
1 Internal Audit’s Role in Enterprise Risk Management March 22, 2016 Chris Kalafatis, Manager, Risk Advisory Services.


1 Internal Audit’s Role in Enterprise Risk Management
March 22, 2016
Chris Kalafatis, Manager, Risk Advisory Services

2 Agenda
Enterprise Risk Management (ERM)
– Definition / Framework
– Benefits
– Structure
Role of Internal Audit (IA)
– How IA can help
– Key considerations
– Limitations
In-depth Discussion of IA’s Role in ERM

3 ERM Definition / Framework
A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
Various ERM frameworks exist; each describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise.

4 ERM Benefits
Enhanced corporate governance – ERM, Governance, Risk and Compliance are linked
Improved regulator, investor and rating agency confidence
Improved ability to respond to changing business demands
Ability to evaluate the likelihood / impact of major risks
Provides an integrated as opposed to silo approach
Promotes an open, positive, risk-aware culture

5 Typical ERM Structure (diagram labels): Plan, Coordinate, Monitor, Report, Analyze, Aggregate, Report, Facilitate

6 IA’s Role – How IA Can Help
The two most important ways that IA provides value to the organization are by providing objective assurance that:
– major business risks are being managed appropriately (core ERM role)
– the risk management and internal control framework is operating effectively

7 IA’s Role – How IA Can Help
Seat at the Table
Understand the organization’s business and strategic risks, risk management philosophy and overall risk appetite
In-depth operational and process understanding

8 IA’s Role – How IA Can Help
Educate – Many senior executives don’t understand ERM. IA can facilitate identification and evaluation of risks.
Facilitate – ERM requires quality risk assessments. IA can play a lead role in the organization by facilitating risk assessments and formulation of risk responses. IA can also play a consultative role in coaching management in responding to risks.

9 IA’s Role – How IA Can Help
Coordinate – IA can play a value-added coordination role to ensure consistent deployment across the enterprise.
Evaluate – IA can evaluate risk management, either for the organization as a whole or for a division, subsidiary or a unit.

10 IA’s Role – Key Considerations
Key considerations to ensure IA’s independence and objectivity are maintained:
– Be clear that management is responsible for risk management.
– The nature of IA’s responsibilities should be documented in the IA charter and approved by the audit committee.
– IA should not manage any of the risks on behalf of management.
– IA should provide advice, challenge and support to management’s decision making, as opposed to making risk management decisions itself.
– IA cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
– Any work beyond the assurance activities should be recognized as a consulting engagement, and the implementation standards related to such engagements should be followed.

11 IA’s Role – Limitations
Activities IA should not undertake:
– Setting the risk appetite
– Authorizing and dictating the implementation of risk management processes
– Assuming the role of management in providing assurance on risks and risk management performance
– Making decisions on risk responses
– Implementing risk responses on management’s behalf
– Accepting accountability for risk management

12 IA’s Role – Limitations

13 In-Depth Discussion of IA’s Role in Risk Management

14 Key Points
Industry trends include the IA function becoming a strategic advisor on enterprise-wide risks
A fully optimized IA function can significantly enhance its ability to help an organization with ERM since it doesn’t have a single view of risk
The Three Lines of Defense Model is blurry
To properly address risks, the IA function must have:
– Courage
– Sufficient training
– Forward thinking risk management practices
– Understanding of emerging risks
Failure to have a sufficient IA function that identifies key risks can have a major impact on an organization

15 Internal Audit Trends and Optimizing the IA Function

16 Internal Audit Trends

17 Optimizing the Internal Audit Function
Develop a strategic roadmap
Be a critical part of the organization’s governance structure
Be valued and used as a decision support tool
Serve as a catalyst for analyzing risk across the organization
Perform a risk assessment and develop an audit plan that includes corporate functions, compliance, and IT in the audit universe
Be a proactive function that brings value to the organization, identifies better ways to operate, saves money, reduces risks and stays compliant
Maintain proactive communication with the Audit Committee and External Auditors
Ensure your IA activities will be relied upon by third parties
Serve as the 3rd Line of Defense

18 The Lines of Defense to Manage Risk is Blurry

19 The Lines of Defense to Manage Risk is Blurry

20 The Lines of Defense to Manage Risk is Blurry

21 The Lines of Defense to Manage Risk is Blurry
Audit Objective: Determine if responsibility for data privacy is clearly defined and whether strategies are in place to comply with data privacy laws, regulations and standards.
Audit Results:
– There is no owner for data privacy at the company level. There are various efforts in Legal, IT, and HR, but these are not fully coordinated.
– An inventory of data subject to privacy laws, regulations and standards does not currently exist.
– Although limited risk assessments at a department level have been completed, management has not performed an enterprise risk assessment related to data privacy to identify and prioritize areas of focus.

22 The Lines of Defense to Manage Risk is Blurry
It is not acceptable to place boxes of completed credit applications by the trash on a public street in New York…

23 Be Courageous

24 Be Courageous

25 Be Courageous
IA must have the courage to tell stakeholders the unvarnished truth, whether they want to hear it or not
The business has to know the audit function has power
An organization’s risk management benefits when the business supports the IA function and helps promote its mission and value

26 Sufficient Training

27 Sufficient Training

28 Sufficient Training

29 Sufficient Training
IA departments need to enhance training efforts to fully assist in risk management
– 40% of IA staff receive fewer than 40 hours of training per year
– Training doesn’t include sufficient levels of business/industry knowledge, critical thinking and leadership skills, which are key to helping the organization identify and manage risks

30 Forward Thinking Risk Management Practices

31 Forward Thinking Risk Management Practices

32 Forward Thinking Risk Management Practices

33 Forward Thinking Risk Management Practices

34 Forward Thinking Risk Management Practices
How satisfied are you that your organization’s IA function delivers the value that it should?

35 Forward Thinking Risk Management Practices
Are IA departments auditing the key risks? How are they doing it without management and Audit Committee feedback? How about emerging risks?
How can misaligned audit departments demonstrate the value they add to their organizations’ strategies?
Is it surprising Audit Committees are not fully satisfied?

36 Emerging Technology Risks

37 Emerging Technology Risks

38 Emerging Technology Risks
Technology risks are extremely difficult to manage because they are constantly evolving
IA needs to respond proactively by helping organizations identify, monitor, and address emerging IT risks and advising their boards on how best to do so

39 Lack of Internal Audit Involvement in Risk Management

40 Lack of IA Involvement in Risk Management

41 Lack of IA Involvement in Risk Management
60 Minutes cited lab tests that found some samples of laminate flooring contained very high levels of formaldehyde, which is a carcinogen
Some pieces had 20 times the limit allowed under California law
Long-term exposure to chemicals at those levels "would increase the risk for chronic respiratory irritation, change in a person's lung function, increased risk of asthma" and be especially dangerous for children

42 Lack of IA Involvement in Risk Management
CEO and CFO resigned, significant legal expenses, damaged reputation, and sales declines
Stock – 2 year high was $109, now $11
IA function primarily a SOX function; no audits of vendor management, customs compliance and factory inspections
Could IA have helped prevent this?

43 Internal Audit Consulting and Advisor Roles for ERM

44 IA Consulting and Advisor Roles for ERM
Roles IA may undertake to assist in risk management:
– Making available to management tools and techniques used by IA to analyze risks and controls
– Providing advice, facilitating workshops, coaching the organization on risk and control, and promoting the development of a common language, framework and understanding

45 Questions
Chris Kalafatis, CPA, CIA, CFE
Manager, Risk Advisory Services
Phone: 804-474-1270
chris.kalafatis@dhgllp.com
www.linkedin.com/in/chriskalafatis/

