Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT PowerPoint Presentation
Download Presentation
THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

1716 Views Download Presentation
Download Presentation

THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. THE ROLE OF INTERNAL AUDIT IN RISK MANAGEMENT Prepared by: Azman Kassim, CMIIA

  2. LEARNING OBJECTIVES • WHAT IS CORPORATE GOVERNANCE? • IMPORTANCE OF RISK MANAGEMENT • RISK MANAGEMENT PROCESS • RISK BASED APPROACH AUDITING • VALUE ADDED ROLE OF INTERNAL AUDIT • ROLE OF MANAGEMENT & BOARD

  3. INTRODUCTION • WORLDWIDE DEVELOPMENT • Corporate Failures • Eg ENRON, WORLD.COM • Release of draft Enterprise Risk Management- • Integrated Framework in 2003

  4. INTRODUCTION • LOCAL DEVELOPMENT • Formation of The Institute of Internal Auditors Malaysia (IIAM-1997) • Securities Commission (1993) • Malaysian Institute of Corporate Governance (1999) • Bursa Malaysia’s SIC Guide (2001)

  5. WHAT IS CORPORATE GOVERNANCE? It can be defined as : “….process and structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability with the ultimate objective of realising long-term shareholders’ value, whilst taking into account the interest of other stakeholders’. Extracted from Report on Corporate Governance

  6. CHARACTERISTICS OF GOOD CORPORATE GOVERNANCE • Can be accomplished through 3 important elements : • an effective Board of Directors • management structure and policies and procedures; and • independent supervision of audit committees

  7. COSO

  8. Today’s organizations are concerned about: Risk Management Governance Control Assurance (and Consulting)

  9. WHY A SHIFT OF FOCUS TOWARDS RISK MANAGEMENT? • Rapid acceleration in competition as markets • are globalize • Continuous quantum leap in technology • Increasing volume and complexity of • legislation • Business that do not deal with risk will not • survive • Without effective risk management framework • all efforts are directed towards firefighting • rather than add value

  10. WHY THE NEED FOR RISK MANAGEMENT?? “Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.” Treadway Commission (US)

  11. SURVEY ON STAGE OF ERM DEVELOPMENT • 48 % Partial and Complete ERM Framework • The rest not in place and no plans to implement ERM study conducted in 2004 by IIA Research Foundation based in USA

  12. LINKING RISKS AND CONTROLS IN A BUSINESS PROCESS Risks Raw Materials/ Services Finished Products Suppliers Customers Controls Process

  13. Institute of Internal Auditors “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operation. It helps organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process.”

  14. INTERNAL AUDITING PROFESSION • AUDIT CHARTER • INTERNAL AUDIT GUIDELINES • SPPIA • CODE OF ETHIC • REGULATED : LAWS & REGULATION

  15. INTERNAL AUDIT PROCESS MAP Organization Mission, Objectives & Plan Organization Structure Organization Risks Strategic Audit Planning Audit Tasks Audit Strategy • Control Self Assessment • Review of Control Systems • Internal Control Advice • Information Systems Risk Analysis • Systems Under Development • Review of the Risk Management Systems Annual Audit Planning Audit Schedule

  16. Internal Audit Process • Risk Management is: • central aspect of the work of an internal auditor • essential tool in the development of an internal audit • strategy and annual internal audit plan • provision of control advice

  17. Standards • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

  18. RISK MANAGEMENT • PURPOSE • BOARD’S ROLE • SENIOR MANAGEMENT ROLE • INTERNAL AUDITOR’S ROLE

  19. Risk assessment is an important part of the internal auditing process

  20. WHAT IS RISK MANAGEMENT? Identifying risk Risk Management is an ongoing process of Measure its potential impact Monitors the action Do what’s necessary to manage it

  21. RISK MANAGEMENT DEFINITION “It is a term applied to a logical and systematic method of identifying, analyzing, assessing, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize opportunities. Risk management is as much about identifying opportunities as avoiding or mitigating losses.” Source: AS/NZS 4360:1995

  22. RISK COMPONENTS Political Economic Cycle Environmental, Health & Safety Business Interruptions Business Risk Exposures Personnel Financial Information Technology Contractual/Legal Harmful Actions

  23. RISK : Any issue which could impact your ability to meet your objectives Source : PricewaterhouseCoopers 1999

  24. DIFFERENT VIEWS OF RISK Hazard Risk of bad things happening Uncertainty Not meeting expectations Opportunity Exploiting the upside

  25. RISK ASSESSMENT THOUGHT PROCESS Define Objec-tives Identify Risks Assess Risks Decide How to Manage Risks Design or Evaluate Controls What do we want to accomplish? What can go wrong? (describe both cause and effect) • Likelihood • Significance • Avoid • Transfer • Accept • Reduce To cost- effectively reach optimum level of risk

  26. Risk Analysis Risk Assessment Risk Management Risk Monitoring Identification Control It Process Level Measurement Share or Transfer It Activity Level Prioritization Diversify or Avoid It Entity Level Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

  27. RISK MATRIX • LIKELIHOOD & IMPACT • 4 QUADRANTS • ACCEPT,REDUCE, TRANSFER, REJECT

  28. Impact vs. Probability High Medium Risk High Risk S I G N I F I C A N C E I M P A C T Share Mitigate & Control O R Low Risk Medium Risk Accept Control PROBABILITY Low High OR LIKELIHOOD

  29. Example: Call Center Risk Assessment High Medium Risk High Risk • Loss of phones • Loss of computers • Credit risk • Customer has a long wait • Customer can’t get through • Customer can’t get answers I M P A C T Low Risk Medium Risk • Entry errors • Equipment obsolescence • Repeat calls for same problem • Fraud • Lost transactions • Employee morale Low PROBABILITY High

  30. Example: Accounts Payable Process ControlRiskControlObjectiveActivity CompletenessMaterial Accrual of transaction open liabilities not recorded Invoices accrued after closing

  31. ROLE OF THE BOARD Responsible for : setting up appropriate internal control policies seeking regular assurance to satisfy itself that the systems is functioning adequately and its integrity is maintained ensuring that the system is adequate in managing risk in an approved manner - - -

  32. ROLE OF MANAGEMENT Implement the board policies on risk and control Identify and evaluate risks faced by the company for consideration by the board design, operate and monitor a suitable system of internal control which implements the policies adopted by the board ensure that all employees have some responsibility for internal control - - - -

  33. ROLE OF MANAGEMENT - - Remind all that risk exists in all aspects of the business inject a risk culture where Board and CEO supports, perceived as clearly supporting, the necessary focus on risk management

  34. INTERNAL AUDIT’S ROLE • May be initial champion (but it must not be an “audit thing”) • Advise top management in setting up the process • Advise line managers in performing the self assessments • Evaluate self assessment process and compare to audit results

  35. INTERNAL AUDITORS CAN ADD VALUE BY: • Reviewing critical control systems and risk management processes. • Performing an effectiveness review of management's risk assessments and the internal controls. • Providing advice in the design and improvement of control systems and risk mitigation strategies.

  36. INTERNAL AUDITORS CAN ADD VALUE BY: • Implementing a risk-based approach to planning and executing the internal audit process. • Ensuring that internal auditing’s resources are directed at those areas most important to the organization. • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

  37. INTERNAL AUDITORS CAN ADD VALUE BY: • Facilitating ERM workshops. • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

  38. COMMON BARRIERS TO TODAY’S INTERNAL AUDIT CHALLENGES People - Subject Matter Expertise, Competencies Methodology - Risk-Based Audit Approach Technology - Auditing Tools/Software Knowledge - Knowledge Sharing Extract from IBBM May-June 2005

  39. ROLES INTERNAL AUDITING SHOULD NOT UNDERTAKE • Setting Risk Appetite • Imposing Risk Management Process • Management Assurance on Risks • Taking Decisions on Risk Responses • Implementing Risk Responses on Management’s Behalf • Accountability For Risk Management The Institute of Internal Auditors, September 29, 2004

  40. E N V I R O N M E N T R I S K Competitor Sovereign/Political Social/Cultural Technological Innovation Shareholder Relations Financial Markets Labor Availability Sensitivity Capital Availability Legal Catastrophic Events Regulatory Globalization P R O C E S S R I S K EMPOWERMENT RISK Accountability Leadership Authority/Limit Outsourcing Performance Incentives Change Readiness Communications OPERATIONS RISK Customer Satisfaction Efficiency/Productivity Capacity Inventory Cycle Time Obsolescence Compliance Labor/Employee Product Acceptance Product/Service Quality Environmental Health and Safety Resource Availability Resource Price Volatility Trademark/Brand Name Erosion FINANCIAL RISK Interest Rate Currency Equity Cash Flow Opportunity Cost Concentration Default Market Settlement Price Liquidity INFORMATION PROCESSING/ TECHNOLOGY RISK Relevance Integrity Access Availability Infrastructure Credit INTEGRITY RISK Management Fraud Employee Fraud Illegal Acts Unauthorized Use Reputation I N F O R M A T I O N F O R D E C I S I O N M A K I N G R I S K OPERATIONAL Product Pricing Product Costing Contract Commitment Performance Measurement Process Alignment Regulatory Reporting FINANCIAL Budget and Planning Accounting Information Financial Reporting Evaluation Taxation Compensation and Benefits Investment Evaluation Regulatory Reporting STRATEGIC Environmental Monitoring Business Portfolio Valuation Performance Measurement Organization Design Resource Allocation Planning Product Life Cycle BUSINESS RISK MODEL A COMMON LANGUAGE

  41. CONCLUSION • Internal auditors need to rise up to the changes within themselves and the organization they serve and be change agents as well • Managing risk is crucial to any organization if they are to be competitive and successful in today’s global economy

  42. THANK YOU