Audit, Control and Risk Management - PowerPoint PPT Presentation

Description:

Audit, Control and Risk Management Budget Management and Financial Accountability Steven E. Jameson Lead Auditing Specialist, IAD March 2, 2004 How Is The Audit ... – PowerPoint PPT presentation

Slides: 31

Transcript and Presenter's Notes


1
Audit, Control and Risk Management
  • Budget Management and Financial Accountability
  • Steven E. Jameson
  • Lead Auditing Specialist, IAD
  • March 2, 2004

2
How Is The Audit Profession Changing?
  • Independence is being re-emphasized
  • Heavy emphasis on financial reporting
  • Greater focus on technology
  • Focus and scope expanding more into governance
    and risk
  • Expanded expertise and facilitation skills
  • Resource for assurance and consulting services
  • Help the organization manage business risk

3
What Will Drive Change?
  • Factors Identified by the Competency Framework of
    Internal Auditing (CFIA)
  • Global and organizational change
  • Technological innovation
  • Competition for market share
  • Legislative imperatives
  • Shareholders demanding increased accountability
  • Clients changing expectations
  • Strategic alliances
  • Mergers and acquisitions

4
Major Areas for Legislation and Regulation Reform
Measures
  • Ethical Climate
  • Shareholder Involvement
  • Boards of Directors
  • Audit Committees
  • Corporate Management
  • Public Accounting
  • Corporate Disclosures

5
Recommendations for Internal Auditors
  • Focus on and evaluate the control system for
    effectiveness
  • Ensure a good Enterprise Risk Management plan
  • Ensure adequate controls to manage risk
  • Internal auditors should include their own risk
    assessment
  • Keep current on all the investigative committees,
    press reports, new legislation, etc.

6
Assurance
  • Internal auditing provides assurance about
  • Risk management
  • Control
  • Provided to
  • Management
  • Audit committee
  • And other stakeholders

7
Framework for Effective Control
  • Control your environment
  • Control your risk
  • Control your activities
  • Control your information and
    communication
  • Monitor and review your control

8
The Bank Uses the COSO Framework

  • Monitoring
  • Information and Communication
  • Control Activities
  • Risk Assessment
  • Control Environment

9
Who/what Can Assist?
  • COSO
  • A good control environment
  • Properly assessed risks
  • Effective controls (appropriate
    policies/procedures)
  • Relevant/timely information
  • Focused/timely monitoring/review

10
Benefits of Effective Control Structure
  • It will
  • Improve accountability and program delivery
  • Promote ethical and professional business
    practices
  • Advance risk management
  • Enhance communications, decision making and
    performance reporting
  • Contribute to quality outcomes

11
Some Signs of Dysfunctional Control System
  • Controls mostly detective not preventive
  • Practice different from documented procedures
  • Responsibility difficult to pinpoint
  • Control not commensurate to risk
  • Control can be circumvented via the back door
  • Mere appearance of control

12
Internal Control Reporting
  • Any organization accepting investor money should
    have a comprehensive internal control system
  • The system should be monitored for effectiveness
  • There should be public reporting with emphasis on
    ethics, risk, and related controls

13
Enterprise Risk Management
  • COSO ERM Project
  • Linkage to COSO Internal Control

14
Perceptions in Today's Risk Environment
  • Risk profiles are increasing
  • Regulatory/public scrutiny
  • Expanding services increases risks
  • Business change increases risk complexity
  • Risk management not keeping pace
  • Need for right kind of risk training
  • Need for risk assessment methodologies/technology
    tools
  • Stakeholders have different risk needs
  • Inconsistent risk language used

Gaps in Risk Coverage
15
COSO's Objectives
  • Develop the COSO Enterprise Risk Management
    Framework.
  • Include conceptual framework and application
    guidance.
  • Identify interrelationships between risk and risk
    management, and with the COSO Internal Control
    Integrated Framework.

16
Project Oversight
  • COSO Board: IIA, AICPA, FEI, IMA, AAA
  • COSO Advisory Council: two reps from each member
    organization
  • Project Coordinator: Moss Adams LLP
  • PWC project team

17
Intended Users
  • COSO member orgs
  • Government
  • Industry associations
  • Management of middle market and large companies
  • Not-for-profit
  • Academia
  • Lawyers
  • Professional orgs
  • Regulators and other rule-makers
  • Risk management professionals and public
    accounting firms

18
Assessment Phase
  • Literature search
  • 376 web sites
  • 200 books, periodicals, other pubs
  • COSO organization forums
  • Four forums
  • Stakeholder interviews
  • Survey

19
Key Benefits From ERM
  • Awareness of risk increased
  • Cross-enterprise risk identified
  • Coordination across business units for more
    effective mitigation
  • Complete/consistent risk information
  • Common risk language established
  • Shareholder value protected/enhanced

20
Survey Results
  • 19 have a CRO
  • CRO more common w/ revenue < 1B
  • 20 have a board approved policy
  • 22 have a dedicated ERM committee
  • 84 do not have formal measurements

21
Key Success Factors for Implementing ERM
  • Provide clear goals and objectives
  • Establish sponsorship of senior management
  • Link to performance measures and compensation
  • Drive the approach from the corporate/head office
  • Establish a dedicated corporate function

22
What Works Well / What Needs Improvement
  • Bus. units are taking ownership of risk mgmt.
  • Insurance mgmt.
  • Communication of risk
  • Sr. mgmt. and exec. support and involvement
  • Communication and education
  • Integration of ERM processes
  • Formalizing the process

23
ERM vs. Internal Control
  • ERM elaborates and expands on those components of
    internal control relevant to risk
  • Significantly expands on the risk assessment
    component
  • Emphasizes and expands on other components as
    they relate to risk

24
ERM vs. Internal Control
  • Internal control and ERM are two separate
    frameworks w/ considerable overlap
  • In some respects IC is broader and in others ERM
    is broader
  • IC framework remains intact
  • ERM framework addresses risk management concepts
    more broadly and deeply

25
ERM vs. Internal Control
  • ERM is effective only when
  • IC components are present and functioning
    effectively
  • ERM components are present and functioning
    effectively
  • Addl. features needed to convert RM into ERM
  • Application of RM concepts in strategy-setting
  • Taking a portfolio view of ERM components

26
ERM vs. Internal Control
  • Core concept: You can have effective internal
    control without enterprise risk management, but
    you cannot have effective enterprise risk
    management without effective internal controls.

27
COSO's Definition of Enterprise Risk Management
ERM is a process, effected by an entity's board
of directors, management, and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential events
that may affect the entity, manage risks to be
within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives. - Proposed by COSO (2003) -
www.coso.org

28
Key Elements to ERM
  • Emphasizes
  • Enterprise not just selected silos of risk
  • Consideration of risks on portfolio basis
  • Collection of risks
  • Interactions of risks
  • Done to enhance entity value
  • Heavily integrated with business strategy
  • Focus is on identification, measurement,
    assessment, and response to risks primarily
    across 2 dimensions
  • Probability (Likelihood)
  • Criticality (Consequence)
  • Key part of entity's corporate governance
  • Responsibility of senior management and board
  • Pushed down to key business segment management

29
8 Components of the Framework

30
Coming Soon
  • COSO's release of ERM
  • Framework for enterprise risk management
  • Application guidance on how to implement ERM