1
Using ERM Concepts in Managing Controls
The Institute of Internal Auditors, August 10, 2004
Ed Dudley, CIA, CPA
Retired Vice-President & General Auditor, ABB Americas
2
Agenda
• Introduction & Overview – Ed Dudley
• Integrating ERM Concepts in a Facilitated Entity Evaluation – Lynn Fountain
• Using Risk Assessment to Assess Control Deficiencies – Paul Sobel
• Integrating ERM – A Multidimensional View – Peg Weir
• Break
• Q & A
3
Key Risk Issues for Today
• Benefits of Using an ERM Approach
• Approach For Measuring Entity Level Controls
• ERM Principles in Assessing “Soft” Attributes
• Risk Management for an Entity Evaluation
• ERM Planning Considerations
4
Key Risk Issues for Today
• Key Control Deficiency Questions
• Making Control Deficiency Assessments
• Understanding Risk Tolerance Considerations
• Developing Performance Based Culture and Metrics
• Benefits of Continuous Improvement Life Cycle Approach
5
Integrating ERM Concepts in a Facilitated Entity Evaluation
Lynn Fountain
VP Risk Assessment & Audit Services
Aquila, Inc.
6
Measuring Entity Controls Utilizing ERM
Four stages, framed by the five COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring):
• Risk Assessment
– What attributes will be evaluated?
– Define stages of maturity
– Determine each attribute’s maturity stage
– What stage of maturity is considered acceptable?
Filter: Key attributes that fall below desired stage.
• Risk Analysis
– Where current stage is less than desirable, what are the underlying reasons and causes?
Filter: Consider what attributes should be improved to meet management strategies.
• Risk Strategy
– Based on management’s risk strategy, what attributes should be addressed to improve their current state?
Filter: Identify methods to monitor actions.
• Risk Capabilities
– Do the capabilities (people, process, technology and information) exist to execute the desired state?
– How will actions be monitored?
7
Facilitated Approach to Measuring Entity Controls
• ERM principles provide a structured method to assess the “soft” attributes of Entity evaluation.
• Benefits of using an ERM approach:
– Align management risk appetite with risk evaluation
– Enhance response to risk identification
– Identify how evaluation permeates across the organization
– Identify integrated solutions for managing risk areas
8
Planning Considerations
• Ensure use of ERM principles
– Attributes to be voted, as well as session participants, must be reflective of the entire organization
– Communication of voting stages must include considerations for cost vs. benefit
– Voting considerations must include how actions permeate across the organization; they should not be based on one event
– Attributes voted must be able to have actionable items for any remediation to be considered
9
Session Planning
• Identify voting attributes
– Attributes should cover the five components of COSO
• Define scale and stages
– Stages are consistent throughout definitions
– Provide for voting in-between stages
• Identify participants
– Cross-functional representation: financial, operational, compliance
• Conduct pre-sessions
– Review voting scale, attributes and definitions
10
Session Execution
• Define “rules of the day”
• Encourage open feedback
– Discussion is the most value-added portion
– Ensure anonymity of individual comments
• Monitor real-time voting for large variances in opinion
– Facilitate discussion when voting is widely dispersed
– Consider a re-vote
• Avoid common pitfalls
– Group think
– Voting creep
– Duress voting
– Dominant participant
– Fatigue
11
Risk Management Capability Characteristics Stages: Entity Evaluation
• Stage A – Process ad hoc; results often left to heroics of individuals
• Stage B – Informal processes; not well communicated or executed
• Stage C – Formal processes that are adequate; processes may not always be consistent or well communicated; areas of improvement in efficiency and effectiveness
• Stage D – Formal processes that are well executed; processes are consistent and well communicated; improvement area exists in relation to monitoring and KPIs
• Stage E – Processes are optimal; best practice methods and metrics
12
Example Attributes: Control Environment
– Ethics Policy
– Ethical Values
– Ethics Reporting
– Ethics Discipline
– Commitment to competence – personnel
– Commitment to competence – management
– Commitment to competence – external auditors
– Mgmt structure & operating style
– Mgmt financial reporting philosophy
– Mgmt internal control philosophy
– Mgmt incentives
– Mgmt financial goals
– Organization structure and size
– Ownership and Accountability
– Policy establishment
– Approvals
– Segregation of Duties
– HR Policies and Procedures
– Job Screening
– Job Descriptions
– Job Performance
13
Example Attributes
• Risk Assessment
– Business Objectives
– Strategic Plan
– Method to identify business risks
– Mgmt Risk Tolerance
– Acquisitions/Divestitures
– Budgets
– Accounting, Operating and Regulatory Changes
• Information and Communication
– Systems Reliability
– Users
– Change Control
– DR Plan
– Business Continuity
– Management Communication
• Control Activities
– KPIs
– Financial Reports
– Reconciliation of Physical Assets
– Physical Inventories
– Destruction of Assets
• Monitoring
– Monitoring Overrides
– Correcting Deficiency
– Monitoring process change
14
Deliverables
• Graphical depiction of voting averages
• Evaluate areas that fall below desired stage
• Determine actions & obtain management sign-off
• Assign target dates and responsibilities
• Communicate results
– Board
– Management
15
16
Summary
• Approach Benefits
• Planning Considerations
• Execution of Session
• Deliverables Post-Session
• Remediation/Follow-up
17
Using Risk Assessment to Assess Control Deficiencies
Paul J. Sobel
Vice President, Internal Audit
Mirant Corporation
18
Control Deficiency Questions
• If a control deficiency were to occur, how bad could it be?
– Impact on financial reporting
– Likelihood of that impact occurring
• How could that deficiency manifest itself, i.e., what are the scenarios should it occur?
• What are the levels over which a deficiency becomes significant? Material?
19
Key Risk Decisions
• What is our tolerance relative to control deficiencies?
• How would the deficiency occur, i.e., what are the scenarios?
• What is our risk assessment of the deficiency?
[Figure: COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Objective categories: Strategic, Operations, Reporting, Compliance. Entity levels: Entity-Level, Division, Business Unit, Subsidiary.]
20
Deficiency Assessment
Likelihood (REMOTE / MORE THAN REMOTE) against Impact (INCONSEQUENTIAL / CONSEQUENTIAL / MATERIAL):
• More than remote likelihood and material impact: Material Weakness
• More than remote likelihood and consequential impact: Significant Deficiency
• Otherwise (remote likelihood, or inconsequential impact): Not a Significant Deficiency
21
Impact Types
• Financial Impact
• Reporting/Filing Delay
• Fraud Potential
• Pervasive Impact
• Technical Violation
22
Likelihood Factors
• Nature of account, disclosures and assertions
• Susceptibility to loss or fraud
• Subjectivity, complexity or judgment involved
• Cause and frequency of known exceptions
• Interdependence or redundancy of controls
23
Potential Scenarios
[Figure: the slide 20 deficiency assessment matrix repeated (Likelihood: REMOTE / MORE THAN REMOTE; Impact: INCONSEQUENTIAL / CONSEQUENTIAL / MATERIAL; cells: Not a Significant Deficiency, Significant Deficiency, Material Weakness).]
“. . . evaluating deficiencies and whether they constitute significant deficiencies or material weaknesses will necessarily always involve judgment.”
– PCAOB
24
Tolerance Considerations
• Quantitative Factors
– % of revenues, assets or income
  • Materiality level = .0025 - .005 x revenues (i.e., .25% - .5%), or 5% of operating income
  • Significance level = 5% - 20% of materiality
– Change in EPS (e.g., 1¢)
– More than rounding
– Change in key financial ratios
• Qualitative Considerations
– Entity-level considerations (e.g., tone at the top)
– Nature of controls
– Ability to monitor controls
– Nature of disclosures (e.g., related party implications)
– Non-direct considerations (e.g., credit rating, regulatory compliance)
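The following is an added worked example, not part of the webcast slides: it applies the slide 20 deficiency assessment matrix with the slide 24 tolerance thresholds across several scenarios, as slide 18 asks. The percentages are those quoted on the slides; the company figures, the scenario list and the helper names (derive_tolerance, impact_band, classify, assess) are assumptions constructed for this example.

```python
# Added worked example (not from the slides): the likelihood x impact matrix of
# slide 20 applied with the tolerance thresholds of slide 24. Percentages are the
# slides' own; the financial figures, scenarios and helper names are constructed.
REMOTE, MORE_THAN_REMOTE = "REMOTE", "MORE THAN REMOTE"
NOT_SIGNIFICANT, SIGNIFICANT, MATERIAL_WEAKNESS = (
    "Not a Significant Deficiency", "Significant Deficiency", "Material Weakness")
SEVERITY = {NOT_SIGNIFICANT: 0, SIGNIFICANT: 1, MATERIAL_WEAKNESS: 2}


def derive_tolerance(revenues, operating_income, basis="revenues",
                     materiality_pct=0.005, significance_pct=0.20):
    """Slide 24: materiality = 0.25%-0.5% of revenues or 5% of operating income;
    significance = 5%-20% of materiality. The defaults sit at the top of each
    range, which is an assumption: where to sit is a management judgment."""
    bases = {"revenues": materiality_pct * revenues,
             "operating_income": 0.05 * operating_income}
    materiality = bases[basis]  # KeyError for an unknown basis
    return materiality, significance_pct * materiality  # (materiality, significance)


def impact_band(estimated_misstatement, tolerance):
    """Map an estimated misstatement onto the impact columns of the matrix."""
    materiality, significance = tolerance
    if estimated_misstatement >= materiality:
        return "MATERIAL"
    return "CONSEQUENTIAL" if estimated_misstatement >= significance else "INCONSEQUENTIAL"


def classify(likelihood, impact):
    """Slide 20 matrix: only a more-than-remote likelihood can lift a deficiency
    above 'not significant'; the impact column then decides how far."""
    if likelihood not in (REMOTE, MORE_THAN_REMOTE):
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if likelihood == REMOTE or impact == "INCONSEQUENTIAL":
        return NOT_SIGNIFICANT
    return MATERIAL_WEAKNESS if impact == "MATERIAL" else SIGNIFICANT


def assess(scenarios, tolerance):
    """Rate each scenario (slide 18: how could the deficiency manifest?) and
    return the worst rating plus the per-scenario detail for the write-up."""
    ratings = {name: classify(lk, impact_band(amount, tolerance))
               for name, lk, amount in scenarios}
    return max(ratings.values(), key=SEVERITY.__getitem__), ratings


# Constructed sample: $2.0bn revenues, $150m operating income, and three ways one
# deficiency in the manual journal-entry review control could play out.
SAMPLE_TOLERANCE = derive_tolerance(2_000_000_000, 150_000_000)
SAMPLE_SCENARIOS = [
    ("single entry posted without review", MORE_THAN_REMOTE, 1_500_000),
    ("quarter-end entries across several units unreviewed", MORE_THAN_REMOTE, 4_000_000),
    ("reviews bypassed systematically to overstate revenue", REMOTE, 25_000_000),
]
```

Taking the worst-rated scenario as the overall rating is an assumption of this example; the slides leave that call to judgment.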
25
Summary
• Evaluating control deficiencies requires a great deal of judgment
• Utilizing risk management concepts, particularly risk assessment, brings some structure to those judgments
• Must develop and articulate tolerance levels
• Think through the various scenarios
• Caution: Don’t let it become a black and white decision-making process
[Figure: the slide 20 deficiency assessment matrix repeated.]
26
ERM – A Multi-Dimensional View
Margaret (Peg) Weir, Manager, Internal Control Group
United States Postal Service
27
ERM – A Multi-Dimensional View
• United States Postal Service
– Independent Government Entity; Self Sustaining
– Board of Governors
– Management – Internal Control Group
– Inspection Service
– Internal Auditor – Office of Inspector General
– Government oversight
– External Auditor
28
Enterprise Risk Hierarchy
[Figure: Enterprise Risk Hierarchy diagram; labels recovered from the slide: Board – Audit & Finance Committee Oversight; External and Internal Audit Findings; Business Environment & Management Priorities/Strategies; Transformational; Traditional; Special cases; ERM Continuous Improvement; Financial; Events; Fraud; External Auditor; Internal Auditor; Management (includes Internal Control Group); Inspection Service; Board; and the COSO components Control Environment, Control Activities, Risk Assessment, Monitoring, Information & Communication.]
29
Continuous Improvement Life Cycle
30
Business Review Committee/Internal Control Process Cycle
• HQ IC meets with HQ Functional peers to discuss risks
• HQ IC evaluates data related to identified risks
• HQ IC proposes national risk prioritization (supported by data) to the Business Review Committee for concurrence
• Field IC evaluates local data relative to national priorities to determine appropriate local risk prioritization
• HQ IC reports to the BRC on progress of nationally prioritized risk mitigation efforts
31
Internal Control Process Cycle
• Management prioritizes risks based on data or other influences
• IC Analysts analyze additional data and review prioritized internal controls
• IC Analysts work with process owners to determine root causes and develop risk mitigating solutions
• Process owners implement risk mitigating solutions
• IC Analysts monitor results and share best processes enterprise wide
32
Risk Assessment Model
33
ERM – A Multi-Dimensional View
• Ongoing risk assessment in ERM Lifecycle
– Data driven risk analysis
– Partnerships to address risks and achieve goals & objectives
– Ongoing monitoring
– Linkage to national performance metrics
• Hierarchy of internal and external considerations
• Prioritization/Evaluation/Improvement/Monitoring
• Quarterly and Annual assessment and reporting
34
Q & A
35
Summary of Main Points
• Use a Facilitated Approach to Measuring Entity Level Controls
• Ensure the Use of ERM Principles
• Utilize Facilitated Session Planning and Execution
• Determine Deliverables and Communicate Results
36
Summary of Main Points
• Ask Key Control Deficiency Questions
• Key Risk Decisions Must Revolve Around Risk Tolerance, Occurrence Scenarios and Risk Assessment
• Evaluate Control Deficiencies With Risk Management Concepts - Particularly Risk Assessment
37
Summary of Main Points
• Consider both internal and external influences
• Link Key Performance Metrics to ERM Improvements
• Continuously Improve Controls Through Monitoring and Prioritizing
38
Get Your CPE Certificate:
If you are a primary Webcast participant:
• If you view the live Webcast, you should be receiving your CPE certificate via email today.
• You can also view the certificate in your account. Just log in and hit the “CPE” button.
• If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.
If you are not the primary participant but will be viewing the Webcast:
• Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.
39
September 14, 2004
“Role of Transition – Year 2”
40
Webcast Evaluation: Visit the Login Page