AASHTO SUBCOMMITTEE FOR INTERNAL/EXTERNAL AUDIT ANNUAL MEETING - - PowerPoint PPT Presentation


SLIDE 1

AASHTO SUBCOMMITTEE FOR INTERNAL/EXTERNAL AUDIT ANNUAL MEETING

Doubletree Hotel Orange, California July 9, 2019 10:30am – 11:45am

Vicki McIntyre, CIA, CPA, CFSA, CRMA, CGAP

SLIDE 2

AGENDA

  • Introduction to Risk
  • Enterprise Risk Management
  • Opportunities for Internal Audit Teams
  • Opportunities for Internal Auditors
  • OMB Circular A-123
  • COSO Internal Control Framework – Risk Assessment Component

SLIDE 3

INTRODUCTION TO RISK

SLIDE 4

INTRODUCTION TO RISK

  • Mission, Vision, Values
  • Strategic Plans
  • Program, Business Unit Goals and Objectives
  • Risk Analysis
  • Internal Controls

SLIDE 5

ENTERPRISE RISK MANAGEMENT

  • NOT a program,
  • NOT a department,
  • NOT a process, either!

Risk management is an integral component of decision making.

SLIDE 6

ENTERPRISE RISK MANAGEMENT

In 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an update to its 2004 COSO Enterprise Risk Management framework. The name of it says it all: Enterprise Risk Management - Integrating With Strategy and Performance.

Risk management is all about strategy and performance.

SLIDE 7

ENTERPRISE RISK MANAGEMENT

  • The new COSO ERM lays out a framework for improving risk management so better decisions are made, helping an organization accomplish its objectives.
  • The framework is not another process to be sent to the ERM team or even to a committee or work group.
  • It needs to be incorporated into the fabric of the organization, providing guidance, tools, processes, and many other elements to improve risk management, regardless of the decision being made.

SLIDE 8

ENTERPRISE RISK MANAGEMENT

The updated framework’s five interrelated components:

  • Governance and Culture
  • Strategy and Objective Setting
  • Performance
  • Review and Revision
  • Information, Communication and Reporting

SLIDE 9

ENTERPRISE RISK MANAGEMENT

  • Risk Is Not the Focus
  • Risk Is Not an Evil to Be Eliminated
  • There Are Many Ways to Respond to Risk
  • Risk Management is More a Skill and Mindset Than a Process

  • All of the Framework is Important
  • ERM Does Not Compete With Internal Controls

SLIDE 10

OPPORTUNITIES FOR INTERNAL AUDIT TEAMS

  • Coordination and Reliance – IIA Standard 2050
  • IA responsibility for agency’s ERM approach – IIA Position Paper, “The Role of Internal Auditing In Enterprise Risk Management”
  • Facilitation and training
  • Assessments of Management’s design and execution of ERM

SLIDE 11

OPPORTUNITIES FOR AUDIT TEAMS

SLIDE 12

AGENCY’S ERM MATURITY

Enablers

  • People
  • Processes
  • Technology

SLIDE 13

OPPORTUNITIES FOR INTERNAL AUDITORS

  • Become conversant with the fundamentals of the ERM framework - internal auditing is all about risk.
  • While we focus on the adequacy/effectiveness of internal controls, internal controls should be viewed as a method to implement the “reduce” response to risk. Risk is central and comes first.
  • Master the concepts of risk - how it is identified, assessed, analyzed, responded to, reviewed, and reported. Without this context, it is not possible to effectively address internal controls.

SLIDE 14

OPPORTUNITIES FOR INTERNAL AUDITORS

  • Talk less about the adequacy/effectiveness of internal controls and talk more about risk: managing risk, and reducing risk where advised.
  • Management thinks of the world through the perspective of setting out objectives and accomplishing them - all with the goal of delivering performance.
  • The more we talk about those objectives and the events that can impact delivering performance, the more management will understand how internal audit delivers value.
  • We are not here to add bureaucracy with more controls. We are here to help management deliver on its objectives. This requires us to think and talk in terms of risk, potential impact, and response.

SLIDE 15

OPPORTUNITIES FOR INTERNAL AUDITORS

  • Internal auditors should not only evaluate internal controls, but also management’s choice and implementation of risk responses.
  • Internal controls are but one potential risk response.
  • Internal auditors should be considering all five risk responses in assessing whether management has selected the optimal way to address a risk.

SLIDE 16

OPPORTUNITIES FOR INTERNAL AUDITORS

  • Internal auditors should not focus blindly on always trying to reduce risk.
  • Risk responses should be designed to improve performance.
  • This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance.
  • When internal auditors' orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.

SLIDE 17

OPPORTUNITIES FOR INTERNAL AUDITORS

  • Internal auditors are some of the best in understanding the theory regarding risk.
  • The revised COSO ERM framework provides us the opportunity to become even more expert in the material so we can help our organizations navigate how best to implement it.
  • Not everyone will see the framework as something worth their attention; this provides a great opportunity for internal auditors!

SLIDE 18

OMB’s REVISED CIRCULAR A-123

  • Revised Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, establishes various ERM processes in the federal government.
  • Requires federal executive agency leadership to implement ERM concepts to ensure each agency's risks are being identified and managed effectively.
  • Revised policy engages all agency managers, beyond the CFO community, and “encourages open and candid conversations about risks facing an organization at all levels.”
  • Envisions significantly more interaction among each agency’s CFO, chief risk officer, risk management council, and performance improvement officer, and advocates the use of professional-society approaches such as “maturity models.”
  • The OMB guidelines for ERM implementation embrace a modern risk assessment framework, the “risk maturity model.”

SLIDE 19

OMB’s REVISED CIRCULAR A-123

Advice for implementation to employ ERM concepts to improve organizations:

  • Identify the most significant risks that could prevent your agency from achieving its mission, objectives and goals. Consider risks to strategic, operational, reporting and compliance objectives.
  • Consider remote or improbable events that could be significant and impactful. Black swan events can occur – if we’ve failed to consider the risks, results can be catastrophic.
  • Consider fraud risks - financial and nonfinancial aspects, e.g. loss of the public’s trust and confidence.

SLIDE 20

COSO INTERNAL CONTROL FRAMEWORK RISK ASSESSMENT COMPONENT

Principle 7 – “Identifies and Analyzes Risk” – Points of Focus:

  • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
  • Analyzes Internal and External Factors
  • Involves Appropriate Levels of Management
  • Estimates Significance of Risks Identified
  • Determines How to Respond to Risks

SLIDE 21

RISK ASSESSMENT - SAMPLE QUESTIONS

  • Is there a systematic risk assessment process?
  • Are there appropriate personnel involved to adequately identify risks?
  • Are risks identified by level of significance, likelihood of occurrence, velocity and persistence?
  • Is the risk assessment sufficiently comprehensive?
  • Is there a plan to respond to risks identified? (Avoid, Share, Accept, Reduce, Transfer)

SLIDE 22

OTHER RISK ASSESSMENT CONSIDERATIONS

Identification and analysis of risk, including risks due to change, fraud risk, legal and regulatory risks, social, technological, natural disasters, etc.

  • Risks due to regulatory changes (e.g. SLAA requirements, accounting requirements and statutory changes)
  • Risks related to contract compliance (e.g. grants and debt covenants)
  • Risks related to personnel changes, off-site communications or structural changes
  • Risks related to recording of routine transactions (e.g. receipts & disbursements) and non-routine transactions (e.g. journal entries)

  • Changing risks associated with IT and cybersecurity
  • Changing taxpayer needs or expectations

SLIDE 23

OTHER RISK ASSESSMENT CONSIDERATIONS

Other common areas of identified risks

  • Basic controls over information technology
  • Bonded debt covenant compliance
  • Accounting and compliance considerations for new regulatory requirements

  • Unusual estimates
  • Related party transactions, conflicts of interest
  • Inadequate segregation of duties
  • Areas particularly prone to public scrutiny

SLIDE 24

BIBLIOGRAPHY

Sawyer, Lawrence B. Sawyer's Internal Auditing: The Practice of Modern Internal Auditing, 5th Edition.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control - Integrated Framework, 2013.

Holzinger, Donald, CPA, and Christopher Parker, CPA. “How formal ERM implementation can help federal agencies,” Journal of Accountancy, June 2018.

Anderson, Doug. “COSO ERM – Getting risk management right,” Internal Auditor, October 2017.