Using ERM Concepts in Managing Controls
The Institute of Internal Auditors
August 10, 2004
Ed Dudley, CIA, CPA
Retired Vice-President & General Auditor, ABB Americas
Agenda
Introduction & Overview – Ed Dudley
Integrating ERM Concepts in a Facilitated Entity Evaluation – Lynn Fountain
Using Risk Assessment to Assess Control Deficiencies – Paul Sobel
Integrating ERM – A Multidimensional View – Peg Weir
Break
Q & A

Key Risk Issues for Today
Benefits of Using an ERM Approach
Approach for Measuring Entity Level Controls
ERM Principles in Assessing Soft Attributes
Risk Management for an Entity Evaluation
ERM Planning Considerations

Key Risk Issues for Today (continued)
Key Control Deficiency Questions
Making Control Deficiency Assessments
Understanding Risk Tolerance Considerations
Developing Performance Based Culture and Metrics
Benefits of Continuous Improvement Life Cycle Approach
Integrating ERM Concepts in a Facilitated Entity Evaluation
Lynn Fountain
VP Risk Assessment & Audit Services, Aquila, Inc.
Measuring Entity Controls Utilizing ERM
COSO components evaluated: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
ERM steps applied to each component:
Risk Assessment
–What attributes will be evaluated?
–Define stages of maturity
–Determine each attribute's maturity stage
–What stage of maturity is considered acceptable?
–Filter: key attributes that fall below the desired stage
Risk Analysis
–Where the current stage is less than desirable, what are the underlying reasons and causes?
–Filter: consider what attributes should be improved to meet management strategies
Risk Strategy
–Based on management's risk strategy, what attributes should be addressed to improve their current state?
–Filter: identify methods to monitor actions
Risk Capabilities
–Do the capabilities (people, process, technology and information) exist to execute the desired state?
–How will actions be monitored?
Facilitated Approach to Measuring Entity Controls
ERM principles provide a structured method to assess the soft attributes of entity evaluation.
Benefits of using an ERM approach:
–Align management risk appetite with risk evaluation
–Enhance response to risk identification
–Identify how evaluation permeates across the organization
–Identify integrated solutions for managing risk areas

Planning Considerations
Ensure use of ERM principles
–Attributes to be voted, as well as session participants, must be reflective of the entire organization
–Communication of voting stages must include considerations for cost vs. benefit
–Voting considerations must include how actions permeate across the organization; they should not be based on one event
–Attributes voted must be able to have actionable items for any remediation to be considered

Session Planning
Identify voting attributes
–Attributes should cover the five components of COSO
Define scale and stages
–Stages are consistent throughout definitions
–Provide for voting in between stages
Identify participants
–Cross-functional representation: financial, operational, compliance
Conduct pre-sessions
–Review voting scale, attributes and definitions

Session Execution
Define rules of the day
Encourage open feedback
–Discussion is the most value-added portion
–Ensure anonymity of individual comments
Monitor real-time voting for large variances in opinion
–Facilitate discussion when voting is widely dispersed
–Consider a re-vote
Avoid common pitfalls
–Group think
–Voting creep
–Duress voting
–Dominant participant
–Fatigue
Stages: Entity Evaluation – Risk Management Capability Characteristics
Stage A: Process ad hoc; results often left to the heroics of individuals
Stage B: Informal processes; not well communicated or executed
Stage C: Formal processes that are adequate; processes may not always be consistent or well communicated; areas of improvement in efficiency and effectiveness
Stage D: Formal processes that are well executed; processes are consistent and well communicated; improvement area exists in relation to monitoring and KPIs
Stage E: Processes are optimal; best practice methods and metrics
Example Attributes
Control Environment
–Ethics Policy
–Ethical Values
–Ethics Reporting
–Ethics Discipline
–Commitment to competence – personnel
–Commitment to competence – management
–Commitment to competence – external auditors
–Management structure & operating style
–Management financial reporting philosophy
–Management internal control philosophy
–Management incentives
–Management financial goals
–Organization structure and size
–Ownership and Accountability
–Policy establishment
–Approvals
–Segregation of Duties
–HR Policies and Procedures
–Job Screening
–Job Descriptions
–Job Performance

Example Attributes (continued)
Risk Assessment
–Business Objectives
–Strategic Plan
–Method to identify business risks
–Management Risk Tolerance
–Acquisitions/Divestitures
–Budgets
–Accounting, Operating and Regulatory Changes
Information and Communication
–Systems Reliability
–Users
–Change Control
–DR Plan
–Business Continuity
–Management Communication
Control Activities
–KPIs
–Financial Reports
–Reconciliation of Physical Assets
–Physical Inventories
–Destruction of Assets
Monitoring
–Monitoring Overrides
–Correcting Deficiencies
–Monitoring Process Change
Deliverables
Graphical depiction of voting averages
Evaluate areas that fall below the desired stage
Determine actions & obtain management sign-off
Assign target dates and responsibilities
Communicate results
–Board
–Management

Summary
Approach
Benefits
Planning Considerations
Execution of Session
Deliverables
Post-Session Remediation/Follow-up
Using Risk Assessment to Assess Control Deficiencies
Paul J. Sobel
Vice President, Internal Audit, Mirant Corporation

Control Deficiency Questions
If a control deficiency were to occur, how bad could it be?
–Impact on financial reporting
–Likelihood of that impact occurring
How could that deficiency manifest itself, i.e., what are the scenarios should it occur?
At what levels does a deficiency become significant? Material?

Key Risk Decisions
What is our tolerance relative to control deficiencies?
How would the deficiency occur, i.e., what are the scenarios?
What is our risk assessment of the deficiency?
(COSO ERM cube shown on the slide – components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring; objective categories: Strategic, Operations, Reporting, Compliance; organizational levels: Entity-Level, Division, Business Unit, Subsidiary)
Deficiency Assessment
Classification by impact (rows) and likelihood (columns):
                   Remote                        More Than Remote
Inconsequential    Not a Significant Deficiency  Not a Significant Deficiency
Consequential      Not a Significant Deficiency  Significant Deficiency
Material           Not a Significant Deficiency  Material Weakness

Impact Types
Financial Impact
Reporting/Filing Delay
Fraud Potential
Pervasive Impact
Technical Violation

Likelihood Factors
Nature of account, disclosures and assertions
Susceptibility to loss or fraud
Subjectivity, complexity or judgment involved
Cause and frequency of known exceptions
Interdependence or redundancy of controls
Potential Scenarios
Potential scenarios are plotted on the likelihood/impact matrix (Remote vs. More Than Remote; Inconsequential, Consequential, Material) to see whether each lands in Not a Significant Deficiency, Significant Deficiency or Material Weakness.
"... evaluating deficiencies and whether they constitute significant deficiencies or material weaknesses will necessarily always involve judgment." – PCAOB

Tolerance Considerations
Quantitative Factors
–% of revenues, assets or income
  Materiality level = 0.0025 to 0.005 × revenues (i.e., 0.25% to 0.5%), or 5% of operating income
  Significance level = 5% to 20% of materiality
–Change in EPS (e.g., 1¢)
–More than rounding
–Change in key financial ratios
Qualitative Considerations
–Entity-level considerations (e.g., tone at the top)
–Nature of controls
–Ability to monitor controls
–Nature of disclosures (e.g., related party implications)
–Non-direct considerations (e.g., credit rating, regulatory compliance)

Summary
Evaluating control deficiencies requires a great deal of judgment
Utilizing risk management concepts, particularly risk assessment, brings some structure to those judgments
Must develop and articulate tolerance levels
Think through the various scenarios
Caution: don't let it become a black-and-white decision-making process
(Likelihood/impact matrix repeated on the slide)
ERM – A Multi-Dimensional View
Margaret (Peg) Weir
Manager, Internal Control Group, United States Postal Service

ERM – A Multi-Dimensional View
United States Postal Service
–Independent government entity; self-sustaining
–Board of Governors
–Management – Internal Control Group
–Inspection Service
–Internal Auditor – Office of Inspector General
–Government oversight
–External Auditor

Enterprise Risk Hierarchy (diagram)
Elements shown:
–Oversight: Board – Audit & Finance Committee
–External and internal audit findings
–Business environment & management priorities/strategies: transformational, traditional, special cases
–Financial events; fraud
–ERM continuous improvement across the COSO components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
–Parties: Board, Management (includes Internal Control Group), Internal Auditor, External Auditor, Inspection Service
Continuous Improvement Life Cycle
(diagram only)

Business Review Committee / Internal Control Process Cycle
–HQ IC meets with HQ functional peers to discuss risks
–HQ IC evaluates data related to identified risks
–HQ IC proposes national risk prioritization (supported by data) to the Business Review Committee for concurrence
–Field IC evaluates local data relative to national priorities to determine appropriate local risk prioritization
–HQ IC reports to the BRC on progress of nationally prioritized risk mitigation efforts

Internal Control Process Cycle
–Management prioritizes risks based on data or other influences
–IC Analysts analyze additional data and review prioritized internal controls
–IC Analysts work with process owners to determine root causes and develop risk-mitigating solutions
–Process owners implement risk-mitigating solutions
–IC Analysts monitor results and share best processes enterprise-wide

Risk Assessment Model
(diagram only)

ERM – A Multi-Dimensional View
Ongoing risk assessment in the ERM lifecycle
–Data-driven risk analysis
–Partnerships to address risks and achieve goals & objectives
–Ongoing monitoring
–Linkage to national performance metrics
Hierarchy of internal and external considerations
Prioritization/Evaluation/Improvement/Monitoring
Quarterly and annual assessment and reporting
Q & A

Summary of Main Points
Use a Facilitated Approach to Measuring Entity Level Controls
Ensure the Use of ERM Principles
Utilize Facilitated Session Planning and Execution
Determine Deliverables and Communicate Results

Summary of Main Points (continued)
Ask Key Control Deficiency Questions
Key Risk Decisions Must Revolve Around Risk Tolerance, Occurrence Scenarios and Risk Assessment
Evaluate Control Deficiencies With Risk Management Concepts, Particularly Risk Assessment

Summary of Main Points (continued)
Consider Both Internal and External Influences
Link Key Performance Metrics to ERM Improvements
Continuously Improve Controls Through Monitoring and Prioritizing
Get Your CPE Certificate
If you are a primary Webcast participant:
–If you view the live Webcast, you should be receiving your CPE certificate via email today. You can also view the certificate in your account. Just log in and hit the CPE button.
–If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.
If you are not the primary participant but will be viewing the Webcast:
–Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.

September 14, 2004: Role of Transition-Year2

Webcast Evaluation
Visit the Login Page