1
Audit, Control and Risk Management
Budget Management and Financial Accountability
Steven E. Jameson
Lead Auditing Specialist, IAD
March 2, 2004
2
How Is The Audit Profession Changing?
Independence is being re-emphasized
Heavy emphasis on financial reporting
Greater focus on technology
Focus and scope expanding more into governance and risk
Expanded expertise and facilitation skills
Resource for assurance and consulting services
Help the organization manage business risk
3
Factors Identified by the Competency Framework of Internal Auditing (CFIA)
Global and organizational change
Technological innovation
Competition for market share
Legislative imperatives
Shareholders demanding increased accountability
Client’s changing expectations
Strategic alliances
Mergers and acquisitions
What Will Drive Change?
4
Major Areas for Legislation and Regulation Reform Measures
Ethical Climate
Shareholder Involvement
Boards of Directors
Audit Committees
Corporate Management
Public Accounting
Corporate Disclosures
5
Recommendations for Internal Auditors
Focus on and evaluate the control system for effectiveness
Ensure a good Enterprise Risk Management plan
Ensure adequate controls to manage risk
Internal auditors should include their own risk assessment
Keep current on all the investigative committees, press reports, new legislation, etc.
6
Assurance
Internal auditing provides assurance about:
Risk management
Control
Provided to:
Management
Audit committee
Other stakeholders
7
Framework for Effective Control
Control your environment
Control your risk
Control your activities
Control your information and communication
Monitor and review your control
8
The Bank Uses the COSO Framework
(COSO cube diagram; its five components:)
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
9
Who/what Can Assist?
COSO: A good control environment
Properly assessed risks
Effective controls (appropriate policies/procedures)
Relevant/timely information
Focused/timely monitoring/review
10
Benefits of Effective Control Structure
It will:
Improve accountability and program delivery
Promote ethical and professional business practices
Advance risk management
Enhance communications, decision making and performance reporting
Contribute to quality outcomes
11
Some Signs of Dysfunctional Control System
Controls mostly “detective” not “preventive”
Practice different from documented procedures
Responsibility difficult to pinpoint
Control not commensurate to risk
Control can be circumvented – “back door”
Mere “appearance” of control
12
Internal Control Reporting
Any organization accepting investor money should have a comprehensive internal control system
The system should be monitored for effectiveness
There should be public reporting with emphasis on ethics, risk, and related controls
13
Enterprise Risk Management
COSO ERM Project
Linkage to COSO Internal Control
14
Perceptions in Today’s Risk Environment
Risk profiles are increasing
Regulatory/public scrutiny
Expanding services increases risks
Business change increases risk complexity
Gaps in Risk Coverage
Risk management not keeping pace
Need for right kind of risk training
Need for risk assessment methodologies/technology tools
Stakeholders have different risk needs
Inconsistent risk language used
15
COSO’s Objectives
Develop the COSO Enterprise Risk Management Framework.
Include conceptual framework and application guidance.
Identify interrelationships between risk and risk management, and with the COSO Internal Control – Integrated Framework.
16
Project Oversight
COSO Board – IIA, AICPA, FEI, IMA, AAA
COSO Advisory Council – two reps from each member organization
Project Coordinator – Moss Adams LLP
PWC project team
17
Intended Users
COSO member orgs
Government
Industry associations
Management of middle market and large companies
Not-for-profit
Academia
Lawyers
Professional orgs
Regulators and other rule-makers
Risk management professionals and public accounting firms
18
Assessment Phase
Literature search: 376 web sites
200+ books, periodicals, other pubs
COSO organization forums: four forums
Stakeholder interviews
Survey
19
Key Benefits From ERM
Awareness of risk increased
Cross-enterprise risk identified
Coordination across business units for more effective mitigation
Complete/consistent risk information
Common risk language established
Shareholder value protected/enhanced
20
Survey Results
19% have a CRO
CRO more common w/ revenue < $1B
20% have a board approved policy
22% have a dedicated ERM committee
84% do not have formal measurements
21
Key Success Factors for Implementing ERM
Provide clear goals and objectives
Establish sponsorship of senior management
Link to performance measures and compensation
Drive the approach from the corporate/head office
Establish a dedicated corporate function
22
What Works Well
Bus. units are taking ownership of risk mgmt.
Insurance mgmt.
Communication of risk
Sr. mgmt. and exec. support and involvement
What Needs Improvement
Communication and education
Integration of ERM processes
Formalizing the process
23
ERM vs. Internal Control
ERM elaborates and expands on those components of internal control relevant to risk
Significantly expands on the “risk assessment” component
Emphasizes and expands on other components as they relate to risk
24
ERM vs. Internal Control
Internal control and ERM are two separate frameworks w/ considerable overlap
In some respects IC is broader and in others ERM is broader
IC framework remains intact
ERM framework addresses risk management concepts more broadly and deeply
25
ERM vs. Internal Control
ERM is effective only when:
IC components are present and functioning effectively
ERM components are present and functioning effectively
Addl. features needed to convert RM into ERM:
Application of RM concepts in strategy-setting
Taking a “portfolio” view of ERM components
26
ERM vs. Internal Control
Core concept – You can have effective internal control without enterprise risk management, but you cannot have effective enterprise risk management without effective internal controls.
27
COSO’s Definition of Enterprise Risk Management
ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Proposed by COSO (2003)
- www.coso.org
28
Key Elements to ERM
Emphasizes “Enterprise” – not just selected “silos of risk”
Consideration of risks on “portfolio” basis
Collection of risks
Interactions of risks
Done to enhance entity value
Heavily integrated with business strategy
Focus is on identification, measurement, assessment, and response to risks primarily across 2 dimensions:
Probability (Likelihood)
Criticality (Consequence)
Key part of entity’s corporate governance
Responsibility of senior management and board
Pushed down to key business segment management
29
8 Components of the Framework
30
Coming Soon
COSO’s release of ERM
Framework for enterprise risk management
Application guidance on how to implement ERM