Slide 1 - Northern India Regional Council of ICAI


RISK MANAGEMENT ASSURANCE:

Developing Internal Audit Strategy

CA. Naval Bajaj

(CIA, CISA, M.Com, DIT)

National Seminar on Audit, Risk and Governance, IASB, ICAI – November 8, 2014

● Delhi

Important Note

• The views expressed in this presentation are the personal views of the speaker and are not the views of the organization to which the speaker belongs.

• For any clarifications / objections on the subject discussed in this presentation, please contact the event co-ordinator or IASB Chairman.


Risks

“No risk no profit”
“Life itself is a risk, why to worry too much”
“If you are not willing to risk the unusual, you will have to settle for the ordinary…..etc…”

Risk Aware Not Risk Averse


Some unplanned events are trivial (depending upon their context)

“The bus was late”
“No one ordered the biscuits”
“No one checked for spelling misteaks”
“The bus was early”

Other events have had more serious impact


Risks and Context

| Unplanned Event (Risk) | Context |
| --- | --- |
| No one checked for spelling mistakes | …in the first version of the book published yesterday on Companies Act. |
| A girl had to wait at the bus stand for 2 hours | …at a Delhi bus stand near Saket at 11pm in the night. |
| I have contracted “eye flu” and am not able to read / see anything | Tomorrow is my CA Final Exam. |

Risk Management Definition

Institute of Internal Auditors:

“A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of organization objectives.”

ISO:

“Coordinated activities to direct and control an organization with regard to risk”

COSO:

"…process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Risks for a CA in practice

For illustration purposes

Strategic:

- New branch to be opened in Chennai may not get adequate business
- I may not have adequate number of partners to meet eligibility requirements for a bank audit empanelment in 2015

Operations:

- Shortage of staff at work due to CA exams
- A misrepresentation in front of ITAT resulting in heavy tax levy to client
- Time and cost overruns on an assignment of internal audit
- Out of pocket travel and expense claims are fraudulent

Compliance:

- Regulatory returns not filed timely / accurately
- An apparent fraud not discovered which may lead to professional misconduct / Companies Act penalties

Reporting:

- Firm balance sheet may be materially misstated due to errors

Structured Risk Management

Whenever a business decision is made, some sort of risk assessment is made by the decision makers all the time!

Why do we need a formal risk management process / function?

- Because of LEGAL REQUIREMENTS (Audit Committee and Independent Directors)
- Because of BUSINESS REQUIREMENTS (Size and operations complexity)
- Because of INVESTOR EXPECTATIONS (Private equity, angel investors need assurance on their money)

Risk Management Assurance

IA Strategy

Situation 1 (IIA Practice Guide): No formal Risk Management framework / process exists.

- Internal Audit risk assessment is the only source the board is exposed to.
- Increased effort by CAE to report on risk management and assurance activities to the board / AC
- Top-down approach is taken for Annual Audit Planning
- Risk-based follow up
- Internal Audit may help establish the risk management function (consulting activity)

Situation 2 (IIA Practice Guide): A formal risk management framework exists.

- An audit of the design & effectiveness to be done
- CAE needs to coordinate with other assurance providers and also form an opinion based on their assurances
- Bottom-up and Top-down approach for Annual Audit Planning

Internal Audit Role

Assurance 1: The risk management framework:

- is backed by top management
- is formalized
- defines roles and responsibility clearly
- provides guidance on assessment of risks impact
- defines the risk appetite
- suggests strategies to deal with risk

Assurance 2: Organization focusses on training and awareness process to all “decision makers” at middle and senior management level to develop and maintain the organization culture.

Assurance 3: Everyone identifying, assessing and evaluating a risk talks in the same language (risk appetite, risk maps, organization of risk committees)

Assurance 4: Defined reporting mechanisms and time scales exist and are consistently applied.

Assurance 5: The organization is able to identify all KEY risks, assess them in a consistent manner, and has clear guidelines to manage the identified risks.

Suggested Reading

- IIA Practice Advisory on Risk Management and Assurance
- India Risk Survey 2013 by FICCI and Pinkerton
- KPMG Fraud Survey
- COSO ERM Framework

QUESTIONS?