
The Connection between Risk Management and Internal Control in Organizations

Mag. Norbert Wagner

Budapest, 11.4.2008


Internal Auditing

Risk Management

Internal Control

Connections


Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

(The IIA, Definition of Internal Auditing, 2004)


The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

(IPPF, Standard 2110)

The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

(IPPF, Standard 2110 A.1)


The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the

• Reliability and integrity of financial and operational information,
• Effectiveness and efficiency of operations,
• Safeguarding of assets,
• Compliance with laws, regulations, and contracts.

(IPPF, Standard 2110 A.2)


Risk Management

Enterprise risk management is broadly defined as:

…a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise designed to identify and manage potential events that may affect the entity and to provide reasonable assurance regarding the achievement of entity objectives.


Risk Management - Basis

(Figure: risk plotted over time. Stages: not identified; identified, with responses avoid, mitigate and shift; residual risk. Phases: Risk Identification, Risk Analysis, Risk Completion, Risk Controlling.)


Enterprise Risk Management

COSO – Enterprise Risk Management - A Process

• Internal Environment (ERM philosophy, risk culture)
• Objective Setting (risk appetite, risk tolerance)
• Event Identification (risks and opportunities)
• Risk Assessment (likelihood and impact, correlation)
• Risk Response (avoid, reduce, share or accept)
• Control Activities (general and application controls)
• Information and Communication
• Monitoring (separate, ongoing evaluations)


The Role of Internal Audit regarding RM (1)

Internal Environment

No direct audit field, but ERM philosophy and risk culture are essential for the IA position.

Objective Setting

Risk appetite and risk tolerance adequate to enterprise objectives and to RM methods and actions.


The Role of Internal Audit regarding RM (2)

Event Identification

Chances and Risks: Focus on completeness of risk identification

Risk Assessment

Quality of risk assessment by the risk owner.
Efficiency and effectiveness of the instruments used for risk assessment.


The Role of Internal Audit regarding RM (3)

Risk Response

Regularity and completeness of analysis and assessment of applied risk control activities

Control Activities

Quality of risk assessment by the risk owner.
Efficiency and effectiveness of the instruments used for risk assessment.


The Role of Internal Audit regarding RM (4)

Information and Communication

Regularity and effectiveness of the information process.
Completeness, accountability and understandability of directives.

Monitoring

Regularity, usefulness and efficiency of each monitoring process.
Efficiency and effectiveness of the instruments used for risk assessment.


Internal Control

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations,
• Reliability of financial reporting,
• Compliance with applicable laws and regulations.


Internal Control (IKS = Internes Kontrollsystem)

Definition of IIA Austria

Internal Control is the entirety of all process-oriented monitoring activities of an enterprise. Included are the respective organisational regulations and guidelines of the whole operational management, "top down", as well as the defined control activities and the monitoring role of the direct process owners, NOT the auditing (by the Internal Audit).


Internal Control (IKS) supports and assures:

• correct management and accounting,
• compliance with the business policy,
• compliance with the law and other regulations,
• adherence to predetermined objectives,
• the assets of an organization,
• the completeness and credibility of information, documentation and processes,
• the efficiency and effectiveness of processes,
• the prevention and detection of failures and irregularities,
• the transparency and comprehensibility of actions, to protect the people involved in the process,
• the safety of people within the organisation and in its environment.


Risk Management - Internal Control

Risk Management is broadly defined as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify and manage potential events that may affect the entity and to provide reasonable assurance regarding the achievement of entity objectives.

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations,
• Reliability of financial reporting,
• Compliance with applicable laws and regulations.


Internal Auditing - Risk Management

(Figure: Internal Auditing provides assurance of the effectiveness of the RMS. RM cycle: Risk Identification, Assessment of RM results, Generation of RM measures, Decision concerning measures, Documentation/Reporting.)


Safeguarding of company's business and assets

(Figure, strategic to operational:
Risk Management (strategic): Risk Policy; Early Warning - Red Flags; Operational RM; Actions.
Internal Control (operational, process-oriented): Process Owner; Control Activities; Policies, Guidelines; Internal Monitoring System; Internal Auditing, Controlling.)


Thank you