© 2007 KPMG, the Malaysian member firm of KPMG International, a Swiss cooperative. All rights reserved.
Differing Roles of Internal Auditor and Risk Management in ERM
Advisory
Lee Min On, Partner
10 April 2007
Overview
Risk and risk management defined
Responsibility for risk management
What internal audit is and role of internal auditor
Can the internal auditor take on the role of a risk manager?
Questions and comments
Risk
“Anything that has the potential to prevent an organisation from achieving its objectives”
Risk Management
“The identification, measurement & control of risks that impact the assets and earnings or essential services of an organisation”
Risk management - paraphrased
Paraphrased from ERM integrated framework - COSO
Appropriate balance between opportunities for gain while minimizing loss arising from risk identified
Achievement of corporate objectives through strategy setting
A process effected by the Board
Responsibility for risk management
Risk management philosophy
Assurance to stakeholders
Stakeholders
Board
Management
Employees
Risk profile
Issues to emerge
Current risk profile
Action plans
Establish structured risk management system
Ensure accountability
Risk aware culture
Risk management
- Policy
- Philosophy
Internal audit as defined
Activity that provides independent, objective assurance & consulting services
Designed to add value & improve an organization’s operations
Helps organization accomplish its objectives by:
- bringing a systematic & disciplined approach
- to evaluate & improve
- effectiveness of risk management, control & governance process
International Standards for the Professional Practice of Internal Auditing, IIA
Role of internal auditor
Risk management?
Control process
Governance process
Assurance services
Consulting services
Involvement of IA in risk management
Assurance role: Examining, evaluating, reporting and recommending improvements on:
adequacy and effectiveness of Management’s risk processes; and
control measures that can be considered by Management to address risks as identified
Consulting role: Identifying, evaluating & implementing risk management methodologies and controls to address those risks
Drawing the “boundary”
Assurance role - compliance
Consulting role - advisory
Risk owner – management of the risk identified (deployment of specific controls to treat the risk)
The Great Divide
Drawing the boundary (cont’d)
Some pertinent thoughts
Does organization size matter?
What about cost/benefit consideration?
Threat of self review?
Role of Risk Officer
In conclusion
Ideally, the risk management function should be separate from the internal audit function
If internal auditor is roped in for risk management, a clear line has to be drawn between advisory and ownership of risk
Avoid self-review threat that mars objectivity!
Can the internal auditor take on the role of a risk manager?
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Presenter’s contact details
Lee Min On
KPMG
+60(3) 20953388 (Ext 8401)
www.kpmg.com.my