Complementary role played by CAE and CRO towards good
governance and sustainable service delivery
Makhosandile Kwaza
IMFO Audit & Risk Indaba
08 April 2013
Agenda
• Who is the CAE
• What is Internal Auditing
• Role of Internal Audit in Governance processes in terms of
ISPIA
• Role of Internal Audit in Risk Management in terms of ISPIA
• Role of Internal Audit in control as required by ISPIA
• Who is the CRO in terms of the COSO framework
• Definition of RM in term of the COSO framework
• Risk Management process in terms of the COSO framework –
complementary role of the CAE and CRO
Who is the Chief Audit Executive (CAE)
• According to the IIA ISPIA glossary:
- The top position within the organisation responsible for internal
audit activities. Normally this would be the internal audit director.
- Where internal audit activities are obtained from
outside service providers, the CAE is the person responsible
for overseeing the service contract and the overall quality
assurance of these activities, reporting to senior
management and the board regarding internal audit activities
and following up on engagement results.
- The term also includes such titles as general auditor, chief
internal auditor and inspector general.
What is Internal Auditing
• Independent, objective assurance and consulting services
designed to add value and improve an organization’s
operations.
• The internal audit activity helps an organization accomplish
its objectives by bringing a systematic, disciplined approach
to evaluate and improve the:
- effectiveness of governance,
- risk management, and
- control processes.
Standard 2110 – Governance
• The internal audit activity must assess and make
appropriate recommendations for improving the
governance process in its accomplishment of the
following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and
accountability;
- Communicating risk and control information to appropriate areas of the
organization; and
- Coordinating the activities of and communicating information among the
board, external and internal auditors, and management.
Standard 2120 – Risk Management
• The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management
processes.
• Determining whether risk management processes are effective
is a judgment resulting from the internal auditor's assessment
that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite;
- Relevant risk information is captured and communicated in a timely manner across the
organization, enabling staff, management, and the board to carry out their responsibilities.
• Risk management processes are monitored through ongoing
management activities, separate evaluations, or both.
Standard 2130 – Control
• The internal audit activity must assist the organization in
maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting continuous
improvement.
• The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the
organization’s governance, operations, and information
systems regarding the:
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations;
- Safeguarding of assets; and
- Compliance with laws, regulations, and contracts.
Who is the Chief Risk Officer (CRO)
• According to the COSO Integrated Framework, the CRO is a centrally
coordinated point within an organisation, established to
facilitate enterprise risk management.
• The CRO works with other managers to establish effective risk
management in their areas of responsibility.
• The office of the CRO is established by and under the auspices
of the chief executive, and therefore the CRO has the resources to
help effect enterprise risk management across departments,
functions and activities.
COSO Definition of Risk Management
– Risk management is a continuous, proactive and systematic process,
effected by a municipal Council, Municipal Manager, management and
other personnel,
– applied in strategic planning and across the organisation, designed to
identify potential events that may affect the municipality, and to manage
risks to be within its risk tolerance, to provide reasonable assurance
regarding the achievement of the municipal objectives.
[Slide diagram: structure of a risk register. Recoverable fields:]
• Organisational Objective
• Risk: Risk Description (a description of the risk), Risk Experience
(previous occurrences), Contributing Factors, Risk Category, Risk Sub
Category, Risk Causal Category
• Risk Analysis and weighting: Qualitative Analysis (Minor / Moderate /
Major), Quantitative Analysis, Weighting Pre Control, Weighting Post
Control, Priority, Risk Details
• Controls: Nature of Control, Control Procedure, Timing of Control,
Frequency, IT/Governance Control, Operational Summary
• Control Strategy: Accept, Avoid, Manage
• Action Plans: Owner, Completion Date, Status
COSO: Committee of Sponsoring Organisations of the Treadway Commission
Internal Control – Integrated Framework
[Slide diagram: the COSO components with their outputs. Recoverable content:]
• Internal Environment: risk management philosophy and risk appetite
• Objective Setting: objectives and unit of measure; inventory of
opportunities; risk tolerance
• Event Identification: inventory of risks
• Risk Assessment: inherent risks, risk response, residual risk
• Risk Response: risk responses and portfolio
• Control Activity
• Information and Communication: outputs, indicators, reports
• Monitoring
THE END