IIA CAG Training Session

RISK IDENTIFICATION & ASSESSMENT

By CA Huzeifa I. Unwala,

Founder, Verita Management Advisors Pvt. Ltd

27 September 2012
SECTION I

EVOLUTION OF RISK & CONTROLS

Gradual Evolution of Risk & Controls
Compliance Transactional
1st Generation 2nd Generation
Controls Control Framework
• Emphasis on existing • Emphasis on
processes, procedures financial/compliance
and control activities. risks.
• Audit for compliance • Determine controls that
should be in place.
• Audit for design,
operational effectiveness
and compliance.
Tactical Strategic
4th Generation
3rd Generation
Enterprise Wide
Business Risks
Risk Management
• Emphasis on thorough • Emphasis on thorough
understanding of the understanding of the
business and the various business and its risks.
business risks.
• Determine the Risk
• Determine controls that Mgmt. Process (RMP)
should be in place. that should be in place
to manage key risks.
• Audit for design,
operational effectiveness • Audit each RMP for
and compliance. design, operational
effectiveness and
compliance.
Internal Audit Standards – Glimpse of history
IIA Standards
► On Nov. 17, 1941, The IIA's Certificate of
Incorporation was filed that officially established
The Institute of Internal Auditors
► In 1978, The IIA formally approved the Standards
for the Professional Practice of Internal Auditing
(Standards), which had the following purposes:
o Assist in communicating the role, scope,
performance, and objectives of IA.
o Unify internal auditing throughout the world.
o Encourage improved internal auditing.
o Establish basis for consistent measurement of
internal auditing operations.
o Provide a vehicle by which internal auditing can be
fully recognized as a profession.”
►IIA standards are broadly categorize under two
heads:
o Attribute standards
o Performance standards
►Last revision of IIA standards was done in October
2010, effective from January 2011.
ICAI Standards
► The Council of the Institute of Chartered Accountants of
India at its 240th meeting held on February 5, 2004
constituted a non-standing committee called
“COMMITTEE ON INTERNAL AUDIT”.
► The Council at its 282nd meeting held on November 5-7,
2008, has renamed the Committee on Internal Audit as
“INTERNAL AUDIT STANDARDS BOARD (IASB)”.
► The main function of the Internal Audit Standards Board
(hereinafter “Internal Audit Standards Board” has been
referred to as “Board”) is to review the existing internal
audit practices in India and to develop Standards on
Internal Audit (SIAs).
► The first standard was issued in the year 2006 and as of
2011 there are 17 standards issued by the board.
Risk Assessment – major use and applicability

1 COSO – ERM Framework

2 COBIT– IT Governance Framework

3 ISO Standards

4 COSO – integrated monitoring framework

5 Management and measurement technique for quantification of risk

6 Assurance, regulatory and audit bodies

7 Extensive use by auditors to intelligently cover the audit universe as 100% reperformance of
business process is not possible. A “WHAT CAN GO WRONG ANALYSIS” prior to field work will
provide focus and judgement to the auditor on where to deploy his resources.
“Risk is a part of God's game, alike for men and nations.”

- Warren Buffet
Over Simplified version of Risk Management

“Ability to anticipate is the key element in risk management”

“It has two dimensions – potential damage and opportunity”

Need for Business Risk Management

• Economic uncertainty & price volatility

• Monitoring and performance management

• Lack of appreciation of common business issues

• Integrated Planning

• Effective Internal Audit

• Low tolerance for surprises

• Need to increase transparency

• Need to respond on a real time basis

• Need to empower employees to take informed decisions

• Create an environment for Value creation

Results of an opinion poll on practical benefits of ERM
Enterprise Risk Management

The Committee of Sponsoring Organizations, known as COSO, defines enterprise risk management (ERM) as:

“…A process, effected by an entity’s board of directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.”

India :: Clause 49 of listing agreement:

MANDATORY
Annexure I (IV) (C)
The company shall lay down procedures to inform board members
about the risk assessment and minimization procedures. These
procedures shall be periodically reviewed to ensure the executive
management controls risks through means of a properly defined
framework
NON MANDATORY
Annexure ID (5)
A company may train its board members in the business model of the
company as well as the risk profile of the business parameters of the
company, their responsibilities as directors, and the best ways to
discharge them

Annexure I (IV) (F)

Management discussion and analysis report should include discussion
on the risk and concerns within the limits set by the company’s
competitive position
Corporate Governance – Sox & Clause 49
GOOD BOARD PRACTICES
 Clearly defined roles and authorities
 Duties and responsibilities of directors understood
 Board is well structured
 Appropriate composition and mix of skills
 Appropriate board procedures
 Director remuneration in-line with best practice
 Board self-evaluation and training conducted
BOARD COMMITMENT
 The board discusses corporate governance issues and has created
corporate governance committee
 The company has a corporate governance champion
 A corporate governance improvement plan has been created
 Appropriate resources are committed
 Policies and procedures have been formalized and distributed to
relevant staff
 A corporate governance code has been developed
 The company is publicly recognized as a corporate governance
leader
CONTROL ENVIRONMENT
 Independent audit committee established
 Risk-management framework present
 Internal control procedures
 Internal audit function
 Independent external auditor conducts audits
 Management information systems established
 Compliance function established
TRANSPARENT DISCLOSURE
 Financial information disclosed
 Non-financial information disclosed
 Financials prepared according to IFRS
 High-quality annual report published
 Web-based disclosure
WELL DEFINED SHAREOWNER RIGHTS
 Minority shareowner rights are formalized
 Well-organized general assembly conducted
 Policy on related-party transactions
 Policy on extraordinary transactions
 Clearly defined and explicit dividend policy
Internal Controls & Risk Management are they interconnected?

• Risk is the possibility of an event occurring and adversely affecting the achievement of objectives

• Control activity is the action established through policies and procedures that help ensure that
management’s directives to mitigate risks to the achievement of objectives are carried out

• Controls are designed to manage risks effectively

• Process and control breakdowns increase the vulnerability of the entity

• The Board’s ability to paint a picture and connect the dots from the risk and control exercises determines the
success or failure of the business
COSO : The 5 Components of IC

1 Control Environment

2 Risk Assessment

3 Control Activities

4 Information and Communication

5 Monitoring Activities
SECTION II

IIA STANDARDS
 Year 2009,
ICAI – Standards on Internal Audit Economic crisis has led to an
increased attention on improved
risk management for regulators,
rating agencies, and boards. This
presents an opportunity and a
ICAI - SIAs challenge for Internal Auditors. Year
Standard on Internal Audit (SIA) 1-Planning an Internal Audit 2006
Standard on Internal Audit (SIA) 2- Basic Principles Governing Internal Audit 2007
Standard on Internal Audit (SIA) 3- Documentation 2007
Standard on Internal Audit (SIA) 4 - Reporting 2008
Standard on Internal Audit (SIA) 5 - Sampling 2008
Standard on Internal Audit (SIA) 6 - Analytical Procedures 2008
Standard on Internal Audit (SIA) 7 - Quality Assurance in Internal Audit 2008
Standard on Internal Audit (SIA) 8 – Terms of Internal Audit engagement 2008
Standard on Internal Audit (SIA) 9- Communication with Management 2009
Standard on Internal Audit (SIA) 10 Internal Audit Evidence 2009
Standard on Internal Audit (SIA) 11 Consideration of Fraud in an Internal Audit 2009
Standard on Internal Audit (SIA) 12, Internal Control Evaluation 2009
Standard on Internal Audit (SIA) 13, Enterprise Risk Management 2009
Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment 2009
Standard on Internal Audit (SIA) 15, Knowledge of the entity and its Environment 2009
Standard on Internal Audit (SIA) 16, Using the work of an expert 2009
Standard on Internal Audit (SIA) 17, Consideration of Laws and Regulations in an Internal Audit 2010
Benchmarking of IIA standards vs. ICAI SIA

IIA Standards SIA - ICAI

Attribute Standards

1000 Purpose, authority & responsibility

1010 Code of Ethics and Internal Audit Charter SIA 2 Basic principles governing internal audit

1100 Independence and Objectivity SIA 2 Basic principles governing internal audit
1110 Organisational independence Not covered
1111 Direct Interaction with Board Not covered
1120 Individual Objectivity SIA 2 Basic principles governing internal audit
1130 Impairment to Independence or Objectivity SIA 2 Basic principles governing internal audit

1200 Proficiency and Due professional care SIA 2 Basic principles governing internal audit
1210 Proficiency SIA 2 & 15 BASIC PRINCIPLES GOVERNING INTERNAL
AUDIT & knowledge of the entity and its
environment
1220 Due professional care SIA 2 & 15 BASIC PRINCIPLES GOVERNING INTERNAL
AUDIT & knowledge of the entity and its
environment
1230 Continuing Professional Development SIA 2 & 15 BASIC PRINCIPLES GOVERNING INTERNAL
AUDIT & knowledge of the entity and its
environment
Benchmarking of IIA standards vs. ICAI SIA

IIA Standards SIA - ICAI

Attribute Standards

1300 Quality Assurance and Improvement Program SIA 7 Quality Assurance in Internal Audit

1310 Requirements of the Quality Assurance and SIA 7 Quality Assurance in Internal Audit
Improvement Program
1311 Internal assessments SIA 7 Quality Assurance in Internal Audit

1312 External assessments SIA 7 Quality Assurance in Internal Audit

1320 Reporting on the Quality Assurance and SIA 7 Quality Assurance in Internal Audit
Improvement Program
1321 Use of “Conforms with the International SIA 7 Quality Assurance in Internal Audit
Standards for the Professional Practice of
Internal Auditing”

1322 Disclosure of Non-conformance SIA 7 Quality Assurance in Internal Audit

Benchmarking of IIA standards vs. ICAI SIA

IIA Standards SIA - ICAI

Performance Standards

2000 Managing the Internal Audit Activity

2010 Planning SIA 1 Planning an Internal Audit
2020 Communication and Approval SIA 9 Communication with Management
2030 Resource Management Not covered
2040 Policies and Procedures Not covered
2050 Coordination Not covered
2060 The chief audit executive should share information SIA 4 Reporting
and coordinate activities with other internal and
external providers of assurance and consulting
services to ensure proper coverage and minimize
duplication of efforts.

2070 External Service Provider and Organizational Not covered

Responsibility for Internal Auditing

2100 Nature of work SIA 12 & 13 Internal Control Evaluation & Enterprise Risk
Management
2110 Governance SIA 12 & 13 Internal Control Evaluation & Enterprise Risk
Management
2120 Risk Management SIA 13 Enterprise Risk Management
2130 Control SIA 12 Internal Control Evaluation
Benchmarking of IIA standards vs. ICAI SIA

IIA Standards SIA - ICAI

Performance Standards

2200 Engagement Planning SIA 8 Terms of Internal Audit Engagement

2201 Planning Considerations SIA 8 Terms of Internal Audit Engagement

2210 Engagement Objectives SIA 8 Terms of Internal Audit Engagement

2220 Engagement Scope SIA 8 Terms of Internal Audit Engagement

2230 Engagement Resource Allocation Not covered

2240 Engagement Work Program SIA 1 & 2 Planning & Basic Principles

2300 Performing the Engagement SIA 3, 5 & 6 Documentation , Sampling & Analytical
Procedures
2310 Identifying information Not covered

2320 Analysis and evaluation SIA 6 Analytical Procedures

2330 Documenting information SIA 3 Documentation

2340 Engagement Supervision SIA 7 Quality Assurance in Internal Audit
Benchmarking of IIA standards vs. ICAI SIA

IIA Standards SIA - ICAI

Performance Standards

2400 Communication Results Not covered

2410 Criteria for communicating SIA 4 Reporting

2420 Quality of communications SIA 9 Communication with Management

2421 Error of omissions SIA 9 Communication with Management

2430 Use of "Conducted in Conformance with the Not covered

International Standards fro the Professional
Practice of Internal Auditing
2431 Engagement Disclosure of non-conformance SIA 4 Reporting

2440 Disseminating Results SIA 4 Reporting

2450 Overall opinion SIA 4 Reporting

2500 Monitoring Process SIA 4 Reporting

2600 Resolution of Senior Management Acceptance of Not covered

Risk
2070 External Service Provider and Organizational Not covered
Responsibility for Internal Auditing
SECTION III

RISK ASSESSMENT
Understanding Internal Control

A process consisting of on-going tasks and activities. Policies

and procedures exist to effect control.
INTERNAL CONTROL IS DEFINED
Effected by people.
Is a process, effected by an entity’s board of
directors, management, and other personnel, Able to provide reasonable assurance, not absolute assurance.
designed to provide reasonable assurance
regarding the achievement of objectives in the
Geared to the achievement of objectives in a one or more
following categories:
separate but overlapping categories. The categories are:

• Effectiveness and efficiency of operations - Effectiveness and efficiency of Operations Reliability of

• Reliability of reporting Reporting (internal, external and non-financial)
• Compliance with applicable laws and - Adherence to laws and regulations
regulations

Adaptable to the entity structure. IC can be applied as per

management’s decision in the context of legal requirement,
operating model, entity structure or combination of these.
Key Objectives of Internal Control – in a general business environment

Operations Objectives Reporting Objectives Compliance Objectives

 Avoiding wastage  Corporate Laws and Corporate
Filings
 Avoiding rework
 Pre-requisite for accessing capital
 Reducing cost markets
 Adherence to all applicable legal
and regulatory framework
 Adherence to code of conduct /
ethics

 Reducing production time  Tax Laws and Tax filings

 Improving customer satisfaction  Dealing with large suppliers and

customers
 Improving employee satisfaction
 Private equity / Resource raising
 Improving innovation

 Accurate & timely financial closure

Overlap is possible and sometimes frequent

Source: COSO
Key Objectives of Internal Control – in a Government environment

Public Interest

Compliance with law

Accountability

Performance

Budget Vs Actuals

Safeguarding of Assets

Overlap is possible and sometimes frequent

Source: COSO
Components of Internal Control / System of IC

Control Environment (Principles) Risk Assessment (Principles) Control Activities (Principles)

 Organization demonstrates a commitment
to integrity and ethical values
 Board demonstrates independence
 Management establishes oversight,
reporting lines and authority structure
 Organization demonstrates a commitment
to attract, develop and retain competent
individuals
 Individual accountability for IC
responsibilities
 Risk specific objectives
 Risk identification and analysis
 Consider the potential for fraud
 Identify and assess changes that could
significantly impact the system of internal
control
Information and Communication (P)
 Information generation and use
 Organization selects and develops
control activities that contribute to the
mitigation of risks
 Organization selects and develops
general control activities over
technology that contribute to the
mitigation of risks
 Organization deploys control activities
as manifested in policies that establish
what is expected and in relevant
procedures to effect the policies

 Internal communications

 External communications

Monitoring Activities (Principles)

 Organization selects, develops and performs on going and/or separate

evaluations to ascertain whether the components of IC exists and
function
 Communicates IC deficiencies
Source: COSO
Risk Assessment as a Component of Internal Control
Risk Assessment (Principles) 1. Circumstances requiring special attention:
1. Changes in external environment
 Risk specific objectives 2. Changes in physical environment (disasters)
3. Significant acquisitions / divestitures
 Risk identification and analysis 4. Foreign operations
5. Rapid growth
6. New technology
 Consider the potential for fraud
7. Significant changes in personnel
 Identify and assess changes that
could significantly impact the system of
internal control
1. Integration with Risk Assessment

Control Activities (Principles) 2. Each entity is unique

3. Business Process Controls / Transaction Controls: Completeness,

 Organization selects and develops Accuracy & Validity
control activities that contribute to the
mitigation of risks 4. Control Activities:
1. Verifications
 Organization selects and develops 2. Reconciliations
general control activities over 3. Direct Observation
technology that contribute to the 4. Authorisations
mitigation of risks 5. Physical controls
6. Controls over standing data
7. Supervisory controls
 Organization deploys control activities
8. Automated controls
as manifested in policies that
9. Segregation of duties
establish what is expected and in 10. Choice of alternative controls
relevant procedures to effect the 11. Technology controls (General, Infra, & Security)
policies 12. Policies & procedures
Source: COSO 13. Reassess policies
 Risk Assessment in IA

What is Risk Assessment?

Risk assessment is the determination of quantitative or qualitative value of risk related to a situation and a
recognized threat

Risk assessment measurement is a process used to identify and evaluate risks and their potential effect

Risk assessment is the process where you:

• Identify risk.
• Analyze or evaluate the risk.
• Determine appropriate ways to eliminate or control the risk.

Why is Risk Assessment important?

The auditor should perform risk assessment procedures to obtain an understanding of the entity and its
environment, including its internal control

They help to:

• Create awareness of risks.
• Identify who may be at risk
• Determine if existing control measures are adequate or if more should be done.
• Prioritize risk and control measures.
Risk Assessment in IA

Business Risk and

Understanding Risk Recommend
Process Scope Control
the Organization Assessment and Report
and Plan evaluations

• Understanding of: • Risk • Identification of • Detailed process • Develop

• Business Identification business units understand recommendations
Objectives • Risk and processes (interviews and to bridge the gaps
• Organization Assessment and to be covered walkthroughs) • Summarization of
structure detailed profiling under process • Process issues to be
• Business of each identified review scope validation presented to the
segments risks • Identify management
• Prioritization of processes risks • Rate the findings
• Value chain
for various as per the scale
• Reporting and risks and
activities agreed with the
monitoring mapping on the
• Identify existing Management
framework risk heat map
controls • Process owner
• Evaluate design buy-in
effectiveness • Executive
• Test operating Summary and
effectiveness final report –
• Identify gaps discussion with
• Comparison with the Management
leading practices and Audit
Deliverables Committee
• Prioritized risk
listing Deliverables
• Risk heat map • Risk Based
Internal Audit
Report
Enterprise Risk Management

Source: COSO
Risk Events/ Identification Triggers

Infrastructure Natural Environment Process

• Availability of assets • Biodiversity • Capacity
• Capability of assets • Emissions, effluents and waste • Design
• Access to capital • Energy • Execution
• Complexity • Fire • Suppliers/ dependencies
• Mergers/ acquisitions • Natural disaster
(earthquake, flood, etc.) Technological
Personnel • Sustainable development • Electronic commerce
• Employee capability • Transport • External data
• Fraudulent activity • Water • Emerging technology
• Health and safety
• Judgment
• Malfeasance
• Security practices
• Sales practices

Source: COSO
Risk Events/ Identification Triggers

Technology Economic Business

• Data Acquisition • Capital availability • Brand/ trademark
• Data Maintenance • Credit Issuance • Competition
• Data Distribution •Default • Consumer behavior
• Data Confidentiality •Concentration • Counterparty
• Data Integrity • Liquidity • Fraud
• Data and system availability Capacity •Market • Industry standards
• System Selection Development •Funding • Ownership structure
• Deployment •Cash flow • Publicity
• Reliability •Commodity prices • Product relevance
•Interest rate
•Unemployment Social
Political
•Indices • Demographics
• Governmental changes
•Exchange rate • Corporate citizenship
• Legislation
•Equity valuation • Environmental stewardship
• Public policy
•Real estate values • Privacy
• Regulation

Source: COSO
Risk Management Framework

ERM POLICY Risk Information and

ERM Policy Charter ERM Steering Committee Risk Owners
FRAMEWORK Reporting System

RISK Strategic Risks Financial Risks

CLASSIFICATION
AND PORTFOLIO
Operational Risks Market Risks

Risk Identification and Risk Portfolio and Risk Stress Testing

APPROACH Risk Mitigation Plan
Analysis Profiling Framework

On-going
Risk
Scenario Play
Benchmarking
History
Alignment with COSO Framework

ERM framework is aligned to the COSO framework and it views organization’s objectives at following levels

COSO COSO Risks

Control Activities - Example
Category Level Example RISK CATEGORY;

Wrong  Strategic – high level goals

Strategic – Product / - Productwise cost benefit analysis  Operations – effective and efficient utilization of
high level Entity Level Pricing - Competitive price and product survey resources
goals Differentiatio - Potential pricing benefits  Reporting- accuracy & completeness of
n Strategy reporting
 Compliances – with regulatory requirements
Operations – - Physical security controls
effective and - Application security controls
efficient Entity Level Fraud Risk - Policies & Processes are in place and DRILL-DOWN LEVEL;
utilization of Continuous monitoring of the operations
resources - Fraud indicators  Subsidiary level
 Business unit level
Reporting- Inadequate
- Year end book closure guideline and checklist  Division level
based on recognized good practices of Industry  Entity level
accuracy & financial
Entity Level - Compliance self certification
completeness book closure
- Responsibility matrix on year end book closure
of reporting process EIGHT INTERRELATED COMPONENTS;
process
 Internal environment
Subsidiary, Non - Compliance self certification consisting of
Compliances – Business compliance global business practices, business controls  Objective settings
with regulatory Unit, with and local applicable regulatory requirements  Event identification
requirements Division, regulatory - Responsibility matrix on applicable  Risk assessment
Entity Level requirements compliances  Risk response
 Control activities
 Information and communication
 monitoring
Risk Assessment (example)

Business Impact Analysis

Core Order of Applications Location Worst Case Financial Non-Financial

Process Importance Scenario Impact Impact
Regional XX • Core North Terrorist Strike
Operations application Central
• Non-core

Risk Assessment

Assets Threats Probability Risk Impact Importance Enlist

(Nature, 1 to 5) (1 to 3) (T *P) Control
Measures
Data Centre Inland Flooding, 5 1 5 1
ERM – avoid the common mistakes

• Your risk portfolio should be

comprehensive but concise

• Monitor your risk portfolio and

undertake root cause analysis
for sticky risks

• Update the risk portfolio as

business is dynamic
SECTION IV

PRACTICAL CASE STUDIES

Practical Case Studies on Internal Control
Please respond to the Risk Factors by writing down the Control Activities or
Points of Focus

Risk Scenario I :

Leakage of Classified Information

Practical Case Studies on Internal Control

Risk Scenario 2 :

Damage to Assets
Practical Case Studies on Internal Control

Risk Scenario 3 :

Financial loss/lower value realisation on Asset Disposal

Practical Case Studies on Internal Control

Risk Scenario 4 :

Labour union may call for strikes or work slow downs

Practical Case Studies on Internal Control
Please respond to the Management Objectives by writing down the risk factors
and control activities

Management Objective Scenario 1 :

Accept only materials that meet purchase order specifications

Practical Case Studies on Internal Control

Management Objective Scenario 2 :

Safeguard goods received

Practical Case Studies on Internal Control

Management Objective Scenario 3 :

Accurately forecast cash balances to avoid cash “shortfalls”

Practical Case Studies on Internal Control
Facts of the Case : A company is facing a recurring problem of petty frauds and employee conduct.
The Board believes that as a starting point to control the menace of employee conduct some directive
principles in the form of a Code of Business Conduct and Ethics has to be developed in the area of
Scrap disposal should be developed. You are requested to prepare a brief on the contents of the Code
of Conduct and Ethics as part of the Control Environment Framework.
Case Study: Risk Based Internal Audit

Background of The client entered enters the Indian arena with its international services, dynamic
Client leaders and its mission to be pioneers in the area of Real Estate Development.

The Property is situated at the southern corridor of one of the best II Tier City of India.
Laid on a fairly undulated topography spread across three major levels, the site offers
breathtaking views of the hills and the valley.

Risk Based internal audit. The area covered under audit were;
About Assignment
• Insurance processes
• Safety & Labour compliances
• Contractor selection processes
• Fixed Assets processes
• Cash & Bank Review
• Finance & Accounts
• Book closure process
• Sales & Marketing processes
• Project execution
Case Study: Risk Based Internal Audit

Summary of findings
Risk Category (No. of Observations)
Scope Areas Percentage
High Medium Low Total
Review of Insurance Process X - - X X
Safety Compliances X X - X X
Contractor Selection Process X - - X X

RA Bills and Payment to Contractors X - - X X

Fixed Assets Review X - - X X Area of Concern

Cash & Bank Review X X - X X
Labour Compliances X - - X X
Accounts & Systems X X X X X
Sales & Marketing (Implementation Effectiveness
X X - X X
Review)
Book Closure Review X X - X X
Project Execution X X - X X
Admin Expense and IT X X X X X
Total X X X X 100%
Percentage x% x% x%

Area of Concern
 Thank You

The views expressed in this material are personal in nature. Any reliance should be placed only post
consultation with the author.

27 September 2012