Posts filed under ‘Internal Auditing’

COSO introduces updated Internal Control Framework

Many in the Internal Audit Community would be aware that COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released an updated Internal Control Framework on May 14, 2013.

The COSO Framework, initially introduced in 1992 and possibly the most widely accepted internal control framework, has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting.
The business environment has witnessed significant changes since the original framework was released, and the Board felt it was time to align the framework to the emerging landscape and stakeholder expectations, including:

  • Expectations for governance oversight
  • Globalization of markets and operations
  • Changes and greater complexities of business
  • Demands and complexities in laws, rules, regulations, and standards
  • Expectations for competencies and accountabilities
  • Use of, and reliance on, evolving technologies
  • Expectations relating to preventing and detecting fraud

The framework solidifies some of the concepts mentioned in the previous versions as specific principles to assist management in implementing a sound internal control framework.

What should companies do?

Senior Management should work closely with their internal audit groups to:

  • Review the updated COSO Framework and evaluate how it impacts their internal control structures and procedures for each of the COSO components and principles. If the company had adopted the original framework, management would need to focus their attention on the key changes.
  • Apprise their Audit Committee of any impact to their organizations and how the internal controls will be changed or enhanced as a result of the new guidance.
  • Consider adopting the changes within their internal control system as soon as feasible.

May 24, 2013 at 8:39 pm

An Effective Risk Identification Approach

LinkedIn groups feature many interesting discussions on risk management practices. In the Enterprise Risk Management (ERM) group on LinkedIn, I came across an interesting question posed by a member.

“In terms of operational risk in the financial environment, what would be the best approach to follow to ‘teach’ someone how to identify risks in their environment? Thinking about an effective risk identification approach, instead of the ‘top-of-mind’ approach to identifying ‘top 10’ risks.”

There were a couple of other interesting responses, but my own view is that “top of the mind” risks are not necessarily a bad place to start. An effective risk identification approach would include the following steps:

1. Start with the “Top of Mind Risks”

Top-of-mind items are usually there, occupying center stage in people’s minds, because they are usually the most critical issues facing the industry, the organization or the function.

2. Develop a more comprehensive risk universe

Obviously it’s not enough to stop at just those top-of-mind items; we should supplement them with other items, both from within the organization and from external factors. Sources of this risk information could be current issues facing the business or the industry, past trends, known loss events, emerging risk scenarios, potential black swans, etc. A more comprehensive universe of potential risks would be the result of this exercise.

3. Identify the critical risks facing the business

It’s also crucial to get organization-wide views on which of these risks are most critical to your business and have the highest potential impact and probability of occurrence. Consolidating the views of the C-suite and the business functions can help create a shared view of the risks facing the organization and develop appropriate response strategies.

February 10, 2013 at 7:34 pm

IIA GAIN Report on Top Ten Risk Management Imperatives for Internal Audit

The Institute of Internal Auditors (IIA) published a report on the 10 Risk Management Imperatives for Internal Auditing.

The timely and insightful report, based on a recent IIA Global Audit Information Network (GAIN) survey, highlights the evolving role of the Internal Audit profession in light of heightened expectations of their organizations and their key stakeholders. The IIA GAIN report provides a useful guide for Chief Audit Executives to proactively transform their internal audit functions to meet these expectations and deliver increasing value.

The report emphasizes how today’s business environment is characterized by mounting pressures for stronger, more effective risk management. It also states that there is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in a post-meltdown world, since audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprise-wide risk assessments.

The cornerstone of the increased focus on risk management is the need to rebuild trust in our corporate society. Since the economic crisis, many companies have gone into intense soul-searching mode to identify what went wrong, what they could have done differently and, more importantly, what they can improve in future. Companies are trying to better balance risks and rewards and are taking a hard look at compensation practices and their corporate governance and oversight functions. In addition, Standard & Poor’s assessment of the Enterprise Risk Management function of companies is expected to bring greater scrutiny of the company’s risk management and oversight functions.

Many internal audit groups are stepping up to the plate and taking on the role of integrating various governance, risk and compliance initiatives, including SOX 404, Information Technology, financial reporting and compliance, to provide deeper visibility to senior management and the Board on key risk indicators and the organization’s performance metrics in those areas.

It’s important to focus on the key strategic risks that can “put a company out of business”, as well as reputational risks that can lead to negative public, investor and regulator perceptions. Risk Management groups must look beyond past events as a guide and focus on an aggregated picture of “what could go wrong” across the enterprise. Leading companies now use scenario planning and leading indicator analysis to identify potential risks and opportunities and the likelihood and impact of such events on the organization’s business goals.

Studies have shown that companies with robust risk management and governance are perceived as quality organizations and attract greater valuations over the long term than companies that are not so perceived. Therefore, effective risk management should permeate the entire organization and involve a collaborative effort, with senior management in a risk management implementation and ownership role, Internal Audit as a value-added independent assessment function, and the Board in an oversight and monitoring role.

November 4, 2009 at 4:05 pm
