
© 2007 KPMG, the Malaysian member firm of KPMG International, a Swiss cooperative. All rights reserved.

Differing Roles of Internal Auditor and Risk Management in ERM

Advisory

Lee Min On, Partner
10 April 2007

Overview

Risk and risk management defined

Responsibility for risk management

What internal audit is and role of internal auditor

Can the internal auditor take on the role of a risk manager?

Questions and comments

Risk

“Anything that has the potential to prevent an organisation from achieving its objectives”

Risk Management

“The identification, measurement & control of risks that impact the assets and earnings or essential services of an organisation”

Risk management - paraphrased

Paraphrased from ERM integrated framework - COSO

Appropriate balance between opportunities for gain while minimizing loss arising from risk identified

Achievement of corporate objectives through strategy setting

A process effected by the Board

Responsibility for risk management

[Diagram on the original slide; labels recovered from it:]

- Risk management: policy, philosophy
- Risk management philosophy
- Assurance to stakeholders
- Stakeholders: Board, Management, Employees
- Risk profile; issues to emerge
- Current risk profile; action plans
- Establish structured risk management system
- Ensure accountability; risk aware culture

Internal audit as defined

Activity that provides independent, objective assurance & consulting services

Designed to add value & improve an organization’s operations

Helps organization accomplish its objectives by:

- bringing a systematic & disciplined approach

- to evaluate & improve

- effectiveness of risk management, control & governance process

International Standards for the Professional Practice of Internal Auditing, IIA

Role of internal auditor

Risk management?

Control process

Governance process

Assurance services

Consulting services

Involvement of IA in risk management

Assurance role: Examining, evaluating, reporting and recommending improvements on:

adequacy and effectiveness of Management’s risk processes; and

control measures that can be considered by Management to address risks as identified

Consulting role: Identifying, evaluating & implementing risk management methodologies and controls to address those risks

Drawing the “boundary”

Assurance role - compliance

Consulting role - advisory

Risk owner – management of the risk identified (deployment of specific controls to treat the risk)

The Great Divide

Drawing the boundary (cont’d)

Some pertinent thoughts

Does organization size matter?

What about cost/benefit consideration?

Threat of self review?

Role of Risk Officer

In conclusion

Ideally, the risk management function should be separate from the internal audit function

If internal auditor is roped in for risk management, a clear line has to be drawn between advisory and ownership of risk

Avoid self-review threat that mars objectivity!

Can the internal auditor take on the role of a risk manager?

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


Presenter’s contact details

Lee Min On

KPMG

+60(3) 20953388 (Ext 8401)

[email protected]

www.kpmg.com.my
