Internal Controls and Risk Management: Learning Objectives

This document discusses internal controls and risk management. It defines internal control as designed to provide reasonable assurance regarding financial reporting, operations, and compliance. The key components of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring. Risk management involves identifying, analyzing, and responding to risks that could impact objectives. Types of risks include business and process risks relating to operations, supply chain, human resources, products, competitors, and more.

Uploaded by

Ramil Saguban

10/4/21

Internal Controls and Risk Management

Learning Objectives
+ Understand what is meant by internal control using the Committee of Sponsoring Organizations (COSO) Framework.
+ Identify the objectives, components, and principles of an effective internal control framework.
+ Know the roles and responsibilities each group in an organization has regarding internal control.
+ Identify the different types of controls and the appropriate application for each of them.
+ Obtain an awareness of the process for evaluating the system of internal controls and its limitations.
+ Define risk and enterprise risk management.
+ Explore the elements and the processes of risk management that organizations can adopt in establishing an effective risk management framework.
+ Examine the objectives, components, roles, and responsibilities of the 2017 COSO Enterprise Risk Management Framework.
+ Describe the different roles the internal audit function can play in enterprise risk management.
+ Evaluate the impact of enterprise risk management on internal audit activities.


Internal Controls

What is Internal Control?
It is designed and effected by an entity's board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories:
(1) reliability of financial reporting,
(2) effectiveness and efficiency of operations, and
(3) compliance with applicable laws and regulations.


Take Note!
+ An internal control system consists of all the policies and procedures (i.e., related to internal control) and processes adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business.
+ Under the leadership of the CEO, management has ultimate responsibility for the adequate design and effective operation of the system of internal controls. Internal auditors play a significant role in verifying that management has met its responsibility.
+ The internal audit function provides reasonable assurance that the system of internal controls is designed adequately and operating effectively.

Limitations of Internal Control


Elements/Components of Internal Control

+ Control Environment
+ Risk Assessment
+ Control Activities
+ Information and Communication
+ Monitoring

Control Environment
+ The control environment sets the tone of an organization, influencing the control consciousness of its people.
+ It is the foundation for all other components of internal control, providing discipline and structure.
+ The importance of control to an entity is reflected in the overall attitude, awareness of, and actions of the board of directors, management, and owners regarding control.


Factors affecting Control Environment

+ Communication and enforcement of integrity and ethical values
+ Commitment to competence
+ Human resources policies and practices
+ Assignment of authority and responsibility
+ Management's philosophy and operating style
+ Participation of those charged with governance (Board of Directors/Audit Committee)
+ Organizational structure

Control Activities
+ The policies and procedures that help ensure that management's directives are carried out and are implemented to address risks identified in the risk assessment process. Control activities may be either automated or manual.


Control activities relevant to audit

+ Performance reviews.
+ Information processing controls, including authorization and document-based controls.
+ Physical controls.
+ Segregation of duties.


Categories of Control Activities

+ Preventive
+ Detective
+ Directive
+ Compensating


Information Systems and Communication

+ An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data.
+ The information system relevant to the financial reporting objective includes the accounting system and consists of the procedures (whether automated or manual) and records established to initiate, authorize, record, process, and report an entity's transactions and to maintain accountability for the related assets and liabilities.


Monitoring
+ To allow for continuous improvements and consider changes in the entity's operating environment, management needs to monitor its internal control systems. The fundamental principles of monitoring include:
1. On-going and separate evaluations. On-going evaluations of controls that are separate from other types of evaluations (e.g., operational) enable management to determine whether the other components of internal control continue to function over time.
2. Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.


Risk Management


Risk Assessment
+ Risk, under COSO, is the possibility that events will occur and affect the achievement of a strategy and objectives.
+ Organizations ordinarily face a variety of risks from external and internal sources that threaten their ability to meet their objectives in the areas of operations, reporting, and compliance.


Take Note!
+ Risk is a concept used by auditors and managers to express concerns about the probable effects of an uncertain environment. Risk assessment is management's process for identifying, analyzing, and responding to such risks.
+ In performing effective risk assessment, organizations should:
  + Clearly specify objectives to allow the identification and assessment of risks related to those objectives.
  + Identify and analyze risks to the achievement of its objectives to determine how they may be managed.
  + Consider potential fraud relating to the achievement of objectives.
  + Identify and assess changes that could impact internal control.


Types of Risks
+ Business and Process Risks
+ This is the risk that the organization's processes are not effectively obtaining, managing, and disposing of their assets; that the organization is not performing effectively and efficiently in meeting customer needs; and that it is not creating value or is diluting value by suffering the degradation of financial, physical, and information assets.


Types of Risks
+Business and Process Risks (continued)
+Capacity risk
+Execution risk
+Supply chain risk
+Business interruption risk
+Human resource risk
+Product or service failure risk
+Product development risk
+Cycle time risk


Types of Risks
+Business and Process Risks (continued)
+ Health and safety risk
+ Leadership risk
+ Outsourcing risk
+ Competitor risk
+ Catastrophic risk
+ Industry risk
+ Planning risk
+ Organization risk
+ Integrity and fraud risk


Types of Risks
+Business and Process Risks (continued)
+Trademark erosion risk
+Reputation risk
+Data integrity
+Infrastructure risk
+Commerce risk
+Access risk
+Availability risk


Types of Risks
+ Technological and Information Technology Risks
+ These risks relate to conditions where IT is not operating as intended, the integrity and reliability of data is compromised, and significant assets are exposed to potential loss or misuse. They also relate to the inability to maintain critical systems and processes.


Types of Risks
+Technological and Information Technology Risks
+Data and system availability risk
+Data integrity risk
+System capacity risk
+Data integrity
+Infrastructure risk
+Commerce risk
+Access risk
+Availability risk


Types of Risks
+ Personnel Risks
+ Personnel risks relate to conditions that limit the organization's ability to obtain, deploy, and retain enough suitably qualified and motivated workers.
+ As organizations increasingly rely on their workforce to produce goods and services that add value to their customers, management is confronted with the risk that personnel shortages limit their ability to deliver consistently with high quality in the short and long terms.


Types of Risks
+Personnel Risks
+Availability risk
+Competence risk
+Judgment risk
+Malfeasance risk
+Motivation risk


Types of Risks
+ Financial Risks
+ Financial risks can result in poor cash flows, currency and interest rate fluctuations, and an inability to move funds quickly and without loss of value to where they are needed.


Types of Risks
+Financial Risks
+Resource risk
+Commodity prices risk
+Foreign currency risk
+Liquidity risk
+Market risk


Types of Risks
+ Environmental Risks
+ Related to the actual or potential threat of negative effects on the environment by emissions, wastes, and resource depletion. This can be caused by an organization's activities, and it influences living organisms, land, air, and water.


Types of Risks
+Environmental Risks
+Energy and other resources risk
+Natural disaster risk
+Pollution risk
+Transportation risk
+Pandemic risk


Types of Risks
+ Political Risks
+ A type of risk faced by organizations, investors, and governments. It refers to the effects that political decisions, events, or conditions can cause when they affect the profitability of a business, or the ability to operate freely. It has to do with the complications organizations may encounter as a result of political decisions.


Types of Risks
+Political Risks
+Regulations and legislation risk
+Public policy risk
+Instability risk


Types of Risks
+ Social Risks
+ Relates to dynamics where an issue affects stakeholders who can form negative perceptions that can cause some form of damage to the organization.
+ It can be influenced by strategic and operational decisions management makes that affect issues stakeholders care about.


Types of Risks
+Social Risks
+Demographics risk
+Privacy risk
+Corporate social responsibility risk
+Mobility risk


Effects of Risk
+ Loss of assets
+ Negative publicity
+ Erroneous decisions
+ Customer dissatisfaction
+ Fraudulent financial or operational reporting
+ Erroneous record keeping and accounting
+ Noncompliance with rules and regulations
+ Purchase of resources uneconomically
+ Failure to accomplish established goals


Enterprise Risk Management

+ According to COSO, Enterprise Risk Management (ERM) is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.
+ This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:
1. Strategic - high-level goals, aligned with and supporting its mission.
2. Operations - effective and efficient use of its resources.
3. Reporting - reliability of reporting.
4. Compliance - compliance with applicable laws and regulations.


Five Risk Components (from COSO exposure draft)

1. Risk Governance and Culture
2. Risk, Strategy, and Objective Setting
3. Risk in Execution
4. Risk Information, Communication, and Reporting
5. Monitoring Enterprise Risk Management Performance


Risk Management Process

1. Risk Identification
2. Risk Qualification and Prioritization
3. Risk Monitoring
4. Risk Mitigation and Avoidance


Risk Management Process

1. Risk Identification
+ This takes the form of a list of risks.
+ Quite often this step is not exhaustive enough, or is performed by individuals with limited knowledge of the process being assessed.
+ As a result, only some of the relevant risks are identified.


Risk Management Process

2. Risk Qualification and Prioritization
+ Once risks are identified, it is important to determine the probability and impact of each risk on the efficient and effective conduct of the business activities.
+ Risks which are more likely to occur and have a significant impact on the business will be the highest priority risks, while those which are more unlikely or have a low impact will be a much lower priority.


Risk Management Process

3. Risk Monitoring
+ The auditor moves the process to this step once the risks are assigned a probability/impact and placed in the appropriate position on the chart.
+ Normally each control is assigned a number, say 1 to 5, where 1 shows the lowest strength and 5 the highest strength of a control.
+ Internal audit assigns these numbers to each control. After all controls are marked with these numbers, an average is taken by adding all the numbers and dividing by the number of controls. The number obtained defines the overall strength of the set of controls being examined.
+ Based on the overall strength of controls, the extent of work is calculated.


Risk Management Process

4. Risk Mitigation and Avoidance
+ Once risks have been qualified, the team must determine how to eliminate those risks which have the greatest probability and impact on the business.
+ This section explains the considerations which must be made and the options available to management in mitigating and avoiding these risks.
+ The internal auditor shall exercise judgment as to how the risks identified during the process can be eliminated.
+ After the examination is completed, the internal auditor shall recommend to management in writing that it follow certain procedures that shall ensure elimination of the risks.


Risk Responses

+ Accept
+ Avoid
+ Pursue (Exploit)
+ Reduce
+ Share (Transfer)
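The following is an added worked example, not code from the slide deck, that carries steps 2 to 4 of the risk management process above through a small constructed risk register: it ranks risks by probability times impact (step 2), averages the 1 to 5 scores internal audit assigns to each control into an overall control strength (step 3), and picks one of the deck's response labels (step 4). The mapping from control strength to extent of audit work, the risk-appetite threshold of 6, and the accept/avoid/reduce rule are assumptions chosen for the illustration; the deck does not specify them.

```python
"""Worked example: scoring a small risk register as steps 2 to 4 describe.

Constructed illustration, not code from the slide deck. It implements the
prioritisation rule from step 2 (probability x impact, highest first) and
the control-strength average from step 3 (each control scored 1 to 5, then
averaged). The strength-to-extent-of-work mapping, the risk-appetite
threshold and the response rule are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Risk:
    name: str
    probability: int                 # 1 (remote) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    control_scores: list = field(default_factory=list)  # one 1..5 score per control

    def score(self) -> int:
        """Inherent risk score: probability x impact (step 2)."""
        return self.probability * self.impact


def validate(risk: Risk) -> None:
    """Reject ratings outside the 1..5 scale so a typo cannot skew the ranking."""
    for value in (risk.probability, risk.impact, *risk.control_scores):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: rating {value} outside 1..5")


def prioritise(risks):
    """Step 2: highest probability x impact first; ties broken by name for stable output."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def control_strength(risk: Risk) -> float:
    """Step 3: average of the 1..5 scores assigned to each control.
    A risk with no controls at all gets 0.0, below the weakest possible control."""
    if not risk.control_scores:
        return 0.0
    return float(mean(risk.control_scores))


def extent_of_work(strength: float) -> str:
    """Assumed mapping (not from the deck): weaker controls mean more audit testing."""
    if strength >= 4.0:
        return "limited testing"
    if strength >= 2.5:
        return "standard testing"
    return "extended testing"


def recommend_response(risk: Risk, appetite: int = 6) -> str:
    """Assumed rule (not from the deck), using the deck's response vocabulary:
    within appetite -> Accept; worst case on both axes -> Avoid; otherwise Reduce."""
    if risk.score() <= appetite:
        return "Accept"
    if risk.probability == 5 and risk.impact == 5:
        return "Avoid"
    return "Reduce"


def assess(risks, appetite: int = 6):
    """Run steps 2 to 4 over a register; one row per risk, highest priority first."""
    rows = []
    for r in prioritise(risks):
        strength = control_strength(r)
        rows.append({
            "risk": r.name,
            "score": r.score(),
            "strength": strength,
            "extent": extent_of_work(strength),
            "response": recommend_response(r, appetite),
        })
    return rows


# Constructed sample register: names and ratings are made up for the example.
SAMPLE_REGISTER = [
    Risk("Supply chain disruption", probability=4, impact=4, control_scores=[3, 2, 4]),
    Risk("Data integrity failure", probability=3, impact=5, control_scores=[5, 4]),
    Risk("Office relocation delay", probability=2, impact=2),
    Risk("Uninsured catastrophic loss", probability=5, impact=5, control_scores=[1]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['risk']:<30} score={row['score']:>2} "
              f"strength={row['strength']:.1f} {row['extent']:<17} {row['response']}")
```

Two design points are worth noting. A risk with no recorded controls is scored 0.0 rather than skipped, so it cannot silently disappear from the "extended testing" bucket. And the ranking is computed from the inherent score before control strength is considered, matching the deck's ordering of steps: prioritise first, then judge the controls, then decide the response.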


The Scope of Internal Audit's Role in Risk Management


Control Objectives for Risk Management Process

1. Organizational objectives support and align with the organization's mission.
2. Significant risks are identified and assessed.
3. Appropriate risk responses are selected that align risks with the organization's risk appetite.
4. Relevant risk information, enabling staff, management, and the board to carry out their responsibilities, is captured and communicated in a timely manner across the organization.


Risk Management Challenges
+ Major Risks that are Concealed
+ The Extra Risks of Less Democratic Organizations
+ Multiple Simultaneous Risks Materializing
+ Opportunities as well as Threats
+ Too Risk Averse?


Thank you
