
1 ASSURANCE MAPPING INTERACTIVE CASE STUDY APPROACH 20 APRIL 2016

2 Today’s Agenda
- Why do we need Assurance Mapping?
- How do we sell?
- How do we collaborate?
- How do we implement?
- Case study approach

3 Establishing the context

4 We have arrived …

5 Case 1 – Assurance?
The CAE was excited about his new role. He reported functionally to the ARC (in line with the IIA standards) and administratively to the CEO. In his first Audit & Risk Committee meeting, the Chair welcomed him and posed the following questions:
a) We don’t understand ‘reasonable assurance’ – can you define it in the charter?
b) We have big budget constraints this year – do you think we will have to redefine ‘reasonable assurance’ later if this continues?
c) We also have responsibility for overseeing the risk management and compliance processes – will you define reasonable assurance on their behalf in our charter (because we have only one ARC charter)?

6 Case 1 – Answers
1. Assurance: a statement or indication that inspires confidence. Reason: a basis (which can be limited) or cause, as for some belief, action, fact, event, etc.
2. The definition will not change. The risk has to be accepted by the AC and the Board.
3. Define it only in the charter. The respective procedure manuals will also define the same.

7 Case 2 – Why should I build the 2nd line?
The ARC Chair instructed the CEO to establish risk management and compliance functions. However, the CEO decided not to appoint any FTE for this role due to budget constraints. He has now decided to approach the CAE with two options:
1. Establish the function and manage it for one or two years; or
2. Establish the function and ‘handhold’ a temporary employee (or external consultant) to manage it for some time until an FTE is on board.
The CAE cannot say no, since the CEO has instructed him to do so. He knows that managing the second line of defense is not his primary role. However, he has the following dilemma: “How can I audit the procedures later if I have developed them or assisted in developing them? What does the CEO mean by ‘handhold’? How can I maintain my independence and split the time spent on RM?”

8 Case 2 – Answers
1. In this case the ARC will approve the procedures, and the CAE should place any audit recommendations (as part of the regular yearly update process) before the ARC for their review and approval.
2. It is common practice in an evolving GRC market that IA takes the lead in developing key functions like RM and Compliance. It is advisable that IA provides only limited assurance to the ARC for as long as it holds these responsibilities, and limits its assurance once the responsibilities are shifted. It is better to seek an understanding on roles, reporting and accountability before undertaking responsibility for establishing such functions.

9 Case 3 – Roles and Responsibilities
The CEO (who is also an executive board member) finally appointed three new positions to manage the Risk, Quality and Compliance functions. The CEO has also approved their job descriptions. However, down the line, the CAE faced the following new challenges:
a) Quality is mandated to perform ISO reviews across all functions, including the IA function. Now our CAE is thinking: “Can the 2nd line of defense audit the 3rd line of defense?”
b) The ARC had asked the CAE to prepare a combined assurance framework and get it approved. However, the CAE is now confused: since the scope of work of RM and Quality has been approved by the CEO, does it mean that the combined assurance framework has to be approved by both the CEO and the ARC?
c) The CEO has also asked the CAE to utilize RM and QM resources in performing IA work, to save the cost of recruiting one more IA resource.

10 Case 3 – Answers
1. IA has to conform with the requirements of the ISO standards, and this has to be documented in the IA charter. Further, IA can audit the Quality function as per its mandate, therefore there is no breach of independence.
2. The CAE has to document the combined assurance framework in line with the (CEO-approved) procedures of the second line functions. However, in case of any conflicts or issues related to the scope of work or roles of the second line functions, he has to highlight them to the ARC.
3. This should not be an issue as long as the ARC is aware of it and there are no independence issues.

11 Case 4 – Planning and Scope of Work
The CAE has decided to perform his annual risk assessment in line with the IIA standards and local regulatory requirements. During the course of discussion with his colleagues (RM, QM and CM), he identified the following new constraints:
a) The RM framework is limited to monitoring only strategic risks across the organisation. However, the IA methodology requires identifying risks across all domains, namely strategic, operational, legal, financial, etc. What value will combined assurance add in this case, especially when the mandates are mutually exclusive?
b) The CEO believes that a fraud incident may have occurred in procurement. He wants all the assurance providers to get involved in the risk assessment and revert on which assurance provider should be held accountable for such a failure.

12 Case 4 – Answers
1. IA has to exclude from its scope of work those risks which are monitored by RM and CM. However, IA can audit the effectiveness of the RM and CM functions.
2. This is a subjective case. Primary responsibility remains with the first line of defense. However, the final control failures should be ascertained based on evidence and involvement.

13 THANK YOU

