Audit, Control and Risk Management

Budget Management and Financial Accountability

Steven E. Jameson, Lead Auditing Specialist, IAD

March 2, 2004



How Is The Audit Profession Changing?

Independence is being re-emphasized

Heavy emphasis on financial reporting

Greater focus on technology

Focus and scope expanding more into governance and risk

Expanded expertise and facilitation skills

Resource for assurance and consulting services

Help the organization manage business risk


What Will Drive Change?

Factors Identified by the Competency Framework of Internal Auditing (CFIA)

Global and organizational change

Technological innovation

Competition for market share

Legislative imperatives

Shareholders demanding increased accountability

Client’s changing expectations

Strategic alliances

Mergers and acquisitions


Major Areas for Legislation and Regulation Reform Measures

Ethical Climate

Shareholder Involvement

Boards of Directors

Audit Committees

Corporate Management

Public Accounting

Corporate Disclosures


Recommendations for Internal Auditors

Focus on and evaluate the control system for effectiveness

Ensure a good Enterprise Risk Management plan

Ensure adequate controls to manage risk

Internal auditors should include their own risk assessment

Keep current on all the investigative committees, press reports, new legislation, etc.


Assurance

Internal auditing provides assurance about:

Risk management

Control

Provided to:

Management

Audit committee

And other stakeholders


Framework for Effective Control

Control your environment

Control your risk

Control your activities

Control your information and communication

Monitor and review your control


The Bank Uses the COSO Framework

[Diagram: COSO framework components]

Control Environment

Risk Assessment

Control Activities

Monitoring

Information & Communication


Who/what Can Assist?

COSO

A good control environment

Properly assessed risks

Effective controls (appropriate policies/procedures)

Relevant/timely information

Focused/timely monitoring/review


Benefits of Effective Control Structure

It will:

Improve accountability and program delivery

Promote ethical and professional business practices

Advance risk management

Enhance communications, decision making and performance reporting

Contribute to quality outcomes


Some Signs of Dysfunctional Control System

Controls mostly “detective” not “preventive”

Practice different from documented procedures

Responsibility difficult to pinpoint

Control not commensurate to risk

Control can be circumvented – “back door”

Mere “appearance” of control


Internal Control Reporting

Any organization accepting investor money should have a comprehensive internal control system

The system should be monitored for effectiveness

There should be public reporting with emphasis on ethics, risk, and related controls


Enterprise Risk Management

COSO ERM Project

Linkage to COSO Internal Control


Perceptions in Today’s Risk Environment

Risk profiles are increasing

Regulatory/public scrutiny

Expanding services increases risks

Business change increases risk complexity

Risk management not keeping pace

Need for right kind of risk training

Need for risk assessment methodologies/technology tools

Stakeholders have different risk needs

Inconsistent risk language used

Gaps in Risk Coverage


COSO’s Objectives

Develop the COSO Enterprise Risk Management Framework.

Include conceptual framework and application guidance.

Identify interrelationships between risk and risk management, and with the COSO Internal Control – Integrated Framework.


Project Oversight

COSO Board – IIA, AICPA, FEI, IMA, AAA

COSO Advisory Council – two reps from each member organization

Project Coordinator – Moss Adams LLP

PWC project team


Intended Users

COSO member orgs

Government

Industry associations

Management of middle market and large companies

Not-for-profit

Academia

Lawyers

Professional orgs

Regulators and other rule-makers

Risk management professionals and public accounting firms


Assessment Phase

Literature search

376 web sites

200+ books, periodicals, other pubs

COSO organization forums

Four forums

Stakeholder interviews

Survey


Key Benefits From ERM

Awareness of risk increased

Cross-enterprise risk identified

Coordination across business units for more effective mitigation

Complete/consistent risk information

Common risk language established

Shareholder value protected/enhanced


Survey Results

19% have a CRO

CRO more common w/ revenue < $1B

20% have a board approved policy

22% have a dedicated ERM committee

84% do not have formal measurements


Key Success Factors for Implementing ERM

Provide clear goals and objectives

Establish sponsorship or senior management

Link to performance measures and compensation

Drive the approach from the corporate/head office

Establish a dedicated corporate function


What Works Well / What Needs Improvement

Bus. units are taking ownership of risk mgmt.

Insurance mgmt.

Communication of risk

Sr. mgmt. and exec. support and involvement

Communication and education

Integration of ERM processes

Formalizing the process


ERM vs. Internal Control

ERM elaborates and expands on those components of internal control relevant to risk

Significantly expands on the “risk assessment” component

Emphasizes and expands on other components as they relate to risk


ERM vs. Internal Control

Internal control and ERM are two separate frameworks w/ considerable overlap

In some respects IC is broader and in others ERM is broader

IC framework remains intact

ERM framework addresses risk management concepts more broadly and deeply


ERM vs. Internal Control

ERM is effective only when:

IC components are present and functioning effectively

ERM components are present and functioning effectively

Addl. features needed to convert RM into ERM:

Application of RM concepts in strategy-setting

Taking a “portfolio” view of ERM components


ERM vs. Internal Control

Core concept – You can have effective internal control without enterprise risk management, but you cannot have effective enterprise risk management without effective internal controls.


COSO’s Definition of Enterprise Risk Management

ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

- Proposed by COSO (2003)

- www.coso.org


Key Elements to ERM

Emphasizes “Enterprise” – not just selected “silos of risk”

Consideration of risks on “portfolio” basis

Collection of risks

Interactions of risks

Done to enhance entity value

Heavily integrated with business strategy

Focus is on identification, measurement, assessment, and response to risks primarily across 2 dimensions

Probability (Likelihood)

Criticality (Consequence)

Key part of entity’s corporate governance

Responsibility of senior management and board

Pushed down to key business segment management


8 Components of the Framework


Coming Soon

COSO’s release of ERM

Framework for enterprise risk management

Application guidance on how to implement ERM