Session 2-ERM, ICF and Internal Auditing

This document discusses enterprise risk management, internal control frameworks, and internal auditing. It provides an overview of key concepts such as the COSO internal control framework, components of enterprise risk management, importance of risk appetite, and roles of the audit committee and internal auditors in providing oversight of financial reporting, risk management, and compliance. The document also outlines evolution of corporate governance and responsibilities of the board of directors in establishing oversight of management.

Uploaded by Irandi Uthpalaa

ACC 4124: Advanced Audit, Governance & Risk

Session 2 - Enterprise Risk Management, Internal Control Framework and Internal Auditing

By – Nuwan Sameera
Governance Risk and Controls
The Evolution of Corporate Governance
[Diagram (Agency Theory, limited liability company): Owners (shareholders), Board of Directors, Managers, Employees]
Importance of Good Governance
• Better access to capital
• Aids economic growth
• Positive impact on stock prices
• Positive impact on performance
• Ensures that business is fair and transparent
• Ensures that companies can be held accountable
• Leads to sustainability
Board Committees
Board committees in most CG codes
• Audit committee
• Remuneration committee
• Nomination committee
Other board committees for the oversight of management
• Governance and compliance committee
• Corporate ethics committee
Committees to spread the work of the board
• Executive committee
• Finance committee
• Strategic planning committee
• Risk management committee
Audit Committee
NOSES IN. FINGERS OUT.
The audit committee should provide oversight of:
• financial reporting and risk management
• internal control, compliance and ethics
• management and internal auditors
• the external auditors
[Diagram: audit committee composition: Chairman, Members, Invitees]
Sri Lankan Governance Code
Audit Committee - Purpose
ICASL published the Code of Best Practice on Audit Committees in May 2002.
Six Areas of Responsibilities:
• Independence of the external auditor and monitoring of the audit function
• Good financial reporting system
• Management of business risks
• Reporting conflict of interest situations
• Management of internal controls
• Compliance with laws and company policies
About COSO
• Committee of Sponsoring Organizations
• Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting
  – AKA the Treadway Commission
• Joint initiative of five private sector organizations
• Mission
  – “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
COSO - Sponsoring Organizations
How Does COSO Help?
• Provides a means to apply internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
• Provides flexibility and allows for judgment in designing, implementing, conducting internal control; can be applied at the entity, operating, and functional levels
• A means to identify and analyze risks, and to develop and manage appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures
COSO is Principles Based
• The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control.
• An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity.
Three Dimensions
• Objectives
– Operations
– Reporting
– Compliance
• 5 Components
– Control Environment
– Risk Assessment
– Control Activities
– Information & Communication
– Monitoring Activities
• Organizational Structure
– Entity
– Division
– Operating Unit
– Function
Components & Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
What is Risk
“Possibility that an event will occur and adversely affect the achievement of objectives” - COSO

“Uncertainty”

“Effect of uncertainty on objectives”, with positive and negative consequences - ISO 31000
Enterprise Risk Management (ERM) Defined:

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
The ERM Framework
Entity objectives can be viewed in the
context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
The ERM Framework (cont’d)
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
Components of ERM
Drivers of Risk Management
Scope of ERM
• Aligning risk appetite and strategy
• Enhancing risk response decisions
• Reducing operational surprises and losses
• Seizing opportunities
• Identifying and managing multiple and cross-enterprise risks
• Improved compliance/governance
• Financial reporting
Risk Appetite
• Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.
Overview of Considerations Affecting Risk Appetite
• Existing Risk Profile: the current level and distribution of risks across the entity and across various risk categories
• Risk Capacity: the amount of risk that the entity is able to support in pursuit of its objectives
• Risk Tolerance: acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives
• Attitudes Towards Risk: the attitudes towards growth, risk, and return
These four considerations feed the determination of risk appetite.
Risk Heat Map
Internal Control
INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
• Operations: effectiveness, efficiency, safeguarding assets
• Reporting: reliability, timeliness, transparency
• Compliance: with the regulatory environment
Management has a fundamental responsibility to develop and maintain effective internal control.
Internal Control (cont’d)
Internal controls are:
• Continuous: built into operations; not one single event; dynamic
• Effected by people: “Only you can prevent forest fires”
• Able to provide reasonable assurance: not absolute assurance
• Adaptable: to the entire entity or to a particular division, business process, etc.
Simple Definition
• Internal control is what we do to see that the things we want to happen will happen …
• And the things we don’t want to happen won’t happen.
Why are Internal Controls Important?
• Compliance with applicable laws and regulations.
• Accomplishment of the entity’s mission.
• Relevant and reliable financial reporting.
• Effective and efficient operations.
• Safeguarding of assets.
Weak Internal Controls
Increase Risk Through…
• Business Interruption: system breakdowns or catastrophes, excessive re-work to correct for errors.
• Erroneous Management Decisions: based on erroneous, inadequate or misleading information.
• Fraud, Embezzlement and Theft: by management, employees, customers, vendors, or the public-at-large.
Weak Internal Controls
Increase Risk Through… (Cont’d)
• Statutory Sanctions: penalties arising from failure to comply with regulatory requirements, as well as overt violations.
• Excessive Costs/Deficient Revenues: expenses which could have been avoided, as well as loss of revenues to which the organization is entitled.
• Loss, Misuse or Destruction of Assets: unintentional loss of physical assets such as cash, inventory, and equipment.
Identifying Key Controls
Common Basic Internal Control Principles
Establish Responsibility
• Assign each task to only one person
Segregate Duties
• Don’t make one employee responsible for all parts of a process
Restrict Access
• Don’t provide access to systems, information, assets, etc. unless needed to complete assigned responsibilities
Document Procedures and Transactions
• Prepare documents to show that activities have occurred
Independently Verify
• Check others’ work
GROUP RISK & CONTROL
Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit Charter

• Role
• Professionalism
• Authority
• Organization
• Independence & Objectivity
• Responsibility
• Internal Audit Plan
• Reporting and Monitoring
• Quality Assurance
Evaluating controls
Three stages: Design, Implement, Operate
• Design: by design, the control is not capable of handling the risk
• Implement: the designed control has not been implemented
• Operate: implemented controls have not been in operation continuously
Business Process level controls
Source: IIA GTAG 8
Role of Internal Auditor in ERM
COSO-ERM V Internal Controls
