62d9042b4a674776be12310457028cb8.ppt
- Number of slides: 30
Slide 1: Audit, Control and Risk Management
Budget Management and Financial Accountability
Steven E. Jameson, Lead Auditing Specialist, IAD
March 2, 2004
Slide 2: How Is The Audit Profession Changing?
- Independence is being re-emphasized
- Heavy emphasis on financial reporting
- Greater focus on technology
- Focus and scope expanding more into governance and risk
- Expanded expertise and facilitation skills
- Resource for assurance and consulting services
- Help the organization manage business risk
Slide 3: What Will Drive Change?
Factors identified by the Competency Framework of Internal Auditing (CFIA):
- Global and organizational change
- Technological innovation
- Competition for market share
- Legislative imperatives
- Shareholders demanding increased accountability
- Clients' changing expectations
- Strategic alliances
- Mergers and acquisitions
Slide 4: Major Areas for Legislation and Regulation Reform Measures
- Ethical climate
- Shareholder involvement
- Boards of directors
- Audit committees
- Corporate management
- Public accounting
- Corporate disclosures
Slide 5: Recommendations for Internal Auditors
- Focus on and evaluate the control system for effectiveness
- Ensure a good Enterprise Risk Management plan
- Ensure adequate controls to manage risk
- Internal auditors should include their own risk assessment
- Keep current on all the investigative committees, press reports, new legislation, etc.
Slide 6: Assurance
Internal auditing provides assurance about:
- Risk management
- Control
Provided to:
- Management
- Audit committee
- Other stakeholders
Slide 7: Framework for Effective Control
- Control your environment
- Control your risk
- Control your activities
- Control your information and communication
- Monitor and review your control
Slide 8: The Bank Uses the COSO Framework
[Diagram of the COSO internal control cube; its five components are Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring]
Slide 9: Who/what Can Assist? COSO
- A good control environment
- Properly assessed risks
- Effective controls (appropriate policies/procedures)
- Relevant/timely information
- Focused/timely monitoring/review
Slide 10: Benefits of Effective Control Structure
It will:
- Improve accountability and program delivery
- Promote ethical and professional business practices
- Advance risk management
- Enhance communications, decision making and performance reporting
- Contribute to quality outcomes
Slide 11: Some Signs of a Dysfunctional Control System
- Controls mostly "detective", not "preventive"
- Practice different from documented procedures
- Responsibility difficult to pinpoint
- Control not commensurate to risk
- Control can be circumvented ("back door")
- Mere "appearance" of control
Slide 12: Internal Control Reporting
- Any organization accepting investor money should have a comprehensive internal control system
- The system should be monitored for effectiveness
- There should be public reporting with emphasis on ethics, risk, and related controls
Slide 13: Enterprise Risk Management
- COSO ERM Project
- Linkage to COSO Internal Control
Slide 14: Perceptions in Today's Risk Environment
- Risk profiles are increasing
- Regulatory/public scrutiny
- Expanding services increases risks
- Business change increases risk complexity
- Risk management not keeping pace
- Need for the right kind of risk training
- Need for risk assessment methodologies/technology tools
- Stakeholders have different risk needs
- Inconsistent risk language used
- Gaps in risk coverage
Slide 15: COSO's Objectives
- Develop the COSO Enterprise Risk Management Framework
- Include conceptual framework and application guidance
- Identify interrelationships between risk and risk management, and with the COSO Internal Control – Integrated Framework
Slide 16: Project Oversight
- COSO Board: IIA, AICPA, FEI, IMA, AAA
- COSO Advisory Council: two reps from each member organization
- Project Coordinator: Moss Adams LLP
- PWC project team
Slide 17: Intended Users
- COSO member orgs
- Government
- Industry associations
- Management of middle market and large companies
- Not-for-profit
- Academia
- Lawyers
- Professional orgs
- Regulators and other rule-makers
- Risk management professionals and public accounting firms
Slide 18: Assessment Phase
- Literature search: 376 web sites; 200+ books, periodicals, other pubs
- COSO organization forums: four forums
- Stakeholder interviews
- Survey
Slide 19: Key Benefits From ERM
- Awareness of risk increased
- Cross-enterprise risk identified
- Coordination across business units for more effective mitigation
- Complete/consistent risk information
- Common risk language established
- Shareholder value protected/enhanced
Slide 20: Survey Results
- 19% have a CRO (more common with revenue < $1 B)
- 20% have a board-approved policy
- 22% have a dedicated ERM committee
- 84% do not have formal measurements
Slide 21: Key Success Factors for Implementing ERM
- Provide clear goals and objectives
- Establish sponsorship of senior management
- Link to performance measures and compensation
- Drive the approach from the corporate/head office
- Establish a dedicated corporate function
Slide 22: What Works Well / What Needs Improvement
What works well:
- Bus. units are taking ownership of risk mgmt.
- Insurance mgmt.
- Communication of risk
- Sr. mgmt. and exec. support and involvement
What needs improvement:
- Communication and education
- Integration of ERM processes
- Formalizing the process
Slide 23: ERM vs. Internal Control
- ERM elaborates and expands on those components of internal control relevant to risk
- Significantly expands on the "risk assessment" component
- Emphasizes and expands on other components as they relate to risk
Slide 24: ERM vs. Internal Control
- Internal control and ERM are two separate frameworks with considerable overlap
- In some respects IC is broader and in others ERM is broader
- IC framework remains intact
- ERM framework addresses risk management concepts more broadly and deeply
Slide 25: ERM vs. Internal Control
ERM is effective only when:
- IC components are present and functioning effectively
- ERM components are present and functioning effectively
Addl. features needed to convert RM into ERM:
- Application of RM concepts in strategy-setting
- Taking a "portfolio" view of ERM components
Slide 26: ERM vs. Internal Control
Core concept: You can have effective internal control without enterprise risk management, but you cannot have effective enterprise risk management without effective internal controls.
Slide 27: COSO's Definition of Enterprise Risk Management
ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Proposed by COSO (2003) - www.coso.org
Slide 28: Key Elements of ERM
- Emphasizes "Enterprise", not just selected "silos of risk"
- Consideration of risks on a "portfolio" basis: collection of risks; interactions of risks
- Done to enhance entity value
- Heavily integrated with business strategy
- Focus is on identification, measurement, assessment, and response to risks primarily across 2 dimensions: Probability (Likelihood) and Criticality (Consequence)
- Key part of entity's corporate governance
- Responsibility of senior management and board
- Pushed down to key business segment management
Slide 29: 8 Components of the Framework
Slide 30: Coming Soon
- COSO's release of the ERM Framework for enterprise risk management
- Application guidance on how to implement ERM