
IIA CAG Training Session

RISK IDENTIFICATION & ASSESSMENT

By CA Huzeifa I. Unwala,

Founder, Verita Management Advisors Pvt. Ltd

27 September 2012
SECTION I

EVOLUTION OF RISK & CONTROLS


Gradual Evolution of Risk & Controls

1st Generation – Controls (focus: Compliance)
• Emphasis on existing processes, procedures and control activities.
• Audit for compliance.

2nd Generation – Control Framework (focus: Transactional)
• Emphasis on financial/compliance risks.
• Determine controls that should be in place.
• Audit for design, operational effectiveness and compliance.

3rd Generation – Business Risks (focus: Tactical)
• Emphasis on thorough understanding of the business and the various business risks.
• Determine controls that should be in place.
• Audit for design, operational effectiveness and compliance.

4th Generation – Enterprise Wide Risk Management (focus: Strategic)
• Emphasis on thorough understanding of the business and its risks.
• Determine the Risk Mgmt. Process (RMP) that should be in place to manage key risks.
• Audit each RMP for design, operational effectiveness and compliance.
Internal Audit Standards – Glimpse of history

IIA Standards

► On Nov. 17, 1941, The IIA's Certificate of Incorporation was filed that officially established The Institute of Internal Auditors.
► In 1978, The IIA formally approved the Standards for the Professional Practice of Internal Auditing (Standards), which had the following purposes:
o Assist in communicating the role, scope, performance, and objectives of IA.
o Unify internal auditing throughout the world.
o Encourage improved internal auditing.
o Establish basis for consistent measurement of internal auditing operations.
o Provide a vehicle by which internal auditing can be fully recognized as a profession.
► IIA standards are broadly categorized under two heads:
o Attribute standards
o Performance standards
► Last revision of IIA standards was done in October 2010, effective from January 2011.

ICAI Standards

► The Council of the Institute of Chartered Accountants of India at its 240th meeting held on February 5, 2004 constituted a non-standing committee called “COMMITTEE ON INTERNAL AUDIT”.
► The Council at its 282nd meeting held on November 5-7, 2008, has renamed the Committee on Internal Audit as “INTERNAL AUDIT STANDARDS BOARD (IASB)”.
► The main function of the Internal Audit Standards Board (hereinafter “Internal Audit Standards Board” has been referred to as “Board”) is to review the existing internal audit practices in India and to develop Standards on Internal Audit (SIAs).
► The first standard was issued in the year 2006 and as of 2011 there are 17 standards issued by the board.
Risk Assessment – major use and applicability

1 COSO – ERM Framework

2 COBIT– IT Governance Framework

3 ISO Standards

4 COSO – integrated monitoring framework

5 Management and measurement technique for quantification of risk

6 Assurance, regulatory and audit bodies

7 Extensive use by auditors to intelligently cover the audit universe as 100% reperformance of
business process is not possible. A “WHAT CAN GO WRONG ANALYSIS” prior to field work will
provide focus and judgement to the auditor on where to deploy his resources.

“Risk is a part of God's game, alike for men and nations.”

- Warren Buffett
Oversimplified version of Risk Management

“Ability to anticipate is the key element in risk management”

“It has two dimensions – potential damage and opportunity”


Need for Business Risk Management

• Economic uncertainty & price volatility

• Monitoring and performance management

• Lack of appreciation of common business issues

• Integrated Planning

• Effective Internal Audit

• Low tolerance for surprises

• Need to increase transparency

• Need to respond on a real time basis

• Need to empower employees to take informed decisions

• Create an environment for Value creation


Results of an opinion poll on practical benefits of ERM
Enterprise Risk Management

The Committee of Sponsoring Organizations, known as COSO, defines enterprise risk management (ERM) as:

“…A process, effected by an entity’s board of directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.”

India :: Clause 49 of listing agreement:

MANDATORY

Annexure I (IV) (C): The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure the executive management controls risks through means of a properly defined framework.

Annexure I (IV) (F): Management discussion and analysis report should include discussion on the risk and concerns within the limits set by the company’s competitive position.

NON MANDATORY

Annexure ID (5): A company may train its board members in the business model of the company as well as the risk profile of the business parameters of the company, their responsibilities as directors, and the best ways to discharge them.
Corporate Governance – Sox & Clause 49

GOOD BOARD PRACTICES
• Clearly defined roles and authorities
• Duties and responsibilities of directors understood
• Board is well structured
• Appropriate composition and mix of skills
• Appropriate board procedures
• Director remuneration in-line with best practice
• Board self-evaluation and training conducted

CONTROL ENVIRONMENT
• Independent audit committee established
• Risk-management framework present
• Internal control procedures
• Internal audit function
• Independent external auditor conducts audits
• Management information systems established
• Compliance function established

TRANSPARENT DISCLOSURE
• Financial information disclosed
• Non-financial information disclosed
• Financials prepared according to IFRS
• High-quality annual report published
• Web-based disclosure

BOARD COMMITMENT
• The board discusses corporate governance issues and has created a corporate governance committee
• The company has a corporate governance champion
• A corporate governance improvement plan has been created
• Appropriate resources are committed
• Policies and procedures have been formalized and distributed to relevant staff
• A corporate governance code has been developed
• The company is publicly recognized as a corporate governance leader

WELL DEFINED SHAREOWNER RIGHTS
• Minority shareowner rights are formalized
• Well-organized general assembly conducted
• Policy on related-party transactions
• Policy on extraordinary transactions
• Clearly defined and explicit dividend policy
Internal Controls & Risk Management are they interconnected?

• Risk is the possibility of an event occurring and adversely affecting the achievement of objectives

• Control activity is the action established through policies and procedures that help ensure that
management’s directives to mitigate risks to the achievement of objectives are carried out

• Controls are designed to manage risks effectively

• Process and control breakdowns increase the vulnerability of the entity

• The Board’s ability to paint a picture and connect the dots from the risk and control exercises determines the
success or failure of the business
COSO : The 5 Components of IC

1 Control Environment

2 Risk Assessment

3 Control Activities

4 Information and Communication

5 Monitoring Activities
SECTION II

IIA STANDARDS
ICAI – Standards on Internal Audit

Year 2009: Economic crisis has led to an increased attention on improved risk management for regulators, rating agencies, and boards. This presents an opportunity and a challenge for Internal Auditors.

ICAI - SIAs (with year of issue)

Standard on Internal Audit (SIA) 1 – Planning an Internal Audit (2006)
Standard on Internal Audit (SIA) 2 – Basic Principles Governing Internal Audit (2007)
Standard on Internal Audit (SIA) 3 – Documentation (2007)
Standard on Internal Audit (SIA) 4 – Reporting (2008)
Standard on Internal Audit (SIA) 5 – Sampling (2008)
Standard on Internal Audit (SIA) 6 – Analytical Procedures (2008)
Standard on Internal Audit (SIA) 7 – Quality Assurance in Internal Audit (2008)
Standard on Internal Audit (SIA) 8 – Terms of Internal Audit Engagement (2008)
Standard on Internal Audit (SIA) 9 – Communication with Management (2009)
Standard on Internal Audit (SIA) 10 – Internal Audit Evidence (2009)
Standard on Internal Audit (SIA) 11 – Consideration of Fraud in an Internal Audit (2009)
Standard on Internal Audit (SIA) 12 – Internal Control Evaluation (2009)
Standard on Internal Audit (SIA) 13 – Enterprise Risk Management (2009)
Standard on Internal Audit (SIA) 14 – Internal Audit in an Information Technology Environment (2009)
Standard on Internal Audit (SIA) 15 – Knowledge of the Entity and its Environment (2009)
Standard on Internal Audit (SIA) 16 – Using the Work of an Expert (2009)
Standard on Internal Audit (SIA) 17 – Consideration of Laws and Regulations in an Internal Audit (2010)
Benchmarking of IIA standards vs. ICAI SIA

Each IIA Standard is listed with the corresponding SIA - ICAI, or "Not covered" where no SIA maps to it.

Attribute Standards

1000 Purpose, authority & responsibility
  1010 Code of Ethics and Internal Audit Charter: SIA 2 Basic principles governing internal audit
1100 Independence and Objectivity: SIA 2 Basic principles governing internal audit
  1110 Organisational independence: Not covered
  1111 Direct Interaction with Board: Not covered
  1120 Individual Objectivity: SIA 2 Basic principles governing internal audit
  1130 Impairment to Independence or Objectivity: SIA 2 Basic principles governing internal audit
1200 Proficiency and Due professional care: SIA 2 Basic principles governing internal audit
  1210 Proficiency: SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
  1220 Due professional care: SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
  1230 Continuing Professional Development: SIA 2 & 15 Basic principles governing internal audit & Knowledge of the entity and its environment
1300 Quality Assurance and Improvement Program: SIA 7 Quality Assurance in Internal Audit
  1310 Requirements of the Quality Assurance and Improvement Program: SIA 7 Quality Assurance in Internal Audit
  1311 Internal assessments: SIA 7 Quality Assurance in Internal Audit
  1312 External assessments: SIA 7 Quality Assurance in Internal Audit
  1320 Reporting on the Quality Assurance and Improvement Program: SIA 7 Quality Assurance in Internal Audit
  1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”: SIA 7 Quality Assurance in Internal Audit
  1322 Disclosure of Non-conformance: SIA 7 Quality Assurance in Internal Audit

Performance Standards

2000 Managing the Internal Audit Activity
  2010 Planning: SIA 1 Planning an Internal Audit
  2020 Communication and Approval: SIA 9 Communication with Management
  2030 Resource Management: Not covered
  2040 Policies and Procedures: Not covered
  2050 Coordination: Not covered
  2060 The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts: SIA 4 Reporting
  2070 External Service Provider and Organizational Responsibility for Internal Auditing: Not covered
2100 Nature of work: SIA 12 & 13 Internal Control Evaluation & Enterprise Risk Management
  2110 Governance: SIA 12 & 13 Internal Control Evaluation & Enterprise Risk Management
  2120 Risk Management: SIA 13 Enterprise Risk Management
  2130 Control: SIA 12 Internal Control Evaluation
2200 Engagement Planning: SIA 8 Terms of Internal Audit Engagement
  2201 Planning Considerations: SIA 8 Terms of Internal Audit Engagement
  2210 Engagement Objectives: SIA 8 Terms of Internal Audit Engagement
  2220 Engagement Scope: SIA 8 Terms of Internal Audit Engagement
  2230 Engagement Resource Allocation: Not covered
  2240 Engagement Work Program: SIA 1 & 2 Planning & Basic Principles
2300 Performing the Engagement: SIA 3, 5 & 6 Documentation, Sampling & Analytical Procedures
  2310 Identifying information: Not covered
  2320 Analysis and evaluation: SIA 6 Analytical Procedures
  2330 Documenting information: SIA 3 Documentation
  2340 Engagement Supervision: SIA 7 Quality Assurance in Internal Audit
2400 Communicating Results: Not covered
  2410 Criteria for communicating: SIA 4 Reporting
  2420 Quality of communications: SIA 9 Communication with Management
  2421 Errors and omissions: SIA 9 Communication with Management
  2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing": Not covered
  2431 Engagement Disclosure of non-conformance: SIA 4 Reporting
  2440 Disseminating Results: SIA 4 Reporting
  2450 Overall opinion: SIA 4 Reporting
2500 Monitoring Process: SIA 4 Reporting
2600 Resolution of Senior Management Acceptance of Risk: Not covered
SECTION III

RISK ASSESSMENT
Understanding Internal Control

INTERNAL CONTROL IS DEFINED as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations

Internal control is:

- A process consisting of on-going tasks and activities. Policies and procedures exist to effect control.
- Effected by people.
- Able to provide reasonable assurance, not absolute assurance.
- Geared to the achievement of objectives in one or more separate but overlapping categories. The categories are: Effectiveness and efficiency of Operations; Reliability of Reporting (internal, external and non-financial); Adherence to laws and regulations.
- Adaptable to the entity structure. IC can be applied as per management’s decision in the context of legal requirement, operating model, entity structure or a combination of these.
Key Objectives of Internal Control – in a general business environment

Operations Objectives
• Avoiding wastage
• Avoiding rework
• Reducing cost
• Reducing production time
• Improving customer satisfaction
• Improving employee satisfaction
• Improving innovation

Reporting Objectives
• Corporate Laws and Corporate Filings
• Pre-requisite for accessing capital markets
• Tax Laws and Tax filings
• Dealing with large suppliers and customers
• Private equity / Resource raising
• Accurate & timely financial closure

Compliance Objectives
• Adherence to all applicable legal and regulatory framework
• Adherence to code of conduct / ethics

Overlap is possible and sometimes frequent

Source: COSO
Key Objectives of Internal Control – in a Government environment

Public Interest

Compliance with law

Accountability

Performance

Budget Vs Actuals

Safeguarding of Assets

Overlap is possible and sometimes frequent


Source: COSO
Components of Internal Control / System of IC

Control Environment (Principles)
• Organization demonstrates a commitment to integrity and ethical values
• Board demonstrates independence
• Management establishes oversight, reporting lines and authority structure
• Organization demonstrates a commitment to attract, develop and retain competent individuals
• Individual accountability for IC responsibilities

Risk Assessment (Principles)
• Risk specific objectives
• Risk identification and analysis
• Consider the potential for fraud
• Identify and assess changes that could significantly impact the system of internal control

Control Activities (Principles)
• Organization selects and develops control activities that contribute to the mitigation of risks
• Organization selects and develops general control activities over technology that contribute to the mitigation of risks
• Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies

Information and Communication (Principles)
• Information generation and use
• Internal communications
• External communications

Monitoring Activities (Principles)
• Organization selects, develops and performs on-going and/or separate evaluations to ascertain whether the components of IC exist and function
• Communicates IC deficiencies

Source: COSO
Risk Assessment as a Component of Internal Control

Risk Assessment (Principles)
• Risk specific objectives
• Risk identification and analysis
• Consider the potential for fraud
• Identify and assess changes that could significantly impact the system of internal control

Circumstances requiring special attention:
1. Changes in external environment
2. Changes in physical environment (disasters)
3. Significant acquisitions / divestitures
4. Foreign operations
5. Rapid growth
6. New technology
7. Significant changes in personnel

Control Activities (Principles)
• Organization selects and develops control activities that contribute to the mitigation of risks
• Organization selects and develops general control activities over technology that contribute to the mitigation of risks
• Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies

Points on control activities:
1. Integration with Risk Assessment
2. Each entity is unique
3. Business Process Controls / Transaction Controls: Completeness, Accuracy & Validity
4. Control Activities:
   1. Verifications
   2. Reconciliations
   3. Direct Observation
   4. Authorisations
   5. Physical controls
   6. Controls over standing data
   7. Supervisory controls
   8. Automated controls
   9. Segregation of duties
   10. Choice of alternative controls
   11. Technology controls (General, Infra, & Security)
   12. Policies & procedures
   13. Reassess policies

Source: COSO
Risk Assessment in IA

What is Risk Assessment?

Risk assessment is the determination of quantitative or qualitative value of risk related to a situation and a
recognized threat

Risk assessment measurement is a process used to identify and evaluate risks and their potential effect

Risk assessment is the process where you:


• Identify risk.
• Analyze or evaluate the risk.
• Determine appropriate ways to eliminate or control the risk.

Why is Risk Assessment important?

The auditor should perform risk assessment procedures to obtain an understanding of the entity and its
environment, including its internal control

They help to:


• Create awareness of risks.
• Identify who may be at risk
• Determine if existing control measures are adequate or if more should be done.
• Prioritize risk and control measures.
Risk Assessment in IA

1. Understanding the Organization
• Understanding of:
  • Business Objectives
  • Organization structure
  • Business segments
  • Value chain
  • Reporting and monitoring framework

2. Business Risk Assessment
• Risk Identification
• Risk Assessment and detailed profiling of each identified risk
• Prioritization of risks and mapping on the risk heat map
Deliverables:
• Prioritized risk listing
• Risk heat map

3. Process Scope and Plan
• Identification of business units and processes to be covered under process review scope for various activities

4. Risk Control Evaluations
• Detailed process understanding (interviews and walkthroughs)
• Process validation
• Identify process risks
• Identify existing controls
• Evaluate design effectiveness
• Test operating effectiveness
• Identify gaps
• Comparison with leading practices

5. Recommend and Report
• Develop recommendations to bridge the gaps
• Summarization of issues to be presented to the management
• Rate the findings as per the scale agreed with the Management
• Process owner buy-in
• Executive Summary and final report – discussion with the Management and Audit Committee
Deliverables:
• Risk Based Internal Audit Report
Enterprise Risk Management

Source: COSO
Risk Events/ Identification Triggers

Infrastructure
• Availability of assets
• Capability of assets
• Access to capital
• Complexity
• Mergers/ acquisitions

Natural Environment
• Biodiversity
• Emissions, effluents and waste
• Energy
• Fire
• Natural disaster (earthquake, flood, etc.)
• Sustainable development
• Transport
• Water

Process
• Capacity
• Design
• Execution
• Suppliers/ dependencies

Technological
• Electronic commerce
• External data
• Emerging technology

Personnel
• Employee capability
• Fraudulent activity
• Health and safety
• Judgment
• Malfeasance
• Security practices
• Sales practices

Source: COSO
Risk Events/ Identification Triggers

Technology
• Data Acquisition
• Data Maintenance
• Data Distribution
• Data Confidentiality
• Data Integrity
• Data and system availability
• Capacity
• System Selection
• Development
• Deployment
• Reliability

Economic
• Capital availability
• Credit Issuance
  • Default
  • Concentration
• Liquidity
  • Market
  • Funding
  • Cash flow
• Commodity prices
• Interest rate
• Unemployment
• Indices
• Exchange rate
• Equity valuation
• Real estate values

Business
• Brand/ trademark
• Competition
• Consumer behavior
• Counterparty
• Fraud
• Industry standards
• Ownership structure
• Publicity
• Product relevance

Political
• Governmental changes
• Legislation
• Public policy
• Regulation

Social
• Demographics
• Corporate citizenship
• Environmental stewardship
• Privacy

Source: COSO
Risk Management Framework

ERM POLICY FRAMEWORK
• ERM Policy Charter
• ERM Steering Committee
• Risk Owners
• Risk Information and Reporting System

RISK CLASSIFICATION AND PORTFOLIO
• Strategic Risks
• Financial Risks
• Operational Risks
• Market Risks

APPROACH
• Risk Identification and Analysis
• Risk Portfolio and Profiling
• Risk Stress Testing Framework: On-going Risk Scenario Play, Benchmarking, History
• Risk Mitigation Plan
Alignment with COSO Framework

ERM framework is aligned to the COSO framework and it views the organization’s objectives at the following levels:

RISK CATEGORY
• Strategic – high level goals
• Operations – effective and efficient utilization of resources
• Reporting – accuracy & completeness of reporting
• Compliances – with regulatory requirements

DRILL-DOWN LEVEL
• Subsidiary level
• Business unit level
• Division level
• Entity level

EIGHT INTERRELATED COMPONENTS
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

COSO Category / Level / Example Risk / Control Activities – Example

COSO Category: Strategic – high level goals
Level: Entity Level
Example Risk: Wrong Product / Pricing Differentiation Strategy
Control Activities – Example:
- Productwise cost benefit analysis
- Competitive price and product survey
- Potential pricing benefits

COSO Category: Operations – effective and efficient utilization of resources
Level: Entity Level
Example Risk: Fraud Risk
Control Activities – Example:
- Physical security controls
- Application security controls
- Policies & Processes are in place and continuous monitoring of the operations
- Fraud indicators

COSO Category: Reporting – accuracy & completeness of reporting
Level: Entity Level
Example Risk: Inadequate financial book closure process
Control Activities – Example:
- Year end book closure guideline and checklist based on recognized good practices of Industry
- Compliance self certification
- Responsibility matrix on year end book closure process

COSO Category: Compliances – with regulatory requirements
Level: Subsidiary, Business Unit, Division, Entity Level
Example Risk: Non compliance with regulatory requirements
Control Activities – Example:
- Compliance self certification consisting of global business practices, business controls and local applicable regulatory requirements
- Responsibility matrix on applicable compliances
Risk Assessment (example)

Business Impact Analysis

Columns: Core Process | Order of Importance | Applications | Location | Worst Case Scenario | Financial Impact | Non-Financial Impact

Example row: Regional Operations | XX | Core application; Non-core | North Central | Terrorist Strike | (blank in the template) | (blank in the template)

Risk Assessment

Columns: Assets | Threats (Nature, 1 to 5) | Probability (1 to 3) | Risk (T * P) | Impact | Importance | Enlist Control Measures

Example row: Data Centre | Inland Flooding, 5 | 1 | 5 | 1 | (blank in the template) | (blank in the template)
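A worked scoring routine for the Risk Assessment table above, added here as an example and not taken from the presentation: it computes Risk = T * P on the table's 1-to-5 threat and 1-to-3 probability scales, produces the prioritized risk listing and risk heat map named as deliverables of the Business Risk Assessment phase, and flags scored risks with nothing enlisted under Control Measures. The heat-map bands, the 1-to-3 impact scale and every register row except the Data Centre / Inland Flooding row are assumptions.

```python
"""Risk register scoring in the style of the Risk Assessment table above.

Risk = Threat rating (nature of threat, 1 to 5) x Probability (1 to 3),
giving a score from 1 to 15.  The heat-map bands, the impact scale and all
register entries except "Data Centre / Inland flooding" are constructed
assumptions for this example, not figures from the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

THREAT_SCALE = range(1, 6)       # 1 = negligible .. 5 = severe (page scale)
PROBABILITY_SCALE = range(1, 4)  # 1 = unlikely .. 3 = likely (page scale)
IMPACT_SCALE = range(1, 4)       # assumed: 1 = low .. 3 = high


@dataclass
class RiskEntry:
    asset: str
    threat: str
    threat_rating: int
    probability: int
    impact: int
    control_measures: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-scale values so a typo in the register cannot
        # silently inflate or hide a risk.
        if self.threat_rating not in THREAT_SCALE:
            raise ValueError(f"threat rating {self.threat_rating} outside 1..5")
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"probability {self.probability} outside 1..3")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact {self.impact} outside 1..3")

    def risk_score(self) -> int:
        """Risk = T * P, the table's 'Risk (T * P)' column."""
        return self.threat_rating * self.probability

    def label(self) -> str:
        return f"{self.asset}: {self.threat}"


def heat_map_band(score: int) -> str:
    """Assumed banding of the 1..15 score into heat-map colours."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritized_listing(register: List[RiskEntry]) -> List[Tuple[str, int, str]]:
    """Deliverable: prioritized risk listing, highest score first; ties are
    broken by impact so the costlier event is reviewed first."""
    ranked = sorted(register, key=lambda e: (e.risk_score(), e.impact), reverse=True)
    return [(e.label(), e.risk_score(), heat_map_band(e.risk_score())) for e in ranked]


def heat_map(register: List[RiskEntry]) -> Dict[Tuple[int, int], List[str]]:
    """Deliverable: risk heat map, one cell per (probability, threat rating)."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for e in register:
        cells.setdefault((e.probability, e.threat_rating), []).append(e.label())
    return cells


def control_gaps(register: List[RiskEntry]) -> List[str]:
    """Entries above the Low band whose 'Enlist Control Measures' column is
    empty: the gaps an audit plan should cover first."""
    return [e.label() for e in register
            if heat_map_band(e.risk_score()) != "Low" and not e.control_measures]


# Constructed sample register; only the first row's ratings come from the page.
SAMPLE_REGISTER = [
    RiskEntry("Data Centre", "Inland flooding", 5, 1, 1,
              ["Off-site backup of critical data"]),
    RiskEntry("Classified information", "Leakage to outsiders", 4, 3, 3),
    RiskEntry("ERP standing data", "Unauthorised change to vendor bank details", 4, 2, 3,
              ["Maker-checker authorisation", "Periodic change log review"]),
    RiskEntry("Warehouse stock", "Damage to assets by fire", 3, 2, 2,
              ["Fire detection and suppression"]),
]

if __name__ == "__main__":
    for label, score, band in prioritized_listing(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<6} {label}")
    print("Control gaps:", control_gaps(SAMPLE_REGISTER))
```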
ERM – avoid the common mistakes

• Your risk portfolio should be comprehensive but concise

• Monitor your risk portfolio and undertake root cause analysis for sticky risks

• Update the risk portfolio as business is dynamic
SECTION IV

PRACTICAL CASE STUDIES


Practical Case Studies on Internal Control
Please respond to the Risk Factors by writing down the Control Activities or
Points of Focus

Risk Scenario I :

Leakage of Classified Information


Practical Case Studies on Internal Control

Risk Scenario 2 :

Damage to Assets
Practical Case Studies on Internal Control

Risk Scenario 3 :

Financial loss/lower value realisation on Asset Disposal


Practical Case Studies on Internal Control

Risk Scenario 4 :

Labour union may call for strikes or work slow downs


Practical Case Studies on Internal Control
Please respond to the Management Objectives by writing down the risk factors
and control activities

Management Objective Scenario 1 :

Accept only materials that meet purchase order specifications


Practical Case Studies on Internal Control

Management Objective Scenario 2 :

Safeguard goods received


Practical Case Studies on Internal Control

Management Objective Scenario 3 :

Accurately forecast cash balances to avoid cash “shortfalls”


Practical Case Studies on Internal Control
Facts of the Case : A company is facing a recurring problem of petty frauds and employee conduct.
The Board believes that, as a starting point to control the menace of employee conduct, some directive
principles in the form of a Code of Business Conduct and Ethics should be developed in the area of
scrap disposal. You are requested to prepare a brief on the contents of the Code of Conduct and Ethics
as part of the Control Environment Framework.
Case Study: Risk Based Internal Audit

Background of Client: The client enters the Indian arena with its international services, dynamic
leaders and its mission to be pioneers in the area of Real Estate Development.

The Property is situated at the southern corridor of one of the best Tier II cities of India.
Laid on a fairly undulated topography spread across three major levels, the site offers
breathtaking views of the hills and the valley.

About Assignment: Risk Based internal audit. The areas covered under audit were:
• Insurance processes
• Safety & Labour compliances
• Contractor selection processes
• Fixed Assets processes
• Cash & Bank Review
• Finance & Accounts
• Book closure process
• Sales & Marketing processes
• Project execution
Case Study: Risk Based Internal Audit

Summary of findings (number of observations by risk category; counts are shown as X in the source)

Scope Area | High | Medium | Low | Total | Percentage
Review of Insurance Process | X | - | - | X | X
Safety Compliances | X | X | - | X | X
Contractor Selection Process | X | - | - | X | X
RA Bills and Payment to Contractors | X | - | - | X | X
Fixed Assets Review (Area of Concern) | X | - | - | X | X
Cash & Bank Review | X | X | - | X | X
Labour Compliances | X | - | - | X | X
Accounts & Systems | X | X | X | X | X
Sales & Marketing (Implementation Effectiveness Review) | X | X | - | X | X
Book Closure Review | X | X | - | X | X
Project Execution | X | X | - | X | X
Admin Expense and IT | X | X | X | X | X
Total | X | X | X | X | 100%
Percentage | x% | x% | x% | |
Thank You

The views expressed in this material are personal in nature. Any reliance should be placed only post
consultation with the author.

27 September 2012