Tuesday 3 January 2012

Topic 4: Related Topics

Approaches to help ensure an anti-fraud culture require three fundamental actions:

  • Create a culture of honesty and high ethics
  • Evaluate anti-fraud processes and controls
  • Develop an appropriate oversight process.
COSO fraud prevention and control components:
  • Control environment - Companies must establish an appropriate control environment.
  • Fraud risk assessment - Organizations should identify and assess fraud-related risks, including the potential for fraudulent financial reporting, asset misappropriation, improper receipts and expenditures, etc.
  • Control activities - Companies should establish and implement effective control practices, including actions taken by management to identify, prevent and mitigate fraudulent financial reporting or misuse of the organization's assets.
  • Information and communication - Companies must establish effective fraud-related information and communication practices.
  • Monitoring - Organizations should conduct ongoing and periodic performance assessments and consider the use and impact of computer technology in fraud deterrence.
There are three universally accepted elements of information security:
  • Confidentiality - policies and practices for privacy and safeguarding confidential information, and protection against unauthorized interception or disclosure
  • Integrity - provisions to ensure that data is complete and correct
  • Availability - actions to mitigate downtime and to enhance recovery of data after disruptions, disasters and corruption of data or of information technology services.
Security risk management process:
  • Identification - identifies the exposure to loss in terms of threats and vulnerabilities
  • Probability determination - determines the probability that a threat or vulnerability will materialize
  • Quantification of potential loss - quantifies the potential loss in terms of financial and non-financial impact
  • Selection - evaluates the feasibility of alternative risk management techniques and selects among them.

Topic 3: Governance

By its nature, governance is a complex activity. The following activities and initiatives interact with governance:

  • Compliance with legal or regulatory requirements
  • Internal control assessment and reporting
  • Enterprise risk management
  • Quality initiatives
  • Transparency and disclosure
  • Governance structure and processes
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
  • Promoting appropriate ethics and values within the organization
  • Ensuring effective organizational performance management and accountability
  • Communicating risk and control information to appropriate areas of the organization
  • Coordinating the activities of and communicating information among the board, external and internal auditors and management. 
The maturity of the governance processes and structure affects the internal audit function. In a less mature environment, the audit function typically performs:
  • Discrete audits
  • Providing advice regarding optimal structure and practices
  • Comparing the current governance structure and practices against regulations and other compliance requirements
In a more mature environment:
  • Evaluating the efficiency and effectiveness of company-wide governance components and whether they work together as expected
  • Analyzing the transparency and disclosure practices among parts of the governance structure
  • Comparing governance practices against best practices
  • Identifying compliance with applicable statutory and regulatory requirements and governance codes.

It is important to understand that the internal audit activity does not evaluate management's decisions themselves. However, it can serve as a catalyst for change and advise or advocate improvements to enhance the organization's governance structure and practices.

Corporate values are generally defined as an organization's standards of behavior. They are a small set of general guiding principles that are not to be compromised for financial gain or short-term expediency. The auditors are to promote appropriate ethics and values within the organization. This is accomplished through various assurance and consulting activities.

Corporate values are not typically assessed during routine risk and control evaluations. Instead, self-assessment methods and appropriate audit programs are generally used to measure the comprehension and preservation of corporate values.

In consulting engagements, internal auditors are prohibited from accepting any assignment that does not support the organization's values.

Example of a Likert scale format:

Strongly Disagree > Disagree > Neither agree nor disagree > Agree > Strongly Agree



Monday 2 January 2012

Topic 2: Internal Control

Organizations establish goals and objectives and then assess the risk to achieving those objectives. A control strategy and internal control help to ensure that operations are successful, protect resources and enhance the probability of the objectives being met.

Controls may be tangible policies, procedures and activities or they may be embodied in less tangible behavioral aspects such as ethical values. They are designed by management and put into place with the intent of containing risks within risk tolerances established by the organizational risk management process so that business objectives can be achieved at the lowest cost.

Organizational Responsibilities for Internal control:

  • Board of directors - Establish and maintain the organization's governance process and obtain assurances concerning the effectiveness of the risk management and control processes.
  • Senior managers - Oversee the establishment, administration and assessment of the system of risk management and control processes.
  • Operational managers - Design, apply and provide ongoing monitoring of the control processes in their respective areas
  • Chief audit executive - Develop an audit plan that ensures sufficient evidence will be obtained to evaluate the effectiveness of risk management and control processes.
  • Audit Committee - Oversee the evaluation of the company's internal control system including information technology security and control
  • Internal and External auditors - Provide varying degrees of assurance about the state of effectiveness of the risk management and control processes in selected activities and functions of the organization. 
  • Employees - Perform job responsibilities to the level of identified standards. 
A control framework is a recognized system of concepts encompassing all elements of internal control. Increasingly, organizations are using control frameworks to establish effective internal control systems. Examples of recognized frameworks follow:

COSO Internal Control Framework:
Five interrelated components of the framework:-
  • Control environment - sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  • Risk assessment - The identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. 
  • Control activities - The policies and procedures that help ensure that management directives are carried out. They help to ensure that necessary actions are taken to address risks to achievement of the entity's objectives. 
  • Information and communications - Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. 
  • Monitoring - Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. 

CoCo Internal Control Framework:
4 interrelated components:-
  • Purpose - The mission, vision, strategy, risks and opportunities, policies, planning and performance targets and indicators that provide a clear driver for control criteria that people can understand. 
  • Commitment - The ethical values, integrity, human resource policies, authorities, accountability and mutual trust that get people to commit to control philosophy.
  • Capability - The knowledge, skills, tools, communication processes, information, coordination and control activities that provide people with the resources and competence to participate in designing and installing good controls and being able to assess risks.
  • Monitoring and learning - The monitoring of internal and external environments and performance, as well as challenging assumptions, reassessing information needs and information systems, conducting follow-up procedures and assessing the effectiveness of control.
The CoCo model presents 20 specific control criteria within these control components. It states that all 20 must be in place for internal control to be effective. 

Cadbury Internal Control Framework:
  • Control environment - The attitude and actions of the directors, management and employees that set the tone for control within the organization.
  • Identification and evaluation of risks and control objectives - The identification and analysis of relevant business risks in a timely manner.
  • Information and communication - The performance indicators, information systems, and other systems that communicate the right information to the right people and enable them to carry out their responsibilities.
  • Control procedures - The policies and procedures or control activities that facilitate the execution of management directives and ensure compliance. 
  • Monitoring and corrective action - The monitoring process that assesses the quality of the internal control system's performance and reports on required changes and weaknesses necessitating corrective action. 
Hard control examples:
  • Policy/procedure
  • Organizational structure
  • Bureaucracy
  • Restrictive formal processes
  • Centralized decision-making
Soft control examples:
  • Competence 
  • Trust
  • Shared values
  • Strong leadership
  • High expectation
  • Openness
  • High ethical standards
One particularly useful method for evaluating soft controls is control self-assessment (CSA). CSA refers to a variety of assessment techniques, including facilitated workshops and surveys, in which the assessment is performed by the people involved in the area or process being assessed rather than by an independent party.

Even though the lack of independence reduces the reliability of the results, a well-designed, disciplined CSA technique still produces results that are quite reliable.

The CSA process allows management or work teams to be directly involved in:
  • Assessing internal control
  • Evaluating risk
  • Developing action plans to address identified weaknesses
  • Assessing the likelihood of achieving business objectives.
Authoritarianism refers to rigid adherence to conventional values and recognized authority.

Empowerment implies that employees have the authority to make decisions and take actions in their areas without prior approval. 

Models of management:
  • Autocratic
  • Custodial - oriented toward security; the organization acts as a security blanket for employees
  • Supportive - promotes participation and involvement
  • Collegial - towards teamwork and creativity instead of superior/subordinate relationship
A change agent is an individual who facilitates change within the organization. 

Types of organizational conflicts and causes:
  • Vertical conflict - Occurs between different hierarchical levels, commonly involves disagreements over resources, goals, deadlines or performance results
  • Horizontal conflict - Occurs between persons or groups at the same hierarchical level, commonly involves goal incompatibilities, resource scarcities or interpersonal factors.
  • Line-staff conflict - Involves disagreements over who has authority or control over certain matters.
  • Role conflict - Occurs when the communication of role expectations proves inadequate or upsetting. Often involves unclear communication of work expectations, excessive expectations, etc.
  • Workflow interdependencies - Occurs when interdependence is high and people are frustrated in some way while attempting to meet collaborative goals.
  • Domain ambiguities - Occurs when people do not understand the scope of authority or lines of responsibility.
  • Resource scarcity - Occurs when various individuals or groups try to gain or maintain the maximum share of scarce or shrinking resources.
Constructive conflict - leads to beneficial results.
Dysfunctional conflict - leads to experiences that erode relationships and derail progress toward goals.

Conflict management approaches include:
  • Interest-based bargaining 
  • Brainstorming
  • Multivoting
  • Avoidance
  • Accommodation
  • Authoritative command
  • Compromise

The auditor should state the specific type of opinion being expressed and what it means regarding the strength of internal controls, as terms may have different meanings in different environments.
  • Positive assurance - Takes a position on the strength of internal controls. Different ratings may be used, such as: internal controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or do not meet expectations.
  • Negative assurance - Indicates that nothing came to the internal auditor's attention that would indicate inadequate internal controls. Such an opinion is less valuable than positive assurance, as it provides only limited assurance that sufficient evidence was gathered to determine whether internal controls were inadequate.
  • Qualified opinion - Specific findings contradict the overall opinion. This type of opinion is useful in situations where there is an exception to the general opinion. For example, a qualified opinion may indicate that controls were satisfactory, with the exception of accounts payable controls, which require significant improvement.




Sunday 1 January 2012

Topic 1: Risk Management

Risk management is a core competency for most internal audit departments. Internal auditors contribute to risk management through numerous assurance and consulting activities. Risk management is best managed from an enterprise-wide perspective.

Best practice has shown that using a framework can improve the efficiency and effectiveness of enterprise risk management.

The COSO ERM model is an example of a comprehensive framework that applies ERM in a strategic setting. Starting at the top and supporting an organization's mission is what differentiates COSO from most other risk models.

COSO's Enterprise Risk Management - Integrated Framework includes four categories of organizational objectives:

  • Strategic - Strategic objectives are tied to high-level organizational goals. They are aligned to and support an organization's mission. 
  • Operations - These objectives relate to the effective and efficient use of organizational resources.
  • Reporting - Objectives in this category are related to the reliability of reporting.
  • Compliance - Compliance objectives are related to organizational compliance with applicable laws and regulations. 
COSO ERM Components:
  • Internal environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by the entity's people.
  • Objective setting: Ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. 
  • Event identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. 
  • Risk assessment: Risks are analyzed, considering likelihood and impact.
  • Risk response: Management selects risk responses - avoiding, accepting, reducing or sharing risk
  • Control activities: Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out. 
  • Information and communication: Relevant information is identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. 
  • Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Roles and responsibilities of parties in ERM:
  • The board: The board helps to set strategy and formulate high-level objectives. Often the board delegates the monitoring and assurance responsibilities to management, reserving authority for key decisions. (Internal Environment component)
  • Management: Assumes primary responsibility for identifying and managing risk and for implementing enterprise risk management in a structured, consistent and coordinated approach. The CEO has ultimate ownership of the enterprise risk management process. Management authority and accountability are imperative in enterprise risk management. Each manager should be accountable to the next higher level, with the CEO being accountable to the board.
  • Risk officer: Provides central coordination for enterprise risk management across the organization. Empowered by the CEO, a risk officer has the resources to work with other managers in establishing effective risk management practices, monitoring progress and assisting those managers in reporting. The risk officer needs to establish a common risk management language and common measures. The CFO is sometimes assigned this role.
  • Financial executives: Finance and controllership activities cut across all operating and business units. Budgeting and planning, as well as tracking and analyzing performance and reporting, are all part of the financial executive's responsibilities in ERM.
  • External auditors: Provide an independent and objective view that can contribute to an organization's achievement of its ERM objectives.
  • Legislators and regulators: Establish rules that require an entity's risk management and control systems to meet minimum statutory and regulatory requirements.
  • Business associates: Channel useful information to risk management activities.
AS/NZS 4360:2004 is another risk management framework. It points out that risk management:
  • Involves balancing opportunities for gains while minimizing losses.
  • Represents an integral part of good management practice and an essential element of good corporate governance. 
  • Facilitates continuous improvement in decision making and performance. 
  • Involves establishing an appropriate infrastructure and culture.
  • Applies a logical and systematic method to managing both potential gains and potential losses.
The framework promotes embedding risk management in an organization's culture - its philosophy, practices and business processes - rather than practicing it as a separate entity.

Turnbull Guidance - Internal Control Guidance for Directors on the Combined Code discusses the adoption of a risk-based approach to internal control and the assessment of its effectiveness. 

Turnbull calls for companies listed on the London Stock Exchange to implement risk management and to actively manage risk. Non-compliance must be disclosed in the annual report. The principle behind Turnbull is for risk to be managed effectively and for internal control to be embedded in business processes, which makes sound business sense for any entity. Key tenets of this guidance:
  • Focus on significant risks
  • Emphasis on risk management that promotes proactive management of risk exposures
  • Ongoing, continuous monitoring of risk and control
  • Engaging all employees
  • Streamlining risk management databases by embedding them in the organizational processes.
COSO's External and Internal Factors that Drive Events:
External factors:
  • Economic
  • Natural environment (disasters)
  • Political
  • Social
  • Technological
Internal factors:
  • Infrastructure
  • Personnel
  • Process
  • Technology
COSO's Common Event identification techniques:
  • Event inventories: Detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries.
  • Internal analysis: Detailed analysis of information, which may be part of routine operations or information from other stakeholders.
  • Escalation or threshold triggers: Triggers alerting management to areas of concern that may require further assessment or immediate response. 
  • Facilitated workshops and interviews
  • Process flow analysis
  • Leading event indicators: Monitoring of data correlated to events to identify conditions that could give rise to an event
  • Loss event data methodologies - Examination of data on past individual loss events to identify trends and root causes of events.

Risk assessment is a process of identifying, measuring and prioritizing risk. Risk assessments may be micro or macro in their overall scope. 

If an organization lacks dedicated resources for enterprise risk management, the internal audit activity can help facilitate the initial establishment of a generic framework at management's request. Although internal auditors can facilitate or enable risk management processes, they should not own or be responsible for the management of risks identified.

Risk assessment techniques include:
  • Qualitative assessment (interviews and workshops). Used when sufficient credible data required for quantitative assessment is not readily available.
  • Quantitative assessment. Used when sufficient credible data is available and numerical comparison of risks is required.
COSO Risk Management Responses

Avoidance
Action is taken to exit the activities giving rise to the risk. E.g. closing a plant in a region of political instability with the potential for operational interruptions.

Reduction
Action is taken to reduce risk likelihood or impact or both. E.g. diversifying product offerings and methods, or investing in technology upgrades that reduce the likelihood of system failures.

Sharing
Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. E.g. entering into joint ventures or partnerships, or purchasing insurance to protect against significant unexpected loss.

Acceptance
No action is taken to affect likelihood or impact. E.g. accepting a risk that conforms to risk tolerance, or deciding to self-insure against a loss (not buying cover) because insurance premiums and deductibles exceed the cost of replacement.


Control risk refers to the tendency of the internal control system to lose effectiveness over time and expose the assets under its control.

Ongoing risk monitoring activities are:
  • Typically performed by line-operating or functional support managers based on the information they receive.
  • Focused on relationships, inconsistencies or other relevant implications.
  • Differentiated from activities performed in response to policy.
The internal audit activity's role in the risk management process may change over time and can include:

  • No role
  • Auditing the risk management process as part of the internal audit plan
  • Active, continuous support and involvement in the risk management process such as participation on oversight committees, monitoring activities and status reporting
  • Managing and coordinating the risk management process
Internal auditor's assurance role in risk management includes assurance on:
  • Risk management processes, including their design and how well they are working
  • Management of key risks, including the effectiveness of the controls and other activities
  • Reliable and appropriate assessment of risks and reporting of risk and control status.
Internal auditor's consulting role in risk management includes:
  • Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools
  • Being a champion for introducing ERM into the organization
  • Providing advice, facilitating workshops and coaching the organization on risk and control
  • Acting as the central point for coordinating, monitoring and reporting on risks
  • Supporting managers as they work to identify the best way to mitigate a risk
The following roles the internal audit function should not undertake:
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management's behalf
  • Accountability for risk management
When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution

Internal audit's role before a disaster includes evaluating the organization's readiness to deal with business interruptions and providing assurance that the disaster recovery plan is not outdated.

Internal audit's role after disaster is to monitor the effectiveness of the recovery and control of operations. Internal audit activity should identify areas where internal controls and mitigating actions should be improved and recommend improvements to the entity's business continuity plan. 

Section 5: The Nature of Internal Audit Work in Risk Management, Control & Governance

The nature of internal auditing work has evolved well beyond the traditional areas of internal control assurance and compliance to also include risk management and governance.

Various definitions and descriptions of risk management, internal control and governance follow.

Risk management: A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Enterprise Risk Management: Trends and Emerging Practices notes that ERM:

  • Incorporates risks from all sources
  • Makes use of the natural hedges and portfolio effects from treating those risks with a collective approach
  • Coordinates risk management strategies that span risk management, mitigation, financing and monitoring
  • Focuses on the impact to the organization's overall financial and strategic objectives
  • Recognizes the upside opportunity and downside nature of risks
Enterprise-wide risk management is defined as: A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. 

Internal Control: A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
Governance: The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives. Effective governance:
  • Starts at the top with the board of directors and cascades throughout the organization to all employees
  • Involves critical relationships among the board, senior management and shareholders
  • Encompasses organizational structure as well as the related legal and regulatory environment
  • Balances economic and social goals
  • Extends to customers, suppliers, partners, creditors and general community.