Presentation is loading. Please wait.

Presentation is loading. Please wait.

What is this thing called Internal Controls?

Published byFrank Joseph Modified over 8 years ago

Similar presentations

Presentation on theme: "What is this thing called Internal Controls?"— Presentation transcript:

1 What is this thing called Internal Controls?
Review of Concepts Value of Internal Controls

2 Internal Controls Internal controls are a system consisting of specific policies and procedures designed to provide management with reasonable assurance that the goals and objectives it believes important to the entity will be met. Tone at the top Encompasses a high ethical standards and moral values communicated throughout the institution

3 Why have Internal Controls?
Promote operational efficiency and effectiveness Provide reliable financial information Safeguard assets and records Encourage adherence to prescribed policies Comply with regulatory agencies 1. To accomplish your mission goals and objectives Make decisions - no when things are going wrong (poor performance) 2. 3.Are you using resources the best way to accomplish

4 Basic Concepts of Internal Controls
Management, not auditors, must establish and maintain the entity’s controls Internal controls structure should provide reasonable assurance that financial reports are correctly stated No system can be regarded as completely effective Should be applied to manual and computerized systems Responsibility of management Tone at the TOP All responsibilities play some role in effecting controls Cosr -Effective

5 Value of Internal Controls
Transactions are: valid property authorized Recorded properly valued Properly classified Timely Reconciled to subsidiary records

6 Control Environment Consists of:
Management philosophy and operating style Tone at the top Organization structure Separation of duties Fiscal officer reporting lines Assignment of authority and responsibility Does everyone understand their role? Responsibility without authority Tone at the top Ethical values communicated leadership by example (talk the talk walk the walk)walk the Codes of conduct clearly defined in written policy (I.e what is a conflict of interest, illegal or improper activity) Significant, published Penalties for improper behavior Removing temptations = less undesirable behavior communication (ex performance evaluations) weak reporting system administrators unaware

7 Control Environment Consists of:
Competent, knowledgeable personnel Personnel policies and procedures Training and development Communication and information systems Internal audit function Either in-source or outsource External influences Compliance External auditors Tone at the top Ethical values communicated leadership by example (talk the talk walk the walk)walk the Codes of conduct clearly defined in written policy (I.e what is a conflict of interest, illegal or improper activity) Significant, published Penalties for improper behavior Removing temptations = less undesirable behavior communication (ex performance evaluations) weak reporting system administrators unaware

8 Design a Control System
Identify RISKS in your environment Mission - Compliance Transactional - Assets Identify control points Analyze potential EXPOSURES Design system to mitigate RISKS What are risks Threats to you accomplishing you r mission What are the risks in the types of transactions you have and what errors or irregularities could occur compliance - tax exempt stats what assets and how could they be at risk Control points- where could errors,irregularities inefficiencies most likely

9 Internal Control Procedures
Personnel Proper procedures for authorization Adequate separation of duties Adequate documents and records Physical control over assets and records Independent checks on performances Controls Stars with people Tone at the top Hire Competent, trained, knowledgeable - clearly established lines of authority, responsibility documented in written job descriptions,m, code of conduct statements, policy/procedure manuals reduce temptations prevent one person from being able to STEAL and CONCEAL cost- benefit - cost should not exceed expected benefit of control Trust but verify

10 Other Elements to Remember:
Consistency of policy compliance Coordination in a decentralized environment Completeness and relevancy of policies Issue escalation and resolution process Accountability Flow of financial information

11 Other Elements to Remember – con’t
Linkages between technology, process and organizational structure Alignment of University objectives, risks and controls Early warning systems Training and other HR mechanisms Tools and techniques for monitoring

12 Key Concepts to Retain Internal control is a process. It is a means to an end, not an end itself. Internal control is affected by people. It is not just manuals and policies, but the people at all levels of the organization. Internal control can be expected to provide reasonable assurance, not absolute assurance, to an entities management or board.

13 Front Page Test Ask yourself, and ask your boss, how would you feel if this decision were displayed on the front page of the newspaper? This can be a very effective guage for appropriateness

14 Assessing Risks and Internal Controls

15 Your Role as Process Owner
General Expectations Acknowledge your responsibility for the design, implementation and maintenance of the control structure within your business processes Contribute direction to identify, prioritize and review risks and controls Remove obstacles for compliance; remedy control deficiencies Continue or begin a program of self-assessment and testing to monitor the controls within your processes Quarterly, confirm key controls are implemented and effective maintain documentation to support this assessment sign backup certifications supporting overall Section 302 and 404 assertions Immediate Action Items Educate your personnel about these requirements and this effort Reinforce internal focus on controls within your area Surface any risks, concerns or issues promptly to allow adequate attention for correction (don’t wait for an audit!) Fix control gaps as soon as possible

16 What are Risks? For all businesses there are risks that exist and that need to be identified and addressed in order to prevent or minimize losses. Risk is the threat that an event, action, or non-action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood. The following process is used for assessing risks: identifying risks, sourcing risks and measuring risks. Overall, you should focus on the high risks affecting your operations. Sourcing Business Risks Identifying Risks Sourcing Risks Prioritizing Risks

17 Risk Considerations Considerations
Evaluate the nature and types of errors and omissions that could occur, i.e., “what can go wrong” Consider significant risks (errors and omissions) that are common in the industry or have been experienced in prior years Information Technology risks (i.e. - access, backups, security, data integrity) Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts (revenue, receivables) Susceptibility to error or omission as well as manipulation or loss Robustness versus subjectiveness of the processes for determining significant estimates Extent of change in the business and its expected effect Other risks extending beyond potential material errors or omissions in the financial statements

18 Assertions For all significant processes identify points within the flow of transactions or process stream where there can be failures to achieve the following assertions: Assertion Description Authorization Management has defined and communicated criteria for recognizing economic events and authorizing transactions. Completeness and Accuracy All transactions and other events and circumstances that occurred during a specific period and should have been recognized in that period, have, in fact, been recorded or considered. Therefore, there are no unrecorded assets, liabilities or transactions and no omitted disclosures.  All, and only economic events meeting management’s criteria are converted to transactions accurately and accepted for processing on a timely basis. All accepted transactions are processed accurately in accordance with management’s policies and on a timely basis. Events affecting more than one system result in transactions that are reflected by each system in the same accounting period.  Recorded transactions represented economic events that actually occurred during a stated period of time. Evaluation of Balances Assets, liabilities, revenues and expenses are recorded at appropriate amounts in accordance with relevant accounting principles. Report and database contents are periodically evaluated. Evaluation involves judgmental determinations of value. Provide reasonable assurance that reported information can be reconciled with reality.

19 Assertions Assertions (Continued) Assertion Description
Presentation, Classification and Disclosure The captions, disclosures and other items in the financial statements are properly described and classified as well as fairly presented in conformity with generally accepted accounting principles. Access to Assets Physical safeguards should permit access to assets only in accordance with management’s authorization. Substantiation of Balances Report and database contents should be periodically substantiated. Substantiation is an independent check of processing results, and is most effective if completed in an environment in which there is segregation of incompatible duties. There is reasonable assurance that reported information can be reconciled with reality. Rights and Obligations Assets and liabilities reported on the balance sheet are bona fide rights and obligations of the entity as of that point in time. Management should clearly identify the personnel who have primary custodial responsibility for each category of assets, critical forms and records, processing areas and processing procedures. To the extent possible, responsibility for the physical custody of an asset should be vested in employees who have no responsibility for, and are denied access to, accounting for the asset and vice versa.

20 What are Internal Controls?
Management must control identified risks to help the Company: achieve its performance and profitability targets, prevent loss of resources, ensure reliable financial reporting, and ensure compliance with laws and regulations, avoiding damage to its reputation and other consequences. In summary, internal controls can help our company get where it wants to go, and avoid pitfalls and surprises along the way. DEFINITION OF INTERNAL CONTROL Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations

21 Internal Control Myths and Facts
Internal control starts with a strong set of policies and procedures. Internal control: That’s why we have internal auditors! Internal control is a finance thing. Internal controls are essentially negative, like a list of “thou-shalt-nots.” Internal controls take time away from our core activities of making products, selling, and serving customers. FACTS: Internal control starts with a strong control environment. While internal auditors play a key role in the system of control, management is the primary owner of internal control. Internal control is integral to every aspect of business. Internal control makes the right things happen the first time. Internal controls should be built “into,” not “onto” business processes. Source: Institute of Internal Auditors, 2003

22 Internal Control Structure
In many cases, you perform controls and interact with the control structure every day, perhaps without even realizing it. Monitoring: Monthly reviews of performance reports Internal audit function MONITORING Information & Communication: Vision and values survey Issue resolution calls Reporting Corporate communications ( , meetings) INFORMATION AND COMMUNICATION Control Activities: Purchasing limits Approvals Security Reconciliations Specific policies CONTROL ACTIVITIES Risk Assessment: Monthly Risk Control meetings Internal audit risk assessment RISK ASSESSMENT CONTROL ENVIRONMENT Control Environment: Tone from the top Corporate Policies Organizational authority An internal control structure is simply a different way of viewing the business – a perspective that focuses on doing the right things in the right way.

23 Concepts and Objectives
Control definition reflects certain fundamental concepts: Internal control is a process. It's a means to an end, not an end in itself. Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board. Objectives of Internal Control Internal controls are established to further strengthen: The reliability and integrity of information. Compliance with policies, plans, procedures, laws and regulations. The safeguarding of assets. The economical and efficient use of resources. The accomplishment of established objectives and goals for operations or programs.

24 Control Focus Redefining the control focus
The new approach to controlling business risks may be characterized by the “new rules” of “prevent and monitor” and “build in quality” as opposed to the “old rules” of “detect and correct” and “inspect in quality.” This means a paradigm shift in the traditional viewpoint of control as illustrated in the following table:

25 Control Techniques CONTROL TECHNIQUES
Prevention techniques are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. Therefore, many of the preventive techniques are applied before the processing activity occurs. In most situations, preventive techniques are likely to be more effective in a strong control environment, when management authorization criteria are well-defined and properly communicated. Control type definitions: Preventive - Manual Preventive - System Examples of preventive controls include: Segregation of duties (Preventive-Manual) Business systems integrity and continuity controls, e.g., application design standards, change controls, security controls, systems backup and recovery (Preventive – System) Physical safeguard and access restriction controls (human, financial, physical and information assets) (Preventive-Manual) Effective planning/budgeting process (Preventive-Manual) Effective "whistle blowing" processes (Preventive-Manual)

26 Control Techniques CONTROL TYPES
Detection techniques are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detection techniques normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques. That is, when front-end approval and processing techniques do not provide reasonable assurance that unacceptable transactions are prevented from being processed or do not assure that all approved transactions are processed accurately. In this case, after-the-fact techniques become more important in detecting and correcting processing errors. Control type definitions: Detective - Manual Detective - System Examples of detection techniques include: Reconciliation of batch balance reports to control logs maintained by originating departments. (Detective – Manual) Reconciliation of cycle inventory counts with perpetual records. (Detective – Manual) Review and approval of reference file maintenance (“was-is”) reports. (Detective – Manual) Comparison of reported results with plans and budgets. (Detective – Manual) Reconciliation of subsidiary ledger balances with the general ledger. (Detective – Manual) Reconciliation of interface amounts exiting one system and entering another. (Detective – System) Review of on-line access and transaction logs. (Detective – System)

27 Conclusion Why all this trouble? What happens if we don’t do this?
Compliance with a very visible law Puts teeth into the value statement, “Do it right the first time” Additional comfort and “tightness” that the company is doing the right things and communicating the right information internally, to the auditors and to the public Over time, the metrics that evolve to monitor the control areas can provide insight for key business decisions Documentation will provide communication tool with management and improve ability to train and share information What happens if we don’t do this? Less formal control structures leave room for risks to become real issues External Auditor may not sign their attestation of our control structure Potential SEC investigation Investor, lender and customer confidence will be further weakened, affecting stock price and available financing What are the next steps? Continue communication Validation of process documentation Identification and sourcing of risks and controls

28 Appendix - COSO Components Defined
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), was formed in 1985 to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. Based on these principles, they developed and published the COSO framework in 1992 as a foundation for establishing internal control systems and determining their effectiveness. Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

29 Appendix - COSO Components Defined (cont.)
Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders. Monitoring Internal control systems need to be monitored -- a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

30 Applying COSO’s Enterprise Risk Management — Integrated Framework
September 29, 2004

31 Today’s organizations are concerned about:
Risk Management Governance Control Assurance (and Consulting)

32 ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework COSO.

33 Why ERM Is Important Underlying principles:
Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. Value is created by informed and inspired management decisions in all spheres of an entity’s activities, from strategy setting to operations. Entities failing to recognize the risks they face, from external or internal sources, and to manage them effectively can destroy value – in absolute or relative terms – for shareholders and other stakeholders, including the community and society at large. For companies, shareholders realize value when they recognize value creation and benefit from share-value growth. For governmental entities, value is realized when constituents recognize receipt of valued services at acceptable cost. Enterprise risk management: Facilitates management’s ability deal effectively with potential future events that create uncertainty. Provides the mechanisms to respond in a manner that reduces the likelihood of downside outcomes and increases the upside Enhances the ability to communicate value creation and preservation programs and goals, communicate with stakeholders, and deliver as planned, with few surprises.

34 Why ERM Is Important ERM supports value creation by enabling management to: Deal effectively with potential future events that create uncertainty. Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. Value is created by informed and inspired management decisions in all spheres of an entity’s activities, from strategy setting to operations. Entities failing to recognize the risks they face, from external or internal sources, and to manage them effectively can destroy value – in absolute or relative terms – for shareholders and other stakeholders, including the community and society at large. For companies, shareholders realize value when they recognize value creation and benefit from share-value growth. For governmental entities, value is realized when constituents recognize receipt of valued services at acceptable cost. Enterprise risk management: Facilitates management’s ability deal effectively with potential future events that create uncertainty. Provides the mechanisms to respond in a manner that reduces the likelihood of downside outcomes and increases the upside Enhances the ability to communicate value creation and preservation programs and goals, communicate with stakeholders, and deliver as planned, with few surprises.

35 Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

36 The ERM Framework Entity objectives can be viewed in the
context of four categories: Strategic Operations Reporting Compliance

37 The ERM Framework ERM considers activities at all levels
of the organization: Enterprise-level Division or subsidiary Business unit processes

38 The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk.

39 The ERM Framework Management considers how individual risks interrelate. Management develops a portfolio view from two perspectives: - Business unit level - Entity level

40 The ERM Framework The eight components of the framework
are interrelated …

41 Internal Environment Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity’s risk culture. Considers all other aspects of how the organization’s actions may affect its risk culture.

42 Objective Setting Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

43 Event Identification Differentiates risks and opportunities.
Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

44 Event Identification Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile.

45 Risk Assessment Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: - Likelihood - Impact Is used to assess risks and is normally also used to measure the related objectives.

46 Risk Assessment Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis.

47 Risk Response Identifies and evaluates possible responses to risk.
Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses.

48 Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.

49 Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.

50 Monitoring Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities. Separate evaluations. A combination of the two. Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. The entity establishes minimum standards for each component of enterprise risk management. The entity’s performance against these standards can then be monitored objectively. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree. Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is performed on a real-time basis, reacts dynamically to changing conditions and is ingrained in the entity. As a result, it is more effective than separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the lesser need for separate evaluations. The frequency of separate evaluations is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes occurring, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time. Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity's ongoing monitoring procedures, separate evaluations and external parties. All enterprise risk management deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives should be reported to those who can take necessary action, as discussed in the next section

51 Internal Control A strong system of internal
control is essential to effective enterprise risk management. Risk Assessment - ERM encompasses the need for management to develop an entity-level portfolio view from two perspectives and highlights the notion of inherent and residual risk Risk Response - ERM considers risk responses within categories of avoid, reduce, share and accept. Management considers these responses with the intent of achieving a residual risk level aligned with the entity’s risk tolerances. Having considered responses to risk on individual or group basis, management considers the aggregate effect of its risk responses across the entity. The ERM framework elaborates on other components of IC-IF as they relate to enterprise risk management, most significantly the environment and information and communication Enterprise risk management must also be applied in setting strategy, and there must be an entity level portfolio view.

52 Relationship to Internal Control — Integrated Framework
Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. Expands the control framework’s “Financial Reporting” and “Risk Assessment.” Some differences include (note not all as time is limited): The choice made by management and its implementation is part of management’s broader role, and are not part of ERM The Internal Control – Integrated Framework specified the three objective categories of operations, external financial reporting and compliance. Enterprise risk management also specifies three objective categories – operations, reporting, and compliance. The reporting category expands the scope of financial reporting as defined in the Internal Control – Integrated Framework to include a broader array of reporting, Event identification – ERM considers potential events, defining an event as an incident, or series of incidents emanating from internal or external sources that could affect the implementation of strategy and achievement objectives. ERM also considers alternatives in setting strategy, identifies events using a combination of techniques that consider both past and potential future events as well as emerging trends, considers what triggers events and groups potential events into risk categories.

53 ERM Roles & Responsibilities
Management The board of directors Risk officers Internal auditors The board of directors is responsible for overseeing management’s design and operation of ERM. Knowing the extent to which management has established effective enterprise risk management in the organization; Being aware of and concurring with the entity’s risk appetite; Reviewing the entity’s portfolio view of risk, and considering it against the entity’s risk appetite; and Being apprised of the most significant risks, and whether management is taking appropriate responses. Management: Is responsible for the design of an entity's enterprise risk management framework Promotes the desired risk culture, frames risks in the context of strategy and activities Establishes an entity-level risk appetite Provides a portfolio view of risk Enforces compliance individually and in the aggregate. The risk officer works with managers in establishing and maintaining effective risk management in their areas of responsibility, has the resources to help effect enterprise risk management across subsidiaries, businesses, departments, functions and activities and may have responsibility for monitoring progress and for assisting managers in reporting relevant risk information up, down and across the entity and likely chairs internal risk management committees. We will come back later on the specific role of internal auditors in ERM

54 Internal Auditors Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements Internal auditors contribute to the ongoing effectiveness of the enterprise risk management, normally by their participation in separate evaluations, but they do not have primary responsibility for establishing or maintaining ERM.

55 Internal Auditors Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing’s in Enterprise Risk Management.”

56 Standards 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

57 Key Implementation Factors
Organizational design of business Establishing an ERM organization Performing risk assessments Determining overall risk appetite Identifying risk responses Communication of risk results Monitoring Oversight & periodic review by management

58 Organizational Design
Strategies of the business Key business objectives Related objectives that cascade down the organization from key business objectives Assignment of responsibilities to organizational elements and leaders (linkage)

59 Example: Linkage Mission – To provide high-quality accessible and affordable community-based health care Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year

60 Establish ERM Determine a risk philosophy Survey risk culture
Consider organizational integrity and ethical values Decide roles and responsibilities

61 Example: ERM Organization
Vice President and Chief Risk Officer Insurance Risk Manager ERM Director Corporate Credit Risk Manager FES Commodity Risk Mg. Director ERM Manager ERM Manager Staff Staff Staff

62 Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

63 Example: Risk Model Environmental Risks Capital Availability
Regulatory, Political, and Legal Financial Markets and Shareholder Relations Process Risks Operations Risk Empowerment Risk Information Processing / Technology Risk Integrity Risk Financial Risk Information for Decision Making Operational Risk Strategic Risk

64 Risk Analysis Risk Management Monitoring Assessment Control It
Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Entity Level Monitoring Identification Measurement Prioritization Assessment Source: Business Risk Assessment – The Institute of Internal Auditors

65 DETERMINE RISK APPETITE
Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

66 DETERMINE RISK APPETITE
Key questions: What risks will the organization not accept? (e.g. environmental or quality compromises) What risks will the organization take on new initiatives? (e.g. new product lines) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

67 IDENTIFY RISK RESPONSES
Quantification of risk exposure Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) Residual risk (unmitigated risk – e.g. shrinkage)

68 Impact vs. Probability High I M P A C T Low PROBABILITY High
Medium Risk High Risk I M P A C T Share Mitigate & Control Low Risk Medium Risk Accept Control Low PROBABILITY High

69 Example: Call Center Risk Assessment
High Medium Risk High Risk Loss of phones Loss of computers Credit risk Customer has a long wait Customer can’t get through Customer can’t get answers I M P A C T Low Risk Medium Risk Fraud Lost transactions Employee morale Entry errors Equipment obsolescence Repeat calls for same problem Low PROBABILITY High

70 Example: Accounts Payable Process
Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing Issue: Invoices go to field and AP is not aware of liability.

71 Communicate Results Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) Flowcharts of processes with key controls noted Narratives of business objectives linked to operational risks and responses List of key risks to be monitored or used Management understanding of key business risk responsibility and communication of assignments

72 Monitor Collect and display information Perform analysis
- Risks are being properly addressed - Controls are working to mitigate risks

73 Management Oversight & Periodic Review
Accountability for risks Ownership Updates - Changes in business objectives - Changes in systems - Changes in processes

74 Internal auditors can add value by:
Reviewing critical control systems and risk management processes. Performing an effectiveness review of management's risk assessments and the internal controls. Providing advice in the design and improvement of control systems and risk mitigation strategies.

75 Internal auditors can add value by:
Implementing a risk-based approach to planning and executing the internal audit process. Ensuring that internal auditing’s resources are directed at those areas most important to the organization. Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

76 Internal auditors can add value by:
Facilitating ERM workshops. Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

77 Enterprise Risk Management — Integrated Framework,
For more information On COSO’s Enterprise Risk Management — Integrated Framework, visit or

78 Applying COSO’s Enterprise Risk Management — Integrated Framework
This presentation was produced by

Download ppt "What is this thing called Internal Controls?"

Similar presentations

Internal Control Integrated Framework

Internal Control Integrated Framework
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.

Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
The Islamic University of Gaza

The Islamic University of Gaza
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Purpose of the Standards

Purpose of the Standards
Board responsibility for internal control and risk management by Kiattisak Jelatianranat Chairman, The Institute of Internal Auditors of Thailand Director,

Board responsibility for internal control and risk management by Kiattisak Jelatianranat Chairman, The Institute of Internal Auditors of Thailand Director,
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Similar presentations

Ads by Google