SlideShare a Scribd company logo

Practical Approach Risk Based Internal Audit

Download as PPTX, PDF
Manoj Agarwal
Manoj Agarwal

The document provides an overview of risk based internal auditing. It discusses key concepts like the definition of risk, COSO ERM framework, three lines of defense model, definition of internal audit, and risk based internal audit approach. The approach involves identifying the audit universe and processes, risk identification and assessment, risk scoring and heat mapping, developing the risk based internal audit plan, and executing the plan. Various tools for risk based auditing like the audit tracker, audit report templates, and resources are also outlined.

Business
1 of 37
Practical Approach towards Risk Based Internal Audit Presented by CA Manoj Agarwal Feb 10, 2016, Ernakulum, IASB, ICAI
Disclaimer All the contents of the presentation constitute the opinion of the speaker, and the speaker alone; they do not represent the views and opinions of the speaker’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the speaker is, or has been a part of. 2
Agenda • What is Risk? • COSO ERM Framework • 3 Lines of Defence Model • Definition of Internal Audit • Risk Based Internal Audit • Tools 3
4 What is Risk? Risk, in traditional terms, is viewed as a ‘negative’. The Chinese give a much better description of risk • The first is the symbol for “danger”, while • the second is the symbol for “opportunity”, making risk a mix of danger and opportunity. “Risk- let’s get this straight up front – is good. The point of Risk management is not to eliminate it; that would eliminate reward. The point is to manage it – that is, choose to place bets, where to hedge bets, and where to avoid betting together.” - Thomas A. Stewart
5 Risk & Risk Management In economic terms, profit is the reward for entrepreneurship or “Risk Taking” As a lay investor, our investment planning is based on risk perception – bank deposits, life insurance, debentures and GoI bonds, Mutual Funds, Shares, Private Equity…. Risk management is an attempt to identify, measure and monitor risks– so as to manage uncertainty.
6 Risk Management 1 Understand the nature and extent of risks facing the company 2 Understand the extent and categories of risks which it regards as acceptable for a company to bear 3 Understand the likelihood of risks concerned materializing 4 Company’s ability to reduce the incidence and impact on business of risks that do materialize 5 Costs of operating particular controls relative to benefits
7 Classification of Risks Strategic • A strategic risk is a risk that a company is exposed to when pursuing its business objectives, or likely loss arising from a poor strategic business decision. e.g. Too much dependence on one line of business; or a failed acquisition Operational • Operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. e.g. Frauds in Banking; Risk of poor planning e.g. Funds constraint Compliance • Risks a company is exposed to because of breach of law / regulatory requirement. e.g. Non compliance in foreign country due to ignorance.
8 The Need for Risk Management • Complex, ever changing macro environment • Sustainable, profitable growth to meet stakeholder expectation • Trend towards greater transparency & enhanced levels of corporate governance # Move from survival to competitive advantage
9 Eight Components of COSO ERM Model
10 Eight Components of COSO ERM Model ERM Process Objective Setting Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerance Event Identification Events – Factors Influencing Strategy and Objectives – Methodologies and Techniques Event Interdependencies Event Categories – Risks and Opportunities Risk Assessment Inherent and Residual Risk – Likelihood and Impact Methodologies and Techniques – Correlation Risk Response Identify Risk responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View Information & Communication Information – Strategic and Integrated Systems – Communication Monitoring Separate Evaluations – Ongoing Evaluations Control Activities Integration with Risk Response – Types of Control Activities – General Controls Application Controls – Entity Specific
Top Risks - Global Risk Report 2016-WEF 11
12 Three groups (or lines) involved in effective risk management: • Functions that own and manage risks. • Functions that oversee risks. • Functions that provide independent assurance. Three Lines of Defence Model
13 1st LoD: Operational Management • Own and manage risks. • Responsible for implementing corrective actions to address process and control deficiencies.
14 2nd LoD: Risk Management & Compliance Functions • Risk management function – Facilitates and monitors the implementation of effective risk management practices by operational management – Assists risk owners in defining the target risk exposure – Reporting adequate risk-related information throughout the organization. • Compliance function – Monitor various specific risks such as noncompliance with applicable laws and regulations. – Multiple compliance functions for specific types of monitoring, such as health and safety, supply chain, environmental, or quality monitoring. • Controllership function – Monitors financial risks and financial reporting issues.
15 3rd LoD: Internal Audit • Comprehensive assurance based on the highest level of independence and Objectivity • Provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve • Risk management and control objectives. • Reported to senior management and to the governing body, usually covers – A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts. – All elements of the risk management and internal control framework, which includes: internal control environment – The overall entity, divisions, subsidiaries, operating units, and functions — including business processes as well as supporting functions.
16 External Auditors, Regulators, Other external Bodies • Can have an important role in the organization’s overall governance and control structure. • Regulators sometimes set requirements intended to strengthen the controls in an organization and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements.
17 Coordinating The Three Lines Of Defense • Role of each group in the risk management process
Definition 18 “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system. Internal audit, therefore, provides assurance that there is transparency in reporting, as a part of good governance.” -The Internal Audit Standards Board of the ICAI “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” -Definition of Internal Auditing by Institute of Internal Auditors (IIA)
Risk Based Audits 19 Risk Based Audit Risk based Internal Audit (RBIA) is an internal methodology which is primarily focused on the inherent risk involved in the activities or system and provide assurance that risk is being managed by the management within the defined risk appetite level.[1] It is the risk management framework of the management and seeks at every stage to reinforce the responsibility of management and BOD (Board of Directors) for managing risk http://en.wikipedia.org/wiki/Risk_based_audit
Building a Risk aware enterprise 20 BOD Oversightof Risk Management Risk Management Committee (1) Synthesizes issues forthe Board (2) Establish ERM Policies & Tolerances (3) Reviews significantrisk issues (4) Ensures governance& Infrastructure for managementof risk profile Functional Head (1) Own Risk Management& Mitigation (2) Perform Risk assessments on periodic basis (3) Provide assertions on risk exposure fortheirbusiness area. Risk Governance Risk Infrastructure and Management Risk Ownership
Risk Based Auditing: Approach 21 Identification of Audit Universe Breaking up into Processes Risk Identification Risk Assessment and Evaluation Risk Scoring and Heat Map RBIA Plan Execution of RBIA Plan 1. Identification of Audit Universe 2. Breaking Audit universe into auditable units. 3. Risk Identification 4. Risk Assessment & evaluation 5. Risk Scoring/ Heat Map 6. RBIA Plan 7. Execution 8. Reporting
Risk Identification 22 Risk Identification Analysis of processes: Will facilitate identification of the operational risk Brainstorming: A group of employees put forward their ideas or sensations of risk Analysis of processes: Will facilitate identification of the operational risk Interview: Interview with various management level members in order to elicit their concerns Workshops: Meeting the employees in order to identify the risks and assess impact Comparison with other organisations: Benchmarking is the technique used for comparing one’s own organisation with competitors
Risk Evaluation 23 After identifying and analysing the risk, next step is the evaluate the risk. Probability •Almost certain •Likely •Moderate •Unlikely •Rare What is the consequence if the risk event occurs? Impact •Extreme •Very High •Moderate •Low •Negligible What is likelihood of the risk event occurring?
Components of Risk Evaluation 24 Evaluation of Risk Financial Risk • Process complexity • Volume • Documentation • Staffing • Outsourcing • Importance of MIS & safe-keeping • Fraud control • Auditors’ findings • Budget variations Operational Risk • Size • Industry Trends • Credit risk • Market risk • Forex risk • Settlement risk Information Technology Risk • Dependence on IT systems • Scalability / Up gradation • Documentation • Confidentiality of the data • Number of interfaces • Vendor support • Skills / Training • External agencies involvement Reputation Risk • Impact of Process • Extent of customer interaction • Effect on Future Business Plans • Reputation risk wrt operations outsourcing • Number of Regulators and Acts • Complexity of Acts • Applicability of international Laws Regulatory Risk Legal Risk • Legal Action by Counter – party • Non enforcement of the Legal rights
Example 25 • Likely: 3 • Unlikely: 2 • Remote: 1 Probability of Occurrence • Strategic: 10 • Customer Experience: 8 • Financial: 7 • Regulatory: 7 Impact • High: 25 to 30 • Medium: 20 to 25 • Low: Below 20 Criticality Classification Criticality Classification = Probability of Occurrence * Impact
Risk Scoring/ Heat Map 26 Plotting of Criticality score on a chart.
Risk Based internal Audit Plan 27 A Risk Based Plan will look like this Sr Criticality Criticality Score Process Name Frequency 1 High 25-30 • Revenue • Human Resource Quarterly to Half Yearly 2 Medium 20-25 • Accounts Payable • Fixed Assets • Compliances Half Yearly to Once in a year 3 Low Below 25 • Admin Functions Annual to Once in Two Year
Risk Bases Audit Planning: Financial Coverage 28 Coverage of Key Financial Components in the Audit Plan
Sample Criteria for Rating Observations 29 Risk Factors Critical Major Moderate FINANCIAL Potential Financial Exposure > Rs 5 Cr Rs 1-5 Cr Rs 1 Lakh to < Rs 1 Cr COMPLIANCE AND/OR AND/OR AND/OR Legal & Regulatory Prosecution or penalty exposure > Rs 1 lakh Penalty exposure < Rs 1 Lakh Any technical non- compliance (not resulting in penalty) Fraud Vulnerability Any observation on probability of fraud NA NA OPERATIONAL AND/OR AND/OR AND/OR Policy & Procedures Policy, procedures and practice doesn’t exist Policy, procedures in place but not in practice Policy, procedures not documented but practice exists Transaction Error (incl SLA) > 20% of audit sample selected 5% to 20% of audit sample selected < 5% of audit sample selected Repeat audit finding Last rating Critical or Major Last rating Moderate NA Customer Impact Impacts > 1% of customer base (complaints) Impacts 0.5% to 1% of customer base (complaints) Impacts > 0.5% of customer base (complaints) Systems & Tools Loss or exposure of confidential master or transaction data, System Availibility impacting business performance Lack of adequate system validations/ acess control (incl password management)/ controls which might lead to fraud System bugs or functionality gaps impacting efficiency, speed of execution
Report Rating Criteria 30 Report Rating Critical Major Moderate Acceptable Less than 4 Needs Improvement 1 1 to 2 More than or = 4 Unsatisfactory 2 to 3 3 to 5 Poor More than 3 More than 5 Conversion factor: 1 Critical observation = 2 Major Observations= 4 Moderate Observations
Auditor’s Dilemma 31 Cost Dilemma Giving a level of confidence that IA has captured and assessed ‘all’ material risk that threaten the company
Risk Based Audit 32 Type Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Stage 6 Stage 7 Stage 8 RBIA Framework Defining Scope Mapping Risk Registration/ Identificatio n Control Identifica tion Control Investigation Audit Test Audit Report Risk profiling Risk taxonomies Business unit mapping Risk register Risk evaluation Control owner Volume Value Complexity Cost SOP SOD Past losses IT Risk definition card: Description Includes Excludes Driver Impact Processes Systems KPIs Function boundaries Transactions All risks Risk type Risk levels Risk Sizes Statistical tools Material and potential loss from control weakness Criteria to assess whether the control has been operated effectively or compromised by staff What to sample? How much to sample?
My Risk Based Audit 33 Type Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Stage 6 Stage 7 Stage 8 RBIA Framework Defining Scope Mapping Risk Registration/ Identificatio n Control Identificatio n Control Investigati on Audit Test Audit Report My IA Financial Scoping Mapping Top 3 Risks Control identificatio n Checkpoin ts Testing Audit report Trial balance Common size statement Identificatio n of major items groups Identifica tion of Major Items with in group Compliance, FA, Bank Tools Pareto Rule Audit Tracker, Excel (Pivot, Sort, Index, vlookup), Benford Law, Pareto Rule (80:20) Audit Report
Tools Audit Tracker 1. Contacts (of auditee/ audit team) 2. Status Tracker (Scope, Start Date, Completion date, Reason for Pending, responsibility, Population, Sample, Sample methodology, remarks) 3. Review Notes 4. Requirement Tracker (Requirement, Area, Responsibility, Request Date, Received date, Time Lag in receipt of data, days lapsed) 5. Checklist (Scope, Sub scope, Risk, Control, Checkpoints, Population, Sample, Exceptions, Observations, Backup paper) 6. Query Sheet (Query, Financial Impact, Risk, recommendations, Area, Annexure, Resolved, Response, Responsibility, Reportable/ Dropped, Backup paper) 7. Audit Completion Checklist 34 Control Failure Vs. impact of business control failure Traffic Light vs. specific financial amounts
Tools Audit Report 1. Cover letter, 2. Background and Objective of audit 3. Scope and approach 4. Detailed Observation (High, Medium, Low) 5. Other Points for Management Attention 6. Positive assurance Audit Presentation 1. Audit Summary (Area, Location, Audit Period, Audit Team, Function Head, Scope, Field audit dates/ period) 2. Scope, Sampling and Limitation to scope 3. Positive Assurance 4. Key Observations 5. Other observations 35
Resources • Risk Based Audit: https://drive.google.com/file/d/0B9LJxar8oKPmQ0JxaEpJRmxMaVU/edit? usp=sharing • Risk Template: https://app.box.com/s/p7tns5kbrliny06mnouu • www.auditnet.org for audit programs • www.knowledgeleader.com for audit program • www.cebglobal.com for audit trends • www.globaliia.org • www.coso.org 36
1. Audit Client Categories 2. Role of Internal Audit 3. Value addition by internal audit 4. Revenue Assurance 5. Companies Act 2013 and Control Catalogues 6. Internal Controls in eCommerce Companies 7. How to create Internal Control Framework for your company 8. Creating An Internal Audit Plan 9. Governance for Approval Matrix 10. Right to Audit 11. Have you included vendor audit as part of your audit plan? Manoj Agarwal manojbagarwal@gmail.com 9820392252 Linkedin: https://in.linkedin.com/in/manojbagarwal 37 My Blogs and Post

Recommended

Ppt on risk based internal audit
Ppt on risk based internal auditPpt on risk based internal audit
Ppt on risk based internal auditAmitaMistry2
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Sazzad Hossain, ITP, MBA, CSCA™
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditingFrederick Altum Pokoo-Aikins
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptIbrahim Jimalle
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptLetzconsult.com
 
Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides SlideTeam
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementPYA, P.C.
 
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Ahmad Azwang Aisram Omar
 

Recommended

Ppt on risk based internal audit
Ppt on risk based internal auditPpt on risk based internal audit
Ppt on risk based internal auditAmitaMistry2
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Sazzad Hossain, ITP, MBA, CSCA™
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditingFrederick Altum Pokoo-Aikins
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptIbrahim Jimalle
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit pptLetzconsult.com
 
Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides Enterprise Risk Management PowerPoint Presentation Slides
Enterprise Risk Management PowerPoint Presentation Slides SlideTeam
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementPYA, P.C.
 
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009Ahmad Azwang Aisram Omar
 
Risk based auditing
Risk based auditingRisk based auditing
Risk based auditingTunde Elijah Kelani
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentationalygale
 
Internal Audit Plan 2015
Internal Audit Plan 2015Internal Audit Plan 2015
Internal Audit Plan 2015Mohammad Kashif
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingAmar Deep Ghimire
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONFrackson Kathibula-Nyoni
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEneni Oduwole
 
Coso framework
Coso frameworkCoso framework
Coso frameworkDarryl Woolley
 
Internal audit
Internal auditInternal audit
Internal auditRahul Mithia
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
Risk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditRisk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditSmitesh Bhosale
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking SectorSanjay Kumbhar
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0Rachael Phelan
 
Internal Audit
Internal AuditInternal Audit
Internal AuditJami Martin
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologyManoj Agarwal
 
An introduction to internal auditing
An introduction to internal auditingAn introduction to internal auditing
An introduction to internal auditinggrifff
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementStephen Ong
 
Erm whitepaper (2)
Erm whitepaper (2)Erm whitepaper (2)
Erm whitepaper (2)MayankGarg200
 

More Related Content

What's hot

Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentationalygale
 
Internal Audit Plan 2015
Internal Audit Plan 2015Internal Audit Plan 2015
Internal Audit Plan 2015Mohammad Kashif
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingAmar Deep Ghimire
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONFrackson Kathibula-Nyoni
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEneni Oduwole
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
Risk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditRisk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditSmitesh Bhosale
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking SectorSanjay Kumbhar
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk managementKannan Subbiah
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0Rachael Phelan
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologyManoj Agarwal
 
An introduction to internal auditing
An introduction to internal auditingAn introduction to internal auditing
An introduction to internal auditinggrifff
 

What's hot (20)

Risk based auditing
Risk based auditingRisk based auditing
Risk based auditing
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management Framework
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentation
 
Internal Audit Plan 2015
Internal Audit Plan 2015Internal Audit Plan 2015
Internal Audit Plan 2015
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditors
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based Auditing
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational Excellence
 
Coso framework
Coso frameworkCoso framework
Coso framework
 
Internal audit
Internal auditInternal audit
Internal audit
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Audit
 
Risk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditRisk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal Audit
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking Sector
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk management
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing Presentation
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
 
An introduction to internal auditing
An introduction to internal auditingAn introduction to internal auditing
An introduction to internal auditing
 

Similar to Practical Approach Risk Based Internal Audit

Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementStephen Ong
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfabdo badr
 
IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013Susan Young
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
RiskIndia.com-Profile-01072016
RiskIndia.com-Profile-01072016RiskIndia.com-Profile-01072016
RiskIndia.com-Profile-01072016Rohit Chawda
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationDavid Fernandes
 
Risk Management Process in Islamic Banks
Risk Management Process in Islamic BanksRisk Management Process in Islamic Banks
Risk Management Process in Islamic BanksMahyuddin Khalid
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - complianceNeeraj Verma
 

Similar to Practical Approach Risk Based Internal Audit (20)

Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
 
Erm whitepaper (2)
Erm whitepaper (2)Erm whitepaper (2)
Erm whitepaper (2)
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
 
IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
RiskIndia.com-Profile-01072016
RiskIndia.com-Profile-01072016RiskIndia.com-Profile-01072016
RiskIndia.com-Profile-01072016
 
Trustee Conference AM4: Effectively managing risk
Trustee Conference AM4: Effectively managing riskTrustee Conference AM4: Effectively managing risk
Trustee Conference AM4: Effectively managing risk
 
Risk management
Risk managementRisk management
Risk management
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
Risk Management Process in Islamic Banks
Risk Management Process in Islamic BanksRisk Management Process in Islamic Banks
Risk Management Process in Islamic Banks
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Coso erm
Coso ermCoso erm
Coso erm
 
Coso erm
Coso ermCoso erm
Coso erm
 

More from Manoj Agarwal

Reporting to Management and Audit Committee
Reporting to Management and Audit CommitteeReporting to Management and Audit Committee
Reporting to Management and Audit CommitteeManoj Agarwal
 
Turning risk into opportunities
Turning risk into opportunitiesTurning risk into opportunities
Turning risk into opportunitiesManoj Agarwal
 
The state of ia pandemic plan
The state of ia pandemic planThe state of ia pandemic plan
The state of ia pandemic planManoj Agarwal
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self AssessmentManoj Agarwal
 
Role and responsibility of Internal Audit under new Companies Act 2013
Role and responsibility of Internal Audit under new Companies Act 2013Role and responsibility of Internal Audit under new Companies Act 2013
Role and responsibility of Internal Audit under new Companies Act 2013Manoj Agarwal
 
Compliance framework
Compliance frameworkCompliance framework
Compliance frameworkManoj Agarwal
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessmentManoj Agarwal
 
Use Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditUse Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditManoj Agarwal
 
Professional opportunities in Internal Audit
Professional opportunities in Internal AuditProfessional opportunities in Internal Audit
Professional opportunities in Internal AuditManoj Agarwal
 
Audit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementAudit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementManoj Agarwal
 
Control Self Assessment
Control Self AssessmentControl Self Assessment
Control Self AssessmentManoj Agarwal
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalManoj Agarwal
 
IIA Report Writing 10 Oct 09
IIA Report Writing 10 Oct 09IIA Report Writing 10 Oct 09
IIA Report Writing 10 Oct 09Manoj Agarwal
 

More from Manoj Agarwal (14)

Reporting to Management and Audit Committee
Reporting to Management and Audit CommitteeReporting to Management and Audit Committee
Reporting to Management and Audit Committee
 
Turning risk into opportunities
Turning risk into opportunitiesTurning risk into opportunities
Turning risk into opportunities
 
The state of ia pandemic plan
The state of ia pandemic planThe state of ia pandemic plan
The state of ia pandemic plan
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
 
Role and responsibility of Internal Audit under new Companies Act 2013
Role and responsibility of Internal Audit under new Companies Act 2013Role and responsibility of Internal Audit under new Companies Act 2013
Role and responsibility of Internal Audit under new Companies Act 2013
 
Functional Audit
Functional AuditFunctional Audit
Functional Audit
 
Compliance framework
Compliance frameworkCompliance framework
Compliance framework
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
 
Use Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal AuditUse Of Techniques And Technology In Internal Audit
Use Of Techniques And Technology In Internal Audit
 
Professional opportunities in Internal Audit
Professional opportunities in Internal AuditProfessional opportunities in Internal Audit
Professional opportunities in Internal Audit
 
Audit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementAudit Audit Commite And Risk Management
Audit Audit Commite And Risk Management
 
Control Self Assessment
Control Self AssessmentControl Self Assessment
Control Self Assessment
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
 
IIA Report Writing 10 Oct 09
IIA Report Writing 10 Oct 09IIA Report Writing 10 Oct 09
IIA Report Writing 10 Oct 09
 

Recently uploaded

Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...ShrutiBose4
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024Matteo Carbone
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 

Recently uploaded (20)

Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
Ms Motilal Padampat Sugar Mills vs. State of Uttar Pradesh & Ors. - A Milesto...
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 

Practical Approach Risk Based Internal Audit

  • 1. Practical Approach towards Risk Based Internal Audit Presented by CA Manoj Agarwal Feb 10, 2016, Ernakulum, IASB, ICAI
  • 2. Disclaimer All the contents of the presentation constitute the opinion of the speaker, and the speaker alone; they do not represent the views and opinions of the speaker’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the speaker is, or has been a part of. 2
  • 3. Agenda • What is Risk? • COSO ERM Framework • 3 Lines of Defence Model • Definition of Internal Audit • Risk Based Internal Audit • Tools 3
  • 4. 4 What is Risk? Risk, in traditional terms, is viewed as a ‘negative’. The Chinese give a much better description of risk • The first is the symbol for “danger”, while • the second is the symbol for “opportunity”, making risk a mix of danger and opportunity. “Risk- let’s get this straight up front – is good. The point of Risk management is not to eliminate it; that would eliminate reward. The point is to manage it – that is, choose to place bets, where to hedge bets, and where to avoid betting together.” - Thomas A. Stewart
  • 5. 5 Risk & Risk Management In economic terms, profit is the reward for entrepreneurship or “Risk Taking” As a lay investor, our investment planning is based on risk perception – bank deposits, life insurance, debentures and GoI bonds, Mutual Funds, Shares, Private Equity…. Risk management is an attempt to identify, measure and monitor risks– so as to manage uncertainty.
  • 6. 6 Risk Management 1 Understand the nature and extent of risks facing the company 2 Understand the extent and categories of risks which it regards as acceptable for a company to bear 3 Understand the likelihood of risks concerned materializing 4 Company’s ability to reduce the incidence and impact on business of risks that do materialize 5 Costs of operating particular controls relative to benefits
  • 7. 7 Classification of Risks Strategic • A strategic risk is a risk that a company is exposed to when pursuing its business objectives, or likely loss arising from a poor strategic business decision. e.g. Too much dependence on one line of business; or a failed acquisition Operational • Operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. e.g. Frauds in Banking; Risk of poor planning e.g. Funds constraint Compliance • Risks a company is exposed to because of breach of law / regulatory requirement. e.g. Non compliance in foreign country due to ignorance.
  • 8. 8 The Need for Risk Management • Complex, ever changing macro environment • Sustainable, profitable growth to meet stakeholder expectation • Trend towards greater transparency & enhanced levels of corporate governance # Move from survival to competitive advantage
  • 9. 9 Eight Components of COSO ERM Model
  • 10. 10 Eight Components of COSO ERM Model ERM Process Objective Setting Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerance Event Identification Events – Factors Influencing Strategy and Objectives – Methodologies and Techniques Event Interdependencies Event Categories – Risks and Opportunities Risk Assessment Inherent and Residual Risk – Likelihood and Impact Methodologies and Techniques – Correlation Risk Response Identify Risk responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View Information & Communication Information – Strategic and Integrated Systems – Communication Monitoring Separate Evaluations – Ongoing Evaluations Control Activities Integration with Risk Response – Types of Control Activities – General Controls Application Controls – Entity Specific
  • 11. Top Risks - Global Risk Report 2016-WEF 11
  • 12. 12 Three groups (or lines) involved in effective risk management: • Functions that own and manage risks. • Functions that oversee risks. • Functions that provide independent assurance. Three Lines of Defence Model
  • 13. 13 1st LoD: Operational Management • Own and manage risks. • Responsible for implementing corrective actions to address process and control deficiencies.
  • 14. 14 2nd LoD: Risk Management & Compliance Functions • Risk management function – Facilitates and monitors the implementation of effective risk management practices by operational management – Assists risk owners in defining the target risk exposure – Reporting adequate risk-related information throughout the organization. • Compliance function – Monitor various specific risks such as noncompliance with applicable laws and regulations. – Multiple compliance functions for specific types of monitoring, such as health and safety, supply chain, environmental, or quality monitoring. • Controllership function – Monitors financial risks and financial reporting issues.
  • 15. 15 3rd LoD: Internal Audit • Comprehensive assurance based on the highest level of independence and Objectivity • Provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve • Risk management and control objectives. • Reported to senior management and to the governing body, usually covers – A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts. – All elements of the risk management and internal control framework, which includes: internal control environment – The overall entity, divisions, subsidiaries, operating units, and functions — including business processes as well as supporting functions.
  • 16. 16 External Auditors, Regulators, Other external Bodies • Can have an important role in the organization’s overall governance and control structure. • Regulators sometimes set requirements intended to strengthen the controls in an organization and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements.
  • 17. 17 Coordinating The Three Lines Of Defense • Role of each group in the risk management process
  • 18. Definition 18 “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system. Internal audit, therefore, provides assurance that there is transparency in reporting, as a part of good governance.” -The Internal Audit Standards Board of the ICAI “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” -Definition of Internal Auditing by Institute of Internal Auditors (IIA)
  • 19. Risk Based Audits 19 Risk Based Audit Risk based Internal Audit (RBIA) is an internal methodology which is primarily focused on the inherent risk involved in the activities or system and provide assurance that risk is being managed by the management within the defined risk appetite level.[1] It is the risk management framework of the management and seeks at every stage to reinforce the responsibility of management and BOD (Board of Directors) for managing risk http://en.wikipedia.org/wiki/Risk_based_audit
  • 20. Building a Risk aware enterprise 20 BOD Oversightof Risk Management Risk Management Committee (1) Synthesizes issues forthe Board (2) Establish ERM Policies & Tolerances (3) Reviews significantrisk issues (4) Ensures governance& Infrastructure for managementof risk profile Functional Head (1) Own Risk Management& Mitigation (2) Perform Risk assessments on periodic basis (3) Provide assertions on risk exposure fortheirbusiness area. Risk Governance Risk Infrastructure and Management Risk Ownership
  • 21. Risk Based Auditing: Approach 21 Identification of Audit Universe Breaking up into Processes Risk Identification Risk Assessment and Evaluation Risk Scoring and Heat Map RBIA Plan Execution of RBIA Plan 1. Identification of Audit Universe 2. Breaking Audit universe into auditable units. 3. Risk Identification 4. Risk Assessment & evaluation 5. Risk Scoring/ Heat Map 6. RBIA Plan 7. Execution 8. Reporting
  • 22. Risk Identification 22 Risk Identification Analysis of processes: Will facilitate identification of the operational risk Brainstorming: A group of employees put forward their ideas or sensations of risk Analysis of processes: Will facilitate identification of the operational risk Interview: Interview with various management level members in order to elicit their concerns Workshops: Meeting the employees in order to identify the risks and assess impact Comparison with other organisations: Benchmarking is the technique used for comparing one’s own organisation with competitors
  • 23. Risk Evaluation 23 After identifying and analysing the risk, next step is the evaluate the risk. Probability •Almost certain •Likely •Moderate •Unlikely •Rare What is the consequence if the risk event occurs? Impact •Extreme •Very High •Moderate •Low •Negligible What is likelihood of the risk event occurring?
  • 24. Components of Risk Evaluation 24 Evaluation of Risk Financial Risk • Process complexity • Volume • Documentation • Staffing • Outsourcing • Importance of MIS & safe-keeping • Fraud control • Auditors’ findings • Budget variations Operational Risk • Size • Industry Trends • Credit risk • Market risk • Forex risk • Settlement risk Information Technology Risk • Dependence on IT systems • Scalability / Up gradation • Documentation • Confidentiality of the data • Number of interfaces • Vendor support • Skills / Training • External agencies involvement Reputation Risk • Impact of Process • Extent of customer interaction • Effect on Future Business Plans • Reputation risk wrt operations outsourcing • Number of Regulators and Acts • Complexity of Acts • Applicability of international Laws Regulatory Risk Legal Risk • Legal Action by Counter – party • Non enforcement of the Legal rights
  • 25. Example 25 • Likely: 3 • Unlikely: 2 • Remote: 1 Probability of Occurrence • Strategic: 10 • Customer Experience: 8 • Financial: 7 • Regulatory: 7 Impact • High: 25 to 30 • Medium: 20 to 25 • Low: Below 20 Criticality Classification Criticality Classification = Probability of Occurrence * Impact
  • 26. Risk Scoring/ Heat Map 26 Plotting of Criticality score on a chart.
  • 27. Risk Based internal Audit Plan 27 A Risk Based Plan will look like this Sr Criticality Criticality Score Process Name Frequency 1 High 25-30 • Revenue • Human Resource Quarterly to Half Yearly 2 Medium 20-25 • Accounts Payable • Fixed Assets • Compliances Half Yearly to Once in a year 3 Low Below 25 • Admin Functions Annual to Once in Two Year
  • 28. Risk Bases Audit Planning: Financial Coverage 28 Coverage of Key Financial Components in the Audit Plan
  • 29. Sample Criteria for Rating Observations 29 Risk Factors Critical Major Moderate FINANCIAL Potential Financial Exposure > Rs 5 Cr Rs 1-5 Cr Rs 1 Lakh to < Rs 1 Cr COMPLIANCE AND/OR AND/OR AND/OR Legal & Regulatory Prosecution or penalty exposure > Rs 1 lakh Penalty exposure < Rs 1 Lakh Any technical non- compliance (not resulting in penalty) Fraud Vulnerability Any observation on probability of fraud NA NA OPERATIONAL AND/OR AND/OR AND/OR Policy & Procedures Policy, procedures and practice doesn’t exist Policy, procedures in place but not in practice Policy, procedures not documented but practice exists Transaction Error (incl SLA) > 20% of audit sample selected 5% to 20% of audit sample selected < 5% of audit sample selected Repeat audit finding Last rating Critical or Major Last rating Moderate NA Customer Impact Impacts > 1% of customer base (complaints) Impacts 0.5% to 1% of customer base (complaints) Impacts > 0.5% of customer base (complaints) Systems & Tools Loss or exposure of confidential master or transaction data, System Availibility impacting business performance Lack of adequate system validations/ acess control (incl password management)/ controls which might lead to fraud System bugs or functionality gaps impacting efficiency, speed of execution
  • 30. Report Rating Criteria 30 Report Rating Critical Major Moderate Acceptable Less than 4 Needs Improvement 1 1 to 2 More than or = 4 Unsatisfactory 2 to 3 3 to 5 Poor More than 3 More than 5 Conversion factor: 1 Critical observation = 2 Major Observations= 4 Moderate Observations
  • 31. Auditor’s Dilemma 31 Cost Dilemma Giving a level of confidence that IA has captured and assessed ‘all’ material risk that threaten the company
  • 32. Risk Based Audit 32 Type Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Stage 6 Stage 7 Stage 8 RBIA Framework Defining Scope Mapping Risk Registration/ Identificatio n Control Identifica tion Control Investigation Audit Test Audit Report Risk profiling Risk taxonomies Business unit mapping Risk register Risk evaluation Control owner Volume Value Complexity Cost SOP SOD Past losses IT Risk definition card: Description Includes Excludes Driver Impact Processes Systems KPIs Function boundaries Transactions All risks Risk type Risk levels Risk Sizes Statistical tools Material and potential loss from control weakness Criteria to assess whether the control has been operated effectively or compromised by staff What to sample? How much to sample?
  • 33. My Risk Based Audit 33 Type Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Stage 6 Stage 7 Stage 8 RBIA Framework Defining Scope Mapping Risk Registration/ Identificatio n Control Identificatio n Control Investigati on Audit Test Audit Report My IA Financial Scoping Mapping Top 3 Risks Control identificatio n Checkpoin ts Testing Audit report Trial balance Common size statement Identificatio n of major items groups Identifica tion of Major Items with in group Compliance, FA, Bank Tools Pareto Rule Audit Tracker, Excel (Pivot, Sort, Index, vlookup), Benford Law, Pareto Rule (80:20) Audit Report
  • 34. Tools Audit Tracker 1. Contacts (of auditee/ audit team) 2. Status Tracker (Scope, Start Date, Completion date, Reason for Pending, responsibility, Population, Sample, Sample methodology, remarks) 3. Review Notes 4. Requirement Tracker (Requirement, Area, Responsibility, Request Date, Received date, Time Lag in receipt of data, days lapsed) 5. Checklist (Scope, Sub scope, Risk, Control, Checkpoints, Population, Sample, Exceptions, Observations, Backup paper) 6. Query Sheet (Query, Financial Impact, Risk, recommendations, Area, Annexure, Resolved, Response, Responsibility, Reportable/ Dropped, Backup paper) 7. Audit Completion Checklist 34 Control Failure Vs. impact of business control failure Traffic Light vs. specific financial amounts
  • 35. Tools Audit Report 1. Cover letter, 2. Background and Objective of audit 3. Scope and approach 4. Detailed Observation (High, Medium, Low) 5. Other Points for Management Attention 6. Positive assurance Audit Presentation 1. Audit Summary (Area, Location, Audit Period, Audit Team, Function Head, Scope, Field audit dates/ period) 2. Scope, Sampling and Limitation to scope 3. Positive Assurance 4. Key Observations 5. Other observations 35
  • 36. Resources • Risk Based Audit: https://drive.google.com/file/d/0B9LJxar8oKPmQ0JxaEpJRmxMaVU/edit? usp=sharing • Risk Template: https://app.box.com/s/p7tns5kbrliny06mnouu • www.auditnet.org for audit programs • www.knowledgeleader.com for audit program • www.cebglobal.com for audit trends • www.globaliia.org • www.coso.org 36
  • 37. 1. Audit Client Categories 2. Role of Internal Audit 3. Value addition by internal audit 4. Revenue Assurance 5. Companies Act 2013 and Control Catalogues 6. Internal Controls in eCommerce Companies 7. How to create Internal Control Framework for your company 8. Creating An Internal Audit Plan 9. Governance for Approval Matrix 10. Right to Audit 11. Have you included vendor audit as part of your audit plan? Manoj Agarwal manojbagarwal@gmail.com 9820392252 Linkedin: https://in.linkedin.com/in/manojbagarwal 37 My Blogs and Post