Chapter 4: Risk Management

Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.
Chapter 4 Learning Objectives

Define risk and enterprise risk management.
Discuss the different dimensions of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise Risk Management - Integrated Framework.
Discuss the different dimensions of ISO 31000:2009(E): Risk management - Principles and guidelines.
Articulate the relationship between governance and enterprise risk management.
Describe the different roles the internal audit function can play in enterprise risk management.
Evaluate the impact of enterprise risk management on internal audit activities.
What is risk?

Risk – the possibility that an event will occur and adversely affect the achievement of an objective.
Because each organization has somewhat different strategies and objectives, each organization will also face different types of risks.
Risk does not represent the single most likely outcome but rather a range of possible outcomes.
In 2004, COSO published its ERM – Integrated Framework, commonly depicted as a cube (the "Rubik's Cube") relating objectives, components and organizational units.
Enterprise Risk Management (ERM)

A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
True or false?

ERM is a process, ongoing and flowing through an entity. (T/F)
ERM is effected by the BOD and CEO only. (T/F)
ERM is applied across the enterprise, at every level and unit, and includes an entity-level portfolio view of risk. (T/F)
ERM is able to provide absolute assurance to management and the BOD. (T/F)
Which of the following is NOT a potential value driver for implementing ERM?
a. Financial results will improve in the short run
b. There will be fewer surprises from year to year
c. There will be better information available to make risk decisions
d. An organization's risk appetite can be better aligned with strategic planning
e. Critical assets can be deployed more effectively
Components of ERM (RQ 5)

1. Internal environment – influenced by the risk management philosophy, risk appetite, the BOD, integrity and ethical values, commitment to competence, organizational structure, assignment of authority and responsibility, and human resource standards.
According to COSO ERM, all of the following are elements of an entity's internal environment EXCEPT for:
a. Setting organizational objectives
b. Establishing the risk appetite
c. Developing human resource standards
d. Assigning authority and responsibility
e. Having predominantly independent directors on the board
Components of ERM (RQ 5)

2. Objective setting – objectives are aligned with the entity's risk appetite, which drives risk tolerance levels for the entity. Recall that there are four types of objectives (RQ 4):
Strategic objectives: high-level goals that are aligned with and support the organization's mission.
Operations objectives: broad goals promoting the effective and efficient use of resources.
Reporting objectives: goals focusing on the reliability of reporting (both internal and external).
Compliance objectives: goals enforcing compliance with applicable laws and regulations.
Components of ERM (RQ 5)

3. Event identification – external factors include economic, natural environment, political, social and technological events; internal factors include infrastructure, personnel, process and technology.
Components of ERM (RQ 5)

4. Risk assessment – management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. Inherent risk is the "gross risk" before any management action, while residual risk is the "net risk" after appropriate controls have been put into place. Risk assessment should be applied first to inherent risks.
Components of ERM (RQ 5)

A generic business risk framework looks at four types of risk:
Strategic risks – risks that relate to doing the wrong things.
Operating risks – risks that relate to doing the right things the wrong way.
Financial risks – risks that relate to losing financial resources or incurring unacceptable liabilities.
Information risks – risks that relate to inaccurate or non-relevant information, unreliable systems, and inaccurate or misleading reports.
Components of ERM (RQ 5)

5. Risk response – terminate, treat, transfer, take (RQ 6). In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a risk response that brings residual risk within desired risk tolerances.
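The risk assessment and risk response steps above are usually worked through in a risk register. The following is an added example, not from the textbook or COSO: it rates each event on likelihood and impact, computes inherent (gross) risk before controls and residual (net) risk after controls, ranks the register by inherent risk first, and flags any event whose residual risk is still above the entity's risk tolerance so that management must still treat, transfer or terminate it rather than take it. The 1-5 rating scales, the effect assigned to each control, the sample IT events and the tolerance of 10 are all constructed assumptions for illustration.

```python
"""Risk register for the COSO ERM risk-assessment and risk-response steps.

Added example (not from the textbook): scores each event on likelihood and
impact, computes inherent ("gross") risk before controls and residual ("net")
risk after controls, then checks residual risk against a risk tolerance.
The 1-5 rating scales, the control effects and the sample events are all
constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordinal 1-5 scales (assumed); a risk score is likelihood * impact (max 25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control activity and the rating steps it removes (assumed effect)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    event: str
    objective: str          # the objective the event threatens
    likelihood: str         # key into LIKELIHOOD
    impact: str             # key into IMPACT
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Gross risk: before any management action."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Net risk: after the listed controls, floored at 1 on each axis."""
        like = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in self.controls:
            like -= c.likelihood_reduction
            imp -= c.impact_reduction
        return max(like, 1) * max(imp, 1)


def assess(register: list, tolerance: int) -> list:
    """Assess inherent risk first (ranked high to low), then residual risk.

    Returns one dict per risk. A residual score above `tolerance` means the
    current controls leave the risk outside the entity's risk tolerance and
    management must still treat, transfer or terminate; at or below tolerance
    the risk can be taken (accepted).
    """
    ranked = sorted(register, key=lambda r: r.inherent_score(), reverse=True)
    rows = []
    for r in ranked:
        inherent = r.inherent_score()
        residual = r.residual_score()
        within = residual <= tolerance
        rows.append({
            "event": r.event,
            "inherent": inherent,
            "residual": residual,
            "within_tolerance": within,
            "response": "take (accept)" if within else "treat / transfer / terminate",
        })
    return rows


# Constructed sample register for IT objectives (not real assessment data).
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts production data", "Operations: keep services available",
         "likely", "severe",
         controls=[Control("Endpoint detection and response", likelihood_reduction=1),
                   Control("Offline, tested backups", impact_reduction=2)]),
    Risk("Phishing steals staff credentials", "Reporting: protect reporting systems",
         "possible", "major",
         controls=[Control("Phishing-resistant MFA", likelihood_reduction=2)]),
    Risk("Misconfigured cloud storage exposes customer records",
         "Compliance: meet data-protection law", "likely", "major"),
]

RISK_TOLERANCE = 10  # assumed tolerance: residual scores above 10 need a response


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, RISK_TOLERANCE):
        flag = "OK " if row["within_tolerance"] else "!! "
        print(f"{flag}{row['event']}: inherent={row['inherent']} "
              f"residual={row['residual']} -> {row['response']}")
```

In this constructed register the ransomware event has the highest inherent score (20) but its two controls bring residual risk to 9, inside tolerance; the uncontrolled cloud misconfiguration keeps an inherent and residual score of 16 and is the one management still has to respond to. Ordinal likelihood-times-impact scores are a qualitative method; the slide notes that management normally combines them with quantitative estimates (for example expected loss) before settling on a response.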
Example

Dr. Heath has a 22-year-old stepson who has wrecked four cars in four years. She is dissatisfied with this situation and has come to you for advice. You recognize the risk that her stepson's driving entails. What four responses to this risk can you think of to help Dr. Heath with this situation? List one from each of the four categories of risk response: terminate (avoidance), treat (reduction), transfer (sharing) and take (acceptance).
Which of the following is NOT an example of a risk-sharing strategy?
a. Outsourcing a non-core, high-risk area
b. Selling a non-strategic business unit
c. Hedging against interest rate fluctuations
d. Buying an insurance policy to protect against adverse weather
Components of ERM (RQ 5)

6. Control activities – the policies and procedures that help ensure that management's risk responses are carried out; they include top-level reviews, direct functional or activity management, information processing, physical controls, performance indicators and segregation of duties.
Components of ERM (RQ 5)

7. Information and communication – pertinent information must be identified, captured, and communicated in a form and time frame that enables personnel to carry out their responsibilities. Examples: policy manuals, memoranda, emails, bulletin board notices.
Components of ERM (RQ 5)

8. Monitoring – assessing the presence and functioning of the ERM components over time. It is accomplished through ongoing monitoring, separate evaluations, or both.
Exhibit 4-2
Exhibit 4-3
Example

Mary is a junior in high school and lives 5 miles from school. She knows that if she attends every summer weights session, she will gain the respect of the coach. Summer weights are at 6:00 a.m. Mary's car is old and the gas gauge has become unreliable: she is never quite sure how much gas is in the tank once the gauge reads less than a quarter of a tank. She fills up the car often in order to avoid running out of gas. It is very important to Mary that she make the varsity volleyball team.
Example

What is Mary's objective?
What is Mary's strategy?
What is the risk that threatens the achievement of Mary's objective?
What control has Mary put in place to mitigate the risk?
Roles and Responsibilities in ERM

1. Board of directors – the BOD provides oversight by knowing the extent to which management has established effective ERM in the organization, being aware of and concurring with the entity's risk appetite, reviewing the entity's portfolio view of risk and considering it against the entity's risk appetite, and being apprised of the most significant risks and whether management is responding appropriately.
Roles and Responsibilities in ERM

2. Management – responsible for all activities of an entity, including ERM. The CEO has ultimate responsibility for ERM. One of the most important aspects of this responsibility is ensuring the presence of a positive internal environment. The CEO sets the tone at the top, influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite.
Roles and Responsibilities in ERM

3. Risk officer – has the resources to help effect ERM across the organization.
4. Financial executives – implement the controls.
5. Internal auditors – play a key role in evaluating the effectiveness of, and recommending improvements to, ERM.
Roles and Responsibilities in ERM

6. Other entity personnel – ERM is, to some degree, the responsibility of everyone in an entity.
7. External auditors – provide a unique, independent, and objective view that can contribute to an entity's achievement of its external financial reporting objectives, as well as other objectives.
8. Legislators and regulators – through requirements to establish risk management mechanisms or systems of internal control, or through examinations of particular entities.
Who is responsible for implementing ERM?
a. The chief financial officer
b. The chief internal auditor
c. The chief compliance officer
d. The external auditor
e. Management throughout the organization
Exhibit 4-4
Exhibit 4-1
Exhibit 4-5