Operations Auditing

Operations auditing provides assurance and insight through independent and objective assessments of risk, control, and governance processes. It evaluates the efficiency, effectiveness, and accountability of organizational functions. The International Standards for the Professional Practice of Internal Auditing and the Committee of Sponsoring Organizations framework provide guidance for conducting audits and ensuring reasonable assurance of operational effectiveness and compliance. The audit process involves planning engagements, performing fieldwork to gather evidence, and communicating results.

Uploaded by LORI-LYN GUICO

OPERATIONS AUDITING
- Risk
- Control
- Analyses
- Assessments
- Accountability
- Independence

INTRODUCTION TO OPERATIONS AUDITING

OPERATIONAL AUDITING
- Comprehensive review of an org, or of functions within an enterprise, to appraise:
  o Efficiency
  o Economy of operations
  o Effectiveness of those functions
- More focused on the specific areas being audited, e.g. HR
- Audit of operating units
  o Manufacturing plants / depots / subsidiaries / overseas
  o Covers administrative and operational controls, RM, governance processes
- How functional areas of the business account for their activities and exercise financial control over them
  o Review all operational areas of the business
- Audit of any part of the business
  o Review the EEE (economy, efficiency, effectiveness) with which mgt is achieving its own objectives
  o Review of detailed internal control procedures
- Appraisal of operations, policies, procedures, use of authority, quality of mgt, effectiveness of methods, special problems and other phases

IAA – INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
ISPPIA – International Standards for the Professional Practice of Internal Auditing
They are intended to:
- State the basic principles for the practice of internal auditing
- Provide a framework for performing and promoting value-added internal audit activities
- Establish the basis for evaluating internal auditing performance
- Improve organizational processes and operations

Standards: Attribute | Performance | Implementation
- Attribute standards – relate to the attributes of the internal auditing org or the personal attributes of the internal auditor:
  o Objectivity
  o Independence
  o Professional proficiency
  o Compliance with the Standards
  o 1000 Purpose, Authority & Responsibility
  o 1100 Independence and Objectivity
  o 1200 Proficiency & Due Professional Care
  o 1300 Quality Assurance & Improvement Program
- Performance standards – how the auditors themselves perform the audit; applicable to the performance of the work, and address managing the:
  o IA process
  o Assessing the risk / control / governance process
  o Planning the engagement
  o Testing & analyzing information
  o Evaluating evidential matter
  o Communicating results
  o 2000 Managing the IA Activity
  o 2100 Nature of Work
  o 2200 Engagement Planning
  o 2300 Performing the Engagement
  o 2400 Communicating Results
  o 2500 Monitoring Progress
  o 2600 Resolution of Mgt's Acceptance of Risk
- Implementation standards – address the appropriate means of applying the Attribute and Performance standards

COSO – Committee of Sponsoring Organizations
- Its view of internal control rightly sees one of the 3 obj of internal control as being to:
  o Give reasonable assurance of "Effectiveness and Efficiency" of operations
Objectives:
- Economic and efficient utilization
- Attainment of operational goals and objectives
- Applies to all
Compliance – laws
- Foundation of IA

INTERNAL CONTROL
- Process, effected by the entity's BOD, mgt, and other personnel, designed to provide RA regarding the achievement of obj in the ff:
  o Effectiveness and efficiency of operations
  o Reliability of financial reporting
  o Compliance with applicable laws and regulations
- Process consisting of ongoing tasks and activities – a means to an end, not an end in itself
- Effected by people
- Able to provide reasonable, but not absolute, assurance to the BOD
- Adaptable to the entity structure

INTERNAL AUDITING
- Independent appraisal of the effectiveness of internal control
- Institute of Internal Auditors (2009) definition of IA:
  o Independent
  o Objective assurance and consulting activity
  o Designed to add value and improve an org's operations
  o Helps accomplish obj by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of:
     Risk management
     Control
     Governance process

Value Proposition of Internal Auditing for Key Stakeholders:
Internal Auditing: Assurance | Insight | Objectivity
- Assurance – Governance
- Insight – Catalyst
- Objectivity – Integrity
Represent SHE

Audit Universe of Potential Audit Projects
- Formed by the breakdown of the organization into a set of separate audit reviews
- Auditing activities in different depts require coordination.
- BUSINESS PROCESS
  o Standard Audit Program from 6 Business Processes
  o As an auditor, you need to understand the business process
     Business strategy (end-to-end process)
     Departmentalized limited scope
When approaching the review of operational areas of the org, it is important that the auditor has an accurate appreciation of the related key issues.

Audit Process / Audit Approach:
1. Planning
  o Establish what mgt's obj are
  o Define / establish audit obj and methodology (the particular focus that auditors will have during the AE)
     Send audit notification letter
     Gather background information
     Identify risk
     Create audit program
  o Entrance meeting
     Discuss the planned audit
     Solicit input
     Explain timing and resources
2. Fieldwork
  o Gather evidence to accomplish the audit obj
     Conduct interviews
     Review documentation and processes
     Test transactions and documentation
  o Exit meeting
     Discuss audit results
     Resolve questions and concerns
     Discuss corrective action plans
3. Reporting
  o Communicate audit results
     Provide draft report for comments
     Obtain corrective action plans
     Distribute final report to appropriate and required individuals
4. Follow-up
  o Validation
  o Verify whether the action plan was carried out or not
  o Review corrective action plans and results
     Interview staff
     Review new processes and documentation
     Re-audit

AUDITORS' INDEPENDENCE
BSP MORB Section 163
Independence from:
- Audited activity
- Operational control processes
Freedom to:
- Report audit results & opinions directly to the BACC
Authorized to:
- Directly access and communicate with any officer or employee
- Examine any of the bank's activities or entities
- Access any information relevant to the audit
Per approved IAG Charter:
- Full, free, & unrestricted access

INTERNAL AUDIT ORGANIZATIONAL STRUCTURE
CAE
- Functionally reporting to the BOD (they have the power to Pres)
- Administratively reporting to the President

RISK-BASED AUDIT PROCESS – focus on high risk
Entity level:
- Co-develop expectation
- Understand the bank
- Assess risk
- Develop audit plan
Unit / process level:
- Execute audit plan
- Communicate results
- Follow up open issues
IAG level:
- Conduct internal QA
- Seek external QA (every 5 yrs)

AUDIT TEAM COMPLEMENT
1. Information System Audit Division Head
2. ____ Department Head
3. Supervising Officer
4. Team Leader
  - Perform fieldwork

MISSION OF THE INTERNAL AUDIT
BSP MORB Section 163
- Audit services
- Professional traits
- Covered processes
- Purpose

THE IIA'S THREE LINES MODEL
- Composed of:
  o Understand business
  o Manage business
  o Monitor performance
  o Identify OFIs / deviations
- Sample:
[Diagram of the Three Lines Model; only its labels survive: Accountability, reporting | Delegation, direction, resources, oversight | Alignment, communication, coordination, collaboration | Frontline operations | Checking]

THE THREE AND SIX Es
1. 3E: Economy
  o Planned input > actual input
  o Doing them cheap
  o Ratio between what we planned to spend on each unit of resource of a given quality, and what we actually spent
2. 3E: Efficiency
  o Actual output > actual input
  o Doing things well
  o Zero waste
  o Smooth conversion process
3. 3E: Effectiveness
  o Actual output > planned output
  o Doing the right things
  o Actual outputs correspond to the outputs we planned
  o Achieving obj
  o Unless there is a formal measurement protocol in place, there may be potential for differing conclusions to be drawn from the same
4. Ethics
  o Bound by a code of ethics
  o Legal and moral conduct by mgt and staff
5. Environment
  o Responsible way / laws / regulations
  o Acting in an environmentally responsible way
6. Equity
  o Ensures that mgt is fair
  o Avoidance of discrimination and unfairness
  o Acceptance and promotion of diversity
RESOURCING THE INTERNAL AUDIT OF TECHNICAL ACTIVITIES

1210 Proficiency
- Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities

1210.A1 – The CAE should obtain competent advice and assistance if the IA staff lacks the knowledge, skills or other competencies needed to perform all or part of the engagement

1210.C1 – The CAE should decline the consulting engagement / obtain competent advice and assistance if the IA staff lacks the knowledge, skills or competencies needed to perform all or part of the engagement

Standard 2020 on Communication and Approval
- The CAE communicates to senior mgt and to the board the impact of resource limitations

Modern internal auditing activity should be multidisciplinary

Technical Expert – Internal Technical Expert vs External / Outside Service Provider
- Cost: internal is more expensive | x
- Fairness: unfair | more independent
- Familiarity: more familiar with operations | unfamiliar
- Transfer of knowledge: [check marks not recoverable]
- Prioritization: [check marks not recoverable]

CAE
- IAA Standards make it clear that the overall responsibility remains with the CAE even when entire parts of internal audit have been outsourced
- Responsible for all internal audit engagements
- Adopts suitable means to ensure this responsibility is met
  o Minimize the risk that internal auditors make professional judgements that are inconsistent with the CAE's professional judgement
  o Resolve differences in professional judgment over significant issues

Other sources of technical activity:
- Programme of Control Self Assessment (CSA)
  o Source for obtaining assurance about highly technical activities
  o Different from traditional internal auditing
  o Less independent, less objective self-assessment by mgt and staff

PRODUCTIVITY AND PERFORMANCE MEASUREMENT SYSTEM
- Process of collecting, analyzing, and reporting info regarding the performance of an individual, group, org, system or component
- Should be restructured from macro-level indicators to more detailed (micro-level) measures relative to specific areas or divisions.
- Standards
  o Measurement data
  o Provided for interpretation

Performance measures (PM):
1. Workload / Demand PM
- Volume of output; when linked to measures of input, gives info on quality or quantity matters.
  o No. of users / units produced / books in a library
2. Economy PM
- Highlights waste in the provision of resources
- The same resources may be provided more cheaply, or more enterprise may be conducted at the same cost
  o Cleaning costs per hour worked / maintenance costs per unit area
3. Efficiency PM
- Opportunities to convert resources to end product with less waste
4. Effectiveness PM
- How obj are being achieved regardless of economy, efficiency, equity
5. Equity PM
- Attention to unfairness or potential social irresponsibility in corporate policy and practice

VALUE FOR MONEY AUDITING
- Takes account of the 3 Es
- Involves the assessment of an appropriate range of performance measurement criteria
- The auditor should consider discussing their proposed assessment and measurement criteria with mgt

Add Value by IIA:
- Value is provided by:
  o improving opportunities to achieve organizational activities,
  o identifying operational improvement,
  o reducing risk exposure thru both assurance and consulting services.
- Stakeholders benefit from the results of internal audit work.

BENCHMARKING
- Comparison of one's own performance in a specific area with that achieved by others in compatible circumstances.
- It is necessary to understand the existing processes, systems and activities, as a firm basis for subsequent comparison with external points of reference.
- Incorporates the establishment of critical success factors
- Internal audit can benefit from participating in BM comparison
- Not an end in itself; it identifies and subsequently launches the necessary processes
Objectives:
- Maintain competitive advantage
- Establish current methods, best practice, related trends
- Ensure future survival
- Maintain awareness of customer expectations
- Ensure that the org has the appropriate approach to quality issues.

CHAPTER 2
BUSINESS PROCESSES
- Tool used by the auditor to understand the AUDIT TRAIL
- Chain of interrelated events or activities plotted from the origin to the conclusion.

AUDIT TRAIL
- Process where you can see the input, process, output
- Preparation and detection
- Detailed element of a transaction
- Trace back to the initial source
- Presented in chronological order and involves all the steps of specific transactions such as changes:
  o Add
  o Deletion
  o Update
- Preparation and retention within an org
  o For an adequate period
  o In a reasonably accessible form
  o In enough detail to satisfy the auditors of records
- Allows each detailed element of any transaction to be tracked from its source thru each intermediate stage to its disposition (and vice versa: from the final outcome thru the intermediate stages back to the initial sources)
- Importance:
  o Maintain activities / transactions
  o Helps in tracing / identifying errors
  o Helps the auditor to verify / validate
     Analyze documented audit evidence
  o Provides a base for correlation / rectification
     Error of omission – should have been posted but was not posted
     Error of commission – was posted but should not have been posted
- Benefits
  o Accountability
  o Correction of transactions
  o Detection of fraud
     Thru:
     History
     Source document
  o Those who committed irregularities can be identified
- Also a control (policy / procedure / rules / conduct implemented)

Basic Controls in a System:
- Maker and checker controls
- Input controls
- Validation controls
- Output controls
  o Printing and distribution of reports

AN AUDIT UNIVERSE OF BP
- Defining the audit universe / reviews thru:
  o Departmental / functional basis
     Advantages:
     Area under review is bounded
     Reporting lines to responsible mgt are clear-cut
- Often at the point of interaction between systems or depts where controls are critical
  o Gov, RM, and IC are usually much weaker over BP which cut across departmental frontiers

WHY ADOPT A "CYCLE" OR "PROCESS" APPROACH TO INTERNAL CONTROL DESIGN AND REVIEW?
- It affords a more natural, systems-oriented view by following a BP thru its entire life span from inception to ultimate disposition
- Auditors appreciated the idea of natural processes or flows as one definition of audit trail

A HYBRID AUDIT UNIVERSE
- Internal audit is likely to have an AU where some of the potential audit engagements are of subjects which correspond to the org parts of the business (depts, operating units) while others are of BP which cross over the structural frontiers
  o Must avoid double auditing, where they address the same issues as part of a process audit and as part of a functional audit

SELF ASSESSMENT OF BP THRU CSA
Control Self Assessment (CSA) Approach
- Workable alternative to the traditional internal audit approach
- Provides a lesser level of objective assurance

REASONS FOR PROCESS WEAKNESSES
- Control
  o Weaker between sections than within sections, for behavioral reasons as well.
  o There must be intra-group loyalty rather than inter-group rivalry

IDENTIFYING THE PROCESSES OF AN ORG:
- Business Cycle Approach
  o Focuses on a number of related economic events that occur within an organization, which in turn may generate transactions and interactions with systems
  o But should be BP, since not all loop back in a cyclical way

Six Ubiquitous Processes
1. Revenue Process – exchange p/s for cash
  a. Credit granting
  b. Processing orders
  c. Delivery, shipping etc.
2. Expenditure Process – acquire g/s, labor, property, then pay
3. Production / Conversion Process – utilization and mgt of various resources
  a. Key issue: accountability for the movement and usage of resources up to the point of supply, which is then dealt with in the revenue cycle
  b. Includes:
    i. Product accounting / costing
    ii. Manufacturing control
    iii. Stock management
4. Treasury Process – relating to capital funds
  a. Cash requirements, cash flow mgt
  b. Allocation of available cash to operations
  c. Investment planning
  d. Outflow of cash to investors and creditors
5. Financial Reporting Process – consolidation and reporting of results to interested parties
6. Corporate Framework Process – ensuring effective and appropriate governance process and external accountability
  a. Development of values, ethics, culture, mgt, strategy etc.

More Detailed Classification of BP
1. Cash Process – payments from customers, settlement of debts due
2. Info Process – gathering and conversion, analysis to decisions
3. Integrity Process – control over the creation, implementation, security and use of computer programs, and controls over the security of data files
4. Launching a new product process – market R&D, finance, tooling up, commencement of production
5. Payment process – expenditures and payments
6. Planning and control process – planning, executing, measuring results, comparing actual with planned
7. Production process – production of g/s, related controls, inventory transfers and charges to production for labor and OH
8. Product Life process – commencing with launching the product, thru production, revision, relaunch, up to decline
9. Revenue Process – revenue generating and collection functions
10. Time Process – not strictly related to transaction flows; it includes events caused by the passage of time, controls that are periodically applied

HALLMARKS OF A GOOD BP / HOW CAN WE SAY THAT AN ORG HAS A SOUND BP?
1. Designed to meet obj which are clear
2. Has regard to competitive issues
3. Performance can be (and is) measured
4. Unsatisfactory performance is rectified
5. Activities are completed in a timely way
6. Processes are cost effective
7. Controls are "preventative" rather than merely "permissive"
  a. CONTROLS – ex.: information leakage
    i. Preventive – avoid the impact
       Controls for access
    ii. Detective – mitigate / lessen
       Audit trail detects the unauthorized (audit logs)
    iii. Corrective
       Correct user access / update
8. As few "movements / stages" as possible
9. Unnecessary steps have been eliminated
  a. Nothing is done which is unimportant to the achievement of obj
10. Proper authorizations applied
11. Controls positioned as early as possible in the process
12. Documented
13. Has an audit trail
14. Right people doing the right job
15. Room for adaptation (OFI)
16. Defines risks within the process itself
  o Risk assessment

AUDIT PROGRAM GUIDE:
- Program for auditors to follow
- Determines the course of action
- Highlights the steps to be taken
- Intended for audit activities
1. SAPG / Standard – basic for all
2. TAPG / Tailored – more specific
3. CAPG / Compliance – regulatory requirements
4. FAPG / Fixed / Flexible – as-is / update or change the APG

CHAPTER 3
DEVELOPING OPERATIONAL REVIEW PROGRAMMES FOR MANAGERIAL AND AUDIT USE

SAPG
- Practical method of documenting all the elements of an operational audit review in a form which resembles the traditional internal control questionnaire (ICQ)
- Intended for use during mgt and audit reviews of activities within an org
- Most are designed to cover systems which have interfaces with other systems
- Users of it may choose to develop a
  o Fact Finding Programme
  o High Level Review Programme
- Basis for dividing the org for reviewing the effectiveness of IC:
  o Functionally based – based on org structure
  o Operationally based – based on prime activities

12 Main Areas (based on the division of the Audit Universe of Potential Review Projects)
1. Management and Administration
2. Financial and Accounting
3. Personnel
4. Procurement
5. Stock and Materials Handling
6. Production / Manufacturing
7. Marketing and Sales
8. After Sales Support
9. Research and Development
10. Information Technology
11. Contracting
12. Governance, RM, IC (web-based SAPG source)

BP IN THE SAPG
SAPG
- Indicates other SAPGs with which the subject of the SAPG interacts – either because what happens in that other area of the business impacts on the subject of the SAPG, or what happens within the subject covered by the SAPG impacts upon other areas of the business
- First four SAPG process categories:
  o Built around a range of related economic events which may in turn generate transactions and interactions with systems.
- Main / Secondary Relationships of BP in SAPGs:
  o Intended to further assist users in selecting the appropriate combinations of SAPGs which can readily support the structural obj of their adopted Audit Universe approach.

FORMAT OF SAPGs
1. Title Page
  o Records the details of the subject matter covered by the SAPG and the reference number
  o Records details about the specific audit project
  o Describes the control objectives for the relevant system
2. The Risk / Control Issues
  o Expressed in the form of questions
  o Subdivided into:
     Key Issues – more significant / crucial points
     Detailed Issues – take the user into more underlying system considerations
     Utilized if a potential weakness was revealed in the key issues
  o Parts:
     Sequence
     Risk / Control Issues
     Current Control / Measure – to address the issues raised
     WP Ref. – working paper cross-reference
     Effective Yes/No – whether the controls are effective in supporting the required obj
     Compliance Testing – record test / summary outcome
     Substantive Testing
     Weakness to report
3. System Interfaces – alert auditors to the likely interfaces between the system / activity being addressed in the SAPG and any others.
  o Input / output connections

RISK IN OPERATIONAL AUDITING
- The use of risk assessment by internal auditors can operate at different levels of audit planning and activity:
  o Tactical level
     Apply RA techniques to the potential universe of possible audit projects
     Involves the development of an audit risk formula
  o Operational level
     RA linked to an evaluation of control effectiveness
     Auditing efforts are concentrated on the highly risky, poorly controlled

Nature of Risk
- Inherent Risk – extent / size
  o Easy to determine objectively
- Control Risk / System Risk – probability dimension
  o More subjective dimension

Exposure – unwanted event or outcome that mgt would wish to avoid
- Can be financial / nonfinancial (like loss of reputation)
- Auditors, when considering risk exposures, should take a broad view of the potential aspects on the org and not concentrate solely on financial aspects.

Measuring Risk
RISK = IMPACT x LIKELIHOOD

2 Elements of Inherent Risk:
1. Expression of the type of exposure
2. Likely extent (measure of size)

MEASURING CONTROL EFFECTIVENESS
CE – has a variability
- Product of 2 dimensions:
  o Potential effectiveness of a control activity, assuming that it is applied correctly all the time by staff and mgt +
  o Actual extent to which it is complied with
- Varies between the exposures it impacts upon

CHAPTER 4
GOVERNANCE PROCESSES

COSO'S FRAMEWORK
- Adopted in the identification of IC
- Nonprofit org
- Helps the org to identify and achieve org goals

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Mission:
- Help the org improve performance by developing thought leadership that enhances internal control, RM, governance, and fraud deterrence.

GOVERNANCE
- Combination of processes and structures implemented by the board to:
  o Implement
  o Direct
  o Manage
  o Monitor
     the activities of the org toward achievement of obj
- Fundamental element of the definition of IA

Internal Audit
- Primarily involved with internal governance processes
- More active in:
  o Reviewing the board
  o Providing a service with respect to the accountability of the org to its stakeholders

ORG'S RESPONSIBILITIES:
- Complies with society's legal and regulatory RULES
- Satisfies the GENERALLY ACCEPTED business norms, ethical precepts, and social expectations of society
- Provides OVERALL BENEFIT TO SOCIETY | enhances the interests of specific stakeholders in the LT and ST
- Reports fully and truthfully to its owners, regulators, other stakeholders, and the general public to ensure ACCOUNTABILITY for its decisions, actions, conduct and performance.

Gov Process – conduct its affairs to meet these objs.
BOD | BOT – accountable for the effectiveness of the gov process.

Periodical Assessment of IA
- Assess the state of the ethical climate of the org and the effectiveness of its strategy, tactics, communication, and other processes in achieving the desired level of legal and ethical compliance.

(TOP VIEW)
Categories of Obj provided by the Framework for the org to focus on differing aspects of IC:
1. Operations Obj – effectiveness and efficiency of the entity's operations
2. Reporting Obj – internal and external financial and non-financial reporting; encompasses reliability, timeliness, transparency
3. Compliance Obj – adherence to laws

(FRONT VIEW)
COMPONENTS OF INTERNAL CONTROL:
1. CONTROL ENVIRONMENT
- Set of standards
- BOD and SM establish the tone at the top regarding the importance of IC
- Comprises:
  o Integrity and ethical values of the org
  o Parameters enabling the BOD to carry out its governance oversight responsibilities
  o Org structure and assignment of authority
  o Process of attracting, developing, and retaining competent [personnel]
- Has a pervasive impact on the overall system of IC

2. RISK ASSESSMENT
- Managing risks from external (noncontrollable) and internal (controllable) sources
- Involves a dynamic and iterative process for identifying and assessing risks to the achievement of obj.
- Forms the basis for determining how risks will be managed.
- Requires mgt to consider the impact of possible changes in the external environment
- Entails:
  o Identifying events which represent risk
  o Measuring / understanding / assessing the risk associated with events
  o Deciding how to respond to them
- In managing risks:
  o Identify event
  o Assess
  o Treat
     Acceptance = benefits > cost
     Transfer = risk ownership in general cannot be transferred, but the risk treatment can be
     Mitigation = ex. installing fire-preventive materials
     Avoidance = neglected; the process itself is removed
  o Monitor

3. CONTROL ACTIVITIES
- Established thru policies and procedures that help ensure that mgt's directives to mitigate risks to the achievement of obj are carried out
- Performed at all levels of the entity, at various stages, and over the technology environment
- May be detective or preventive in nature
  o Segregation of duties – typically built into the selection and development of control activities
- Compensating control – for balance; compensates for the shortcoming of another control

4. INFORMATION AND COMMUNICATION
- Necessary to carry out internal control responsibilities
- From both internal and external sources, to support the functioning of the other components of IC
- Continual, iterative process
  o Internal communication
     Disseminated throughout the org
     From SM to personnel
  o External
     Enables inbound communication of relevant external info
     Provides info to external parties in response

5. MONITORING ACTIVITIES
- Ascertain that each component of IC is functioning
- Ongoing evaluations
- Findings are evaluated against criteria
  o Ongoing mgt activities or separate evaluations

EFFECTIVE IC:
- Provides RA regarding the achievement of obj
- Reduces to an acceptable level the risks of not achieving an obj
  o The 5 components and relevant principles are present and functioning
  o The 5 components operate together in an integrated manner

USING THE IC – INTEGRATED FRAMEWORK:
(how can it be used?)
- By the BOD – discuss with SM the state of the entity's IC and provide oversight
- SM – assess the entity's IC in relation to the FW
- Other mgt and personnel – review changes made to this version and assess the implications of those changes on the IC system
- Internal auditors – review internal audit plans and how they applied the 1992 edition of the framework
- Independent auditors – assess the entity's IC system in relation to the framework, focusing on how the entity selected, developed, and deployed controls
- Other professional orgs – consider the standards and guidance in comparison to the Framework
- Educators – concepts and terms should find their way into the university

RELATIONSHIP OF GOV, RM, AND IC

INTERNAL CONTROL
- Integral part of ERM
- The COSO model treats it as a process, effected by an entity's BOD, designed to provide RA regarding the achievement of obj
- Setting up processes to mitigate risk

ERM
- Process effected by the BOD
- Applied in strategy setting and across the enterprise
- Designed to identify and manage risk within its risk appetite
- Provides RA regarding the achievement of entity objectives
- Identify the risk

Objectives of RM and IC
Accountability

INTERNAL AUDIT ACT
- Should evaluate:
   Risk exposures
   Adequacy and effectiveness of controls encompassing the governance, operations and info systems
Shall include:
- Reliability and integrity of financial and operational info
- Effectiveness and efficiency of operations
- Safeguarding of assets
- Compliance with laws / regulations / contracts

RM process effectiveness depends on the Internal Auditor's judgement
- Not judged casually:
- Auditors assess 5 areas:
1. Organizational obj support and align with the org's mission
2. Significant risks are identified and assessed
3. Appropriate risk responses are selected that align risks with the risk appetite of the organization
4. Relevant / all related risk information is being communicated across the organization in a timely manner, enabling staff to carry out their responsibilities

Objectives of RM
ERM
- Process effected by the BOD, mgt, personnel
- Applied in strategy setting and across the enterprise
- Identify potential events that may affect the entity
- Manage risks to be within its risk appetite
- Provide RA regarding the achievement of entity obj
- Optimize SH value
- Helps mgt to:
  o Reach obj
  o Prevent loss of reputation and resources
  o Report effectively
  o Comply with laws and regulations

INTERNAL GOVERNANCE PROCESS
- BOD – clearly an important gov process
  o Sets the direction of the org
  o Oversees that mgt implements the direction set
  o Has an accountability obligation to SH and stakeholders
  o Link between the external gov process and the internal gov process (BOTH A CORPORATE GOV PROCESS)

The important interface between the CAE and the Audit Committee of independent directors is evidence that internal audit is contributing to the accountability of the board to its SH, since a primary role of independent directors is to safeguard the interests of SH.

CHAPTER 5
RISK MANAGEMENT PROCESS

RISK MANAGEMENT
- Internal audit activity
- Assists the org by:
  o Identifying and evaluating significant exposures to risk
  o Contributing to the improvement of RM and control systems

Internal Audit Activity
- Monitor and evaluate the effectiveness of the org's RM system
- Evaluate risk exposures relating to governance, operations, info systems regarding:
  o Which controls are necessary to mitigate risk and how risk-based controls are integrated into BP and info security

RM – closely working with / monitoring business units
Risk may be:
- Favorable – grab or exploit the opportunity → income
- Unfavorable – resolve → cost
Risk
- Possibility of an event occurring that could have an impact on the achievement of obj
- Influencing factor
- Must be evaluated at all levels of the org
  o Strategic level
  o Business unit level
  o Info system level

Properly Managed Risk Framework
- Addresses the impact of risk at all levels
- Describes how risk at one level may affect other levels as well
  o Systematic risk – one risk is affected by another

Effective Risk Governance
- Helps ensure that RM practices are embedded in the enterprise
- Enabling it to secure an optimal risk-adjusted return
- Sets the tone of the business on how to determine an acceptable level of risk tolerance
- Continuous life cycle that requires regular reporting and ongoing review

Risk Governance Objectives
1. Establish and maintain a common risk view
2. Integrate RM into the enterprise
  o Enforce a holistic ERM approach
  o ERM – establish the authority to require all BP to undergo a risk analysis on a periodic basis or when there is significant change
3. Make risk-aware business decisions
  o Must consider the full range of opportunities and consequences
4. Ensure that RM controls are implemented and
  o Oversight and due diligence to ensure that the enterprise is following up on implementation and monitoring

OVERVIEW RM CYCLE
RI → RA → RRM → R&CMR
1. Risk Identification
- Process of discovering, recognizing, and documenting the risk an org faces
2. Risk Assessment
- Used to identify and evaluate risk and potential effects; evaluation of:
  o Critical functions necessary to continue operations
  o Controls in place
  o Prioritization of risk
  o Risk associated with each critical function
  o Relation between risk and the enterprise risk appetite and tolerance
3. Risk Response and Mitigation
- Risk acceptance
- Risk mitigation
- Risk sharing (transfer)
- Risk avoidance
4. Risk and Control Monitoring and Reporting
- Indicators for both performance and risk should be carefully considered and deliberately chosen based on their alignment with org goals
- KRIs and KPIs
  o Key Risk Indicators and Key Performance Indicators improve the process of continuous monitoring
- Periodic assessments and testing – for identifying new and emerging risks

ERM Capabilities
1. Consideration of risk appetite and strategy
2. Risk response decisions
3. Reduction of operational surprises and losses
4. Multiple and cross-enterprise risks
5. Response to opportunities
6. Risk information

KEY CONCEPTS OF RISK
Impact – magnitude of loss
Likelihood – measure of frequency of which event may occur
Risk Capacity – obj amount of loss an enterprise can tolerate
Risk Appetite – risk that an entity is willing to accept
Risk Tolerance – acceptable level of variation
Gross Risk – assessing it is the starting point of any exercise to
consider whether threats are being managed effectively.
Inherent Risk – risk level without taking into account the actions that
mgt has taken or might take
Residual Risk – remaining risk after mgt implemented a risk response

Risk appetite and tolerance should be defined and approved by


SM and clearly communicated to all stakeholders, and a process
should be in place to review and approve any exceptions
COSO ERM Framework:
4 Objectives:
1. Strategic – high level goals, aligned with and support entity’s
mission
2. Operations - address effectiveness and efficiency in using
resources
3. Reporting - concern reliability of reporting
4. Compliance - relates to adherence to laws and regulations

Components:
- SHOULD BE PRESENT AND FUNCTIONING
EFFECTIVELY)
o No material weaknesses identified
o Within the risk appetite of organization
1. Internal Environment
o RM, philosophy, risk appetite, integrity, ethical
values, overall env
2. Objective Setting SCOPE OF IAUDIT’S ROLE IN RM
o precedes event identification Assurance Role Consulting Role Mgt Role
3. Event Identification - may opinion - nagiging partner - Setting risk appetite
o relates to internal and external events affecting the - may report ng RM ang IAuditor - Imposing RM
- Assurance on RM - faci identification processes
org - Assurance that risks and eval of risks - Managing assurance
4. Risk Assessment are correctly - coaching mgt - Making decisions on
o considers likelihood and impact as a basis for RM evaluated - coordinating risk response
5. Risk Response - Eval RM processes - consolidating the - Implementing risk
o Should be consistent with org’s risk tolerances and - Eval the reporting of report responses on mgt’s
key risks - maintain and dev behalf
appetite
- Reviewing mgt of ERM framework - Accountability for
6. Control Activities key risks - Championing RM
o Policies and procedures to ensure the establishment of
effectiveness of risk responses ERM
7. Info and Communication - Developing RM strat
o Identifies, captures, and communicates relevant for board approval
and timely info
8. Monitoring Core internal auditing Legitimate internal Roles internal
roles in regard to auditing roles – with auditing should NOT o Penetration tests
ERM safeguards undertake o Incident reports
o Process reviews
Internal Audit o Mgt input
- Must advise the board and mgt on the adequacy of RM
o Risk scenario creation
process,
o Security assessments
- Draw attention to significant risk that may be overlooking or
focusing upon inadequately in the estimation of internal audit - Must be continuously updated

BASIC TOOLS FOR RM LIMITATIONS OF ERM


Risk Matrix / Map (Y-axis - Impact | X-axis - Likelihood) 1. Faulty Human Judgement
- Used during the risk assessment to define the level of risk 2. Cost-benefit considerations
by considering the category of probability or likelihood 3. Simple errors or mistake
against the category of consequence severity. 4. Collusion
- Simple mechanism to increase visibility of risk and assist 5. Management override of ERM decisions
mgt decision making
- Everyone in the org bears some responsibility for ERM
- No entity operates in a risk-free env, and ERM does not seek
to move towards such an env
- ERM enables mgt to operate more effectively in env filled w/
risks.

Minimum / Acceptable – falls within the risk appetite


Moderate / Review – outside risk appetite but within risk tolerance
High / Unacceptable – outside of risk tolerance

QUAD A – Inherent Risk – very likely to occur and have large impact
QUAD B – IR – not very likely to occur but will have a large impact
QUAD C – IR – very likely to occur, repeatedly, but unlikely to have a
large impact
QUAD D – not very likely and of no great likely significance if it does

Risk Register
- Consolidate risk data into one place
- Permit the tracking of risk
- Show:
o Severity
o source
o potential impact of the risk
o risk owner
o current status and disposition of risk
- Risks are identified thru:
o Audits
o Vulnerability assessments

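To make the risk matrix bands, the QUAD A-D classification, the inherent/residual distinction from Key Concepts of Risk, and the register fields above concrete, here is an added Python example; it is not part of these notes or of any framework's own tooling. It scores constructed register entries on a likelihood x impact matrix, classifies each as Minimum / Moderate / High and by quadrant, lists residual risks above appetite as exceptions that need review and approval, and bins residual risks into the Y = impact, X = likelihood map. The 1-5 scales, the appetite threshold of 6, the tolerance threshold of 12, the quadrant cutoff of 3 and all register entries are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

SCALE = range(1, 6)   # assumed 1-5 ordinal scales for likelihood and impact
RISK_APPETITE = 6     # assumed: a score at or below this is Minimum / Acceptable
RISK_TOLERANCE = 12   # assumed: above appetite but at or below this is Moderate / Review

class Response(str, Enum):
    """The four risk response options from the RM cycle."""
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    SHARE = "share"       # transfer, e.g. insurance or outsourcing
    AVOID = "avoid"

@dataclass
class Risk:
    """One register entry: source, owner, inherent and residual ratings, disposition."""
    risk_id: str
    source: str           # how the risk was identified (audit, pentest, incident ...)
    description: str
    owner: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    response: Response
    status: str = "open"

def score(likelihood: int, impact: int) -> int:
    """Risk matrix score: likelihood x impact, both on the assumed 1-5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact

def rating(s: int) -> str:
    """Map a score to the three bands defined against appetite and tolerance."""
    if s <= RISK_APPETITE:
        return "Minimum / Acceptable"
    if s <= RISK_TOLERANCE:
        return "Moderate / Review"
    return "High / Unacceptable"

def quadrant(likelihood: int, impact: int, cutoff: int = 3) -> str:
    """Quadrants A-D from (very likely?, large impact?); the cutoff is an assumption."""
    likely, large = likelihood > cutoff, impact > cutoff
    if likely and large:
        return "A"
    if large:
        return "B"
    return "C" if likely else "D"

def build_sample_register() -> Dict[str, Risk]:
    """Constructed sample entries; none of them describe a real organisation."""
    rows = [
        Risk("R1", "vulnerability assessment", "Unpatched internet-facing VPN appliance",
             "IT Ops", 5, 5, 2, 5, Response.MITIGATE),
        Risk("R2", "incident report", "Credential theft via phishing",
             "SecOps", 4, 4, 2, 3, Response.MITIGATE),
        Risk("R3", "process review", "Manual expense approvals can be bypassed",
             "Finance", 4, 2, 4, 2, Response.ACCEPT),
        Risk("R4", "audit", "Data centre sits in a flood zone",
             "Facilities", 1, 5, 1, 3, Response.SHARE),
    ]
    return {r.risk_id: r for r in rows}

def summary(register: Dict[str, Risk]) -> List[Tuple[str, int, str, int, str, str, str]]:
    """(id, inherent score, band, residual score, band, residual quadrant, response),
    sorted by residual score with the highest first: the order mgt should review them in."""
    rows = []
    for r in register.values():
        inh = score(r.inherent_likelihood, r.inherent_impact)
        res = score(r.residual_likelihood, r.residual_impact)
        rows.append((r.risk_id, inh, rating(inh), res, rating(res),
                     quadrant(r.residual_likelihood, r.residual_impact), r.response.value))
    return sorted(rows, key=lambda row: row[3], reverse=True)

def needs_review(register: Dict[str, Risk]) -> List[str]:
    """Exceptions to the appetite: residual risk above it must be reviewed and approved."""
    return [r.risk_id for r in register.values()
            if score(r.residual_likelihood, r.residual_impact) > RISK_APPETITE]

def heat_map(register: Dict[str, Risk]) -> Dict[int, List[int]]:
    """Residual-risk counts per matrix cell: key = impact (Y axis), index = likelihood - 1 (X axis)."""
    grid = {impact: [0] * len(SCALE) for impact in SCALE}
    for r in register.values():
        grid[r.residual_impact][r.residual_likelihood - 1] += 1
    return grid

if __name__ == "__main__":
    reg = build_sample_register()
    print(*summary(reg), sep="\n")
    print("needs review:", needs_review(reg))
    print(*sorted(heat_map(reg).items(), reverse=True), sep="\n")  # impact 5 on top
```

On the constructed data, R1 stays in QUAD B after mitigation (unlikely but still a large impact) and, together with the accepted R3, sits above the appetite, so both appear as exceptions for the review-and-approve process the notes call for; the register's `source` field records which identification channel (audit, vulnerability assessment, incident report, process review) raised each risk.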