AA205 Revision Notes
8/2/2019 AA205 Revision Notes
http://slidepdf.com/reader/full/aa205-revision-notes 1/32
AY 2008/2009: Year 3 Semester 1
Seminar 1: Introduction
CERM Executive Summary
COSO ERM capabilities:
1. Aligning risk appetite and strategy
- Considers risk appetite in evaluating strategic alternatives, then sets objectives aligned with the selected strategy and develops mechanisms to manage the related risks
2. Enhancing risk response decisions
- Identify and select: Avoidance, Reduction, Sharing and Acceptance
3. Reducing operational surprises and losses
- Capability to identify potential events, assess risks, and establish responses
4. Identifying and managing multiple and cross-enterprise risks
5. Seizing opportunities
- Considers opportunities, which are channelled back to strategy and objectives
6. Improving deployment of capital
- Helps assess overall capital needs and thus enhance capital allocation
7. Supports sustainable growth
- Integration of risks management in decision making process and strategic planning
ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way
Components of ERM
1. Internal Environment
2. Objective Setting
3. Risk Identification
4. Risk Assessment
5. Risk Responses
6. Control activities
7. Information and communication
8. Monitoring
Relationships between components and objectives:
To determine the effectiveness of ERM, we need to ascertain that all eight components are present and functioning properly. For that to be the case, there can be no material weakness, and risk needs to be brought within appetite
Limitations of ERM:
1. Human judgement can be faulty, and decisions on responses must weigh costs against benefits
2. Human failures such as simple mistakes
3. Controls can be circumvented by collusion
CERM Chapter 1: Definitions
Entities exist to provide value for their stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value
Globalisation, Technology, Restructurings, Changing Markets, Competitions and Regulations are all
sources of uncertainty
Value is maximised when management sets strategy and objectives to strike an optimal balance between
growth and return goals and related risks
ERM can be applied in strategy setting, in which management considers risks related to alternative
strategies, assisting them in evaluating and selecting the strategy and objectives
Considers inter-related risks from an entity-level portfolio perspective. Risks for individual units of the
entity may be within risks tolerances, but taken together may exceed the risk appetite of the entity as a
whole
ERM enables management to make informed risk-based decisions, but the particular decision does not determine the effectiveness of ERM
Seminar 2: Corporate governance and Internal Environment
CERM Chapter 2: Internal Environment
Internal Environment encompasses the tone of an organisation, influencing the risk consciousness of its
people, and is the basis of other components of ERM
Components of Internal Environment:
1. Risk Management Philosophy
- Shared beliefs and attitudes characterising how the entity considers risk in everything it does
- Reflected in virtually everything management does in running the entity: Policy statements,
oral and written communications, and decision making
- Ideally, philosophy is well developed, understood and embraced by everyone
2. Risk Appetite
- The amount of risk, on a broad level, an entity is willing to accept in pursuit of its goals
- Reflects risk philosophy, which in turn influences the entity culture and operations
- Qualitative: High, Moderate, Low
- Quantitative: Balance goals for growth and return with risks
3. Board of Directors
- Appointed by shareholders to govern the company
- Should possess an appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary for oversight responsibilities
- Should fairly represent the interests of both management and shareholders, with a balance of internal and independent directors
- Plays a key role in driving corporate governance, and ultimately, the internal environment
4. Integrity and Ethical values
- Top management to set the tone on ethics, their actions embedded in corporate culture
- Ethical behaviour is a by-product of corporate culture, the unwritten rules of conduct. Culture, in turn, is shaped by behaviours
- Individuals may engage in dishonest, illegal and unethical acts simply because the entity
provides them with the strong incentives to do so e.g. undue pressure on results
5. Commitment to competence
- Management decides how well tasks need to be accomplished, weighing the entity's strategy and objectives against plans for their implementation and achievement
- Trade-off between competencies and costs often exists
6. Organisational structure
- Provides the framework to plan, execute, control and monitor activities
- Defines key areas of authority and responsibility and establishes lines of reporting, e.g. IA should be permitted access to top management
7. Assignment of authority and responsibility
- Degree to which individuals and teams are authorised and encouraged to use initiative to
address issues and solve problems
- To strike a balance between delegation and reporting, the former more flexible but more
susceptible to risks; the latter vice versa
8. Human resource standards
- Practices pertaining to hiring, orientation, training, evaluating, counselling, promoting,
compensating, and taking remedial actions
- Sends message regarding expected level of integrity, ethics and competence
- Disciplinary actions send a message that violations of expected behaviour are not tolerated
Tutorial
Matters covered in Corporate Governance 2005:
1. Board matters: Conduct of affairs, composition and guidance, chairman and CEO, board
membership, board performance, access to information
2. Remuneration matters
3. Accountability and audit
4. Communications to shareholders
5. Disclosure of corporate governance arrangements
ERM affects only the personnel in an entity. Melding Corporate Governance with ERM, Directors, Senior
Management, Internal and External auditors, and risk owners must work interdependently
Speculation: Selecting investments with higher risks in order to profit from anticipated price movement
Hedging: Making an investment to reduce the risk of adverse price movements in an asset. Normally, a hedge consists of taking an offsetting position in a related security
Sophisticated investors use a combination of speculation investments and hedging strategy to limit
potential losses
Seminar 3 and 5: Objective setting and Event identification
CERM Chapter 3: Objective Setting
Steps in setting objectives:
1. In considering alternative ways to achieve strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications
2. The right entity-level objectives that support and are aligned with the selected strategy are then established
3. Entity-level objectives are linked and integrated to more specific activities objectives such as for
sales, production and engineering
4. Critical success factors are set to help management identify measurement criteria for performance
Categories of objectives
1. Strategic: High level goals, aligned with and supporting the entity's mission
2. Operations: Effective and efficient use of resources
3. Reporting: Reliability of the entity's reporting, including internal and external, financial and non-financial information
4. Compliance: Compliance with applicable laws and regulations
Achieving reporting and compliance objectives is largely within the entity's control, while strategic and operations objectives are not solely within the entity's control, e.g. the entity may be outperformed by a competitor
There is a relationship between an entity's risk appetite and strategy. Usually a number of different strategies can be designed to achieve the desired outcome. ERM helps management select a strategy that is consistent with its risk appetite
Differences between risk appetite and tolerances:
Appetite: Amount of risks willing to accept in pursuit of mission/strategy
Tolerance: Acceptable level of variation relative to the achievement of a specific objective, best
measured in the same units as those objectives
Performance measures are used to ensure that results will be within established risk tolerances e.g. target
on-time delivery at 98%, with acceptable variation in range of 97%-100%
Operating within risk tolerances provides management with greater assurance that entity remains within
its risk appetite, which in turn, provides higher degree of comfort that objectives are met
CERM Chapter 4: Event Identification
Management identifies potential events that, if they occur, will affect the entity, and determines whether
they represent opportunities or risks
Events may be driven by external or internal factors:
External factors and events (PEST, P5F):
- Economic: price movements, capital availability, barriers to entry, new competitors
- Natural environment: floods, fire, earthquakes etc.
- Political: political agendas, laws and regulations, tax rates
- Social: changing demographics, social mores, family structures, terrorism activity
- Technological: new means of electronic commerce, expanded availability of data
Internal factors and events:
- Infrastructure: increasing capital allocated to preventive measures, improving customer satisfaction
- Personnel: workplace infrastructure, fraudulent activities, loss of available personnel
- Process: process execution errors, inefficiency, customer dissatisfaction, loss of repeat business
- Technology: security breaches, potential system downtime
Note: Events can be identified at entity level or activity level
Event identification techniques look to both the past and future:
Past: Focuses on past events and considers trends e.g. payment default histories
Future: Focuses on future exposures e.g. changing demographics
Event identification techniques:
1. Event inventories: Detailed listing of events common to companies in industry
2. Internal analysis: Part of routine business planning cycle e.g. via staff meetings
3. Escalation or threshold trigger: Alert management to areas of concern by comparing current
transactions or events with predefined criteria
4. Facilitated workshops and interviews: Management, staff and other stakeholders
5. Process flow analyses e.g. BPA
6. Leading event indicators: By monitoring data correlated to events, entities identify the existence of conditions that could give rise to an event, e.g. monitoring payment patterns enables potential defaults to be mitigated by timely action
7. Loss event data methodologies: Past individual loss events are analysed to identify trends and root causes
Events can be interdependent: one event can trigger another. It's important to understand how events relate to one another so as to determine where best to direct risk management efforts
Event categories are useful:
Develop an understanding of relationships between events
Consider the completeness of event identification
Tutorial
Relationship between objectives and mission (flow): Entity's mission/vision -> Strategic and related objectives -> Critical success factors -> Key performance indicators -> Feedback: are objectives met?
Implications of clients' risk management for external auditors:
Understand the client's control environment
Set financial statement expectations
Assess the risk of material misstatement
Assess the viability of clients
Anticipate clients' needs
2 frameworks for identifying events:
1. Entity level: Entity-level business model -> Business objectives
Usefulness: Considers both external and internal perspectives in identifying risks
Disadvantages: Does not look at individual processes, may not be in-depth enough, and does not consider which objectives are threatened
2. Process level: Business process analysis -> Process objectives
Usefulness
Value chain analysis: Analyses the contribution of individual activities in a business to the overall level of customer value
Considers all supports of a business process, e.g. inputs, outputs, systems
Linked specifically to process objectives
Weaknesses
May be too narrowly viewed, i.e. lacks links to strategic objectives
Does not consider the effect of other business processes on the one analysed
Readings
Point with risks management is not to eliminate risks, but to manage it to an appropriate level- not too
high and not too low. No risks, no reward!
Emergent risks arise from actions taken in multiple areas of the company that by themselves, do not
increase risk (may even reduce it), but combined, they can dramatically increase it. For example, need for
rare metal to develop product:
Purchasing: Hedge by entering long term contracts to purchase metals at locked-price
R&D: Develop new products that do not require the rare metals
Result: New products no longer require the rare metal that Purchasing has committed to buying
6 dimensions of risk
1. Likelihood of a relevant trend or event
2. Magnitude of the effects of trend or event
3. Degree of uncertainty in estimating event likelihood
4. Degree of uncertainty in estimating event magnitude
5. The ability to influence event likelihood
6. The ability to influence event magnitude
Short comings of ERM
Ability to collect all relevant data needed to manage risks internally and externally
Ability to employ analytical tools that address not only historical data, but can project risks and
impact for events that have never previously occurred
Ability to identify a chain of events that may follow an initial loss event and accurately project the impact of 'ripple' effects emanating from that event
Seminar 6 and 9: Qualitative and Quantitative Risk Assessment
CERM Chapter 5: Risk Assessment
Risk assessment allows an entity to consider the extent to which potential events have an impact on objectives. Management assesses events from 2 perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods
Inherent risk: The risk to an entity in the absence of any actions management might take to alter its likelihood or impact
Residual risk: The risk that remains after risk responses have been developed and implemented
Consideration when assessing risks
1. Time horizon used to assess risks should be consistent with the time horizon of related strategy
and objective. Management needs to be cognizant of objectives with longer timeframe and not
ignore risks that may be further out
2. Impacts should be measured in the same terms that the objective is measured in
3. Certain risks may have slight impacts on their own, but when combined with related risks, it can
become more significant
4. An objective may be affected by several events; an event may also threaten several objectives
5. Perceptions of risk may differ between levels
- Ground level may think a risk is serious
- Higher levels may think less so, because they understand the mechanisms in place, e.g. hedging
Estimates of likelihood and impact made by using
Internal data: E.g. existing risk registers, company websites, workshops, surveys
External data: E.g. news, credit agencies, analysts' reports, competitors' websites
Assessment sequence: Assess inherent risks -> Identify risk responses -> Assess residual risks
Assessment techniques
Qualitative techniques:
- Use words (e.g. high, low) to describe the magnitude of an event and its likelihood
- Subject to biases and can be highly influenced by perceptions:
  1. Overconfidence: mitigated by evidence
  2. Framing biases: positively framed questions make respondents risk averse, negatively framed questions make them risk seeking
- Used to provide quick snapshots relatively quickly and inexpensively, or when risks do not lend themselves to quantification
- The simplicity of qualitative risk assessment represents an inherent risk that quantification methods can address
- E.g. "GroupSystem" technology enables real-time, rapid data collection in face-to-face and remote "risk storm" sessions
Quantitative techniques:
- Typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques
- Tend to be more accurate and more objective
- Provide a basis for comparison with the past and with others (benchmarking)
- Disadvantages:
  1. Require a higher degree of effort, rigour and expertise
  2. Highly dependent on the quality of the supporting data and assumptions
  3. More relevant to risks with a known history and frequency of variability
- E.g. benchmarking, probabilistic models, and non-probabilistic models
PwC Lecture: Qualitative Risk Analysis
6 key elements of effective Corporate Governance Framework:
1. Board structure and composition
2. Board operation and effectiveness
3. Strategy, Planning and Monitoring
4. Robust Risk Management and compliance processes
5. Transparency and Disclosure
6. Corporate citizenship (Social, ethics and environment)
Process risks are often not given enough emphasis- they may snowball to something serious
Relating strategy, objectives, appetite and tolerance:
Risk categories are identified by considering key drivers and stakeholders, business objectives and current
processes. Breaking risks into categories help ensure the full spectrum of risks is considered. Common
categories:
1. Business and strategic risks
2. Operational risks
3. Financial risks
Qualitative risk measurement scale- Likelihood
Qualitative risk measurement scales- Impact
Seminar 7: Risk Response
CERM Chapter 6: Risk Response
4 main kinds of risk responses:
1. Avoidance: Exiting the activities that give rise to the risk
2. Reduction: Action is taken to reduce likelihood, impact, or both
3. Sharing: Reducing likelihood or impact by transferring or sharing a portion of the risk, e.g. hedging
4. Acceptance: No action is taken to affect likelihood or impact
In determining risk response, management should consider things such as:
1. Assessing the effect on risk likelihood and impact, i.e. which response options align with the entity's risk tolerances
2. Costs and benefits of the response
3. Possible opportunities to achieve objectives
As such, the risk response chosen may not always be the one that results in the least amount of risk
Sometimes a combination of responses can be used to address a single risk. Conversely, sometimes one
response can affect multiple risks
Recognise that some level of residual risk will always exist, not only because resources are limited, but also because of future uncertainty and the limitations inherent in all activities
Tutorial
The TRAP response to risks: Terminate, Reduce, Accept, Pass
If a particular response is unable to bring us down to within appetite, we can carry out responses in a
series of steps or concurrently
Decisions should take account of the need to consider carefully rare but severe risks that may warrant risk
treatment actions that are not justifiable on strictly economic grounds
One should always determine the cause of the risk before deciding on a response- to treat where the
problem comes from!
In coming up with responses, are there any risks that will be invoked which:
Threatens the objective it is trying to protect?
Threaten other business objectives?
Other consideration
Acceptability: Acceptable by relevant stakeholders?
Administrative efficiency: Is it easy to implement?
Compatibility: Is it compatible with others that may be adopted?
Continuity: Short term or long term effect?
Regulatory: Does the treatment breach any regulatory requirements?
Risk creation: Does the treatment introduce more risks?
Economic, social and environmental: Any effects?
Cost benefit considerations:
Seminar 8: Control activities
CERM Chapter 7: Control activities
While controls are generally established to ensure risks responses are appropriately carried out with
respect to certain objectives, sometimes control activities themselves are the risk response
Includes Approvals, Authorisations, Verifications, Reconciliations, Reviews of Operating Performance,
Security of Assets, and Segregation of Duties
In some instances, a single control activity addresses multiple risk responses. In others, multiple control
activities are needed for one risk response
Selection of controls should include consideration of their relevance and appropriateness to the risk response and related objectives
Categories of controls: Preventive, Detective, Manual, Computer, Monitoring, IT dependent,
Complementary
Types of control activities:
Top-level reviews: Reviews actual performance against budgets, forecasts, prior periods and
competitors
Information processing: Checks on the accuracy, completeness, and authorisation of transactions
Physical controls: Physically secured and periodically counted
Performance indicators: Relating different sets of data, together with analyses of the relationships
and investigative and corrective actions
Segregation of duties: Duties divided to reduce risk of error or fraud
Controls over information Systems can be separated into 2 main kinds:
1. General controls: Apply to many if not all application systems and help ensure their continued,
proper operation
2. Application controls: Computerised steps within application software to control processing, focus
directly on completeness, accuracy, authorisation and validity
General controls:
- Information technology management: steering committee to provide oversight
- Information technology infrastructure: controls applied to installation, configuration, integration and maintenance
- Security management: logical access controls such as passwords
- Software acquisition and development: manage change, including acceptance testing, stress testing and project risk assessment
Application controls:
- Balancing control activities: detect data capture errors by reconciling amounts entered
- Check digits: validate data by calculations
- Predefined data listings: provide the user with predefined lists of acceptable data, e.g. vendor lists
- Data reasonableness tests: compare data with a present or learned pattern of reasonableness
- Logic tests: include the use of range limits or value or alphanumeric tests
Tutorial
Information processing objectives:
- Completeness: All transactions that occur are processed, once and only once
- Accuracy: Transactions are recorded at the correct amount, in the appropriate account and in the proper period
- Validity: Only authorised economic events that actually occurred are entered
- Restricted access: Data is protected against unauthorised amendment and access, and physical assets are appropriately restricted to authorised personnel. The other three objectives can be difficult to achieve without this
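As an added example (not part of the original notes), the following Python script applies the application controls listed under Chapter 7 and the four information processing objectives from the tutorial table to a constructed batch of vendor payments. The check digit scheme (Luhn mod-10), the approved vendor list, the amount range, the vendor payment history, the approver list and the sample batch are all assumptions made for this illustration; the notes only say that check digits "validate data by calculations".

```python
"""Added example: application controls over a constructed batch of vendor payments.
Each control is mapped to an information processing objective: completeness,
accuracy, validity or restricted access (with segregation of duties as a control)."""
from dataclasses import dataclass

# Predefined data listing: only vendors on the approved list may be paid (constructed).
APPROVED_VENDORS = {"V1001", "V1002", "V1003"}
# Logic test: range limit on a single payment (assumed policy limit).
AMOUNT_RANGE = (0.01, 50_000.00)
# Reasonableness test: learned pattern, here the historical mean payment per vendor (constructed).
HISTORICAL_MEAN = {"V1001": 1_200.00, "V1002": 800.00, "V1003": 15_000.00}
REASONABLENESS_FACTOR = 3.0
# Restricted access: the only users authorised to approve payments (constructed).
APPROVERS = {"carol", "dave"}


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor_id: str
    account: str        # account number whose last digit is a check digit
    amount: float
    prepared_by: str
    approved_by: str


def luhn_valid(number: str) -> bool:
    """Check digit control using the Luhn mod-10 algorithm (assumed scheme).
    Catches every single-digit keying error and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def amount_reasonable(vendor_id: str, amount: float) -> bool:
    """Reasonableness test: flag a payment far above the vendor's learned pattern."""
    mean = HISTORICAL_MEAN.get(vendor_id)
    return mean is None or amount <= REASONABLENESS_FACTOR * mean


def validate_payment(p: Payment, seen_ids: set) -> list:
    """Return the control failures for one payment (empty list if it passes)."""
    errors = []
    if p.txn_id in seen_ids:                              # completeness: once and only once
        errors.append("completeness: duplicate transaction id")
    if p.vendor_id not in APPROVED_VENDORS:               # predefined data listing
        errors.append("validity: vendor not on approved list")
    if not luhn_valid(p.account):                         # check digit
        errors.append("accuracy: account number fails check digit")
    low, high = AMOUNT_RANGE
    if not low <= p.amount <= high:                       # logic test: range limit
        errors.append("accuracy: amount outside permitted range")
    if not amount_reasonable(p.vendor_id, p.amount):      # reasonableness test
        errors.append("accuracy: amount unreasonable against vendor history")
    if p.approved_by not in APPROVERS:                    # restricted access
        errors.append("restricted access: approver not authorised")
    if p.approved_by == p.prepared_by:                    # segregation of duties
        errors.append("segregation of duties: preparer approved own transaction")
    return errors


def process_batch(payments: list, header_total: float):
    """Apply the controls to a batch; returns (accepted, [(txn_id, errors)], balanced)."""
    seen_ids, accepted, rejected = set(), [], []
    for p in payments:
        errors = validate_payment(p, seen_ids)
        seen_ids.add(p.txn_id)
        if errors:
            rejected.append((p.txn_id, errors))
        else:
            accepted.append(p)
    # Balancing control: the amounts keyed in must reconcile to the batch header total,
    # otherwise a data capture error (dropped or mis-keyed amount) has occurred.
    balanced = round(sum(p.amount for p in payments), 2) == round(header_total, 2)
    return accepted, rejected, balanced


# Constructed sample batch: 79927398713 passes Luhn, 79927398710 does not.
SAMPLE_BATCH = [
    Payment("P001", "V1001", "79927398713", 1_150.00, "alice", "carol"),   # clean
    Payment("P002", "V1002", "79927398710", 750.00, "alice", "dave"),      # bad check digit
    Payment("P003", "V9999", "79927398713", 100.00, "bob", "carol"),       # unapproved vendor
    Payment("P004", "V1001", "79927398713", 9_000.00, "alice", "carol"),   # unreasonable amount
    Payment("P005", "V1003", "79927398713", 14_000.00, "carol", "carol"),  # preparer == approver
    Payment("P001", "V1001", "79927398713", 1_150.00, "alice", "dave"),    # duplicate id
    Payment("P006", "V1002", "79927398713", 60_000.00, "bob", "carol"),    # over range limit
]
# The amounts above sum to 86150.00; the header carries a transposition (constructed).
BATCH_HEADER_TOTAL = 86_105.00

if __name__ == "__main__":
    accepted, rejected, balanced = process_batch(SAMPLE_BATCH, BATCH_HEADER_TOTAL)
    print("accepted:", [p.txn_id for p in accepted])
    for txn_id, errors in rejected:
        print("rejected", txn_id, "->", "; ".join(errors))
    print("batch balances to header total:", balanced)
```

Only the first P001 passes every control; each other payment fails exactly the control it was constructed to exercise, and the balancing control reports that the batch does not reconcile to its header, which is how a keying error in the header total (or a dropped line) surfaces before posting.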
Seminar 10: IT Governance and Risk Management
COBIT 4.1 Executive Summary and Framework
Why the need to have a control framework for IT governance
Increasing realisation of importance of information to success of enterprise
To heighten the understanding of IT to leverage it for competitive advantage
The Control Objectives for Information and related Technology (COBIT)'s characteristics
1. Business-focused
2. Process-oriented
3. Controls-based
4. Measurement-driven
1. Business-Focused
Information criteria:
- Effectiveness: relevant information delivered in a timely, correct, consistent and usable manner
- Efficiency: productive and economical use of resources
- Confidentiality: protection of sensitive information against unauthorised disclosure
- Integrity: accuracy and completeness of information, and its validity in accordance with business values
- Availability: available when required by business processes; also concerns safeguarding of the necessary resources
- Compliance: with laws, regulations and contractual obligations
- Reliability: appropriate information for management to exercise its fiduciary and governance responsibilities
IT resources:
- Applications: automated user systems and manual procedures that process information
- Information: data used by the business
- Infrastructure: technology and facilities that enable the processing of applications
- People: personnel required, whether internal, contract or outsourced
2. Process- Oriented
IT activities are grouped into a generic process model of 4 interrelated domains
1. Plan and Organise (PO)
- Provides direction to solution delivery (AI) and service delivery (DS)
- Identifies the way IT can best contribute to achievement of business objectives
2. Acquire and Implement (AI)
- Provides solutions
- IT solutions developed or acquired, as well as implemented and integrated into process
3. Deliver and Support (DS)
- Receives the solutions and makes them usable for end users
- Actual delivery of required services
4. Monitor and Evaluate (ME)
- Monitors all processes to ensure that the direction provided is followed
- Regularly assess IT processes quality and compliance with control requirements
Across these domains, COBIT identifies 34 IT processes
3. Controls-Based
In addition to control objectives for each domain (PO, AI, DS and ME), each process has generic control requirements identified by PCn. They should be considered together to have a complete picture of control requirements.
PC1 Process Goals and Objectives
PC2 Process Ownership: Roles and responsibilities of owners
PC3 Process Repeatability: Repeatable and produces consistent results
PC4 Roles and Responsibilities: Assign and communicate unambiguous roles
PC5 Policy, Plans and Procedures: Documentation, review, maintenance and approval
PC6 Process Performance Improvement
Controls applied to all IT are known as general controls, which are necessary for reliance to be placed on application controls
General controls:
- System development
- Change management
- Security
- Computer operations
Application controls:
- Completeness
- Accuracy
- Validity
- Authorisation
- Segregation of duties
Boundaries of Business, General and Application Controls
4. Measurement-Driven
Goals are defined at 3 levels:
1. IT goals define what the businesses expects from IT
2. Process goals define what the IT process must deliver to support the IT goals
3. Activity goals define what needs to happen inside the process to achieve the performance
Metrics are defined as two different types
1. Key Goal Indicators (KGI) indicate whether goals have been met. These can be measured only
after the fact, and therefore, are “lag indicators”
2. Key Performance Indicators (KPI) indicate whether goals are likely to be met. They can be
measured before the outcome is clear, and therefore, are “lead indicators”
Relationships between Goals
Possible Outcome Measures
Tutorial
2-Factor Authentication (2FA) combines two of the three factors:
What you know (Password)
What you have (Password-generating token)
What you are (Biometrics)
Using all three gives 3FA
Seminar 11: Information and Communication
CERM Chapter 8: Information and Communication
Financial information is used for developing financial statements for reporting purposes, and also for
operating decisions, such as in monitoring performance and allocating resources (e.g. variance reports,
budgets)
A challenge organisations face is in establishing an information system infrastructure to source, capture,
process, analyse, and report relevant information
Information systems can be formal and informal. Conversations with customers, suppliers and regulators
can provide critical information. Attendance in seminars can also provide valuable information
Strategic and Integrated System
As enterprises become more collaborative with customers and suppliers, the division between an entity's information systems architecture and that of external parties is increasingly blurred
Information systems are increasingly integrated into other aspects of operations (e.g. ERP); this
allows real time sharing of information among departments
Historical data:
- To track actual performance against targets, plans and expectations
- To identify correlations and trends, and to forecast future performance
- To determine whether the entity is remaining within established risk tolerances
Present data:
- Real-time view to identify variations from expectations
Information Quality is defined as:
1. Content is appropriate- Is it at the right level of detail?
2. Information is timely- Is it there when required?
3. Information is current- Is it the latest available?
4. Information is accurate- Is the data correct?
5. Information is accessible- Is it easy to obtain by those who need it?
Communication should effectively convey
Importance and relevance of effective ERM
Entity's objectives
Entity's risk appetite and risk tolerances
A common risk-language
The roles and responsibilities of personnel in effecting and supporting the components of ERM
Internal communications:
- Personnel should know how their activities relate to the work of others
- Front-line employees are often in the best position to recognise problems as they arise
- Must have open communication channels and a willingness to listen
- Both the normal reporting line and a channel that leads directly to the chief internal auditor or legal counsel
- Personnel must understand that there is no reprisal for reporting relevant information
- Code of conduct, employee training sessions, etc.
External communications:
- Customers and suppliers can provide highly significant inputs
- Open communication about risk appetite and tolerances, especially to others in the supply chain, helps align risk philosophies with external parties
- Communication to stakeholders, regulators and financial analysts helps them understand the circumstances and risks the entity faces
Means of communications: Policy manuals, memoranda, e-mails, bulletin boards etc, but nothing speaks
louder than action!
Seminar 12: Monitoring
CERM 9: Monitoring
An entity's ERM changes over time. Risk responses that were once effective may become irrelevant; control activities may become less effective, or the entity's objectives may change. There is a need for constant monitoring
Monitoring can be done in two main ways: Ongoing activities and Separate evaluations. The greater the
degree and effectiveness of ongoing monitoring, the less need for separate evaluations
Ongoing monitoring:
- Performed on a real-time basis, reacts dynamically to changing conditions, and is ingrained in the entity
- Done in the ordinary course of running the business
- Stems from regular management activities, such as variance analysis, comparisons of information, and reviewing reports
Separate evaluations:
- Take a fresh look from time to time, focusing directly on ERM's effectiveness
- Often due to trigger points such as a change in management or in the economy
- Usually take place after something goes wrong, and can be done by a third party
Methodology: Checklists, questionnaires, and flowchart techniques
Readings: Role of IA in ERM
Core IA roles in regard to ERM
- Giving assurance on risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks
Legitimate IA roles with safeguards (consulting roles)
- Facilitating identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidating the reporting on risks
- Maintaining and developing the ERM framework
- Championing the establishment of ERM
- Developing risk management strategy for board approval
Roles IA should NOT undertake
- Setting the risk appetite
- Imposing risk management processes
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management
Internal audit can take on consulting services so long as it has no role in actually managing risks, to protect objectivity and independence. Safeguarding conditions are as follows:
1. Should be clear that management remains responsible for risk management
2. Nature of IA's responsibilities should be documented in the charter and approved by the AC
3. IA should not manage any of the risks on behalf of management
4. IA should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions themselves
5. IA cannot give objective assurance on any part of the ERM which it is responsible for developing. Such assurance should be provided by other suitably qualified parties
6. Any work beyond assurance activities should be recognised as a consulting engagement and the relevant standards followed
Reading: Control Self-Assessment
CSA
- Unique because internal control evaluations are performed by operational employees as opposed to internal or independent auditors
- This forces employees to think about control and the conditions for improvement
- It instils a sense of ownership in these employees
- Can be facilitated by IT such as "GroupSystems", which can also bypass problems such as lack of anonymity and groupthink
Advantages
- Superior to traditional control evaluation techniques in evaluating "soft controls", such as controls over effectiveness of communications, corporate culture, ethics and integrity of management, and controls designed to drive customer satisfaction
- Strengthens the control environment by making participants realise that internal control is everyone's responsibility
- Conclusions from a facilitated team are typically superior to the results of traditional questionnaire evaluations
Weaknesses
- May not be suitable for all cultures. Some employees may fear the consequences of their negative inputs
Seminar 13: Implementation issues in ERM
CERM Chapter 11: Limitations of ERM
3 distinct concepts must be recognised
1. Risks relate to the future, which is inherently uncertain
- No one can predict the future with certainty
2. ERM can help ensure that management and the board are aware of the extent to which the entity is moving toward achievement of its objectives
- Certain events are outside management's control
3. ERM cannot provide absolute assurance with respect to any of the objective categories
- No process will always do what it is intended to do
Weakness / Description
Judgment: Effectiveness of ERM is limited by the realities of human frailty in making business decisions
Breakdowns: Personnel may misunderstand instructions, and judgmental mistakes may break down even a well-designed ERM
Collusion: Collusive activities of 2 or more individuals can result in ERM failures which cannot be detected by the ERM process
Cost versus Benefit: Due to resource constraints, entities must consider the relative costs and benefits of decisions. In a competitive industry, it is important to find the right balance in having the right amount of controls. Too much may reduce competitiveness (e.g. loan systems that are too cumbersome), while too little may increase risks.
Management override: A manager with criminal intent may still override the ERM to enhance financial condition or compliance status. Not to be confused with managerial intervention, which represents actions departing from the prescribed policies for legitimate purposes
Readings: Success factors for ERM
Success Factors (with the corresponding challenge)
1. Focus on strategy and business objectives
- Challenge: Do we have strong support from top management?
2. Think broadly about the expansive range of risks facing your organisation
- Many risks are related. Without understanding them and managing them in concert, the interplay and ability to offset some risks may be missed
- Challenge: Do we have sufficient resources for ERM?
3. Recognise that ERM is a multi-year journey
- Challenge: How do we maintain the stamina needed for ERM?
Benefits of ERM
1. Can reduce a bank's overall risk profile, which lowers the cost of capital
2. Enables capital to be allocated more appropriately for long-term growth
3. Leads to higher stock valuation and increased shareholder returns
Integrating BSC and ERM framework
Seminar 14: Fraud and Ethics
Readings
Unethical behaviours may not be fraudulent (illegal), but fraudulent activities are definitely unethical
The fraud triangle links the 3 conditions that fraud experts say are always present when fraud occurs. One can probably prevent fraud by eliminating one of them. It may be more practical and efficient to eliminate the 'Incentives' and 'Rationalisation'.
Branch / Description
Opportunity: Sealing the cracks and gaps
- Most effective, but most difficult way to prevent fraud
- Requires anticipation through continuous assessment of possible fraud schemes, and implementing appropriate preventive control activities
Incentives/Pressure: Protect good people from committing bad acts
- Can nullify fraud risk if the perpetrator believes that he or she will be detected and punished
- The most powerful motivation derives from the pressure to avoid a loss
- Individuals generally do not commit fraud without some form of incentive/pressure, such as the need to maintain employment, secure promotion, or impress the boss with strong performance
Rationalisation: What would their mother say?
- Fraudsters generally do not think of themselves as bad people when they are committing the fraud
- They often rationalise by assuring themselves that they will make it up the next quarter or that they are not hurting anyone. Some may even think the company owes them something.
- The cynic's view is that one with powerful pressure and opportunity will find a way to rationalise their actions
Effective fraud risk management consists of:
1. Fraud monitoring through detective control activities
2. Contemporaneous management review
3. After-the-fact fraud auditing
Seminar 15: Business Continuity Management
Readings
Business Continuity Management
A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
- Frequency of manmade and natural disasters has increased in recent years
- Impacts of disasters on businesses have increased thanks to technological advances, progressing globalisation, and the extension of supply chains
- Although technology remains very important to businesses, connectivity exacerbates the negative impact of a prolonged business interruption
- BC planning requires a cross-company perspective and can't be owned solely by the IT department
Risk assessment: Impact, Likelihood and Time
BCM is a subset of ERM
ERM
- Risk management strategies (Avoidance, Reduction etc) are formulated before an event or risk occurs
BCM
- Strategies and tactics focus on the processes that occur after an event. The objectives of those processes are to restore the business to normal operations as efficiently and effectively as possible
Business benefits of BCM
- To differentiate their service-delivery or product-delivery resilience to potential customers
- Thorough business impact analyses can expose business inefficiencies
- Retaining customers following a disaster is less expensive than acquiring new customers
- Successful crisis management experiences can boost morale and help prevent employee turnover following a disaster
Difficulty in implementing BCM
- Vividness bias: Prevents individuals from thinking about troubling matters and major risks unless those issues play out, intensively and repeatedly, before their eyes
- Competing priorities: Many companies resist BCM when more immediate and visible demands occupy them
- Lack of standards: New discipline that has undergone dramatic evolutions in recent years
Business Continuity Institute (BCI) Good Practice Guidelines:
1. Understanding the organisation
- Including business impact analysis to determine:
o Critical business functions
o Maximum tolerable period of disruption
o Recovery time objective
2. Determining BCM strategy
- Resources required, implementation timeline etc
3. Developing and implementing BCM response
- Monitoring by Business Continuity Team, media arrangements, communication with stakeholders
4. Exercising, maintaining, and reviewing BCM arrangements
- Review to refresh the relevance of risks and threats identified; test runs to ensure the viability of BCM
5. Embedding BCM in the organisation's culture
- Communications with employees, obtaining feedback, observations
- Deliver through formal training sessions