1
IMFO Audit & Risk Indaba 28-29 June 2012
Complementary role of CAE and CRO in the provision of combined assurance
Nathi Mhlongo, eThekwini Municipality
2
Discussion topics
King III on combined assurance
Where is it risky? Are we focusing where it matters? (Source: PwC statistical information)
Critical areas of convergence for CAE and CRO
Requirements for effective cooperation between CAE and CRO
Benefits of combined assurance
3
King III
3.5 The Audit Committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance services.
Diagram labels: Management; External Assurance Providers; Internal Assurance Providers; Combined assurance
4
Combined assurance model
Council and Key Committees OVERSIGHT Audit and Risk Committee Municipal Manager and Key Committees Risk Management Committee MANAGEMENT GOVERNANCE First Line of Defence Second Line of Defence Third Line of Defence ASSURANCE Chief Risk Office Ethics and Compliance Ombudsperson Legal Internal and External Auditors Management of Operations
5
Is there convergence between IA and ERM?
Internal Audit Risk Management
6
Chief Risk Officer
1. Provide overall leadership, vision and direction for ERM
2. Establish an integrated framework for all risks in the organization
3. Develop risk management policies, including quantification of management’s risk appetite
4. Implement a set of risk indicators and reports, including incidents and losses
5. Communicate the organization’s risk profile to stakeholders
6. Develop analytical, systems and data management capabilities to support the risk management program
7
Chief Audit Executive
1. Evaluate the ERM methodologies and processes to ensure they are working as intended
2. Review and provide assurance that the risks of the organization are being systematically identified, evaluated and appropriately managed
3. Monitor and evaluate the adequacy and effectiveness of the risk mitigation responses designed by management
4. Report to the Audit Committee on the effectiveness of the ERM process, procedures and internal controls
8
King 3 on risk management and combined assurance
The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
King 3 on IA and combined assurance
The board should receive assurance regarding the effectiveness of the risk management process
9
Can CAE and CRO collaborate?
What does ERM mean? How do both functions fit into the equation? How can internal audit assist and yet independently evaluate risk management activities?
10
ERM Definitions
RIMS: ERM is a strategic business discipline that supports achievement of an organization’s objectives by addressing the full spectrum of its risks and managing a combined impact of those risks as an interrelated risk portfolio.
The IIA: ERM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of objectives.
Source: The IIA and RIMS
11
Common areas of convergence
ISO 31000:2009
IIA International Professional Practice Framework
COSO ERM framework
Open Compliance and Ethics Group’s Red Book
RIMS and IIA 2012 joint report
eThekwini Municipality - EXCO ERM
12
Managing risk makes sense……….
13
Risks that are generally not perceived as well managed How well is risk being managed?
PwC 2012 State of the IA Profession Study June 2012
14
Stakeholders value internal audit’s contribution… and want more Which risks are receiving too little attention from internal audit? PwC State of the IA Profession Study June 2012
15
Let's reflect… Can IA provide assurance…
16
The fact of the matter is………
Are risks adequately covered in the risk profile?
Is risk information simplified or excessively cluttered?
Is risk information credible?
Expertise of the CRO
Stakeholder consensus on risks raised by management?
CAE robust dialogue with CRO around ERM?
AG participation in dialogue?
Is ERM effective?
Is IA specific skill available?
Does IA have enough budget?
17
Results of Ineffective Risk Management
Poor identification of risks
Breakdown in internal control that could prevent the organization from achieving its objective
Reactive responses to potential risks, rather than proactive
Changing/new risks are not adequately identified, controlled and managed
Inability to leverage on internal audit expertise, e.g. root cause analysis, impact assessment, etc.
Inability to leverage on ERM expertise
18
Expectations from CAE
Timely recommendations
Risk impact insight
Quality of recommendations to improve business performance
19
Critical area of convergence for CAE/CRO
Root cause and impact assessments - IA
Controls design and implementation consulting - ERM
Action planning and real time assurance on implementation according to plan - IA/ERM
Combined assurance
Effective and efficient communication
20
An effective combined assurance framework
To ensure success, the organisation requires:
A common risk language
Enabling technology
Clearly defined roles of all assurance providers
Approved combined assurance policy to ensure commitment to cooperate
A communication plan – encompassing ongoing communication
Involvement from senior leadership – “tone at the top”
Continued coordination, reporting and communication
Provision of necessary and appropriate training
21
Risk Register
# | Original Risk name | Common Risk name | Background to risk | Consequence of the risk | Impact | Likelihood | Inherent risk exposure | Current controls | Perceived Control Effectiveness Description | Perceived Control Effectiveness % | Residual risk exposure | Risk Owner | Actions to improve management of the risk | Action owner | Due date
1 |
2 |
3 |
22
Acknowledgements
King III
PwC State of Internal Audit Study
eThekwini Municipality ERM framework
RIMS and IIA 2012 Joint Report
23
“Siyabonga kakhulu” (Thank you very much)