Internal Auditing: Assurance & Advisory Services
4th edition
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Risk Management
Chapter 4
Chapter 4: Risk Management
Learning objectives
Define risk and enterprise risk management.
Discuss the different dimensions of the Committee of Sponsoring Organizations of the Treadway Commission’s exposure draft titled Enterprise Risk Management – Aligning Risk with Strategy and Performance.
Discuss the different dimensions of ISO 31000:2009(E): Risk management – Principles and guidelines.
Articulate the relationship between governance and enterprise risk management.
Describe the different roles the internal audit function can play in enterprise risk management.
Evaluate the impact of enterprise risk management on internal audit activities.
Standards relevant to risk management
Risk Management Definition
COSO Definition – “The possibility that events will occur and affect the achievement of a strategy and objectives.”
Begins with strategy formulation and setting business objectives
Involves uncertainty
Does not represent a single point estimate; it’s a range of possible outcomes
May relate to preventing bad things from happening or failing to ensure good things happen
Risks are inherent in all aspects of life
Enterprise Risk Management
COSO Definition – “The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”
Recognizes both culture and capabilities
Must be applied in practice
Integrated with strategy-setting and its execution
Manages risk to strategy and business objectives
Linked to creating, preserving, and realizing value
Other Key COSO definitions
Mission – “The entity’s core purpose, which establishes what it wants to accomplish and why it exists.”
Vision – “The entity’s aspirations for its future state or what the organization aims to achieve over time.”
Core Values – “The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.”
Strategy – “The organization’s plan to achieve its mission and vision and apply its core values.”
Business Objectives – “Those measurable steps the organization takes to achieve its strategy.”
COSO ERM components
Risk Governance and Culture – Risk governance and culture together form a basis for all other components of ERM.
Risk, Strategy, and Objective Setting – ERM is integrated into the entity’s strategic plan through the process of setting strategy and business objectives.
Risk in Execution – An organization identifies and assesses risks that may affect an entity’s ability to achieve its strategy and business objectives.
Risk Information, Communication, and Reporting – Communication is the continual, iterative process of obtaining information and sharing it throughout the entity.
Monitoring Enterprise Risk Management Performance – By monitoring ERM performance, an organization can consider how well its components are operating over time.
Risk Governance and Culture Principles
Exercises board risk oversight
Establishes governance and operating model
Defines desired organizational behaviors
Demonstrates commitment to integrity and ethics
Enforces accountability
Attracts, develops, and retains capable individuals
Risk, Strategy, and Objective-Setting Principles
Considers risk and business context
Defines risk appetite
Evaluates alternative strategies
Considers risk while establishing business objectives
Defines acceptable variation in performance
Risk in Execution Principles
Identifies risk in execution
Assesses the severity of risk
Prioritizes risks
Identifies and selects risk responses
Develops portfolio view
Assesses risk in execution
Risk Information, Communication, and Reporting Principles
Uses relevant information
Leverages information systems
Communicates risk information
Reports on risk, culture, and performance
Monitoring ERM Performance Principles
Monitors substantial change
Monitors ERM
ISO 31000 Principles
Creates and protects value
Is an integral part of all organizational processes
Is part of decision-making
Explicitly addresses uncertainty
Is systematic, structured, and timely
Is based on the best available information
Is tailored
Takes human and cultural factors into account
Is transparent and inclusive
Is dynamic, iterative, and responsive to change
Facilitates continual improvement of the organization
ISO 31000 Framework
Mandate and commitment
Design of framework for managing risk
Implementing the risk management framework and process
Monitoring the framework
Continually improving the framework
ISO 31000 Process
Establish the context
Assess the risks
Treat the risks
Monitor risks
Establish a communication and consultation process
Top-Down View of Risk
Enterprise risk management reduces inherent risk (gross risk) to a more acceptable residual risk (net risk) level.
Inherent Risk – The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place.
Residual Risk – The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk).
ERM’s Impact on Assurance
Risks at the process level must relate to strategy and business objectives
Changes in processes or the environment may affect the level of risk
Financial impact and other factors may also impact the level of risk
Summary
Enterprise risk management must be integrated with strategy and performance
Both COSO and ISO have frameworks and processes to help promote that integration
Internal auditors can serve in many roles related to ERM, some of which are assurance in nature and some advisory
Certain roles may require that safeguards be put in place
An organization’s strategy and business objectives create inherent risks, which impact the internal audit function’s charter and annual audit plan