Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

294 Risk assurance and reporting

Table 31.2 Components of the CoCo framework

Purpose

Objectives should be established and communicated

•

Signiﬁ cant internal and external risks should be identiﬁ ed and assessed •

Policies should be established, communicated and practised •

Plans should be established and communicated •

Plans should include measurable performance targets and indicators •

Commitment

Shared ethical values should be established, communicated and practised

•

HR policies should be consistent with ethical values •

Authority, responsibility and accountability should be clearly deﬁ ned •

Mutual trust should be fostered to support the ﬂ ow of information •

Capability

People should have the necessary knowledge, skills and tools

•

Communication processes should support the values of the organization •

Sufﬁ cient and relevant information should be identiﬁ ed and communicated •

Decisions and actions within the organization should be co-ordinated •

Control activities should be designed as an integral part of the organization •

Monitoring and Learning

Environment should be monitored to re-evaluate controls

•

Performance should be monitored against the targets •

Assumptions behind objectives should be periodically challenged •

Information needs and related information systems should be reassessed •

Procedures should be established to ensure appropriate actions occur •

Management should periodically assess the effectiveness of control •

The rationale behind CoCo is explained in the framework as follows:

A person performs a task guided by an understanding of its purpose and supported by

capability. The person needs a sense of commitment to perform the task well. The

person monitors his or her performance and the external environment to learn how to

do the task better and any required changes. In any organization of people, the essence

of control is the four components set out above.

There are similarities between the CoCo approach and the LILAC measure of risk awareness

or risk culture that has been mentioned previously. The LILAC approach suggests that risk

Evaluation of the control environment 295

management activities will be embedded when the risk culture displays leadership, involve-

ment, learning, accountability and communication. Individual organizations should decide

how they wish to measure the control environment/risk-aware culture within the organiza-

tion. Whatever method is used to measure the risk culture, there is no doubt that it is critical

to the successful implementation of risk management.

CoCo is an internal control framework, but it is described in this chapter because it is an estab-

lished framework. There is a strong interface between risk management activities and internal

control and therefore the CoCo framework provides a useful means of evaluating the risk

culture of an organization. CoCo deﬁ nes three major objectives of controls:

effectiveness and efﬁ ciency of operations; •

reliability of internal and external reporting; •

compliance with applicable laws and regulations and internal policies; •

including objectives. •

Features of the control environment

There are signiﬁ cant differences between COSO and CoCo, as well as several key similarities.

CoCo has a broader approach to the control environment than is set out in COSO. To give

two examples of the broader approach in CoCo, it recognizes that controls are required in the

setting of objectives, strategic planning and corrective actions; it also recognizes that the

control environment of an organization is important when making decisions.

When undertaking an evaluation of the control environment using the structure of CoCo, a

company may discover that good scores were obtained for purpose, commitment and capabil-

ity of the organization. However, the score for the monitoring and learning component may

not be good enough. This information will enable the company to identify that it needs to pay

more attention to the areas of challenging objectives and the assumptions that lie behind them.

Better auditing of controls and a structured senior management review of risk management

and internal control activities can then be introduced.

The main differences in approach between COSO and CoCo are that CoCo is more explicit

about the following issues:

identiﬁ cation of need to exploit opportunities; •

mitigation of weaknesses in business resilience; •

the importance of individual trust to the quality of the control environment; •

the need to periodically challenge assumptions. •

296 Risk assurance and reporting

There are two versions of COSO, and it is the COSO ERM framework (2004) that is consid-

ered in detail in this book. The early version of the framework is COSO Internal Control

(1992) and the ﬁ rst component of the COSO Internal Control framework is called the control

environment. The features of the control environment that are considered to be important by

COSO Internal Control are:

commitment and competence; •

audit committee; •

philosophy and operating style of management; •

organizational structure; •

assignment of responsibility and authority; •

human resources policies and practices. •

CoCo framework of internal control

The ﬁ rst component of the CoCo framework is concerned with the establishment and com-

munication of objectives, the signiﬁ cant internal and external risks faced by the organization

and the policies designed to support achievement of the organization’s objectives. Plans to

assist with the achievement of objectives and the inclusion of measurable performance targets

and indicators are also important aspects of the purpose component of CoCo.

When establishing and analysing the purpose of the organization, CoCo makes it clear that the

risks and opportunities facing the organization should be analysed in detail. The importance

of risk assessment and organizational resilience is emphasized, together with the importance

of recognizing the sources and origins of risk.

The commitment component of CoCo is concerned with shared ethical values, including

integrity. It is also concerned with human resource policies and practices and communication

throughout the organization. Authority, responsibility and accountability are also included,

together with the requirement to achieve an atmosphere of mutual trust.

The capabilities component of CoCo is concerned with the fact that people should have neces-

sary knowledge and skills to support the organization’s objectives, as well as its values. Sufﬁ -

cient relevant information should be identiﬁ ed and communicated, together with decisions

and actions of different parts of the organization. Activity should be co-ordinated and designed

as an integral part of the organization.

The monitoring and learning component of the CoCo framework is concerned with external

and internal environments and the fact that they should be monitored to obtain information.

Performance should be monitored against targets and indicators and assumptions behind the

objectives of the organization should be periodically challenged.

Evaluation of the control environment 297

The information needs and related information systems should be assessed when objectives

change, and a procedure should be established and performed to ensure appropriate change

actions occur in these circumstances. Finally, management should periodically assess the effec-

tiveness of control in the organization and communicate results to appropriate stakeholders.

An example of an organization evaluating its control environment is set out in the box

below.

Evaluating the control environment

Many organizations have created their own formulas for educating employees about

why controls are important and what adopting such measures means to them. The

common element among these organizations is a commitment by senior management

that embraces the internal control model.

Canada Post Corporation uses eight major groupings to evaluate the control

environment, as follows:

leadership; •

planning; •

customer focus; •

people focus; •

process management; •

partnership; •

business performance; •

continuous improvement. •

During self-assessment workshops, executives receive the ﬁ

nal results of all audit work

performed throughout the year. The group then discusses business objectives for the

coming year and the risks that could interfere with achieving them. The participants

rate themselves on a scale of 1 to 10 for each of the criteria. Internal audit then

compares the information it received directly from a business process to the

information the group acquired about that process during other workshops.

Using the workshop results, internal audit develops an audit opinion on the

effectiveness of controls and an audit plan for the coming year. Additionally, internal

auditing provides a summary of the results to the board of directors to consider in its

strategic planning session. The report includes a commentary on the company’s ﬁ ve

highest risks and ﬁ

ve weakest controls.

298 Risk assurance and reporting

Risk-aware culture

Ensuring a risk-aware culture in the organization is vitally important. A risk-aware culture will

be achieved when all members of staff and management understand and accept the impor-

tance of adequate risk management. In addition, management and staff need to understand

the role they will play in the successful management of risks and have a desire to fulﬁ l that role

enthusiastically.

There are many ways in which a risk-aware culture can be demonstrated. Clearly, one of the

ways of demonstrating such a culture is to achieve high scores in a CoCo analysis. COSO ERM

also has an internal environment component, although this is not as comprehensive as the

CoCo framework. Nevertheless, evaluation of the internal environment and the level of risk

awareness within the organization can be undertaken using the COSO ERM framework.

Many organizations regard the combination of COSO and CoCo as an ideal way of combining

the detailed approach within CoCo with the more comprehensive approach of COSO. ISO

31000 refers to the context of risk management. Context has three components in ISO 31000,

described as the internal context, the external context and the risk management context.

Together, analysis of these three contexts will provide information on the status of the risk-

aware culture in the organization.

A subset of a good risk-aware culture is a strong safety culture. Following a major rail crash at

Ladbroke Grove near London Paddington railway station in 1999, the Ladbroke Grove Inquiry

heard various deﬁ nitions of the word ‘culture’. Counsel to the Inquiry submitted that:

A good safety culture is the product of individual and group values, of attitudes and

patterns of behaviour that lead to a commitment to an organization’s health and safety

management. Organizations with a positive safety culture are characterized by com-

munication founded on mutual trust, by shared perception of the importance of safety

and by conﬁ dence in the efﬁ ciency of preventative measures.

Research by the Health and Safety Executive into the components of a safety culture produced

a detailed report and the key components of the safety culture were identiﬁ ed as leadership,

involvement, learning, accountability and communication. This gives rise to the acronym

LILAC, which is described in more detail in Chapter 11. This represents an alternative approach

to the purpose, commitment, capability, monitoring and learning components of the CoCo

framework.

Activities of the internal

audit function

Scope of internal audit

Internal control is concerned with the methods, processes and checks that are in place to

ensure that a business organization meets its objectives. Because internal control is concerned

with the fulﬁ lment of objectives, there is a clear link with risk management activities. Internal

control activities within a large organization are likely to be evaluated by the internal audit

department. In some cases, the internal audit function may be outsourced to an external

accountancy ﬁ rm.

Although there is a distinction between the approach and activities of internal audit and of risk

management, there are areas of common interest. It is generally accepted that risk manage-

ment is an executive function that should be undertaken by the executive members of the

organization. This leads to the conclusion that the risk management committee should be

chaired by an executive board-level director.

Internal audit is primarily concerned with risk assurance, and this will be the concern of the

non-executive audit committee in a large organization. Given that internal audit is validating

the controls and procedures in place to manage risk, it is inappropriate for internal auditors to

fulﬁ l an executive function by assisting management with the identiﬁ cation, design and imple-

mentation of those risk control measures.

Financial assertions

A principal role of internal audit in the overall risk management process is ensuring accurate

reporting. The scope of reporting can spread from informal reporting on risks and risk events

through to formal reporting in the annual report and accounts of the organization. In organi-

zations where the Sarbanes–Oxley requirements apply, internal audit will frequently get

299

300 Risk assurance and reporting

involved in the certiﬁ cation of ﬁ nancial performance, prior to attestation of the results by an

external auditor.

Both internal and external auditors use the concept of materiality. Materiality is a measure of

the importance of an item of ﬁ nancial data. For example, external auditors will need to decide

whether the non-availability of an item of information or the incomplete nature of that infor-

mation is material to the overall ﬁ nancial performance of the organization.

Materiality is an important concept and may be used as a factor when deciding whether a risk

is signiﬁ cant. There will be a relationship between the test of materiality used by auditors and

the test used to determine whether a risk is signiﬁ cant. Typically, the materiality test used by

external auditors will be about 0.05 per cent of annual turnover. So, for an organization with

an annual turnover of £2 billion, the test of materiality is likely to be about £1 million. This

ﬁ gure may be too low to use as the benchmark test for signiﬁ cance of a risk. Typically, the

benchmark test would be ﬁ ve times higher, or £5 million.

The presentation of ﬁ nancial data relies on ﬁ ve basic ﬁ nancial statement assertions, which are

related to:

existence of the information; •

completeness of the ﬁ nancial

data; •

rights and obligations; •

valuation or allocation; •

presentation and disclosure. •

It is important for risk managers to understand the basis of ﬁ

nancial reporting and the agenda

of the ﬁ

nance director. In order to demonstrate the beneﬁ ts of risk management, it will be nec-

essary to quantify the beneﬁ ts and present them in terms that will be understood and accepted

by the ﬁ nance director, as well as external and internal auditors.

Risk management and internal audit

In many large organizations, the working relationship between risk management and internal

audit can be difﬁ cult. Internal audit will be working to an agenda that concentrates on the

effective implementation of efﬁ cient controls. In general, the head of internal audit will have a

senior reporting line to the most senior non-executive member of the board, perhaps even the

chairman.

The risk manager will often have a less senior reporting line, typically to an executive member

of the board. This is likely to be the company secretary or ﬁ nance director. The difference in

reporting lines can be a frustration for the risk manager, but the complementary roles of risk

Activities of the internal audit function 301

management and internal audit should be seen as an opportunity to ensure more effective

implementation of the risk management protocols and procedures.

Both parties should look for areas where they can co-operate without compromising the

overall aims of their individual contributions. For example, both risk management and inter-

nal audit should attend risk assessment workshops. Risk managers may facilitate the risk

assessment workshop, but the responsibility for managing risk will always rest with the

manager of each operational department. Also, the presence of an internal auditor at the risk

assessment workshop should not be seen as a threat by line management.

Internal audit professionals require that control measures are identiﬁ ed in very precise terms

that can be audited. The focus of internal audit activities is on the impact that the control

measures actually have in practice. During an audit, internal auditors will request and be pro-

vided with information and data. The approach of the internal auditor is to test that informa-

tion, so that the facts of the situation may be established. In summary, internal auditors take

the somewhat challenging view that information plus testing equals facts.

An area where risk management and internal control can work together is in establishing the

risk management/internal control priorities for the coming year. When an organization sets

up a risk-based audit programme, it will be seeking to ensure that internal audit activities are

focused on the priority signiﬁ cant risks facing the organization. The board may well be looking

for a joint risk management/internal audit contribution that will achieve better strategic deci-

sions, more successful delivery of projects and more efﬁ cient processes.

The introduction of a risk-based audit programme will be facilitated by ensuring that internal

audit participate in risk assessment workshops and that risk management and internal audit

produce a joint annual programme of work. The overall intention is to ensure that control

measures discussed at risk assessment workshops are described in the risk register as fully

auditable controls. The overall intention is to ensure that managers have greater awareness of

their control responsibilities and fulﬁ l those responsibilities in practice.

There are advantages and disadvantages in having a close working relationship between the

risk management and internal audit. In many ways, there is a complementary ﬁ t between the

two disciplines and there are beneﬁ ts in having a common focus and co-ordinated planning

related to the management of risk. Also, there is an opportunity for sharing best practice

regarding risk management tools and techniques.

However, there are also disadvantages in a common approach. It is desirable that line manage-

ment realize that responsibility for deciding the level of control of a particular risk, the respon-

sibility for implementing enhanced controls and the responsibility for auditing compliance

are separate issues. Also, there will often be different reporting relationships in an organiza-

tion between risk management and internal audit. Finally, internal audit are proud of their

independent status and closer involvement in the risk management decision making could

compromise that independence.

302 Risk assurance and reporting

Risk management outputs

When working together, risk management and internal audit should always concentrate on

the outputs from the risk management process and the impact that is sought. The contribu-

tion of risk management is to ensure a greater chance of the achievement of the objectives of

the organization and this is also a stated intention of internal audit activities.

Overall, risk management/internal audit outputs are intended to achieve enhanced perform-

ance of the organization in three important areas:

efﬁ cacious strategy; •

effective processes; •

efﬁ cient

operations. •

These outputs will be achieved by ensuring minimum disruption to routine operations from

hazard risks, together with selection of effective processes that are appropriate for the organi-

zation. Selection of effective processes requires informed decision making and the successful

implementation of projects. Risk management and internal audit should work together to

achieve these outputs.

The most important decisions taken by an organization relate to strategy. Risk management

and internal audit both have roles to play in helping the organization reach strategic decisions

that result in the development of efﬁ

cacious strategy. Risk management should ensure that

risk assessment workshops address strategic decisions and internal audit should evaluate the

quality of the strategic decision-making processes.

The required outputs from risk management/internal audit can be summarized as compli-

ance, assurance, decision making and efﬁ ciency/effectiveness/efﬁ

cacy (CADE3). Risk manage-

ment and internal audit should work together to achieve these outputs. Due regard should

always be paid to the desire of internal audit to remain independent in their activities. The

need to retain this independence is another reason why internal audit should not become too

closely involved in the executive role and responsibilities related to the management of a risk.

Role of internal audit

Figure 32.1 illustrates the range of activities that need to be undertaken in order to fulﬁ l a suc-

cessful ERM initiative. The diagram identiﬁ es those activities that are core to the work of the

internal audit department. These activities include reviewing the management of key risks,

evaluating the reporting of those risks and evaluating risk management processes.

The diagram also identiﬁ es activities that should not involve internal audit. These activities

include setting the risk appetite, imposing risk management processes and taking decisions on

Activities of the internal audit function 303

Core internal audit roles

in regard to ERM

Giving assurance that risks are correctly evaluated

Giving assurance on the risk management processes

Evaluating risk management processes

Evaluating the reporting of key risks

Reviewing the management of key risks

Facilitating identication & evaluation of risks

Coaching management in responding to risks

Co-ordinating ERM activities

Consolidated reporting on risks

Maintaining & developing the ERM framework

Championing establishment of ERM

Developing ERM strategy for board approval

Setting the risk appetite

Imposing risk management processes

Management assurance on risks

Taking decisions on risk responses

Implementing risk responses on management’s behalf

Accountability for risk management

Legitimate internal audit

roles with safeguards

Roles internal audit

should not undertake

Figure 32.1 Role of internal audit in ERM

This diagram is taken from ‘Position Statement: The Role of Internal Audit in Enterprise-wide Risk

Management’, reproduced with the permission of the Institute of Internal Auditors – UK and Ireland. For

the full statement visit www.iia.org.uk.

risk responses. In between these two sets of activities there are activities where it is legitimate

for internal audit to become involved, provided that suitable safeguards are in place. These

activities include facilitating the identiﬁ cation of risks, co-ordinating ERM activities, develop-

ing the ERM framework and championing the establishment of ERM.

Establishing audit priorities is an important function of the audit department. In relation to

risk management activities, internal auditors will need to establish their priorities for the

testing of controls. There is an important interface between risk management and internal

control. Risk management professionals are very good at assessing risks and identifying the

appropriate type of control that should be in place. The risk register will often record current

controls and make recommendations for the implementation of additional controls.

The core work of the internal auditor starts at this point. Having identiﬁ ed the critically impor-

tant controls, the auditor will need to check that the controls are implemented in practice and

that they are the correct and effective controls. The outcome of testing of controls is to ensure

that the intended level of risk is actually achieved in practice. In other words, the control actu-

ally moves the level of risk from the inherent level to the intended current level in the way that

was planned and often assumed.

If the control is not effective and efﬁ cient, it will need to be modiﬁ ed. This is another area

where risk management and internal audit share expertise. Although these discussions on

controls can be facilitated by risk management and internal audit, the ultimate decisions on