Risk & Internal Audit Synergiesfiamalta.org › downloads › fisher0716.pdf · Risk & Internal Audit Synergies Session 1 - How risk management can interact effectively with internal

Risk & Internal Audit

Synergies

Session 1 - How risk management can interact effectively with internal audit Dominic Fisher, Deloitte Malta, 13 July 2016

How risk management can interact effectively with internal audit © 2016. For information, contact Deloitte Malta. 2

Forum – This session is intended to open a dialogue.

Risk Management – MARM is an association of risk management, not risk managers. Most organisations will have many individuals whose official role does not contain the word ‘risk’, but whose work is relevant to enterprise risk management efforts. In addition to recognised ‘risk managers’ this session is also aimed at you.

Scene Setting For This Session

How ‘Risk Management’ Can Interact Effectively With Internal Audit


About Risk Management 4

Joint Guidance On Risk / Audit Committees 6

Following Up On Internal Audit Work 10

Synergistic Themes 12

• Policies & Procedures 14

• Risk Evaluations 16

• Risk Management Frameworks 21

• Communication 24

Wrapping Up 27

Contents

How risk management can interact effectively with internal audit © 2016 For information contact Deloitte Malta. 4

What Is Risk Management?


‘Risk management aims at creating a disciplined, structured and controlled environment within which risks to the organisation can be anticipated and maintained within predetermined acceptable limits’


Joint Guidance On Risk / Audit Committees


Ideas At The Leading Edge

Risk & Internal Audit Co-ordination

Weblink

http://tinyurl.com/zox9y3s

October 2014


The EU’s 8th Company Law directive includes a requirement for Audit Committees at public interest organisations* to

‘form an independent view on the effectiveness of risk management and internal controls’.

This is the backdrop for this piece of thought leadership.

*About 6,000 organisations across the EU


Key Points Arising

Define Committee roles and responsibilities by a Charter Terms of Reference

Reaffirms the ‘Three Lines Of Defence’ Model

• The Guidance identifies 10 possible responsibilities to share between Audit and

Risk committees – and how they could / should be allocated.

• Recommends the involvement of Heads of Risk / IA in Audit and Risk

Committees.

Common Risk Management Approach

• This means a clearly communicated risk and control framework. For example,

one would expect consistency in ‘risk reporting’ measurements between IA and

Risk.

• If a common risk management approach is in place, you would expect Internal

Audit to use Risk Management’s outputs (e.g. risk register).

• Board sets risk appetite and risk - taking philosophy.

• CEO and senior management responsible for managing of risks and internal

control.

• Suggest enterprise risk mapping for second line of defence.

• Composition of second and third lines depends on resources, staffing and

maturity of the organisation. Costs and benefits need to be balanced.


Following Up Internal Audit Work


Some Basic Expectations

Follow Up Internal Audit Work By Risk Management

Assisting line management with remediation efforts

• Internal audit findings with a bearing on risk should be shared with a suitable audience (e.g. Board of Directors, Risk Committee, Risk Steering Committee, Line Management etc).

•When relevant, internal audit results can be used to reassess the nature and quantum of relevant residual and inherent risks.

• Provide assistance with remediation, especially where line management don’t have the resources and internal auditors are constrained by independence issues.

• Risk experts should be aware of and be able to advise on alternative risk treatments and also the risks arising from process change.

• Line managers should be aware of the availability of expert resource. Build a reputation which leads to line management requesting your input.

Using IA work as a feedback loop


Synergistic Themes

Diagnosing Suitable Action


Risk Maturity Stages

Emerging Risk Intelligent Development stage

Fine-tuning

Maturing

Establishing

Suitable improvement recommendations depend on your organisation’s existing risk maturity.

1

2

3


Synergistic Themes

Formalising Policies & Procedures


Formalising Policies & Procedures

Supporting Internal Audit

1

2

3

Documenting Internal Policies & Procedures

A basic requirement, but one that is often incomplete. Where these are absent, internal audit may struggle to find criteria to audit against.

Flowcharts

Diagrammatic representations of internal processes allow for quicker understanding / critical review of those processes.

Key Control Matrices

In organisations which are seeking to evaluate risk management and internal controls, identification and monitoring of the performance of key controls is critical.

How risk management can interact effectively with internal audit Member firms and DTTL: © 2016 For information contact Deloitte Malta. 16

Synergistic Themes

Risk Evaluations


Risk Evaluations


1

2

3

Risk Registers

A basic building block for effective risk management. There is a danger in taking a big bang approach. A gradual approach which involves line management is recommended.

Process Level Risk Evaluations

There are many ways of identifying organisational risks. At the operational level, process level risk evaluations can be a very effective method.

Risk Monitoring Techniques

This might include risk dashboards, early warning systems and the establishment of a Risk Steering Committee comprising line management heads.


Process Flowcharts & Process Level Risk Evaluations


Process Flowcharts

Diagrammatic representations of internal processes allow for quicker understanding / critical review of those processes.

Process Level Risk Evaluations

There are many ways of identifying organisational risks. At the operational level, process level risk evaluations can be a very effective method.


An overview of legal requirements for income investment derived from investments held by authorised financial intermediaries (AFI) on behalf of clients follows. All AFI payors must register with the Inland Revenue. There is a risk that an AFI payor will not register with the Inland Revenue, but represent to clients that they are registered and then collect tax which is not remitted to the authorities. The process begins when a payee presents for business to the AFI payor. The payee must determine whether they are excluded from tax. There is a risk here that the payee will make an incorrect determination of their tax status. Nevertheless, if they do so, they are classified as requiring to be paid gross by the AFI payor as long as they can provide suitable evidence that they are excluded from tax in Malta. If not, the payee may still elect to be paid gross. In such circumstance they must notify the AFI payor in writing. If a payee is not excluded from tax and does not elect to be paid gross, they ought to be classified by the payor as a recipient payable net. AFI payors must maintain system records to classify all clients as either payable gross or net. When income is received on behalf of a client, the AFI payor must determine whether this is investment income. There is a risk that incorrect determinations are made at this stage. In the case, where the income is not determined to be investment income, there is no further action required of the AFI payor. However, if the income received is determined to be investment income, the AFI payor must next determine whether tax is to be withheld. There is a risk of error here. If no tax is determined to need to be withheld, income is remitted gross to the payee and the AFI payor ought to add this item to the list of investment income paid gross which is remitted to the Inland Revenue on an annual basis. Meanwhile the payee has to determine whether the income is chargeable at the end of the year and where that is the case include due payments within his annual tax return which is remitted to the tax authorities in the following reporting period. There is a risk that taxpayers will omit chargeable income. Where tax is to be withheld, the AFI payor must calculate the amount to be withheld. The net amount and a withholding tax certificate is passed to the payee. The withheld amounts are summarised by the AFI payor and should equal the amounts shown on issued certificates. This summary sheet should be sent to the Inland Revenue on a monthly basis. The withheld amounts are due to be sent by 30 September in the year following the year when the client income was received.

A Written Overview of a Medium Complexity Process


Process Evaluation Points

• A diagrammatic representation shows a chronological flow which is far easier to understand or explain.

• The involved parties and the nature of their involvement are clear.

• Decision Points, document flows, cash flows and system interfaces are clearly marked which provides a user with a clear appreciation of risk points and areas which may be ripe for improvement (e.g. automation, removal of duplicated processes)

• For each step (and across the entire process), users can consider classic audit risks (completeness, accuracy and validity) as well as efficiency.

• This type of document can assist efficient internal audit planning.

Flowcharts Are Better


Synergistic Themes

Implementing Risk Management Frameworks


Implementing Risk Management Frameworks


1

2

3

Framework Lite

A simplified version of a risk standard may be the most effective way of introducing the fundamentals of risk management into your organisation.

Implementing Established Standards

COSO, COBIT, IRM and ISO 31000 are all risk management standards which parts of your organisation may wish to aspire to.

Certification / Independent Verification

Verification whether internally or externally can provide independent assurance as to the effective implementation of the selected risk management framework.


COSO 2013 vs ISO 31000

A Comparison Of Two Of The Most Common Risk Management Frameworks

ISO 31000

• Short

• International

• Focus on enterprise risk management

• Neutral between risks and opportunities

• Little mention of risk appetite

• Risk manager’s view

• Provides a co-ordinated risk process

COSO 2013

• Long

• US standard

• Focus on evaluations

• Emphasis on downsides

• Link to strategy

• Auditor’s view

• Can cherry-pick your focus (i.e. pilot test)


Synergistic Themes

Communication


Communication


1

2

3

Formal Protocols

Ensure that risks are reported in a structured manner which involves internal audit.

Spreading The Risk Gospel

By sharing and reinforcing key risk concepts throughout the organisation, those charged with risk can support the target risk culture.

Risk Conversations At Operational Level

These type of conversations can be effective at facilitating risk improvements from the ‘bottom up’ and across departments.


Achieving Improved Risk Management & Internal Control From The Bottom Up

Healthy Conversations About Internal Controls

What were the problems in carrying out these controls?

To what extent did you carry out the controls which were prescribed or needed?

How well do you think these controls have performed?

What findings did you have from performing your controls (errors, backlogs, missing information etc)

Do you have any ideas to improve the efficiency and effectiveness of the controls for which you are responsible?

Based on your work how well do you think that processes and controls have worked in other areas?

What do these findings suggest and what could we do better?


Wrapping Up


Concluding Comments

‘It is important for organisations to set up an efficient and integrated corporate governance model’ Thijs Smit President of ECIIA

‘Audit and Risk Committees need to rely more than ever on competent risk and internal audit professionals.’ Julia Graham, President of FERMA

‘When it comes to gaining synergies between risk and internal audit, build on what you have, taking into account your organisation’s existing level of risk maturity’ Dominic Fisher, Deloitte Malta

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see http://www.deloitte.com/about to learn more about our global network of member firms.

Deloitte Malta refers to a civil partnership, constituted between limited liability companies, and its affiliated operating entities: Deloitte Services Limited, Deloitte Technology Solutions Limited, Deloitte Consulting Limited, and Deloitte Audit Limited. The latter is authorised to provide audit services in Malta in terms of the Accountancy Profession Act. A list of the corporate partners, as well as the principals authorised to sign reports on behalf of the firm, is available at www.deloitte.com/mt/about.

Cassar Torregiani & Associates is a firm of advocates warranted to practise law in Malta and is exclusively authorised to provide legal services in Malta under the Deloitte brand.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

© 2016. For information, contact Deloitte Malta.

Dominic Fisher

Senior Manager Enterprise Risk Services

[email protected]

http://www.deloitte.com/about

http://www.facebook.com/deloittemalta

http://www.linkedin.com/company/deloittemalta

http://www.twitter.com/deloittemalta

Documents

Risk & Internal Audit Synergiesfiamalta.org › downloads › fisher0716.pdf · Risk & Internal Audit Synergies Session 1 - How risk management can interact effectively with internal