectiveness statement to external parties, management should consider developing and maintaining documentation as proper support for the statement.
  • Considering the above, IA should assess whether:
  • A strategy for managing risk information from all sources is in place.
  • The necessary infrastructure for communicating risk information is in place.
  • There are common definitions.
  • There are guidelines for the creation, deletion, and sharing of risk information.
  • There are adequate resources assigned.
  • Technology is cost efficient and used where appropriate.
  • A proactive approach is taken to monitoring.
  • Risk information is part of the planning process.
  • Risk information is integrated with performance information.

  22. Linkage of ERM in Audit Plan Development - Linking the Audit Plan to Risk and Exposures: The Chief Audit Executive (CAE) must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. Interpretation:
  • The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.
  • If no such framework exists, the CAE uses his or her own judgment of risks after consultation with senior management and the Board.
  • The CAE should ensure that internal auditors with specialized expertise or external service providers are used when auditing specialized risk categories (e.g., workplace health and safety, environmental auditing, complex financial instruments).

  23. Linkage of ERM in Audit Plan Development (sample chart only; not reproduced in the transcript)

  24. Questions?
