Module 5 - TV Worldwide

Transcript Module 5 - TV Worldwide

Using ERM Concepts in Managing Controls
The Institute of Internal Auditors
August 10, 2004
Ed Dudley, CIA, CPA
Retired Vice-President & General Auditor, ABB Americas
Agenda
• Introduction & Overview (Ed Dudley)
• Integrating ERM Concepts in a Facilitated Entity Evaluation (Lynn Fountain)
• Using Risk Assessment to Assess Control Deficiencies (Paul Sobel)
• Integrating ERM – A Multidimensional View (Peg Weir)
• Break
• Q&A
Key Risk Issues for Today
• Benefits of Using an ERM Approach
• Approach for Measuring Entity Level Controls
• ERM Principles in Assessing “Soft” Attributes
• Risk Management for an Entity Evaluation
• ERM Planning Considerations
• Key Control Deficiency Questions
• Making Control Deficiency Assessments
• Understanding Risk Tolerance Considerations
• Developing Performance Based Culture and Metrics
• Benefits of Continuous Improvement Life Cycle Approach
Integrating ERM Concepts in a Facilitated Entity Evaluation
Lynn Fountain
VP Risk Assessment & Audit Services
Aquila, Inc.
Measuring Entity Controls Utilizing ERM
COSO components evaluated: Control Environment, Control Activities, Risk Assessment, Information & Communication, Monitoring.
• What attributes will be evaluated?
• Define stages of maturity.
• Determine each attribute’s maturity stage.
• What stage of maturity is considered acceptable?
• Where the current stage is less than desirable, what are the underlying reasons and causes?
• Based on management’s risk strategy, what attributes should be addressed to improve their current state?
• Do the capabilities (people, process, technology and information) exist to execute the desired state?
• How will actions be monitored?
ERM flow: Risk Assessment, Risk Analysis, Risk Strategy, Risk Capabilities. Filters applied along the flow:
– Filter: key attributes that fall below the desired stage.
– Filter: consider what attributes should be improved to meet management strategies.
– Filter: identify methods to monitor actions.
Facilitated Approach to Measuring Entity Controls
• ERM principles provide a structured method to assess the “soft” attributes of entity evaluation.
• Benefits of using an ERM approach:
– Align management risk appetite with risk evaluation
– Enhance response to risk identification
– Identify how evaluation permeates across the organization
– Identify integrated solutions for managing risk areas
Planning Considerations
• Ensure use of ERM principles
– Attributes to be voted, as well as session participants, must be reflective of the entire organization
– Communication of voting stages must include considerations for cost vs. benefit
– Voting considerations must include how actions permeate across the organization; they should not be based on one event
– Attributes voted must be able to have actionable items for any remediation to be considered
Session Planning
• Identify voting attributes
– Attributes should cover the five components of COSO
• Define scale and stages
– Stages are consistent throughout definitions
– Provide for voting in between stages
• Identify participants
– Cross-functional representation: financial, operational, compliance
• Conduct pre-sessions
– Review voting scale, attributes and definitions
Session Execution
• Define “rules of the day”
• Encourage open feedback
– Discussion is the most value-added portion
– Ensure anonymity of individual comments
• Monitor real-time voting for large variances in opinion
– Facilitate discussion when voting is widely dispersed
– Consider a re-vote
• Avoid common pitfalls
– Group think
– Voting creep
– Duress voting
– Dominant participant
– Fatigue
Risk Management Capability Characteristics Stages: Entity Evaluation
• Stage A
– Process ad hoc
– Results often left to the heroics of individuals
• Stage B
– Informal processes
– Not well communicated or executed
• Stage C
– Formal processes that are adequate
– Processes may not always be consistent or well communicated
– Areas of improvement in efficiency and effectiveness
• Stage D
– Formal processes that are well executed
– Processes are consistent and well communicated
– Improvement area exists in relation to monitoring and KPIs
• Stage E
– Processes are optimal
– Best practice methods and metrics
Example Attributes
• Control Environment
– Ethics Policy
– Ethical Values
– Ethics Reporting
– Ethics Discipline
– Commitment to competence – personnel
– Commitment to competence – management
– Commitment to competence – external auditors
– Mgmt structure & operating style
– Mgmt financial reporting philosophy
– Mgmt internal control philosophy
– Mgmt incentives
– Mgmt financial goals
– Organization structure and size
– Ownership and Accountability
– Policy establishment
– Approvals
– Segregation of Duties
– HR Policies and Procedures
– Job Screening
– Job Descriptions
– Job Performance
Example Attributes
• Risk Assessment
– Business Objectives
– Strategic Plan
– Method to identify business risks
– Mgmt Risk Tolerance
– Acquisitions/Divestitures
– Budgets
– Accounting, Operating and Regulatory Changes
• Information and Communication
– Systems Reliability
– Users
– Change Control
– DR Plan
– Business Continuity
– Management Communication
• Control Activities
– KPIs
– Financial Reports
– Reconciliation of Physical Assets
– Physical Inventories
– Destruction of Assets
• Monitoring
– Monitoring Overrides
– Correcting Deficiency
– Monitoring process change
Deliverables
• Graphical depiction of voting averages
• Evaluate areas that fall below the desired stage
• Determine actions & obtain management sign-off
• Assign target dates and responsibilities
• Communicate results
– Board
– Management

SUMMARY
• Approach Benefits
• Planning Considerations
• Execution of Session
• Deliverables Post-Session
• Remediation/Follow-up
Using Risk Assessment to Assess Control Deficiencies
Paul J. Sobel
Vice President, Internal Audit
Mirant Corporation
Control Deficiency Questions
• If a control deficiency were to occur, how bad could it be?
– Impact on financial reporting
– Likelihood of that impact occurring
• How could that deficiency manifest itself, i.e., what are the scenarios should it occur?
• What are the levels over which a deficiency becomes significant? Material?
Key Risk Decisions
• What is our tolerance relative to control deficiencies?
• How would the deficiency occur, i.e., what are the scenarios?
• What is our risk assessment of the deficiency?
ERM components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring.
Deficiency Assessment (impact vs. likelihood matrix)
Likelihood (horizontal axis): Remote | More than remote
Impact (vertical axis):
• Material: Not a Significant Deficiency | Material Weakness
• Consequential: Not a Significant Deficiency | Significant Deficiency
• Inconsequential: Not a Significant Deficiency | Not a Significant Deficiency
Impact Types
• Financial Impact
• Reporting/Filing Delay
• Fraud Potential
• Pervasive Impact
• Technical Violation

Likelihood Factors
• Nature of account, disclosures and assertions
• Susceptibility to loss or fraud
• Subjectivity, complexity or judgment involved
• Cause and frequency of known exceptions
• Interdependence or redundancy of controls
Potential Scenarios
Potential scenarios are plotted on the impact/likelihood matrix (impact: Material, Consequential, Inconsequential; likelihood: Remote, More than remote; outcomes: Material Weakness, Significant Deficiency, Not a Significant Deficiency).
“. . . evaluating deficiencies and whether they constitute significant deficiencies or material weaknesses will necessarily always involve judgment.” – PCAOB
Tolerance Considerations
• Quantitative Factors
– % of revenues, assets or income
• Materiality level = .0025 - .005 x revenues (i.e., .25% - .5%), or 5% of operating income
• Significance level = 5% - 20% of materiality
– Change in EPS (e.g., 1¢)
– More than rounding
– Change in key financial ratios
• Qualitative Considerations
– Entity-level considerations (e.g., tone at the top)
– Nature of controls
– Ability to monitor controls
– Nature of disclosures (e.g., related party implications)
– Non-direct considerations (e.g., credit rating, regulatory compliance)
Summary
• Evaluating control deficiencies requires a great deal of judgment
• Utilizing risk management concepts, particularly risk assessment, brings some structure to those judgments
• Must develop and articulate tolerance levels
• Think through the various scenarios
• Caution: don’t let it become a black-and-white decision-making process
(Impact/likelihood matrix shown again: Material Weakness, Significant Deficiency, Not a Significant Deficiency against Remote / More than remote likelihood.)
ERM – A Multi-Dimensional View
Margaret (Peg) Weir
Manager, Internal Control Group
United States Postal Service

ERM: A Multi-Dimensional View
• United States Postal Service
– Independent government entity; self-sustaining
– Board of Governors
– Management - Internal Control Group
– Inspection Service
– Internal Auditor - Office of Inspector General
– Government oversight
– External Auditor
Enterprise Risk Hierarchy
• Transformational
– Board
– Business environment & management priorities/strategies
• Management (includes Internal Control Group)
– Board - Audit & Finance Committee oversight
– External and internal audit findings
• Traditional
– Financial: Internal Auditor, External Auditor
– Fraud: Inspection Service
– Events: special cases

ERM Continuous Improvement Life Cycle
Components: Control Environment, Control Activities, Risk Assessment, Monitoring, Information & Communication.
Business Review Committee / Internal Control Process Cycle
• HQ IC meets with HQ functional peers to discuss risks
• HQ IC evaluates data related to identified risks
• HQ IC proposes national risk prioritization (supported by data) to the Business Review Committee for concurrence
• Field IC evaluate local data relative to national priorities to determine appropriate local risk prioritization
• HQ IC reports to the BRC on progress of nationally prioritized risk mitigation efforts

Internal Control Process Cycle
• Management prioritizes risks based on data or other influences
• IC Analysts analyze additional data and review prioritized internal controls
• IC Analysts work with process owners to determine root causes and develop risk mitigating solutions
• Process owners implement risk mitigating solutions
• IC Analysts monitor results and share best processes enterprise wide

Risk Assessment Model
ERM: A Multi-Dimensional View
• Ongoing risk assessment in the ERM lifecycle
– Data driven risk analysis
– Partnerships to address risks and achieve goals & objectives
– Ongoing monitoring
– Linkage to national performance metrics
• Hierarchy of internal and external considerations
• Prioritization/Evaluation/Improvement/Monitoring
• Quarterly and annual assessment and reporting
Q&A

Summary of Main Points
• Use a Facilitated Approach to Measuring Entity Level Controls
• Ensure the Use of ERM Principles
• Utilize Facilitated Session Planning and Execution
• Determine Deliverables and Communicate Results
• Ask Key Control Deficiency Questions
• Key Risk Decisions Must Revolve Around Risk Tolerance, Occurrence Scenarios and Risk Assessment
• Evaluate Control Deficiencies With Risk Management Concepts - Particularly Risk Assessment
• Consider Both Internal and External Influences
• Link Key Performance Metrics to ERM Improvements
• Continuously Improve Controls Through Monitoring and Prioritizing
Get Your CPE Certificate:
If you are a primary Webcast participant:
• If you view the live Webcast, you should be receiving your CPE certificate via email today.
• You can also view the certificate in your account. Just log in and hit the “CPE” button.
• If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.
If you are not the primary participant but will be viewing the Webcast:
• Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.

September 14, 2004
“Role of Transition – Year 2”

Webcast Evaluation
Visit the Login Page