Risk Management Developing an Effective Audit Plan


2013 CliftonLarsonAllen LLP. Risk Management: Developing an Effective Audit Plan. Association of Credit Union Internal Auditors. cliftonlarsonallen.com

Discussion Objectives
1. Identify factors driving the need for Risk Management functions and processes
2. Discuss a process for identifying, assessing and prioritizing risks, and how to align this with an internal audit plan
3. Recognize key items and leading practices for building a robust, mature, and effective audit plan/strategy

Factors Driving Risk Management: Why Do You Do It?

What is Risk Management?

"Enterprise risk management is a process, effected by the entity's board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives." - COSO Enterprise Risk Management Integrated Framework, 2004

Organizational definitions of Enterprise Risk Management (ERM) can vary. At its core, it involves having a better understanding of the risks your organization faces, and having a sustainable and repeatable process to mitigate and monitor them. By extension, Risk Management can be applied not just at the enterprise level, but can also be deployed by business unit (Lending, IT, Accounting, etc.), by functional area (Operations, Strategy, Finance, etc.), and so on. The key is understanding what risk and risk management related processes and functions exist, and at which levels, within your organization.

Benefits of Risk Management (or ERM)
- Create a more risk aware culture
- Align risk appetite and strategy
- Enhance risk response decisions
- Minimize operational surprises and losses
- Identify and manage cross-enterprise risks
- Provide integrated responses to multiple risks
- Seize opportunities
- Support cost management efforts
- Improve operational performance
- Provide a better basis for allocating resources

And thereby:
- Restore and/or retain stakeholder trust and confidence
- Protect and increase value for the organization and your customers
- BETTER ALIGN AND IDENTIFY INTERNAL AUDIT ACTIVITIES

Questions Many Organizations Are Asking
- What is our appetite for risk, and what is our tolerance for deviating from expected results?
- What risks should we be focusing on? Do we know what our true top risks are?
- Once we know what the risks are, how prepared are we to address them?
- How well are we doing with the risks we are focusing on?
- Do we have a sustainable process to make risk management more than a one-time event?
- How do we capture future risks and integrate them into the process?
- How aligned are we as an organization to make this happen?
- Are key risks and audit activities aligned?

What types of risks are Credit Unions focusing on?

Many credit unions are realizing that they need to focus on the full spectrum of risk categories to ensure that they have identified their true top risks and are focusing on the right things. We must expand our risk universe (and audit universe) beyond what we learn through interviews or "what keeps you up at night" questions. We need to continually update our risk universe, including:

- 5300 Reporting
- Accounts Payable
- ACH
- Allowance for losses
- ATM
- ALM
- Board Governance
- Branches
- Personal Devices
- Call Center
- Borrowing/Lending
- Corporate CU account
- Credit Cards
- Delinquency tracking
- Deposits/Demands
- Digital signatures
- Dormant accounts
- Dual controls on loans
- Employee activity
- Fixed Assets
- Gift cards
- Imaging
- Loan servicing
- Marketing
- IT & Data Security
- New accounts
- Checks
- OREO
- Overdrafts
- Payroll
- Pension
- Troubled Debt
- Union Contracts
- Conflict of Interest
- Investments
- Vendor Management
- Safe Deposit
- Security
- Wires
- MANY OTHERS, including competitive and external conditions

Perspective on Risk

Whether through internal audit or organizationally, certain aspects of risk management should be defined across the entity. These parameters help enable consistent approaches to risk and to assessment for audit planning.

Risk Tolerance: the acceptable level of uncertainty or variability of outcomes related to performance measures or specific objectives of the organization.

Risk Appetite: a broad description of the level/amount of risk an organization is willing to take as part of its goals/strategy.

Definitions vary, so make certain your organization has a consistent definition and framework for these concepts.
https://www.rims.org/resources/erm/documents/rims_exploring_risk_appetite_risk_tolerance_0412.pdf

Identifying, Assessing, and Prioritizing Risk: How Do You Do It?

The Two Sides of the Risk Coin

RISK TYPES
- Unrewarded Risk: risks that must be taken. Regulatory compliance is a good example.
- Rewarded Risk: risks where you have the option to take them. Strategy and business decisions, where value can be created.

Fail to manage the Unrewarded Risks and bad things happen. Fail to take the right amount of Rewarded Risks and you don't fully reap the reward.

Two Popular Risk Frameworks
- COSO Integrated Framework
- AS/NZS ISO 31000:2009

The ISO 31000 process as diagrammed on the slide: Establish the Context; Assess Risk (Identify Risks, Analyze Risks, Evaluate Risks); Treat Risks. Communicate & Consult and Monitor & Review run alongside every step.

Goals of Risk Management & Risk Assessment

Risk areas by function, as laid out on the slide:
- Finance: Internal Control, Disclosure, Credit, Liquidity, Commodity, Risk Analytics & Modeling
- Compliance and Ethics: Ethics and Business Conduct, and Regulatory Compliance Risks
- Information Management: IT Security, Data Integrity, Information Adequacy, Business Process/Continuity Risks
- Operations: Quality of care, Customer Relations, Market and Pricing, Competitive, People/Process/Asset Performance, Environmental and Safety Risks
- Business Development: Market and Strategy Risks
- General Counsel: Legal and Intellectual Property
- Internal Audit: Risk informed audits, risks to internal control, key exposures and vulnerabilities, and assurance
- Security: Risks to property and people
- Insurance: Property, Casualty, Liability, and Hazards

The challenge is how to align and integrate all these various groups, and how to get Internal Audit to align and overlap with each area.

Where Does Internal Audit Live?

[Slide diagram: Board & Executive Management at the top, providing risk oversight & insight over alternatives, decisions, scenarios & events, with stakeholder value (Revenue Growth, Operating Margin, Asset Efficiency, Expectations) as the outcome and People, Process, Technology as enablers. Risk posture by area: Reporting - risk avoidance; Strategy & Execution - risk taking; Compliance - risk avoidance; Operations - risk avoidance. Risk categories shown: Governance (Ethics/Decision Authority, Oversight/Independence, Compensation/Other); Strategy (Strategic Plan/Acquisitions/Divestitures, Succession Planning, Brand/Marketing/Pricing, Reputational); Operations (Service Delivery, Inventory Management, Staffing and Employment, Quality Standards, Cost Management); Infrastructure (Compliance, Finance & Accounting, Tax, Information Technology, Insurance, BCP, Safety/Physical Security, Legal/IP/Litigation, Environmental/Other); External Factors (Competition/Economic Conditions, Geo-political/Regulatory, Activism/Public Safety, Natural Disasters/Other).]

Internal Audit & the Audit Committee need to leverage RM and determine where best to help with risk mitigation and monitoring, as well as helping to drive stakeholder value.

Progression to Integrate Risk Management

Phase 1 - Buy-In: Understand, Accept, Commit to Pilot
- Value Proposition
- Clarify RM needs & expectations
- Executive awareness and commitment
- Agree on scope, criteria, process
- Establish RM as a priority
- Communicate

Phase 2 - Assess: Assess risks and risk management capability
- Pilot test
- Set risk appetite and key performance metrics
- Assess vulnerability to selected key risks
- Qualify before quantify
- Assess interactions and risk experience
- Assess current capabilities
- Develop risk profile
- Identify gaps & set priorities

Phase 3 - Recommend: Detailed recommendations to resolve capability gaps in effectiveness & efficiency
- Define authorities, requirements, resources
- Design sustainable process
- Identify capabilities for design
- Design change management
- Proof of Concept
- Decision to proceed

Phase 4 - Implement, Operate & Continuously Improve: Implement sustainable RM capabilities
- Deploy tools
- Train personnel
- Monitor & Report
- Integrate into core management processes
- Change management
- Continuously improve

Red items on the slide indicate areas where Internal Audit could/should play a key role.

Leading Practices: Audit Planning. How To Integrate Risk Management Effectively for Audit Planning?

Shortcomings of the COSO approach

Estimating Likelihood and Impact (COSO ERM, September 2004, p. 58):

"Uncertainty of potential events is evaluated from two perspectives: likelihood and impact. Likelihood represents the possibility that a given event will occur, while impact represents its effect... It is important that the analysis be rational and careful. The time horizon used to assess risks should be consistent with the time horizon of the related strategy and objectives. For example, a company operating in California may consider the risk of an earthquake disrupting its business operations. Without a specified risk assessment time horizon, the likelihood of an earthquake exceeding 6.0 on the Richter scale is high, perhaps virtually certain. On the other hand, the likelihood of such an earthquake occurring within two years is substantially lower. By establishing a time horizon, the entity gains greater insight into the relative importance of the risk and an enhanced ability to compare multiple risks."

Problems With the Likelihood Model
- Little or no predictive value in the context of typical planning horizons
- 80% of all major value losses are high impact / low likelihood
- Biases management to direct resources to high impact / high likelihood events at the expense of high impact / low likelihood events
- Typically focuses on single events rather than a series of events or a domino effect
- Audit activities are often misdirected to the "red zone"

Other models can include various assessments and classifications, including:
- Frequency to onset (has become quite common/popular)
- Pervasiveness (relative to organization size and complexity)
- Complexity
- Etc.

Another Way to Think About/Conceptualize the Risk Assessment and Planning

The key is to utilize an approach and framework that works for the organization and can integrate with the internal audit and audit committee objectives.

Illustrative Model, risk factors:
- Level of Control Documentation and Governance
- Size or Volume of Transactions/Accounts
- New Products or Systems
- Personnel Qualifications and Turnover
- Complexity
- Susceptibility to Fraud
- Results/Time of Last Review or Audit
- Information and Reporting (confidential, financial, sensitive, etc.)
- Prior Issues Reported/Unresolved

Evaluate each item on a scale, and apply weightings for each risk category across functions, units, processes, etc.

Example of a Risk Report and/or Audit Monitoring

Columns on the slide: Risk Description | Risk Direction | Risk Response | Status | Risk Owner | Status of Additional Risk Management Activities Initiated. Risk Direction and Status are shown as indicators on the slide; the remaining columns read:

Risk: Failure to comply with Federal regulatory standards
  Owner: Mr.   Response: Avoid
  Activities: Performing review of last 12 months of adverse compliance; developing action plans for key trend areas identified from the review.

Risk: Inaccurate billing for services
  Owner: Ms.   Response: Accept
  Activities: Assess customer concerns; measure customer satisfaction.

Risk: Insufficient business continuity planning
  Owner: Mr.   Response: Reduce
  Activities: A project has been initiated to develop appropriate business continuity plans for all major operations and facilities.

Risk: Inadequate IT backup and disaster recovery processes
  Owner: Ms.   Response: Transfer
  Activities: Key steps have been completed to improve IT BCM: consolidated and improved the data center, documented processes, and retrained personnel.

Risk Rankings? What is the model to utilize for ranking risks?

High, Medium, and Low
- What if the risk universe/population is 200 items?
- The standard expectation would be 20% High, 60% Medium, and 20% Low
- That could mean as many as 40 high risk items
- Can audit or RM effectively monitor/assess 40 risks?

Numeric Quantification
- Apply ratings of 1-5 for each risk category
- Numeric calculated values for each risk
- Helps to delineate and refine the listing
- See example on next page
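The illustrative weighted-factor model described two slides earlier and the 1-5 numeric quantification on this slide, carried through as an added example. This is not code from the CLA presentation: the nine factor names follow the slide's illustrative model, but the weights, the sample audit-universe items and their ratings, and the High/Low score thresholds are constructed assumptions an organization would replace with its own. The example ranks a small slice of the credit-union risk universe, then contrasts a fixed 20/60/20 High/Medium/Low quota with score-based thresholds, which is the point the slide makes about a 200-item universe producing 40 "High" items by quota alone.

```python
"""Weighted multi-factor risk scoring for an audit universe.

Added example, not part of the CLA presentation. Factor names follow the
slide's illustrative model; weights, sample ratings and thresholds are
constructed assumptions that an organization would replace with its own.
"""
from typing import Dict, List, Tuple

# Factors from the slide's illustrative model, each rated 1 (lowest risk)
# to 5 (highest risk). Ratings are oriented so that a higher number always
# means riskier (weaker documentation, longer since last audit, and so on).
FACTORS = (
    "control_documentation_governance",
    "size_or_volume",
    "new_products_or_systems",
    "personnel_quals_and_turnover",
    "complexity",
    "susceptibility_to_fraud",
    "time_since_last_audit",
    "sensitive_information_and_reporting",
    "prior_unresolved_issues",
)

# Assumed weights; they must sum to 1.0 so a composite score stays on the 1-5 scale.
WEIGHTS: Dict[str, float] = {f: 0.10 for f in FACTORS}
WEIGHTS["susceptibility_to_fraud"] = 0.15
WEIGHTS["time_since_last_audit"] = 0.15
if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
    raise RuntimeError("factor weights must sum to 1.0")

Ratings = Dict[str, int]


def validate(ratings: Ratings) -> None:
    """Reject missing factors and ratings outside 1-5 before scoring."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing factor ratings: {missing}")
    for f in FACTORS:
        r = ratings[f]
        if not isinstance(r, int) or not 1 <= r <= 5:
            raise ValueError(f"{f}: rating must be an integer 1-5, got {r!r}")


def composite_score(ratings: Ratings) -> float:
    """Weighted sum of the factor ratings, rounded to two decimals."""
    validate(ratings)
    return round(sum(WEIGHTS[f] * ratings[f] for f in FACTORS), 2)


def rank_universe(universe: Dict[str, Ratings]) -> List[Tuple[str, float]]:
    """Score every auditable area and order highest risk first (ties by name)."""
    scored = [(name, composite_score(r)) for name, r in universe.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def high_count_under_quota(universe_size: int, high_share: float = 0.20) -> int:
    """How many 'High' items a fixed 20/60/20 split produces (200 items -> 40)."""
    return round(universe_size * high_share)


def bucket_by_quota(ranked: List[Tuple[str, float]], high_share: float = 0.20,
                    low_share: float = 0.20) -> Dict[str, str]:
    """H/M/L assigned by fixed proportions of the ranked list, regardless of scores."""
    n = len(ranked)
    n_high, n_low = round(n * high_share), round(n * low_share)
    buckets: Dict[str, str] = {}
    for i, (name, _) in enumerate(ranked):
        if i < n_high:
            buckets[name] = "High"
        elif i >= n - n_low:
            buckets[name] = "Low"
        else:
            buckets[name] = "Medium"
    return buckets


def bucket_by_threshold(ranked: List[Tuple[str, float]], high_at: float = 3.5,
                        low_below: float = 2.5) -> Dict[str, str]:
    """H/M/L assigned by score thresholds, so the High count follows the risk, not a quota."""
    return {name: "High" if s >= high_at else "Low" if s < low_below else "Medium"
            for name, s in ranked}


def _r(*values: int) -> Ratings:
    """Build a ratings dict from nine values given in FACTORS order."""
    return dict(zip(FACTORS, values))


# Constructed sample: a slice of the credit-union risk universe listed on the slides.
SAMPLE_UNIVERSE: Dict[str, Ratings] = {
    "Wires":              _r(2, 5, 2, 3, 4, 5, 4, 4, 3),
    "ACH":                _r(2, 5, 1, 2, 3, 4, 2, 3, 2),
    "Gift cards":         _r(4, 2, 3, 3, 2, 4, 5, 2, 1),
    "Payroll":            _r(2, 3, 1, 2, 2, 3, 3, 4, 1),
    "Dormant accounts":   _r(3, 2, 1, 2, 2, 5, 5, 3, 3),
    "IT & Data Security": _r(3, 4, 4, 3, 5, 3, 3, 5, 4),
    "Safe Deposit":       _r(2, 1, 1, 2, 1, 2, 4, 2, 1),
    "Fixed Assets":       _r(3, 2, 1, 2, 2, 2, 2, 1, 1),
}

if __name__ == "__main__":
    ranked = rank_universe(SAMPLE_UNIVERSE)
    quota, threshold = bucket_by_quota(ranked), bucket_by_threshold(ranked)
    for name, s in ranked:
        print(f"{name:20s} {s:4.2f}  quota={quota[name]:6s} threshold={threshold[name]}")
    print("200-item universe under a 20% quota:", high_count_under_quota(200), "High items")
```

With the constructed ratings, both bucketing methods agree on the two top items (IT & Data Security at 3.70 and Wires at 3.65) but disagree on Payroll (2.40): the quota forces it into Medium to fill the 60% band, while the score threshold puts it in Low. The validation step matters in practice because a single out-of-range rating, or a factor left blank for one business unit, silently skews the whole ranking when the scores are built in a spreadsheet.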

Audit Planning, Other Considerations

Separate Compliance from IA Planning?
- Depends on culture and organizational structure

Consider a rolling audit plan
- Have a 3 year audit plan
- Update the plan every 6 months
- Still demonstrates consideration of other risks for the future

Integrated Audit Opportunities?
- Incorporate and integrate an IT and business/functional approach to the same audit
- Not just entirely separate/disparate IT and operational/financial audits

Build in flexibility
- Allot time for unanticipated projects, issues, emerging risks

Transition to a Risk Integrated IA Function

[Slide diagram, Corporate Governance / Risk Oversight & Insight: Board of Directors / Audit Committee - Delegation of Authority & Risk Appetite, Risk Informed Decision-Making. Senior Management - Corporate Risk Management Capability. Internal Audit - Validation, Challenge & Assurance; Advisory / Specialized Support. Business Unit Leaders - Priority Risk Issues & Mitigation Plans; Risk Aggregation, Monitoring & Reporting. Operational Units - Risk & Control Assessment; Performance Indicators & Risk Metrics; Policies, Procedures, Processes & Systems.]

Risk intelligence is embedded in the Risk-Informed Decision Making process, such as Business Planning and Capital Allocation, and improves preparedness for adverse events.

Questions?

2013 CliftonLarsonAllen LLP. Thank you! Jim Kreiser, CRMA, CISA, CFSA, Principal, Business Risk and Specialty Advisory Services. James.Kreiser@CLAConnect.com, 215-643-3900. CLAconnect.com | twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen