Audit and Risk Management An Integrated Approach - PowerPoint PPT Presentation

1
Audit and Risk Management: An Integrated Approach
  • Prepared by
  • Erich Schumann
  • Global Atlantic Partners LLC
  • www.globalatlanticpartners.com
  • May 2009

2
Audit and Risk Management: Agenda
  • Effective Enterprise Risk Management
  • Internal Audit's role in ERM
  • The Corporate Governance Cycle
  • Integrating strategy into Risk Management based
    audit
  • Risk assessment on a business level
  • Risk assessment quantification techniques
  • Case study: risk assessment of "Close the Books"

3
Audit and Risk Management: Effective Enterprise
Risk Management
  • COSO definition
  • Enterprise Risk Management (ERM) is a process,
    effected by an entity's board of directors,
    management, and other personnel, applied in
    strategy setting and across the enterprise,
    designed to identify potential events that may
    affect the entity, and manage risk to be within
    its risk appetite, to provide reasonable
    assurance regarding the achievement of entity
    objectives

4
Audit and Risk Management: Effective Enterprise
Risk Management
  • Effective ERM
  • Is an ongoing, entity-wide process to identify,
    evaluate, analyze, respond to, monitor, and
    communicate on risks
  • Is effected by people at all levels
  • Occurs in strategy setting
  • Applies to every unit
  • Provides reasonable assurance
  • Enables continuous improvement in decision making
  • Helps achieve objectives

5
Audit and Risk Management: Fundamental Audit
Characteristics
  • IIA Standards for the Professional Practice of
    Internal Auditing
  • Attribute Standards
  • Purpose, authority and responsibility
  • Independence and objectivity
  • Proficiency and due professional care
  • Quality assurance and improvement program
  • Performance Standards
  • Managing the internal audit activity
  • Control and governance
  • Engagement planning, performing the engagement
  • Communicating results, monitoring progress
  • Management's acceptance of risks

6
Audit and Risk Management: Audit Process Evolution
  • Generation one: control-based auditing, with
    focus on
  • Compliance with laws and regulations
  • Financial accuracy of account balances
  • Operation of specific controls or procedures
  • Generation two: process-based auditing, to
    determine the efficiency and effectiveness of key
    operational processes
  • Generation three: risk-based auditing
  • Generation four: risk management based
    auditing

7
Audit and Risk Management: Audit Process Evolution
8
Audit and Risk Management: Audit Process Evolution
9
Audit and Risk Management: Internal Auditing's
Value to ERM
  • Core internal audit roles
  • Give assurance on the risk management process
  • Give assurance that risks are correctly evaluated
  • Evaluate risk management processes
  • Evaluate the reporting of key risks
  • Review the management of key risks
  • IIA publication, May 2007: A holistic view of
    risk

10
Audit and Risk Management: Internal Auditing's
Value to ERM
  • Legitimate internal audit roles, with safeguards
  • Facilitating identification and evaluation of risks
  • Coaching management in responding to risks
  • Coordinating ERM activities
  • Consolidating reporting of risks
  • Maintaining and developing the ERM framework
  • Championing establishment of ERM
  • Developing ERM strategy for board approval
  • IIA publication, May 2007: A holistic view of
    risk

11
Audit and Risk Management: Internal Auditing's
Value to ERM
  • Roles internal audit should NOT undertake
  • Setting the risk appetite
  • Imposing risk management processes
  • Giving management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management's
    behalf
  • Accountability for risk management
  • IIA publication, May 2007: A holistic view of
    risk

12
Audit and Risk Management: Definition of Risk
  • Risk is the possibility that an event will occur
    and adversely affect the achievement of an
    objective
  • Risk begins with the strategy
  • Risk is not a single point estimate; it is a
    range of possible outcomes
  • Risk encompasses both opportunities and threats
    (upside and downside)

13
Audit and Risk Management: The Corporate
Governance Cycle
14
Audit and Risk Management: The Corporate
Governance Cycle
  • Board's responsibilities
  • Identify and understand the stakeholders' needs
  • Determine and evaluate possible outcomes of
    business activities
  • Be aware of and concur with the company's risk
    appetite
  • Define the level of tolerance relative to potential
    adverse outcomes
  • Delegate authority to management
  • Establish information and communication
    requirements

15
Audit and Risk Management: The Corporate
Governance Cycle
  • Senior Management's responsibilities
  • Identify critical processes and activities
  • Identify the threshold of risk monitoring that
    justifies delegation
  • Delegate responsibility, authority and
    accountability to appropriate risk owners
  • Establish information and communication
    requirements for risk owners

16
Audit and Risk Management: The Corporate
Governance Cycle
  • Risk owners' responsibilities
  • Ensure risk management activities are designed
    effectively to manage the related risks within
    the tolerances specified
  • Ensure risk management functions as expected
  • Monitor risk management activities to identify,
    on a timely basis, any anomalies and divergences
    from the expected outcome
  • Communicate all results timely to senior
    management

17
Audit and Risk Management: The Corporate
Governance Cycle
  • Auditors' responsibilities
  • Evaluate whether risk management activities are
    designed effectively
  • Determine whether risk management activities are
    operating as designed
  • Evaluate whether risk owners' assertions to
    senior management regarding risk management are
    accurate
  • Evaluate whether senior management's information
    to the board is complete and accurate
  • Identify any governance or risk areas that are
    currently not covered by the ERM process

18
Audit and Risk Management: The ERM Funnel
19
Audit and Risk Management: Risk Assessment Stages
  • The company's culture and organizational structure
    form the final input into the ERM process;
    however, there are three basic stages
  • Identifying: techniques for identifying events
    that are indicative of risks
  • What are the risks that might affect the success
    of the business?
  • Assessing: the importance of each risk
  • What impact would each of these risks have on the
    company?
  • How likely is it that the risk will occur?
  • How much tolerance does the company have for
    allowing that risk to occur?
  • Filtering: filter the risks down to a small,
    manageable number of key risks

20
Audit and Risk Management: Risk Analysis Stage
  • Risk sources: Where does the risk occur?
    (External to the organization, or internal within
    one of the businesses, locations, processes,
    etc.)
  • Risk drivers: What causes the risk to occur, and
    why?
  • Risk measurements: How can the risk be measured?
    How will the company know the risk is occurring,
    and to what extent?

21
Audit and Risk Management: Risk Strategy Stage
  • Having identified the key risks and the key
    drivers of those risks, it is time to identify
    and evaluate risk strategies
  • Avoid the risk: divesting, prohibiting
  • Transfer the risk: insuring, securitizing,
    hedging, outsourcing
  • Reduce the risk: establishing controls, setting
    transaction limits
  • Accept the risk: self-insurance, monitoring,
    reaction techniques
  • Exploit the risk: assume higher risks by adding
    volume, arbitrage opportunities, etc.

22
Audit and Risk Management: Risk Infrastructure
Stage
  • Once a decision is made on which strategies to
    pursue for a given risk, it is time to focus the
    design and operation of risk management
    activities on the selected strategies
  • Infrastructure capabilities, such as
  • Risk management strategies (philosophy and
    strategy), processes, people, technology,
    information
  • Understand the development stages of ERM
  • Ad hoc stage (no structure, fire drills)
  • Repeatable stage (some structure, capabilities
    are not flexible)
  • Defined stage (capabilities are well defined and
    documented, great reliance on people)
  • Managed stage (key performance indicators exist,
    consistent performance of designed capabilities)
  • Optimized stage (continued evaluation and
    improvement of ERM)

23
Audit and Risk Management: The ERM Funnel, An
Ongoing Process
  • Enterprise risk management is not a one-time or
    static process
  • It is a continuous, real-time process that must
    remain alive within the organization
  • It is a culture change

24
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Use the organization's strategy as the base for
    audit planning
  • If the organization does not have a strategy,
    auditors must THINK strategically
  • Auditors must consider strategy on three
    different levels
  • Strategic objectives
  • Operational objectives
  • Value objectives

25
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Strategic objectives
  • Align with the company's strategy and are forward
    looking; key questions/issues are
  • If you had unlimited resources, what initiatives
    would your area (business) undertake to help the
    company achieve each of its strategic
    objectives?
  • Recognizing that no area has unlimited resources,
    discuss what barriers currently exist
  • Customize each initiative to options that may be
    more realistic to implement
  • Evaluate the value derived from, and ease of,
    implementing each option
  • Focus on the most valuable options as short-term
    objectives

26
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Operational objectives
  • Express the key responsibilities of the area.
    Operational objectives tend to
  • Be focused on current activities, as opposed to
    future initiatives
  • Depict key operational tasks, such as processing
    or recording transactions
  • Have an element of accuracy, completeness and/or
    timeliness involved in the task
  • Support multiple areas of an organization
  • Lend themselves to detailed performance
    measurement
  • Include compliance or other corporate
    requirements

27
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Operational objectives
  • Key questions to be asked
  • At the end of the day/month/year, what gives you
    a sense of accomplishment in your job?
  • What accomplishments in your job tend to get you
    recognized by your management or internal
    customers?
  • If you had more time/resources, what would you do
    differently in your job? Why?

28
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Value objectives
  • Connect how people in the area are expected to
    act to the company's overall values; understand
    and link the company's values with the area's
    value objectives. Key questions/tasks
  • Can you provide an example of how you exhibit
    each of the company's values?
  • What types of actions does management tend to
    recognize or reward?
  • How would you expect others in the organization
    to act when working with you (e.g. in
    demonstrating the company's values)?

29
Audit and Risk Management: Strategy For Risk
Management Based Auditing
  • Failure to obtain a good understanding of the
    company's strategy will result in the auditor
    making assumptions and ad hoc guesses when
    deciding where to devote audit resources.
  • Understanding what represents success for the
    company, what the barriers are to achieving that
    success, how the company manages those barriers,
    and whether the barriers are managed to the
    desired levels helps the auditor determine the
    most value-added approach and appropriate
    projects, and demonstrates relevance to management

30
Audit and Risk Management: Risk Assessment On
Business Level
  • Understand how management monitors risk and
    understand their key risk indicators
  • Good key risk indicators are
  • Relevant
  • Measurable
  • Addressing each key objective
  • Available on time
  • Clear and widely articulated

31
Audit and Risk Management: Capturing Risk
Assessment Results
32
Audit and Risk Management: Capturing Risk
Assessment Results
  • Classifying risks (box numbers refer to the risk
    map on the previous slide)
  • Primary risks are those in boxes 7, 8 and 9
  • Represent the risks with the highest priority
  • Require shorter audit cycles
  • Secondary risks are those in boxes 4, 5 and 6
  • Represent risks which might require attention,
    oftentimes related to primary risks
  • May require a less frequent audit cycle
  • Minor risks are those in boxes 1, 2 and 3
  • Represent risks which most likely do not require
    any attention
  • Can be disregarded for the audit cycle (or given
    a longer audit cycle)

33
Audit and Risk Management: Summary
  • Create a risk universe that identifies the key
    barriers to the company's success
  • Understand the different characteristics of the
    risks, including how close they are to the core
    of the company's strategy
  • Assess and prioritize risks based on impact,
    likelihood and tolerance for the risk
  • Determine risk management actions and potential
    audit projects, and the frequency and scope of the
    different audits planned

34
Audit and Risk Management: Case Study "Close The
Books" - Background
  • Background info
  • For G/L purposes the company is organized in four
    regions
  • The Corporate Controller has ultimate responsibility
    for the closing process
  • The company uses an off-the-shelf G/L system
  • The company has a disclosure committee which meets
    quarterly prior to publishing the financials; the
    Corporate Controller is one of its members

35
Audit and Risk Management: Case Study "Close The
Books" - Key Risks
  • Key risk indicators
  • Authorization: all transactions executed must be
    properly authorized
  • Completeness and accuracy: all, and only, those
    transactions occurring during the period must be
    recorded timely and accurately
  • Presentation and disclosure: items in the
    financials and related disclosures are presented
    so as to provide appropriate transparency
  • Timeliness: the closing process must be completed
    according to schedule to ensure timely external
    reporting
  • Valuation: all items are valued in accordance
    with GAAP
  • Based on the above, the audit team discusses
    tolerance levels with the Controller

36
Audit and Risk Management: Case Study "Close The
Books" - Risk Identification
  • During the brainstorming session the audit team
    identified the following as the primary risks
  • Accuracy risk
  • Disclosure risk
  • Human resource risk
  • Integrity risk
  • Organizational risk
  • Performance incentive risk
  • Performance measurement risk
  • Policies/procedures risk
  • Reconciliation risk
  • Technology risk
  • Timeliness risk

37
Audit and Risk Management: Case Study "Close The
Books" - Risk Assessment
38
Audit and Risk Management: Case Study "Close The
Books" - Audit Finding
  • Finding: no evidence of supervisory review of
    topside entries
  • Potential impact: failure to consistently
    document and approve all topside entries may
    result in inappropriate amounts being recorded
  • Root cause: in the rush of the closing, this
    appears to be an oversight by the individual
  • Recommendation: reinforce the policy to document
    formal review and approval of topside entries
  • Management comment
  • Conclusion
  • Owner
  • Target date
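The key risk indicators on the "Key Risks" slide (authorization, completeness and accuracy, timeliness) and the finding above (topside entries without documented supervisory review) can both be tested mechanically against a journal-entry extract from the G/L. The following is an added example, not part of the presentation or the case study: it runs those three tests over a constructed extract. Entry ids, accounts, names, dates and the close deadline are all assumptions made for the illustration; the rule that a topside entry needs an approver other than its preparer is the reviewer's reading of "properly authorized", not something the slides spell out.

```python
"""Audit test over a constructed journal-entry extract from the close process.

Added example (not from the presentation). It mechanises three of the
close-the-books key risk indicators: authorization (topside entries carry
documented review by someone other than the preparer), completeness and
accuracy (every entry balances) and timeliness (entries are posted by the
close deadline). The extract, account numbers, people and dates are all
constructed; the close deadline is an assumed schedule, not a figure from
the case study.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CLOSE_DEADLINE = date(2009, 4, 7)   # assumed close schedule: a week after the quarter end


@dataclass(frozen=True)
class JournalLine:
    """One line of a journal entry as it would be pulled from the G/L."""
    entry_id: str
    posted: date
    source: str              # "AUTO" = sub-ledger feed, "TOPSIDE" = manual adjustment
    account: str
    amount: float            # debits positive, credits negative
    preparer: str
    approver: Optional[str]  # who evidenced review; None = no review documented


# Constructed extract: six entries covering a clean case and each failure mode.
SAMPLE: List[JournalLine] = [
    JournalLine("JE-1001", date(2009, 3, 31), "AUTO", "1200-AR", 4200.00, "ar-feed", None),
    JournalLine("JE-1001", date(2009, 3, 31), "AUTO", "4000-REV", -4200.00, "ar-feed", None),
    JournalLine("JE-1002", date(2009, 4, 2), "TOPSIDE", "6100-ACCR", 15000.00, "jdoe", "controller"),
    JournalLine("JE-1002", date(2009, 4, 2), "TOPSIDE", "2100-AP", -15000.00, "jdoe", "controller"),
    JournalLine("JE-1003", date(2009, 4, 3), "TOPSIDE", "6100-ACCR", 80000.00, "jdoe", None),
    JournalLine("JE-1003", date(2009, 4, 3), "TOPSIDE", "2100-AP", -80000.00, "jdoe", None),
    JournalLine("JE-1004", date(2009, 4, 3), "TOPSIDE", "5000-COGS", 12500.00, "asmith", "asmith"),
    JournalLine("JE-1004", date(2009, 4, 3), "TOPSIDE", "1300-INV", -12500.00, "asmith", "asmith"),
    JournalLine("JE-1005", date(2009, 3, 30), "AUTO", "1100-CASH", 1000.00, "bank-feed", None),
    JournalLine("JE-1005", date(2009, 3, 30), "AUTO", "4000-REV", -900.00, "bank-feed", None),
    JournalLine("JE-1006", date(2009, 4, 9), "TOPSIDE", "6200-RSV", 30000.00, "jdoe", "controller"),
    JournalLine("JE-1006", date(2009, 4, 9), "TOPSIDE", "2200-RSV", -30000.00, "jdoe", "controller"),
]


def by_entry(lines: List[JournalLine]) -> Dict[str, List[JournalLine]]:
    """Group lines into whole journal entries keyed by entry id."""
    entries: Dict[str, List[JournalLine]] = defaultdict(list)
    for line in lines:
        entries[line.entry_id].append(line)
    return entries


def unapproved_topside(lines: List[JournalLine]) -> List[str]:
    """Authorization KRI: topside entries with no approver, or approved by their own preparer."""
    hits = set()
    for line in lines:
        if line.source != "TOPSIDE":
            continue  # sub-ledger feeds are controlled upstream; out of scope for this test
        if line.approver is None or line.approver == line.preparer:
            hits.add(line.entry_id)
    return sorted(hits)


def unbalanced_entries(lines: List[JournalLine]) -> List[str]:
    """Completeness/accuracy KRI: entries whose debits and credits do not net to zero."""
    return sorted(
        entry_id
        for entry_id, entry in by_entry(lines).items()
        if round(sum(line.amount for line in entry), 2) != 0.0
    )


def late_entries(lines: List[JournalLine], deadline: date = CLOSE_DEADLINE) -> List[str]:
    """Timeliness KRI: entries posted after the close deadline."""
    return sorted({line.entry_id for line in lines if line.posted > deadline})


def close_findings(lines: List[JournalLine]) -> Dict[str, List[str]]:
    """Run all three tests; a non-empty list is a finding for that indicator."""
    return {
        "authorization": unapproved_topside(lines),
        "completeness_accuracy": unbalanced_entries(lines),
        "timeliness": late_entries(lines),
    }


if __name__ == "__main__":
    for indicator, ids in close_findings(SAMPLE).items():
        status = "finding" if ids else "no exception"
        print(f"{indicator:22s} {status}: {', '.join(ids) or '-'}")
```

On the constructed extract, JE-1003 (no approver) and JE-1004 (self-approved) reproduce the finding on the slide, JE-1005 fails the accuracy test and JE-1006 the timeliness test. Against a real G/L the same tests would be run over the full population of the period's entries, with the approver field taken from whatever the system records as evidence of review, and any entry surfaced here would be traced back to its supporting documentation before being reported.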

39
Audit and Risk Management: Summary
  • Internal auditors give independent
    assurance that the risk management activities are
    effective and the communications are accurate
  • Risk management based audit requires strategic
    and operational business knowledge
  • Risk management based audit has the following
    characteristics
  • Objective
  • Approach
  • Focus
  • Testing approach
  • Recommendations

40
Audit and Risk Management: The End
  • Questions?
  • Please contact
  • Erich Schumann, CIA, CFE
  • Global Atlantic Partners LLC
  • Boston, MA
  • Phone 617 345 0222
  • eschumann_at_globalatlanticpartners.com
  • www.globalatlanticpartners.com