Risk Assessment: What is Internal Audit’s Role?

Learning Objectives
• Risk and the Importance of a Risk Assessment
• Discussion of the COSO Principles
• Key Steps in Performing a Risk Assessment
• Communicating the Risk Assessment to the Audit Committee
• DOs and DON’Ts
• Looking past the horizon

Presented by Paragon Audit & Consulting
Risk and the Importance of a Risk Assessment

• What is Risk?
  – Risk is anything that slows down an organization in achieving its objectives

• What is a Risk Assessment?
  – A Risk Assessment involves the identification and analysis of relevant risks that threaten the achievement of an organization’s objectives, and determines how those risks should be managed

• Why is a Risk Assessment Important?
  – Proactive approach to removing potential barriers threatening the success of an organization
  – Helps an organization focus resources
  – Required by COSO
  – IIA Performance Standard 2010: the CAE should determine the priorities of the internal audit activity consistent with the organization’s goals, and based on a risk assessment
Discussion of the COSO Principles
1. Demonstrates Commitment to Integrity and Ethical Values
2. Exercises Oversight Responsibility
3. Establishes Structure, Authority, and Responsibility
4. Demonstrates Commitment to Competence
5. Enforces Accountability
6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies and Analyzes Significant Change
10. Selects/Develops Control Activities
11. Selects/Develops General Controls over Technology
12. Deploys through Policies and Procedures
13. Uses Relevant Information
14. Communicates Internally
15. Communicates Externally
16. Conducts Ongoing and/or Separate Evaluations
17. Evaluates and Communicates Deficiencies
[Figure: COSO Cube]
COSO Principles Focused on Risk Assessment
Control Environment:
1. Demonstrates Commitment to Integrity and Ethical Values
2. Exercises Oversight Responsibility
3. Establishes Structure, Authority, and Responsibility
4. Demonstrates Commitment to Competence
5. Enforces Accountability
Risk Assessment (the focus of the following slides):
6. Specifies Suitable Objectives
7. Identifies and Analyzes Risk
8. Assesses Fraud Risk
9. Identifies & Analyzes Significant Change
10. Selects/Develops Control Activities
Remaining principles:
11. Selects/Develops General Controls over Technology
12. Deploys through Policies and Procedures
13. Uses Relevant Information
14. Communicates Internally
15. Communicates Externally
16. Conducts Ongoing and/or Separate Evaluations
17. Evaluates and Communicates Deficiencies
[Figure: COSO ERM Cube]
Principle 6: Specifies Suitable Objectives
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus

Operations Objectives
• Reflects Management’s Choices
• Considers Tolerances for Risk
• Includes Operations and Financial Performance Goals
• Forms a Basis for Committing of Resources

External Financial Reporting Objectives
• Complies with Applicable Accounting Standards
• Considers Materiality
• Reflects Entity Activities

External Non-Financial Reporting Objectives
• Complies with Externally Established Standards and Frameworks
• Considers the Required Level of Precision
• Reflects Entity Activities

Internal Reporting Objectives
• Reflects Management’s Choices
• Considers the Required Level of Precision
• Reflects Entity Activities

Compliance Objectives
• Reflects External Laws and Regulations
• Considers Tolerances for Risk
Principle 7: Identifies and Analyzes Risk
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Points of Focus
• Includes Entity, Subsidiary, Division, Operating Unit, & Functional Levels
• Analyzes Internal and External Factors
• Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
• Determines How to Respond to Risks
Principle 8: Assesses Fraud Risk
The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus
• Considers Various Types of Fraud
• Assesses Incentives and Pressures
• Assesses Opportunities
• Assesses Attitudes and Rationalizations
Principle 9: Identifies and Analyzes Significant Change
The organization identifies and assesses changes that could significantly impact the system of internal control.

Points of Focus
• Assesses Changes in the External Environment
• Assesses Changes in the Business Model
• Assesses Changes in Leadership
Principle 10: Selects and Develops Control Activities
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Points of Focus
Integrates with Risk Assessment
• Control activities help ensure that risk responses that address and mitigate risks are carried out.
Key Steps in Performing a Risk Assessment

Phase One: Create an Audit Universe Map
• Note key process owners at the VP level

Phase Two: Identify Objectives and Risks
• Interview key process owners and analyze data

Phase Three: Rate and Rank Risks
• Will be used to create the audit plan (Risk Response)

Throughout the entire process: determine how the organization is complying with the COSO Framework

Phase One: Create an Audit Universe Map
• Recognizing the nature of the company, identify and document:
  – All Business Units or Departments
  – Key Processes
  – Supporting IT Infrastructure
• Determine auditable entities and segment by (1) Business process, (2) Physical location, and (3) IT systems
• Discussions with management to understand emerging risks and to discuss prominent risk factors for each entity
Example of the audit universe (business units and their key processes)
• Sales: Retail; Business; Sales Operations; Etc.
• Operations: Planning; Production; Distribution; Etc.
• Finance: Accounting; Procurement; Real Estate; Etc.
• IT: Development; Operations; Infrastructure; Etc.
• Etc.
Phase Two: Identify Objectives and Risks
• Always start with the Organization’s Objectives
• Determine whether Objectives are in line with the organization’s mission and vision
• Interview employees and do some on-site observations
• Review key metrics, trends, processes and documentation
• Examine the quality of management
• Analyze the Risk Factors disclosed in the annual 10-K filing
• Review the external factors and recent problems identified at other companies
• During discussions with Management, inquire about recent or upcoming changes in the following:
  – Regulatory environment
  – Technology
  – Management
  – Lines of business or business acquisitions/divestitures
  – Risk Appetite
  – Any known or projected economic factors
Top 10 Business Risks in 2016 (Allianz Study) [chart not reproduced]
Phase Three: Rate and Rank Risks
• Complete interviews with the IA Team, Corporate Compliance, Senior Management and the External Auditors
• Identify current means by which management mitigates risks
• Document Key Inherent Risks, Mitigating Controls and the Residual Risks
• Design a measurement system for Likelihood and Impact of identified risks and give consideration to Vulnerability
• Work with Senior Management to rate and rank key risks
• Compare risks across departments and normalize outliers

Draft rating and ranking measurements for impact and likelihood. Consider the following drivers:

Impact drivers
• Financial
• Reputational
• Regulatory
• Employee Safety
• Staff Morale

Likelihood drivers
• Controls are weak or non-existent
• Area and processes are complex
• Processes are highly manual
• High department turnover
• Department is new
Example scoring sheet (scores on a 1 to 5 scale; Avg. is the mean of the driver scores):

Risk: Accepting customers with poor credit
  Impact drivers: Financial 4; Etc. 5; Avg. 4.5
  Likelihood drivers: Internal Controls 1; Complex Process 2; Etc. 3; Avg. 2

Risk: Sales comp. plan not meeting objectives
  Impact drivers: Financial 3; Etc. 5; Avg. 4
  Likelihood drivers: Internal Controls 4; Complex Process 5; Etc. 3; Avg. 4
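The scoring sheet above worked through in code, as an added example that is not part of the original deck. It assumes the unnamed “Etc.” columns are Reputational (impact) and Manual Process (likelihood), that an inherent score is impact × likelihood, and that the heat-map thresholds shown are illustrative; none of those choices come from the slides.

```python
from dataclasses import dataclass

# Constructed sample data reproducing the two rows of the scoring sheet.
# Driver names for the "Etc." columns are assumptions, not from the slides.
IMPACT_DRIVERS = ("Financial", "Reputational")
LIKELIHOOD_DRIVERS = ("Internal Controls", "Complex Process", "Manual Process")


@dataclass
class Risk:
    name: str
    impact: dict       # driver name -> score 1..5
    likelihood: dict   # driver name -> score 1..5

    def _check(self, scores: dict, drivers: tuple) -> None:
        # Every driver must be scored and every score must be an integer 1..5.
        for d in drivers:
            v = scores.get(d)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{self.name}: bad score for {d!r}: {v!r}")

    def impact_score(self) -> float:
        self._check(self.impact, IMPACT_DRIVERS)
        return sum(self.impact[d] for d in IMPACT_DRIVERS) / len(IMPACT_DRIVERS)

    def likelihood_score(self) -> float:
        self._check(self.likelihood, LIKELIHOOD_DRIVERS)
        return sum(self.likelihood[d] for d in LIKELIHOOD_DRIVERS) / len(LIKELIHOOD_DRIVERS)

    def inherent_score(self) -> float:
        # Assumption: inherent risk = average impact x average likelihood (1..25).
        return self.impact_score() * self.likelihood_score()


def heat_map_cell(score: float) -> str:
    # Assumed thresholds for a three-band heat map; tune to the organization's appetite.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_risks(risks: list) -> list:
    """Return (name, impact, likelihood, inherent, cell) rows, highest inherent risk first."""
    ranked = sorted(risks, key=lambda r: r.inherent_score(), reverse=True)
    return [(r.name, r.impact_score(), r.likelihood_score(), r.inherent_score(),
             heat_map_cell(r.inherent_score())) for r in ranked]


SAMPLE_RISKS = [
    Risk("Accepting customers with poor credit", {"Financial": 4, "Reputational": 5},
         {"Internal Controls": 1, "Complex Process": 2, "Manual Process": 3}),
    Risk("Sales comp. plan not meeting objectives", {"Financial": 3, "Reputational": 5},
         {"Internal Controls": 4, "Complex Process": 5, "Manual Process": 3}),
]
```

Running `rank_risks(SAMPLE_RISKS)` reproduces the sheet’s averages (4.5/2 and 4/4) and shows why the second risk ranks higher despite its lower impact: its likelihood doubles the product.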
Communicating the Risk Assessment to the Audit Committee
• Present an overview of the risk assessment process by highlighting the key steps followed in the three Phases
  – Phase One: Create an Audit Universe Map
  – Phase Two: Identify Objectives and Risks
  – Phase Three: Rate and Rank Risks
• Develop a summary of the most significant risks
  – Categorize risks into financial, operational, and compliance
  – Consider staying under 20 risk categories and discuss sub-risks
• Consider using a heat map if not too busy
  – One with Inherent risks and one with Residual risks
• Include risk response and linkage to the audit plan

[Diagram: inputs feeding the Risk Assessment: External Factors, Dept. Leaders, Control Structure, External Auditors, Board of Directors, Key Changes, Key Metrics & Trends]
DOs and DON’Ts

DOs
• Use risk self-assessment workshops to take advantage of the insights of other managers.
• Get consensus on measuring risks and risk tolerances.
• Establish participants’ understanding of the effectiveness of controls and other risk responses used in the organization.
• Work closely with leadership to understand strategy and key objectives.
• Communicate a high-level, clear summary of the Risk Assessment to the Audit Committee.

DON’Ts
• Do not rely on surveys to capture initial thoughts about risks.
• Do not ignore the financial impact on the organization.
• Do not forget to consider the state of controls and other risk management practices in the organization.
• Do not perform the assessment in a vacuum, ignoring key objectives and looking only backwards at past problems.
• Do not ignore input from the Audit Committee, and do not give the Audit Committee too much detail about the risk assessment.
Looking Past the Horizon
COSO released the draft Enterprise Risk Management (ERM) – Aligning Risk with Strategy & Performance document for public comment (comments accepted through September 2016). The draft:
• Adopts a components and principles structure
• Simplifies the definition of ERM and renews focus on ERM integration
• Emphasizes the relationship between risk and value
• Examines the role of culture
• Elevates discussion of strategy
• Enhances alignment between performance & ERM
• Links ERM into decision-making more explicitly
• Delineates between ERM and internal controls
• Redefines risk appetite (risk tolerance)
Appendix - Paragon Audit & Consulting
• Global risk and compliance advisory firm founded in 2003 and headquartered in Denver
• Clients range from small privately held and nonprofit organizations to large government and SEC entities with revenue over $75B
• Services include
  – Internal audit
  – Sarbanes-Oxley
  – Quality Assessment Reviews
  – Process improvement consulting services
• Majority of our professionals have between 15 and 30 years of experience in internal audit, IT audit, external audit, IT and Finance
• Very nimble firm with competitive pricing