CONTROL / RISK
Internal Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved.
Process-Level Control
Transaction Level
Specifically focused on reducing risk related to individual operational tasks or the processing of individual transactions. They are designed to ensure that individual transactions are accurately processed in a timely manner.
Examples:
Transaction approval, transaction verification, transaction re-calculation, transaction confirmation
Application Level
Implemented to ensure that systems operate as intended.
Examples:
System integrity and validation checks
Types of Control Activities
Key Control Activity
Primary Control Activity
Detective Control
A control activity designed to discover undesirable events that have already occurred. It must operate on a timely basis to be considered effective.
Management Control Techniques
MANAGEMENT
1. The act or art of managing: the conducting or supervising of something (as a business)
2. The collective body of those who manage or direct an enterprise
CONTROL
1. To exercise restraint or direction over
2. To eliminate or prevent the flourishing or spread of
TECHNIQUES
1. The body of specialized procedures and methods used in any specific field
2. Method of performance; way of accomplishing
Types of management controls
1. Financial reporting
2. Performance monitoring
3. Effective communications
Financial Reporting
It is essential that management receive a timely, reliable flow of information about its financial status and that management initiate prompt corrective action when the accounting data indicate a significant deviation from the budget.
Performance Monitoring
It is essential that management track the performance of the organization against its stated goals.
Effective Communications
Managers recognize that subordinates and front-line workers perform better if they have a clear understanding of the mission and goals of the organization and the purpose being
1. Supervision
A good tool to ensure employees know what they are doing and perform to the required standard.
2. Authorization
Helps ensure activities and transactions fall in line with set standards.
3. Segregation of duties
Guards against the risk of staff collusion, error, and breach of procedure.
4. Procedures
Needed to address the risk of confusion, abuse, inefficiency, and breach of regulations or obligations; they should be as comprehensive as called for to manage these risks.
5. Reconciliations
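The transaction-level controls listed earlier (approval, verification, re-calculation) and the management control techniques above (authorization, segregation of duties, reconciliations) can be written down as concrete checks rather than left as definitions. The following Python module is an added example, not code from the original slides or from any framework the deck cites: it runs the preventive controls over a constructed batch of payments and then reconciles the ledger against a bank statement as the detective control. The approval threshold, the role names, the conflicting-role pairs and every sample record are assumptions made for illustration.

```python
"""Transaction-level and management control techniques as executable checks.

Added example, not part of the original slides. The threshold, role names,
conflicting-role pairs and all sample records below are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal as D
from typing import Dict, List, Optional, Set

# Assumed policy values (illustrative, not from the slides).
APPROVAL_THRESHOLD = D("5000")  # payments at or above this need a second person's approval
CONFLICTING_ROLES = [           # role pairs that one person must never hold together
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_payment", "approve_payment"}),
]


@dataclass
class Payment:
    ref: str
    initiator: str
    approver: Optional[str]
    lines: List[D]       # individual line items as entered
    stated_total: D      # total keyed in by the initiator


def check_authorization(p: Payment, roles: Dict[str, Set[str]]) -> List[str]:
    """Authorization (preventive): large payments need approval by a holder of approve_payment."""
    if p.stated_total < APPROVAL_THRESHOLD:
        return []
    if p.approver is None:
        return [f"{p.ref}: amount {p.stated_total} requires approval, none recorded"]
    if "approve_payment" not in roles.get(p.approver, set()):
        return [f"{p.ref}: approver {p.approver} does not hold approve_payment"]
    return []


def check_segregation(p: Payment, roles: Dict[str, Set[str]]) -> List[str]:
    """Segregation of duties: no self-approval, and nobody involved holds a conflicting role pair."""
    findings = []
    if p.approver is not None and p.approver == p.initiator:
        findings.append(f"{p.ref}: {p.initiator} both entered and approved the payment")
    for user in sorted({p.initiator, p.approver} - {None}):
        held = roles.get(user, set())
        for pair in CONFLICTING_ROLES:
            if pair <= held:
                findings.append(f"{p.ref}: {user} holds conflicting roles {sorted(pair)}")
    return findings


def check_recalculation(p: Payment) -> List[str]:
    """Transaction re-calculation: the stated total must equal the sum of its lines."""
    total = sum(p.lines, D("0"))
    if total != p.stated_total:
        return [f"{p.ref}: lines sum to {total} but stated total is {p.stated_total}"]
    return []


def reconcile(ledger: Dict[str, D], bank: Dict[str, D]) -> List[str]:
    """Reconciliation (detective): ledger postings against the bank statement, keyed by reference.

    A detective control is only effective if it runs on a timely basis, e.g. every
    statement cycle, so unexplained items surface while they can still be traced.
    """
    findings = []
    for ref in sorted(set(ledger) | set(bank)):
        if ref not in bank:
            findings.append(f"{ref}: posted in ledger ({ledger[ref]}) but not on bank statement")
        elif ref not in ledger:
            findings.append(f"{ref}: on bank statement ({bank[ref]}) but not posted in ledger")
        elif ledger[ref] != bank[ref]:
            findings.append(f"{ref}: ledger {ledger[ref]} differs from bank {bank[ref]}")
    return findings


def run_controls(payments: List[Payment], roles: Dict[str, Set[str]]) -> List[str]:
    """Apply the transaction-level controls to a whole batch and collect every exception."""
    findings: List[str] = []
    for p in payments:
        findings += check_authorization(p, roles)
        findings += check_segregation(p, roles)
        findings += check_recalculation(p)
    return findings


# Constructed sample data (not real records).
ROLES = {
    "alice": {"enter_payment"},
    "bob": {"approve_payment"},
    "carol": {"create_vendor", "approve_payment"},  # toxic combination
}
SAMPLE_PAYMENTS = [
    Payment("P-1001", "alice", "bob", [D("1200"), D("800")], D("2000")),    # clean
    Payment("P-1002", "alice", None, [D("6000")], D("6000")),               # no approval on a large amount
    Payment("P-1003", "alice", "alice", [D("3000"), D("2500")], D("5500")), # self-approved, approver lacks role
    Payment("P-1004", "alice", "carol", [D("100"), D("250")], D("340")),    # wrong total, approver has conflicting roles
]
LEDGER = {"P-1001": D("2000"), "P-1002": D("6000"), "P-1003": D("5500")}
BANK = {"P-1001": D("2000"), "P-1003": D("5050"), "P-9999": D("75")}

if __name__ == "__main__":
    for line in run_controls(SAMPLE_PAYMENTS, ROLES) + reconcile(LEDGER, BANK):
        print(line)
```

Each function returns its exceptions as a list instead of raising, because in practice a control run produces an exception report for a supervisor to work through rather than stopping at the first problem; the reconciliation deliberately reports items on either side only, since an unexplained bank debit with no ledger posting is exactly the pattern that asset misappropriation leaves behind.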
INTERNAL CONTROL FRAMEWORK
CHARACTERISTICS AND USE
FRAMEWORKS
- A framework is a body of guiding principles that forms a template against which organizations can evaluate a multitude of business practices.
- Specific to the practice of internal auditing, various frameworks are used to assess the design and operating effectiveness of internal controls.
COSO ERM FRAMEWORK
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Source: http://www.snai.edu/cn/service/library/book/0-framework-final.pdf
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Source: http://www.snai.edu/cn/service/library/book/0-framework-final.pdf
Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
Source: http://www.snai.edu/cn/service/library/book/0-framework-final.pdf
Alternative Control Frameworks
Different Frameworks: Same Goals
- Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of control in multiple dimensions of a business.
- A framework is a tool that helps management and auditors evaluate the adequacy of control in multiple dimensions of the business.
Source: http://www.qfinance.com/corporategovernance-checklists/internal-control-frameworkscoso-coco-and-the-uk-corporate-governance-code
Source: http://www.docstoc.com/docs/95666738/Frameworks-ForEvaluating-Internal-Controls
Source: http://www.ifac.org/sites/default/files/publications/files/internal-
RISK VOCABULARY AND CONCEPT
Definition of Risk
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. It is measured in terms of impact and likelihood. (IIA's International Standards)
Possibility is a chance that something might exist, happen, or be true; the state or fact of being possible; something that might be done or might happen.
Impact is the effect on achievement of goals and objectives when the risk happens.
Likelihood is the probability of an event or situation taking place.
Origin of Risk
Risk came from an Italian word, risicare, which means to dare: a choice under uncertain conditions (rather than fate). (Internal Auditing: Assurance & Consulting Services)
Mitigation Strategy
How are you going to manage a risk?
- Accept
- Avoid
- Control
- Transfer
Risk Management
A process for identifying, assessing, and prioritizing risks of different kinds. A variety of strategies is available, depending on the type of risk and the type of business.[5]
Enterprise-wide risk management (ERM)
Other Terminologies:
Risk Appetite
is the level of risk that an organization is willing to accept.
Operational Risk
An event, action or occurrence that impacts the effective and efficient use of the institution's resources to achieve its major activities through management processes and procedures.
Reporting Risk
An event, action or occurrence that impacts the reliability of the institution's external and internal reporting.
Compliance Risk
An event, action or occurrence that impacts the institution's compliance with applicable laws, rules and regulations.
Reputation Risk
An event, action or occurrence that impacts how the institution is valued or perceived.
Strategic Risk
An event, action or occurrence that impacts the institution's ability to achieve high-level goals aligned with and supporting the mission.
Audit Risk
The risk that an auditor will not discover errors or
intentional miscalculations while reviewing a
company's or individual's financial statements.
Business Risk
The possibility that a company will have lower than
anticipated profits, or that it will experience a loss
rather than a profit.
Financial Risks
Are part of the financial structure of your business, business transactions, and the financial systems used.
Residual Risk
The remaining risk subsequent to risk management
activities and/or controls.
Risk Responses
are the means by which an organization elects to manage
individual risks. The main categories are to tolerate the risk; to
treat it by reducing its impact or likelihood; to transfer it to
another organization or to terminate the activity creating it.
Internal controls are one way of treating a risk.
Risk Assessment
Process by which risk is evaluated from two dimensions: 1)
probability/likelihood of the risk event taking place, and 2) impact
of the risk event on the institution.
Certification
is the written and signed representation from any manager that
the risk management strategies applicable to that manager have
been properly executed and documented.
Collaborative Assurance
is the partnership of management and internal audit to provide the
governance function with some level of assurance about all the
risk.
Sources:
[7] www.cmu.edu/erm/resources/docs/CMU_Risk_Vocabulary.pdf
[8] http://www.business.vic.gov.au/disputesdisasters-and-succession-planning/how-to-managerisk-in-your-business/types-of-business-risks
[9] http://www.investopedia.com
FRAUD
- The intentional use of deceit, a trick, or some dishonest means to deprive another of money, property, or of a legal right.
(Principles and Contemporary Issues in Internal Auditing, Second Edition by Lee, Haron, et al.)
White-collar crime
The misdeeds of people who wear ties to work and steal with a pencil or a computer terminal. It produces ink stains instead of blood stains.
False Accounting
- The main aim is to present the results and affairs of the organization in a better light than is really the case.
Asset Misappropriation
- Any business asset may be stolen by employees or third parties, or by employees and third parties acting in collusion.
Computer Fraud
- A computer is used as the object, subject, or tool of a fraud.
Management Fraud
(Fraudulent Financial Reporting)
Employee fraud
Generally consists of:
- The fraud act itself
- The conversion of assets to the fraudster's use
- The cover-up
- Lose sleep
- Drink too much
- Take drugs
- Become irritable easily
- Can't relax
- Get defensive, argumentative
- Can't look people in the eye
- Sweat excessively
- Work alone
- Work late, among others
Characteristics of Fraudsters:
- Motivation
- Opportunity
- Rationalization or lack of integrity
- High personal debts or financial losses
- Inadequate income to support lifestyle
- Perceived inequalities in the organization
- Resentment of superiors
- Frustrations with the job
THANK YOU FOR LISTENING.
BE READY FOR A QUIZ.