
CONTROL, GOVERNANCE,
and RISK MANAGEMENT

• Control, governance, and risk management are interrelated concepts that are
fundamental to the field of internal auditing and the work of internal auditors.
• Internal auditors help an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluating and improving the effectiveness
of risk management, control, and governance processes.
INTERNAL CONTROL

• Control - is the employment of all the means devised in an enterprise to
promote, direct, restrain, govern, and check upon its various activities for
the purpose of seeing that enterprise objectives are met. (Institute of
Internal Auditors)
INTERNAL CONTROL
• Control - is any action taken by the management to
enhance the likelihood that established objectives and
goals will be achieved. (IA practice advisory 2100-1)
• Controls may be:
a. Preventive
b. Detective
c. Directive
INTERNAL CONTROL
• Control - is a process effected by an entity's board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with laws and regulations
(Committee of Sponsoring Organizations of the Treadway Commission (COSO))
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• is a voluntary organization dedicated to improving the quality of financial
reporting through business ethics, effective internal controls, and corporate
governance.
The COSO definition reflects
certain fundamental concepts:
1. INTERNAL CONTROL is a PROCESS
• It is a means to an end, not an end in itself. A system of control is the
integrated collection of control components and activities that an
organization uses to achieve its objectives and goals.
• Control Process:
a) Setting Standards
b) Measuring Performance
c) Evaluation and Correction
The COSO definition reflects
certain fundamental concepts:
2. INTERNAL CONTROL is EFFECTED by PEOPLE
• Control is not merely policy manuals and forms, but people at every level
of an organization.
• Board of Directors and Senior Management
• Organization's Managers
• Internal and external auditors
The COSO definition reflects
certain fundamental concepts:
3. Internal control can be expected to provide only REASONABLE ASSURANCE
• Because of the limitations of control, it provides reasonable, not absolute,
assurance to an entity's management and board.
• LIMITATIONS of CONTROL
a) Human judgment
b) Manual or automated controls can be circumvented by collusion.
c) Management may inappropriately override internal control.
d) Custom, culture, the corporate governance system, and an
effective control environment are not absolute deterrents to fraud.
e) Costs should not exceed the benefits of control.
The COSO definition reflects
certain fundamental concepts:
4. INTERNAL CONTROL is GEARED TO THE
ACHIEVEMENT OF OBJECTIVES IN ONE OR MORE
SEPARATE BUT OVERLAPPING CATEGORIES.
• the COSO framework sets forth three categories of
objectives, which allow organizations to focus on separate
aspects of internal control:
a) Operations Objectives
b) Reporting Objectives
c) Compliance Objectives
THE NATURE OF CONTROL
• control is the process of assuring that plans achieve the
desired objectives and goals.
• Two aspects:
1. Performance is measured against a standard.
2. Performance is regulated or corrected (if necessary) in
light of that measurement (thus, timeliness of feedback is
important)
PURPOSE OF CONTROL
• The purpose of this multifaceted system of control processes is to support
the people of the organization in managing risks and achieving the established
and communicated objectives of the enterprise. More specifically, those control
processes are expected to ensure, among other things, that the following
conditions exist:
1. Financial and operational information is reliable and possesses
integrity.
2. Operations are performed efficiently and achieve effective results.
3. Assets are safeguarded.
4. Actions and decisions of the organization are in compliance with
laws, regulations, and contracts.
COMPONENTS OF CONTROL
1. CONTROL ENVIRONMENT
• It reflects the attitude and actions of the board and management regarding
the significance of control within the organization.
• Elements of the control environment
a) Integrity and ethical values.
b) Commitment to competence.
c) Board of directors or audit committee participation.
d) Management's philosophy and operating style.
e) Organizational structure.
f) Assignment of authority and responsibility.
g) Human resource policies and practices.
COMPONENTS OF CONTROL
2. RISK ASSESSMENT
• Based on a set of complementary operational, financial reporting, and
compliance objectives linked across all levels of the organization.
• Key elements of the risk management process
a) Objective setting
b) Event identification
c) Risk assessment
d) Risk response
COMPONENTS OF CONTROL
3. CONTROL ACTIVITIES
• Control activities are the policies and procedures that help ensure that
management directives are executed and that actions are taken to address risks
affecting the achievement of objectives.
• Elements of control activities
• "Policy" establishing what should be done; and
• "Procedures" to effect the policy
COMPONENTS OF CONTROL
4. INFORMATION AND COMMUNICATION
• Relevant internal and external information should be identified, captured,
and communicated in a timely manner and in appropriate forms.
COMPONENTS OF CONTROL
5. MONITORING
• Monitoring is "a process that assesses the quality of the system's
performance over time".
TYPES OF CONTROL
• AS TO FUNCTION they are intended to perform:
1. PREVENTIVE
2. DETECTIVE/CORRECTIVE
3. DIRECTIVE
TYPES OF CONTROL
• AS TO NATURE:
1. Financial or accounting controls
2. Administrative controls
CHARACTERISTICS OF
EFFECTIVE CONTROL
1. Economical
2. Meaningful
3. Appropriate
4. Congruent
5. Timely
6. Simple
7. Operational
CORPORATE GOVERNANCE
• Governance is defined in different ways, such as
"governance" is the combination of processes and
structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization
performed to achieve objectives.
• "Governance" is also defined as the process conducted by
the board of directors to authorize, direct, and oversee
management toward the achievement of the organization's
objectives.
Key points regarding Governance should be noted:
1. Governance begins with the board of directors and its committees.
2. The board must understand and focus on the needs of key
stakeholders.
• Types of stakeholders:
• Direct stakeholders
• Indirect stakeholders
• Influencing stakeholders
3. Day-to-day governance is executed by management of the
organization
4. Internal and external auditors provide management and the
board with assurances regarding the effectiveness of
governance activities.
ROLE OF INTERNAL AUDIT
ACTIVITY
• Promoting appropriate ethics and values within the
organization
• Ensuring effective organizational performance management
and accountability
• Communicating risk and control information to appropriate
areas of the organization
• Coordinating the activities of and communicating
information among the board, external and internal auditors,
and management
DETAILED RESPONSIBILITIES OF THE AUDIT COMMITTEE
1. Ensuring that financial statements are understandable, transparent, and
reliable.
2. Ensuring the risk management process is comprehensive and ongoing, rather
than partial and periodic.
3. Helping achieve an organization-wide commitment to strong and effective
internal controls, emanating from the tone at the top.
4. Reviewing corporate policies relating to compliance with laws and
regulations, ethics, conflicts of interest, and the investigation of
misconduct and fraud.
5. Reviewing current and pending corporate-governance-related litigation or
regulatory proceedings to which the organization is a party.
6. Continually communicating with senior management regarding status,
progress, and new developments, as well as problematic areas.
7. Ensuring the internal auditors' access to the audit committee, and
encouraging communication beyond scheduled committee meetings.
8. Reviewing internal audit plans, reports, and significant findings.
9. Establishing a direct reporting relationship with the external auditors.
ENTERPRISE RISK
MANAGEMENT (ERM)
• ERM helps align the risk appetite of the organization with
its strategy, enhances risk response decisions, reduces
operational surprises and losses, identifies and manages
cross-enterprise risks, provides integrated responses to
multiple risks, helps the organization seize opportunities,
and improves the deployment of capital.
Key points that must be understood for a better understanding and
appreciation of ERM:
1. Risk begins with strategy formulation and objective setting.
2. Risk does not represent a single point estimate.
3. Risk may relate to preventing bad things from happening or to failing to
ensure that good things happen.
4. Risk is inherent in all aspects of life.
ENTERPRISE RISK
MANAGEMENT (ERM)
• is a process to identify, assess, manage, and control
potential events or situations to provide reasonable
assurance regarding the achievement of the organization's
objectives. (IIA)
• is a process, effected by an entity's board of directors,
management, and other personnel, applied in strategy
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk
to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.
(COSO)
CHARACTERISTICS OF
EFFECTIVE ERM
• 1. An ongoing entity-wide process to identify, evaluate, analyze,
respond to, monitor, and communicate on risks.
• 2. Is effected by people at all levels
• 3. Occurs in strategy setting
• 4. Applies to every unit.
• 5. Provides reasonable, but not absolute, assurance due to the following
limitations:
• judgment
• breakdowns
• management override
• cost over benefit
• 6. Enables continuous improvement in decision-making
• 7. Helps achieve objectives
ASSURANCE ACTIVITIES
• The internal audit activity may perform the following "CORE INTERNAL AUDIT
ROLES":
1. Giving assurance on the risk management processes
2. Giving assurance that risks are correctly evaluated
3. Evaluating risk management processes
4. Evaluating the reporting of key risks
5. Reviewing the management of key risks
CONSULTING ACTIVITIES
• The internal audit activity may perform the following "LEGITIMATE INTERNAL
AUDIT ROLES":
1. Facilitating identification and evaluation of risks
2. Coaching management in responding to risks
3. Coordinating ERM activities
4. Consolidated reporting on risks
5. Maintaining and developing the ERM framework
6. Championing establishment of ERM
7. Developing ERM strategy for board approval
ROLES INTERNAL AUDITING
SHOULD NOT UNDERTAKE
• 1. Setting the risk appetite
• 2. Imposing risk management processes
• 3. Taking decisions on risk responses
• 4. Implementing risk responses on management's behalf
• 5. Accountability for risk management
BENEFITS OF ERM
• Greater likelihood of achieving company objectives
• Consolidated reporting of different risks at board level
• Improved understanding of risks and their implications
• Greater management focus on the issues that really matter
• Fewer surprises or crises
• More focus internally on doing the right thing in the right way
• Increased likelihood of change initiatives being achieved
• Capability to take on greater risk for greater reward
• More informed risk-taking and decision making
ACTIVITIES INCLUDED IN THE ERM
• Articulating and communicating the objectives of the organization
• Determining the risk appetite of the organization
• Establishing an appropriate internal environment, including a risk
management framework
• Identifying potential threats to the achievement of objectives
• Assessing risks and the likelihood of the threat occurring
• Selecting and implementing responses to risks
• Undertaking control and other response activities
• Communicating information on risks in a consistent manner at all levels
in the organization
• Centrally monitoring and coordinating the risk management processes
and the outcomes
• Providing assurance on the effectiveness with which risks are managed
COMPONENTS OF ERM

• 1. Internal Environment
• 2. Objective Setting
• 3. Event identification
• 4. Risk assessment
• 5. Risk response
• 6. Control Activities
• 7. Information and Communication
LIMITATIONS OF ERM
• A) Risk relates to the future which is uncertain.
• B) ERM provides information about risks of achieving
objectives but it cannot provide even reasonable assurance that
objectives will be achieved; and
• C) ERM cannot provide absolute assurance with respect to any
of the objective categories. Specific limitations include the
following:
• The effectiveness of ERM is subject to the limitations of the
ability of humans to make judgments about risk and impact.
• Well-designed ERM can break down.
• Collusion among two or more individuals can result in ERM
failures.
• ERM systems can never be perfect due to cost-benefit
constraints.
• ERM is subject to management override.