What is Internal Audit’s Role?

Presentation transcript:

Risk Assessment: What is Internal Audit’s Role?

Presented by Paragon Audit & Consulting

Learning Objectives
- Risk and the Importance of a Risk Assessment
- Discussion of the COSO Principles
- Key Steps in Performing a Risk Assessment
- Communicating the Risk Assessment to the Audit Committee
- DOs and DON’Ts
- Looking past the horizon

Speaker notes: Management and auditors need to consider all risks that could hinder the company from achieving its goals. Material misstatement is just the most important of those in the eye of the auditor.

Risk and the Importance of a Risk Assessment
What is Risk?
Risk is anything that slows down an organization in achieving its objectives.

Risk and the Importance of a Risk Assessment
What is a Risk Assessment?
A Risk Assessment involves the identification and analysis of relevant risks that threaten the achievement of an organization’s objectives, and determining how those risks should be managed.

Risk and the Importance of a Risk Assessment
Why is a Risk Assessment Important?
- Proactive approach to removing potential barriers threatening the success of an organization
- Helps an organization focus resources
- Required by COSO
- IIA Performance Standard 2010: the CAE should determine the priorities of the internal audit activity consistent with the organization’s goals, and based on a risk assessment

Discussion of the COSO Principles
1. Demonstrates Commitment to Integrity and Ethical Values
2. Exercises Oversight Responsibility
3. Establishes Structure, Authority, and Responsibility
4. Demonstrates Commitment to Competence
5. Enforces Accountability
6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies and Analyzes Significant Change
10. Selects/Develops Control Activities
11. Selects/Develops General Controls over Technology
12. Deploys through Policies and Procedures
13. Uses Relevant Information
14. Communicates Internally
15. Communicates Externally
16. Conducts Ongoing and/or Separate Evaluations
17. Evaluates and Communicates Deficiencies
[Graphic: COSO Cube]

COSO Principles Focused on Risk Assessment
1. Demonstrates Commitment to Integrity and Ethical Values
2. Exercises Oversight Responsibility
3. Establishes Structure, Authority, and Responsibility
4. Demonstrates Commitment to Competence
5. Enforces Accountability
6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies and Analyzes Significant Change
10. Selects/Develops Control Activities
11. Selects/Develops General Controls over Technology
12. Deploys through Policies and Procedures
13. Uses Relevant Information
14. Communicates Internally
15. Communicates Externally
16. Conducts Ongoing and/or Separate Evaluations
17. Evaluates and Communicates Deficiencies
[Graphic: COSO ERM Cube]

Principle 6: Specifies Suitable Objectives
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Points of Focus: Operations Objectives
- Reflects Management’s Choices
- Considers Tolerances for Risk
- Includes Operations and Financial Performance Goals
- Forms a Basis for Committing of Resources

Speaker notes: I noticed an interesting statistic when preparing this presentation. There are 27 points of focus in the risk assessment principle evaluation section of the COSO framework, and over half of them, 15, are in the section on objectives.

Principle 6: Specifies Suitable Objectives
External Financial Reporting Objectives
- Complies with Applicable Accounting Standards
- Considers Materiality
- Reflects Entity Activities
External Non-Financial Reporting Objectives
- Complies with Externally Established Standards and Frameworks
- Considers the Required Level of Precision

Principle 6: Specifies Suitable Objectives
Internal Reporting Objectives
- Reflects Management’s Choices
- Considers the Required Level of Precision
- Reflects Entity Activities
Compliance Objectives
- Reflects External Laws and Regulations
- Considers Tolerances for Risk

Principle 7: Identifies and Analyzes Risk
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Points of Focus
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
- Analyzes Internal and External Factors
- Involves Appropriate Levels of Management
- Estimates Significance of Risks Identified
- Determines How to Respond to Risks

Principle 8: Assesses Fraud Risk
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of Focus
- Considers Various Types of Fraud
- Assesses Incentives and Pressures
- Assesses Opportunities
- Assesses Attitudes and Rationalizations

Principle 9: Identifies and Analyzes Significant Change
The organization identifies and assesses changes that could significantly impact the system of internal control.
Points of Focus
- Assesses Changes in the External Environment
- Assesses Changes in the Business Model
- Assesses Changes in Leadership

Principle 10: Selects and Develops Control Activities
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of Focus
- Integrates with Risk Assessment: control activities help ensure that risk responses that address and mitigate risks are carried out.

Key Steps in Performing a Risk Assessment
Phase One: Create an Audit Universe Map
- Note key process owners at the VP level
Phase Two: Identify Objectives and Risks
- Interview key process owners and analyze data
Phase Three: Rate and Rank Risks
- Will be used to create the audit plan (Risk Response)
Throughout the entire process: determine how the organization is complying with the COSO Framework.

Speaker notes: For the nature of the company, it is important to know the size, the industry, and the goals and objectives. Management should be transparent and knowledgeable. If there is a lot of executive-level turnover (or a lot of turnover in general), that may be a red flag that management is not of high quality and may not enforce policies and procedures well. This can be a great risk that statements may be misstated. When speaking with employees and observing on-site, it is important to notice the culture, how employees feel about management, current policies and processes, and their overall attitude. It is important to interview and observe employees at all levels in the business to get the whole picture. Trend analysis, ratio analysis, reasonableness, and looking at old audit results are all good ways to analyze a company’s past reputation and possible risks.

Key Steps in Performing a Risk Assessment
Phase One: Create an Audit Universe Map
- Recognizing the nature of the company, identify and document: all Business Units or Departments; Key Processes; Supporting IT Infrastructure
- Determine auditable entities and segment by (1) Business process, (2) Physical location, and (3) IT systems
- Discussions with management to understand emerging risks and to discuss prominent risk factors for each entity

Key Steps in Performing a Risk Assessment
Example of the audit universe
- Sales: Retail Business; Sales Operations; Etc.
- Operations: Planning; Production; Distribution
- Finance: Accounting; Procurement; Real Estate
- IT: Development; Infrastructure

Key Steps in Performing a Risk Assessment
Phase Two: Identify Objectives and Risks
- Always start with the Organization’s Objectives
- Determine whether Objectives are in line with the organization’s mission and vision
- Interview employees and do some on-site observations
- Review key metrics, trends, processes and documentation
- Examine the quality of management
- Analyze the Risk Factors disclosed in the annual 10-K filing
- Review the external factors and recent problems identified at other companies

Key Steps in Performing a Risk Assessment
Phase Two: Identify Objectives and Risks (Continued)
During discussions with Management, inquire about recent or upcoming changes in the following:
- Regulatory environment
- Technology
- Management
- Lines of business or business acquisitions/divestitures
- Risk Appetite
- Any known or projected economic factors

Top 10 Business Risks in 2016 (Allianz Study)
Study conducted through interviews with 800+ risk experts across 40 countries. More than one risk could be selected, so the percentages do not add up to 100%.

Key Steps in Performing a Risk Assessment
Phase Three: Rate and Rank Risks
- Complete interviews with the IA Team, Corporate Compliance, Senior Management and the External Auditors
- Identify current means by which management mitigates risks
- Document Key Inherent Risks, Mitigating Controls and the Residual Risks
- Design a measurement system for Likelihood and Impact of identified risks and give consideration to Vulnerability
- Work with Senior Management to rate and rank key risks
- Compare risks across departments and normalize outliers

Key Steps in Performing a Risk Assessment
Draft rating and ranking measurements for impact and likelihood. Consider the following drivers:
Impact
- Financial
- Reputational
- Regulatory
- Employee Safety
- Staff Morale
Likelihood
- Controls are weak or non-existent
- Area and processes are complex
- Processes are highly manual
- High department turnover
- Department is new

Key Steps in Performing a Risk Assessment
Example rating worksheet (columns as shown on the slide):

Risk | Impact Drivers: Financial, Etc., Avg. | Likelihood Drivers: Internal Controls, Complex Process
Accepting customers with poor credit | 4, 5, 4.5 | 1, 2, 3
Sales comp. plan not meeting objectives | (not filled in on the slide) | (not filled in on the slide)
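The Phase Three scheme above (average the impact and likelihood driver scores per risk, rank, and normalize across departments) carried through in code, with the result fed into inherent and residual heat-map cells. This is an added example, not code from the Paragon Audit & Consulting slides; the multiplicative inherent score, the control-effectiveness discount that produces residual risk, the High/Medium/Low cut-offs, and the sample register (beyond the one row of scores shown on the slide) are assumptions constructed here.

```python
"""Rate, rank and heat-map risks for an internal-audit risk assessment (added example).

Impact and likelihood driver scores are averaged per the page's Phase Three scheme.
Assumptions not on the slides: inherent = impact avg x likelihood avg, controls reduce
likelihood by a control_effectiveness fraction, and the High/Medium/Low cut-offs.
"""
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1..5 rating scale for every driver
HIGH, MEDIUM = 4.0, 2.5       # assumed heat-map band cut-offs on an averaged score


@dataclass
class Risk:
    name: str
    department: str
    impact: dict        # impact driver -> score, e.g. {"Financial": 4, "Reputational": 5}
    likelihood: dict    # likelihood driver -> score; higher = weaker controls, more manual, ...
    control_effectiveness: float = 0.0   # 0 = unmitigated, 1 = fully mitigated (assumed)

def driver_average(scores):
    """Average the driver scores after checking that each one is on the rating scale."""
    if not scores:
        raise ValueError("at least one driver score is required")
    for driver, score in scores.items():
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{driver}: {score} is outside {SCALE_MIN}..{SCALE_MAX}")
    return mean(scores.values())

def residual_likelihood(risk):
    """Controls are assumed to lower likelihood (never impact), floored at the scale minimum."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return max(driver_average(risk.likelihood) * (1 - risk.control_effectiveness), SCALE_MIN)

def inherent_score(risk):
    """Inherent risk before controls: impact average x likelihood average."""
    return driver_average(risk.impact) * driver_average(risk.likelihood)

def residual_score(risk):
    """Residual risk after the mitigating controls management already has in place."""
    return driver_average(risk.impact) * residual_likelihood(risk)

def band(value):
    return "High" if value >= HIGH else "Medium" if value >= MEDIUM else "Low"

def heat_map_cell(risk, residual=False):
    """(impact band, likelihood band): the cell on the inherent or the residual heat map."""
    likelihood = residual_likelihood(risk) if residual else driver_average(risk.likelihood)
    return band(driver_average(risk.impact)), band(likelihood)

def normalize_by_department(risks):
    """Rescale inherent scores so each department's mean equals the overall mean (assumed
    reading of 'compare risks across departments and normalize outliers')."""
    scores = {r.name: inherent_score(r) for r in risks}
    overall = mean(scores.values())
    by_dept = {}
    for r in risks:
        by_dept.setdefault(r.department, []).append(scores[r.name])
    dept_mean = {d: mean(v) for d, v in by_dept.items()}
    return {r.name: scores[r.name] * overall / dept_mean[r.department] for r in risks}

def rank_risks(risks):
    """Highest residual risk first; ties broken by inherent score, then by name."""
    return sorted(risks, key=lambda r: (-residual_score(r), -inherent_score(r), r.name))

# Constructed sample register. The first row reuses the scores shown on the slide
# (Financial 4, second impact driver 5, Internal Controls 1, Complex Process 2); the
# other rows and every control_effectiveness value are made up for this example.
SAMPLE_RISKS = [
    Risk("Accepting customers with poor credit", "Sales",
         {"Financial": 4, "Reputational": 5}, {"Internal Controls": 1, "Complex Process": 2}),
    Risk("Sales comp. plan not meeting objectives", "Sales",
         {"Financial": 3, "Staff Morale": 4}, {"Internal Controls": 4, "Highly Manual": 5}, 0.4),
    Risk("Unpatched production servers", "IT",
         {"Financial": 3, "Regulatory": 5, "Reputational": 4},
         {"Internal Controls": 3, "High Turnover": 2}, 0.5),
    Risk("Privileged access not reviewed", "IT",
         {"Regulatory": 4, "Financial": 2}, {"Internal Controls": 5, "Highly Manual": 4}, 0.2),
]
```

Calling `rank_risks(SAMPLE_RISKS)` gives the order for the audit plan, and `heat_map_cell(r)` beside `heat_map_cell(r, residual=True)` shows the movement between the inherent and residual maps that the later slide recommends plotting.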

Key Steps in Performing a Risk Assessment Presented by Paragon Audit & Consulting

Communicating the Risk Assessment to the Audit Committee
- Present an overview of the risk assessment process by highlighting the key steps followed in the three Phases: Phase One: Create an Audit Universe Map; Phase Two: Identify Objectives and Risks; Phase Three: Rate and Rank Risks
- Develop a summary of the most significant risks
- Categorize risks into financial, operational, and compliance
- Consider staying under 20 risk categories and discuss sub-risks
- Consider using a heat map if not too busy: one with Inherent risks and one with Residual risks
- Include risk response and linkage to the audit plan

Speaker notes: You could combine inherent and residual and show the movement to a safer part of the graph after applying controls.

Communicating the Risk Assessment to the Audit Committee
[Diagram labels: External Factors; Leaders; Dept.; Key Changes; Key Metrics & Trends; Board of Directors; External Auditors; Control Structure]

Key Steps in Performing a Risk Assessment: DOs and DON’Ts

DO: Use risk self-assessment workshops to take advantage of the insights of other managers.
DON’T: Do not rely on surveys to capture initial thoughts about risks.

DO: Get consensus on measuring risks and risk tolerances.
DON’T: Ignore financial impact on the organization.

DO: Establish participants’ understanding of the effectiveness of controls and other risk responses used in the organization.
DON’T: Do not forget to consider the state of controls and other risk management practices in the organization.

DO: Work closely with leadership to understand strategy and key objectives.
DON’T: Perform the assessment in a vacuum, ignoring key objectives and only looking backwards at past problems.

DO: Communicate a high-level, clear summary of the Risk Assessment to the Audit Committee.
DON’T: Ignore input from the Audit Committee or give the Audit Committee too much detail about the risk assessment.

Speaker notes: Risk self-assessment workshops are usually led by an internal auditor with a Certification in Control Self-Assessment and are most successful when management is actively engaged in discussing risks and controls. This tends to shed a lot of light on how educated management is on risks and controls. It gives them a better understanding of their business and their risk and control environment, and usually gives rise to a better relationship with the internal audit and compliance team.

Looking Past the Horizon
COSO released the draft Enterprise Risk Management (ERM): Aligning Risk with Strategy & Performance document for public comment (comments accepted through September 2016). The draft:
- Adopts a components and principles structure
- Simplifies the definition of ERM and renews focus on ERM integration
- Emphasizes the relationship between risk and value
- Examines the role of culture
- Elevates discussion of strategy
- Enhances alignment between performance and ERM
- Links ERM into decision-making more explicitly
- Delineates between ERM and internal controls
- Redefines risk appetite (risk tolerance)

Speaker notes: Risk Assessment down the horizon. Biggest takeaway: integrate risks upfront (strategy and objective setting) and throughout the process of executing objectives; risk management should be understood by all departments, not just IA and Risk Management.
1. Similar to the COSO framework structure with principles and points of focus
2. Easier for people outside of risk management to understand; integration of risk: think about risk as strategy and objectives are being set, and manage risks up front and as objectives are executed
3. Value: opportunities
4. Culture: how strategies are chosen and risk response
5. Strategy: does it align with vision and mission
6. Aligns risks with performance
7. All organizations should understand risk management
8. Complements the COSO framework but doesn't repeat a discussion of controls
9. Redefines risk appetite as the level of risk acceptance for a given level of performance; the new focus is on performance

Appendix: Paragon Audit & Consulting
- Global risk and compliance advisory firm founded in 2003 and headquartered in Denver
- Clients range from small privately held and nonprofit organizations to large government and SEC entities with revenue over $75B
- Services include: Internal audit; Sarbanes-Oxley; Quality Assessment Reviews; Process improvement consulting services
- Majority of our professionals have between 15 and 30 years of experience in internal audit, IT audit, external audit, IT and Finance
- Very nimble firm with competitive pricing