
AASHTO SUBCOMMITTEE FOR INTERNAL/EXTERNAL AUDIT ANNUAL MEETING - PowerPoint PPT Presentation



  1. AASHTO SUBCOMMITTEE FOR INTERNAL/EXTERNAL AUDIT ANNUAL MEETING
     Doubletree Hotel, Orange, California
     July 9, 2019, 10:30am – 11:45am
     Vicki McIntyre, CIA, CPA, CFSA, CRMA, CGAP

  2. AGENDA
     - Introduction to Risk
     - Enterprise Risk Management
     - Opportunities for Internal Audit Teams
     - Opportunities for Internal Auditors
     - OMB Circular A-123
     - COSO Internal Control Framework – Risk Assessment Component

  3. INTRODUCTION TO RISK

  4. INTRODUCTION TO RISK
     (Diagram; labels recovered from the slide: Mission, Vision, Values; Strategic Plans; Business Unit Goals and Objectives; Program Risk Analysis; Internal Controls.)

  5. ENTERPRISE RISK MANAGEMENT
     - NOT a program,
     - NOT a department,
     - NOT a process, either!
     Risk management is an integral component of decision making.

  6. ENTERPRISE RISK MANAGEMENT In 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an update to its 2004 COSO Enterprise Risk Management framework. The name of it says it all: Enterprise Risk Management - Integrating With Strategy and Performance. Risk management is all about strategy and performance.

  7. ENTERPRISE RISK MANAGEMENT
     - The new COSO ERM lays out a framework for improving risk management so better decisions are made, helping an organization accomplish its objectives.
     - The framework is not another process to be sent to the ERM team or even to a committee or work group.
     - It needs to be incorporated into the fabric of the organization, providing guidance, tools, processes, and many other elements to improve risk management, regardless of the decision being made.

  8. ENTERPRISE RISK MANAGEMENT
     The updated framework’s five interrelated components:
     - Governance and Culture
     - Strategy and Objective Setting
     - Performance
     - Review and Revision
     - Information, Communication and Reporting

  9. ENTERPRISE RISK MANAGEMENT
     - Risk Is Not the Focus
     - Risk Is Not an Evil to Be Eliminated
     - There Are Many Ways to Respond to Risk
     - Risk Management Is More a Skill and Mindset Than a Process
     - All of the Framework Is Important
     - ERM Does Not Compete With Internal Controls

  10. OPPORTUNITIES FOR INTERNAL AUDIT TEAMS
     - Coordination and Reliance – IIA Standard 2050
     - IA responsibility for agency’s ERM approach – IIA Position Paper, “The Role of Internal Auditing in Enterprise Risk Management”
     - Facilitation and training
     - Assessments of Management’s design and execution of ERM

  11. OPPORTUNITIES FOR AUDIT TEAMS

  12. AGENCY’S ERM MATURITY
     Enablers:
     - People
     - Processes
     - Technology

  13. OPPORTUNITIES FOR INTERNAL AUDITORS
     - Become conversant with the fundamentals of the ERM framework: internal auditing is all about risk.
     - While we focus on the adequacy/effectiveness of internal controls, internal controls should be viewed as a method to implement the “reduce” response to risk. Risk is central and comes first.
     - Master the concepts of risk: how it is identified, assessed, analyzed, responded to, reviewed, and reported. Without this context, it is not possible to effectively address internal controls.

  14. OPPORTUNITIES FOR INTERNAL AUDITORS
     - Talk less about the adequacy/effectiveness of internal controls and talk more about risk: managing risk, and reducing risk where advised.
     - Management thinks of the world through the perspective of setting out objectives and accomplishing them, all with the goal of delivering performance.
     - The more we talk about those objectives and the events that can impact delivering performance, the more management will understand how internal audit delivers value.
     - We are not here to add bureaucracy with more controls. We are here to help management deliver on its objectives. This requires us to think and talk in terms of risk, potential impact, and response.

  15. OPPORTUNITIES FOR INTERNAL AUDITORS
     - Internal auditors should not only evaluate internal controls, but also management’s choice and implementation of risk responses.
     - Internal controls are but one potential risk response.
     - Internal auditors should be considering all five risk responses in assessing whether management has selected the optimal way to address a risk.

  16. OPPORTUNITIES FOR INTERNAL AUDITORS
     - Internal auditors should not focus blindly on always trying to reduce risk.
     - Risk responses should be designed to improve performance.
     - This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance.
     - When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.

  17. OPPORTUNITIES FOR INTERNAL AUDITORS
     - Internal auditors are some of the best in understanding the theory regarding risk.
     - The revised COSO ERM framework provides us the opportunity to become even more expert in the material so we can help our organizations navigate how best to implement it.
     - Not everyone will see the framework as something worth their attention; this provides a great opportunity for internal auditors!!

  18. OMB’s REVISED CIRCULAR A-123
     - Revised Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, establishes various ERM processes in the federal government.
     - Requires federal executive agency leadership to implement ERM concepts to ensure each agency’s risks are being identified and managed effectively.
     - Revised policy engages all agency managers, beyond the CFO community, and “encourages open and candid conversations about risks facing an organization at all levels.”
     - Envisions significantly more interaction among each agency’s CFO, chief risk officer, risk management council, and performance improvement officer, and advocates the use of professional-society approaches such as “maturity models.”
     - The OMB guidelines for ERM implementation embrace a modern risk assessment framework, the “risk maturity model.”

  19. OMB’s REVISED CIRCULAR A-123
     Advice for implementation to employ ERM concepts to improve organizations:
     - Identify the most significant risks that could prevent your agency from achieving its mission, objectives and goals. Consider risks to strategic, operational, reporting and compliance objectives.
     - Consider remote or improbable events that could be significant and impactful. Black swan events can occur; if we’ve failed to consider the risks, results can be catastrophic.
     - Consider fraud risks, in both their financial and nonfinancial aspects (e.g. loss of the public’s trust and confidence).

  20. COSO INTERNAL CONTROL FRAMEWORK – RISK ASSESSMENT COMPONENT
     Principle 7 – “Identifies and Analyzes Risk” – Points of Focus:
     - Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
     - Analyzes Internal and External Factors
     - Involves Appropriate Levels of Management
     - Estimates Significance of Risks Identified
     - Determines How to Respond to Risks

  21. RISK ASSESSMENT – SAMPLE QUESTIONS
     - Is there a systematic risk assessment process?
     - Are there appropriate personnel involved to adequately identify risks?
     - Are risks identified by level of significance, likelihood of occurrence, velocity and persistence?
     - Is the risk assessment sufficiently comprehensive?
     - Is there a plan to respond to risks identified? (Avoid, Share, Accept, Reduce, Transfer)

  22. OTHER RISK ASSESSMENT CONSIDERATIONS
     Identification and analysis of risk, including risks due to change, fraud risk, legal and regulatory risks, social and technological risks, natural disasters, etc.:
     - Risks due to regulatory changes (e.g. SLAA requirements, accounting requirements and statutory changes)
     - Risks related to contract compliance (e.g. grants and debt covenants)
     - Risks related to personnel changes, off-site communications or structural changes
     - Risks related to recording of routine transactions (e.g. receipts and disbursements) and non-routine transactions (e.g. journal entries)
     - Changing risks associated with IT and cybersecurity
     - Changing taxpayer needs or expectations

  23. OTHER RISK ASSESSMENT CONSIDERATIONS
     Other common areas of identified risks:
     - Basic controls over information technology
     - Bonded debt covenant compliance
     - Accounting and compliance considerations for new regulatory requirements
     - Unusual estimates
     - Related party transactions, conflicts of interest
     - Inadequate segregation of duties
     - Areas particularly prone to public scrutiny

  24. BIBLIOGRAPHY
     - Lawrence B. Sawyer, Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing, 5th Edition.
     - The Committee of Sponsoring Organizations of the Treadway Commission, COSO 2013 Internal Control – Integrated Framework.
     - Donald Holzinger, CPA, and Christopher Parker, CPA, “How formal ERM implementation can help federal agencies,” Journal of Accountancy, June 2018.
     - Doug Anderson, “COSO ERM – Getting risk management right,” Internal Auditor, October 2017.
