erm and internal auditing 2016 tea talk v2a


Upload: nusaibah-hamizan

Post on 14-Feb-2017


Page 1: ERM and Internal Auditing 2016 Tea Talk v2a

IIAM ERM & IA - DSK Leong 2016

ERM AND INTERNAL AUDITING

INTERNAL AUDIT DIVISION

David S K Leong

BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.

Brainstorming of risks and controls session in progress.

Page 2: ERM and Internal Auditing 2016 Tea Talk v2a

Brief Introduction & Background

David S K Leong

BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.

HSBC Malaysia Bhd. (1980-2005), serving as Risk Manager, Strategic Planner, Chief Internal Auditor & Head, Sarbanes-Oxley Project.

Kuwait Finance House (Malaysia) Bhd. (2005-11) – Chief Officer, Internal Audit.

Bank Islam Malaysia Bhd. (2012-2014) – Chief Internal Auditor (Senior General Manager).

Credit Guarantee Corporation Malaysia Bhd. – Director, Internal Audit.

(Total of 35 years in banking, of which 12 years as Chief Internal Auditor.)

Additional:

Member of Board of Governors, Institute of Internal Auditors, Malaysia.

Deputy Chairman, IIAM’s Research, Technical & Advisory Committee.

Examiner, Asian Institute of Chartered Bankers.

Page 3: ERM and Internal Auditing 2016 Tea Talk v2a

HSBC Work Experience 1980 - 2005

OIC Current Accounts/Savings, HSBC, Johor Bahru - 4 years

OIC, Trade Finance, HSBC Kuching, Sarawak - 4 years

Assistant Manager Marketing, HSBC Kuching, Sarawak - 2 years

Credit Manager, HSBC, Kota Kinabalu, Sabah - 4 years

Bank Branch Manager, HSBC Bank, Labuan - 2.5 years

Manager Risk & Policy, HSBC Malaysia, Kuala Lumpur - 4 years

Head of Strategy, HSBC Malaysia, Kuala Lumpur - 1 year

CIA, HSBC Malaysia - 3 years

Page 4: ERM and Internal Auditing 2016 Tea Talk v2a

Risk Management Experiences: The Nightmares!

No risk management!

Want to go own way (i.e. no way)!

No definition of risk (i.e. don’t know).

Don’t know what is risk!

Uses new unproven model risk.

Ad hoc and unorganized approach/incomplete coverage.

No monitoring/follow-up of controls.

Inadequate risk staffing and skills.

Excessive power/arrogance.

Lack of power!

Very defensive!

Don’t want to be audited.

Any more?

Page 5: ERM and Internal Auditing 2016 Tea Talk v2a

SIMPLE SURVEY

How many don’t have Risk Management function?

How many have not audited Risk Management?

How many have audited Risk Management?

How many of these are really happy with their Risk Management Audit?

How many are really comfortable with the Risk Management activities?

How many have Risk Management Divisions that really manage important risks effectively?


Page 6: ERM and Internal Auditing 2016 Tea Talk v2a

HONESTLY, WHAT SITUATION ARE YOU IN?

1. Your internal audit findings are challenged 70% of the time?

2. Your internal audit findings are 95% accepted all the time?

3. Your internal audit recommendations get implemented only 50% of the time?

4. Your internal audit recommendations are implemented 90% even before presentation to the Board.

5. Your internal auditors’ performance and remuneration are assessed by management.

6. Your internal auditors’ performance and remuneration are assessed by the Board.

7. You have a higher than average attrition rate among your internal auditors than in the organization.

8. You have several other staff requesting to join the internal audit department.

Page 7: ERM and Internal Auditing 2016 Tea Talk v2a

Most Frequent Experience:

CRO says, “We have Enterprise-wide Risk Management!” – when actually he does not even know what is risk.

CRO says, “CIO will look after IT Risk Management. RM don’t have the IT expertise.”

CRO says: “We have an ERM Policy.” But on paper and in name only, not practised. No development.

CRO says: “We cannot introduce ERM because Head Office overseas should lead such an initiative.”

Page 8: ERM and Internal Auditing 2016 Tea Talk v2a

10 Absolute Essential Features of ERM

1. Must be Enterprise-wide (From Top to Bottom).

2. There must not be any “Golden Boy” unit.

3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance).

4. Focuses on Key Risks (Not more than 30-50 Biggest Risks).

5. Integrates Across All Risk Types (Not Siloed approach).

6. Aggregated at the Enterprise Level (based on the Risk Appetite/HEAT Map).

7. Decision-making Required to Reduce/Treat Risk.

8. Appropriate Risk Disclosures (Show how much shareholder value can be damaged).

9. Measure Value Impacts and Opportunity Impact.

10. Focuses on Main Stakeholders (Shareholders).

Source: Adapted from Jared Wade

Page 9: ERM and Internal Auditing 2016 Tea Talk v2a


In other words,

Do you have these?

Page 10: ERM and Internal Auditing 2016 Tea Talk v2a

Benefits in Layman’s Language to the Company with an Integrated Risk Framework and ERM Program

Risk Management becomes easy to apply. We will have substance instead of form.

ERM gives the Board better real assurance over internal controls.

All departments work on the same internationally recognized methodology.

Risk registers are easily available online to all users.

We have less work and less stress (no duplicated controls).

Each entity will know their main risks and controls. This leads to more focused work.

Entities will pass internal audits.

Internal audit reports will be comprehensible.

Company will suffer fewer losses, make higher profits and be competitive.

Company has more time for strategy and is more focused.

Company will have compliance with law, regulations and policies.

Page 11: ERM and Internal Auditing 2016 Tea Talk v2a

1. Must be Enterprise-wide.

1. Led by the Board and CEO, and have a Project Champion.

2. Must Involve all Risk Areas.

3. Participation and Buy-in from all material areas on Initial Risk Universe Assessment.

4. Participation and Mind-set must be integrated into operations, remuneration and culture.

5. Supported and complemented by Internal Audit.

6. All use common methodology and be solution oriented.

Page 12: ERM and Internal Auditing 2016 Tea Talk v2a

2. There must not be any “Golden Boy” unit

All are Included without Exception.

No “Special Treatment” even for “star performers”.

(This is exemplified by the case of Barings Bank in 1996, in which the Bank eventually collapsed. Barings Singapore was so profitable that Risk Management and Internal Audit were told to go lightly on Nick Leeson, the “Wonder Boy”. Loss: GBP 860 Million.

Another tell-tale sign: the “only expert” in complicated derivatives trading in the 2008 Societe Generale Bank case – a GBP 3.7 Billion loss.)

Enron 2004 – “The Smartest Guys in the Room.”

Page 13: ERM and Internal Auditing 2016 Tea Talk v2a

3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance)

Aligning All the Main Components – Making Sure We All Look at the Same Things to Achieve Corporate Objectives.

[Diagram of the components to align: Vision, Strategy, Corporate Objectives; Risk Management; Training/HR; Key Performance Indicators; Internal Audit; Performance Measurement; Strategic Direction; Yearly Budgets; Risk Appetite; Achieve Corporate Objectives.]

Page 14: ERM and Internal Auditing 2016 Tea Talk v2a

Where are your risks?

All these have to be coordinated!

Page 15: ERM and Internal Auditing 2016 Tea Talk v2a

5. Integrates Across All Risk Types. (Not Siloed approach)

Definition of Risk / What is Risk?

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

IPPF Glossary

In ISO 31000-2009 – “Risk is Uncertainty Over Objectives.”

By having the same methodology, everyone speaks the same language, which allows for aggregation of the enterprise’s risk.

Page 16: ERM and Internal Auditing 2016 Tea Talk v2a

4. Focuses on Key Risks. (30-50 Biggest Risks)

These should be the risks that keep you awake at night.

These risks are identified in a collaborative brainstorming session for all units, using a common methodology that measures risks in terms of impact and probability.

Are All Risks Covered? The ERM method prescribes inclusion of all major risks and measures the effectiveness of their treatment. This requires workers’ participation.

Are you having excessive procedures? Board and Management attention, followed by action, are aligned on real risks and on their treatment and monitoring. The process will find that many traditional processes are actually redundant. Therefore SOPs can be streamlined and processes become efficient.

Are your operations guys clueless and dissatisfied? Implementers of ERM and workers often find more meaning in what they do and are motivated because they now understand how to get real value for their time. They know what they have to do and why, and what auditors will audit them on.

Page 17: ERM and Internal Auditing 2016 Tea Talk v2a

Use the “HEAT MAP” tool to help disseminate risk assessment methodology.

Page 18: ERM and Internal Auditing 2016 Tea Talk v2a

6. Aggregated at the Enterprise Level (Set the Risk Appetite/HEAT Map). HEAT MAP: Where the Risks are!

TABLE A: HEAT MAP (Operations)

Impact scale (columns):

1 Insignificant: < RM 1,000
2 Minor: RM 1,000 - 9,999
3 Moderate: RM 10,000 - 49,999
4 Major: RM 50,000 - 199,999
5 Catastrophic: > RM 200,000

Likelihood scale (rows):

5 Almost Certain: 1-6 months
4 Very Probable: every 6-12 months
3 Probable: every 1-3 years
2 Unlikely: every 4-10 years
1 Rare: every more than 10 years

LIKELIHOOD \ IMPACT       1      2      3      4      5
5 ALMOST CERTAIN         5.1    5.2    5.3    5.4    5.5
4 VERY PROBABLE          4.1    4.2    4.3    4.4    4.5
3 PROBABLE               3.1    3.2    3.3    3.4    3.5
2 UNLIKELY               2.1    2.2    2.3    2.4    2.5
1 RARE                   1.1    1.2    1.3    1.4    1.5

Key (cell colours on the slide): Low / Medium / High / Very High / Catastrophic.

[Findings plotted as markers on the map; marker labels as extracted, partly garbled: 2.1, 2.2, 2.4, 2.3, 1.3, 1.1, 1.2, 3.1.]

Finding 2.4 is plotted on the Heat Map.

5.4: Denotes probability 5, Impact of 4.

Page 19: ERM and Internal Auditing 2016 Tea Talk v2a

7. Decision-making by Management to Reduce/Treat Risk.

Once a material risk is identified, there are 4 “Ts” of Risk Mitigation.

I. Treat (Implement a control to reduce/prevent the occurrence.)

II. Transfer (Reduce impact by transferring the risk to another entity, or take out insurance/outsource.)

III. Terminate (Abandon/sell the business if the risk impact is deemed unbearable or cannot be controlled.)

IV. Tolerate – Accept the risk if within Risk Tolerance limits.

Action is taken to ensure all risks accepted are within the risk appetite (green) as shown in the following HEAT Map.

ERM is not to report risks only but to ensure correct control action is taken.

Appraisal of performance is on action taken effectively.

Page 20: ERM and Internal Auditing 2016 Tea Talk v2a

7. IMPACT OF CONTROLS ON TREATED RISKS (RESIDUAL RISK)

TABLE A: HEAT MAP (Mill Operations)

Same scales as the Operations heat map: impact columns 1 Insignificant (< RM 1,000), 2 Minor (RM 1,000 - 9,999), 3 Moderate (RM 10,000 - 49,999), 4 Major (RM 50,000 - 199,999), 5 Catastrophic (> RM 200,000); likelihood rows 5 Almost Certain (1-6 months), 4 Very Probable (every 6-12 months), 3 Probable (every 1-3 years), 2 Unlikely (every 4-10 years), 1 Rare (every more than 10 years).

LIKELIHOOD \ IMPACT       1      2      3      4      5
5 ALMOST CERTAIN         5.1    5.2    5.3    5.4    5.5
4 VERY PROBABLE          4.1    4.2    4.3    4.4    4.5
3 PROBABLE               3.1    3.2    3.3    3.4    3.5
2 UNLIKELY               2.1    2.2    2.3    2.4    2.5
1 RARE                   1.1    1.2    1.3    1.4    1.5

Key (cell colours on the slide): Low / Medium / High / Very High / Catastrophic.

[Markers on the map show each risk twice: its Inherent Risk position and its Residual Risk position after the treatment controls.]

Inherent Risk

Residual Risk

Page 21: ERM and Internal Auditing 2016 Tea Talk v2a

OVERALL COMPANY: HEAT MAP

7. See One Picture of the Aggregated Risks of Your Company

You can see one picture or drill down into component areas, even specific issues, because of consistency of risk methodology.

[Figure: the Overall Enterprise-Wide HEAT MAP, the same 5x5 likelihood/impact grid as Table A (impact columns 1 Insignificant < RM 1,000 to 5 Catastrophic > RM 200,000; likelihood rows 5 Almost Certain (1-6 months) to 1 Rare (every more than 10 years); cells coded likelihood.impact, with the Low / Medium / High / Very High / Catastrophic colour key), shown once for the whole company and repeated as drill-down maps for Finance, Mill Operations, Marketing, Plantations, Compliance and Human Resources.]

Overall Enterprise-Wide HEAT MAP

Based on COSO ERM & IIA’s IPPF
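As an added example that is not part of the presentation: a Python sketch of the heat-map scoring the slides describe (impact band by RM loss, likelihood band by how often the event occurs, cell code likelihood.impact as in “5.4”), the 4 Ts applied to produce residual risk, and the aggregation of several areas’ registers into one enterprise picture. The colour key and the “green” risk-appetite boundary are assumptions, since the slides show them only as colours; the sample register is constructed.

```python
# Heat-map scoring and 4-T treatment of a risk register. Added example, not the
# presenter's material. Impact (RM) and likelihood (frequency) bands are the slide's;
# the colour key and the 'green' appetite boundary are ASSUMPTIONS (slide shows colours only).
from collections import Counter
from dataclasses import dataclass, replace

# (upper bound, score, label): loss in RM per occurrence -> impact column 1..5
IMPACT_BANDS = [(1_000, 1, "Insignificant"), (10_000, 2, "Minor"),
                (50_000, 3, "Moderate"), (200_000, 4, "Major"),
                (float("inf"), 5, "Catastrophic")]
# (upper bound, score, label): months between occurrences -> likelihood row 5..1
LIKELIHOOD_BANDS = [(6, 5, "Almost Certain"), (12, 4, "Very Probable"),
                    (36, 3, "Probable"), (120, 2, "Unlikely"),
                    (float("inf"), 1, "Rare")]
# ASSUMPTION: colour by likelihood x impact product; 'green' (appetite) = Low/Medium.
RATING_BANDS = [(4, "Low"), (9, "Medium"), (14, "High"),
                (19, "Very High"), (25, "Catastrophic")]
APPETITE = {"Low", "Medium"}
TREATMENTS = ("Treat", "Transfer", "Terminate", "Tolerate")  # the 4 Ts


def impact_score(loss_rm: float) -> int:
    return next(s for upper, s, _ in IMPACT_BANDS if loss_rm < upper)


def likelihood_score(months_between: float) -> int:
    return next(s for upper, s, _ in LIKELIHOOD_BANDS if months_between <= upper)


def rating(likelihood: int, impact: int) -> str:
    return next(label for upper, label in RATING_BANDS if likelihood * impact <= upper)


@dataclass(frozen=True)
class Risk:
    area: str
    name: str
    loss_rm: float          # estimated loss per occurrence
    months_between: float   # expected interval between occurrences

    @property
    def likelihood(self) -> int:
        return likelihood_score(self.months_between)

    @property
    def impact(self) -> int:
        return impact_score(self.loss_rm)

    @property
    def code(self) -> str:
        return f"{self.likelihood}.{self.impact}"   # slide: "5.4" = likelihood 5, impact 4

    @property
    def colour(self) -> str:
        return rating(self.likelihood, self.impact)


def residual(risk, treatment, *, loss_rm=None, months_between=None):
    # Treat lowers likelihood (a control) so it needs a longer interval; Transfer lowers
    # impact (insurance/outsourcing) so it needs a smaller loss; Terminate drops the
    # risk; Tolerate is only allowed for a risk that is already inside the appetite.
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "Terminate":
        return None
    if treatment == "Treat":
        if months_between is None or months_between <= risk.months_between:
            raise ValueError("Treat must lengthen the interval between occurrences")
        return replace(risk, months_between=months_between)
    if treatment == "Transfer":
        if loss_rm is None or loss_rm >= risk.loss_rm:
            raise ValueError("Transfer must reduce the loss per occurrence")
        return replace(risk, loss_rm=loss_rm)
    if risk.colour not in APPETITE:  # Tolerate
        raise ValueError(f"{risk.name} ({risk.code}, {risk.colour}) is outside the risk appetite")
    return risk


def enterprise_heat_map(risks) -> Counter:
    """One picture of all areas: how many risks sit in each likelihood.impact cell."""
    return Counter(r.code for r in risks if r is not None)


def outside_appetite(risks) -> list:
    """Risks still needing a management decision, worst cell first."""
    red = [r for r in risks if r is not None and r.colour not in APPETITE]
    return sorted(red, key=lambda r: (-r.likelihood * r.impact, r.area, r.name))


# Constructed sample register (illustrative values, not the presenter's data).
INHERENT = [
    Risk("Mill Operations", "Boiler outage", 150_000, 8),       # 4.4 Very High
    Risk("Finance", "Audit trail never reviewed", 60_000, 24),  # 3.4 High
    Risk("Plantations", "Flood damage", 500_000, 60),           # 2.5 High
    Risk("Compliance", "Late regulatory filing", 5_000, 4),     # 5.2 High
    Risk("Human Resources", "Loss of key staff", 30_000, 10),   # 4.3 High
    Risk("Marketing", "Brochure reprint", 800, 3),              # 5.1 Medium
]


def treat_register() -> list:
    """The 4 Ts applied to the sample register; returns the residual risks."""
    boiler, trail, flood, filing, staff, brochure = INHERENT
    return [
        residual(boiler, "Treat", months_between=48),   # preventive maintenance -> 2.4
        residual(trail, "Treat", months_between=120),   # monthly audit-trail review -> 2.4
        residual(flood, "Transfer", loss_rm=40_000),    # insurance -> 2.3
        residual(filing, "Treat", months_between=36),   # filing calendar -> 3.2
        staff,                                          # no decision yet: still 4.3 High
        residual(brochure, "Tolerate"),                 # already within appetite: 5.1
    ]
```

Running `outside_appetite(treat_register())` leaves only the untreated Human Resources risk, which is the list a Risk Committee would be asked to decide on.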

Page 22: ERM and Internal Auditing 2016 Tea Talk v2a

PART 2.

COSO – Enterprise-wide Risk Management.


Page 23: ERM and Internal Auditing 2016 Tea Talk v2a

5. Where Do We Start?

Before we even implement anything, we have to understand the methodologies used – ERM and IIA’s IPPF.

Risk Evaluation Objectives according to IPPF Standard 2130-A1.

Page 24: ERM and Internal Auditing 2016 Tea Talk v2a


It Started in 1992 with the First Internal Control COSO Cube.

Page 25: ERM and Internal Auditing 2016 Tea Talk v2a


Page 26: ERM and Internal Auditing 2016 Tea Talk v2a

COSO/COSO ERM in 7 Different Languages!

The World’s Best Known and Only Established ERM Framework for Integrated Control.

Page 27: ERM and Internal Auditing 2016 Tea Talk v2a


COSO (1) Evolved into COSO-ERM (2004)

Page 28: ERM and Internal Auditing 2016 Tea Talk v2a

ERM Re-defined / Improved:

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: “COSO Enterprise Risk Management – Integrated Framework” 2004. COSO.


So why Enterprise-wide Risk Management?

Page 29: ERM and Internal Auditing 2016 Tea Talk v2a

The Development of the Three COSO Frameworks. The 2013 COSO Framework (17 Principles) is the Best yet.

[Timeline: 1992, 2004, May 2013.]

1992 COSO has been replaced. NEW!

Page 30: ERM and Internal Auditing 2016 Tea Talk v2a

A Quick View of the Overall Framework that should be achieved.

Page 31: ERM and Internal Auditing 2016 Tea Talk v2a


Page 32: ERM and Internal Auditing 2016 Tea Talk v2a

[Diagram: Risk Appetite Framework and ERM.]

Page 33: ERM and Internal Auditing 2016 Tea Talk v2a

Internal control is defined as follows:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

“Internal Control—Integrated Framework.” COSO Publication, May 2013

The Requirement is Integrated Internal Control.

Board must lead and sponsor!

Page 34: ERM and Internal Auditing 2016 Tea Talk v2a

Definition of Governance – What the Board is now expected to do.

“The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization towards achievement of its objectives.”

IPPF Glossary

Page 35: ERM and Internal Auditing 2016 Tea Talk v2a

Specimens of Internal Audit Report based on COSO (2013) Format.


Page 36: ERM and Internal Auditing 2016 Tea Talk v2a

Detailed Audit Finding as per Implementation Guide 2410-1

CA02 Control Activities: No review performed on audit trail report for MYSTICS system

Criteria: The BNM Audit in 2013 highlighted the absence of Policy and Procedures on the requirement to review the audit trail in the MYSTIC System (Issue No. 15). FIN has since revised the Policy and Procedures, effective 19MAR14, to incorporate periodic review of the audit trail by an officer. Section 1.1 of Audit Trail Review for MYSTIC guides FIN in the preparation of the Audit Trail Report, where the system administrator is responsible for the review of the audit trail every month for at least two (2) modules.

Condition: However, Audit’s observation was that the review of the audit trail for the MYSTIC system was not implemented / carried out as now required under Section 1.1.

Cause: a) Guideline was not strictly followed and enforced accordingly. b) Unawareness of the staff in charge of the usefulness/benefits of the audit trail in monitoring the activities of MYSTIC users and preventing fraud risks.

Risk (High): a) Non-compliance with Section 1.1 of the Audit Trail Review for MYSTICS Manual. b) System control lapses may go undetected.

FIN must ensure that the Audit Trail Review for MYSTICS Manual is adhered to accordingly and report to Risk Management Department (RMD) any unusual activities under incident reporting (if any).

Management’s Response: We have reviewed the audit trail for the months of March 2014, April 2014, May 2014, June 2014 and July 2014, and this has been concurred by FC accordingly on 2 September 2014. Target Date: Implemented. Person Responsible: Zahid Muhammad, Head of Section.

Page 37: ERM and Internal Auditing 2016 Tea Talk v2a

TABLE 1: COSO 5 COMPONENTS & 17 PRINCIPLES MATRIX

CONTROL ENVIRONMENT

1. The organization demonstrates a commitment to integrity and ethical values.
Answer: Yes. Board of Directors is committed to ethical and integrity values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Answer: Yes. Board of Directors is independent and exercises oversight. New Board members in 2014.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Answer: Yes. Board has established reporting lines and structures. In 2013, the Board changed the external auditors to PwC.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Answer: FIN lost 6 experienced staff in 2013 and 2014 (including the Head of Department).

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Finding IMP01: Absence of internal/manual attendance record for staff working during public holidays. Opinion: Tightening of controls and discipline seems obvious given the nine control lapses in this report.

RISK ASSESSMENT

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Opinion: This should be improved as staff do not seem to implement controls as they should.

7. Organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Opinion: The identification of risk is not adequate or systematic enough. Coupled with a lack of responsibility, this is probably why the control lapses occur.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Finding RA01: User ID (MYSTICS) logged in during staff’s absence. (Medium Risk)

9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Answer: Yes. GST was highlighted to management.

CONTROL ACTIVITIES

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Yes: Controls are in manuals but not implemented. Hence, see findings in Principle No. 12.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.
Finding CA05: No adjustments made for TPUB-i profit charged due to limitation in Contract Financing Module (CFM-BOS). (Medium)
Finding CA08: Six (6) IDs of resigned staff were not deactivated. (Medium Risk)

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Finding CA01: Inappropriate month end closing. (High Risk)
Finding CA02: No review performed on audit trail report for Mystics System. (High Risk)
Finding CA03: Non-compliance with Accounting Policy - Checklist not used. (High Risk)
Finding CA04: Incomprehensive updates in Manual. (Medium Risk)
Finding CA06: Wrong Preparation of Accounts: Written off asset was treated as loss on disposal of asset. (Medium Risk)
Finding CA07: Security Cabinet containing cheque book was not locked. (Medium Risk)

INFORMATION & COMMUNICATION

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
See related comments in Principle No. 16.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Answer: Meetings are held with other internal parties.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Answer: Yes. This is done with PwC, the external auditors.

MONITORING

16. The organization selects, develops and performs ongoing and / or separate evaluations to ascertain whether the components of internal control are present and functioning.
Answer: FIN will ensure the figures and information related to FIN are correct.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Answer: Yes, CGC as a whole communicates deficiencies, but implementation is hampered by staff quality and IT issues. See CA03, CA04, CA05 and Finding Other 01 (Un-reconciled receipts).

Page 38: ERM and Internal Auditing 2016 Tea Talk v2a

Rating the Internal Audit Consistently / No Surprise Approach.

Risk Rating and Type     Reported this Audit   Maximum for Satisfactory   Maximum for "Needs Improvement"
High Risk                3                     2                          4
Medium Risk              6                     6                          6
Other Department Risk    1                     NA                         NA
Improvement              1                     NA                         NA
TOTAL                    11

Page 39: ERM and Internal Auditing 2016 Tea Talk v2a

“The former JP Morgan Chase trader known as the “London Whale” has broken cover to say he was not responsible for the scandal that lost the bank $6.2bn. In a letter sent late on Monday night to news outlets including Financial News and Bloomberg, Bruno Iksil said he was “instructed repeatedly” by his superiors to carry out the trading strategy that led to the losses.”

Bruno Iksil (The “London Whale”), The Independent

Does Senior Management (and Board) really know their Risk Appetite?

(Mr Iksil is helping the US authorities bring a case against key figures at JP Morgan, but he is not among those being prosecuted. JP Morgan lost USD 6.2 Billion and was fined USD 1 Billion by regulators.)

Jamie Dimon, JP Morgan’s CEO.

Page 40: ERM and Internal Auditing 2016 Tea Talk v2a

Appeals court rules company directors liable for offences committed during their tenure

Published: 28 September 2015

The Court of Appeal today ruled that Section 122(1) of the Securities Industry Act 1983 (SIA) – which states that when an offence has been committed under the act by a corporate body, a director or chief executive officer (CEO) or one purporting to act in such a capacity for the organisation is deemed liable – does not violate the Federal Constitution.

The decision overturned the High Court’s ruling that the section was unconstitutional when Transmile Group Bhd’s founder and former CEO Gan Boon Aun and its former executive director Khiuddin Mohd challenged the validity of a charge brought against them.

Is your Board aware of this Risk?

Page 41: ERM and Internal Auditing 2016 Tea Talk v2a

Implication: Making COSO-ERM Thinking the Way of Life for Achievement of Company Objectives.

[Diagram: COSO 5 Components vs. COSO-ERM 8 Components!]

Is your Board & Management aware of COSO?

Page 42: ERM and Internal Auditing 2016 Tea Talk v2a

Implication: Changes Required for Internal Audit. IA is prime mover and player in ERM.

Professional & Proactive Internal Audit (IIA qualified).

Risk-Based Internal Audit (uses COSO 2013).

Implement the International Professional Practices Framework (IPPF), which requires IA to give assurance on the effectiveness of the governance, risk management and internal control systems.

Page 43: ERM and Internal Auditing 2016 Tea Talk v2a

Will IA’s Participation in ERM compromise IA’s Independence? ANSWER – NO.

Page 44: ERM and Internal Auditing 2016 Tea Talk v2a

Starting ERM Risk Assessment - How to Identify Risks in Your Division?

• Brainstorming (Participation by implementers)

• Delphi System (Asking Experts)

• Monte Carlo Simulation (IT Program)

Page 45: ERM and Internal Auditing 2016 Tea Talk v2a

Separation of Roles. ERM Promotes Ownership of Risks.

Page 46: ERM and Internal Auditing 2016 Tea Talk v2a

• Identification of Risk Universe.

• Organize Brainstorming sessions in risk areas.

• Identify risks and identify the controls.

• Document the high & medium risks.

• Prepare each area’s top risks and controls.

• Institute monitoring to ensure identified controls are implemented / working.

• Institute regular reporting to ERM centre.

• Review controls and update risk registers.

• Institute annual review by Internal Audit.

• Internal Audit to test ERM system in internal audits of each area.

• Aggregate and update quarterly reporting to Risk Committee.

• Continuous training and annual updating of Risk Universe.

• Integrate into Strategic review and annual budgeting.

• Add stress testing to ERM.

• Establish Scope and Objectives of ERM Project.

• Establish ERM Project Roles and Project Structure.

• Identify key executives.

• Conduct training for key individuals.

• Appoint CIA and Head of ERM/CRO.

• Establish Risk Committee.

• Identify resources for ERM.

Page 47: ERM and Internal Auditing 2016 Tea Talk v2a

In Summary: Benefits of Coordinating the Company with an Integrated ERM Program and IA

Risk Management becomes easy to apply. We will have substance instead of form. Collaborative Risk Management achieved.

Internal audit recommendations become understandable and implemented.

ERM gives the Board better real assurance over internal controls.

All departments work on the same internationally recognized methodology.

Risk registers are easily available online to all users. Related risks are identified. Redundant controls are eradicated.

We have less work and less stress (no duplicated controls).

Each entity will know their main risks and controls. This leads to more focused work and efficiency. Logical and fair internal audits.

Entities will pass internal audits. More value-add from internal audits.

Company will suffer fewer losses, make higher profits and be competitive.

Company has more time for strategy and is more focused.

Company will have compliance with law, regulations and policies.

For manufacturers, better safety in the operations area.

Less staff turnover – Better staff Morale.

Page 48: ERM and Internal Auditing 2016 Tea Talk v2a

Final Take Away Pointers

Look at Risks using COSO/COSO ERM Frameworks.

Establish with AC the Risk Appetite and COSO (2013)/COSO ERM.

Do Risk Universe Analysis using Brainstorming.

Emphasize the Biggest Risks and review every three months.

Do Internal Audit Planning using the COSO (2013) Framework.

Discuss with Auditees the use of the COSO (2013) Framework.

Determine/Measure Risk using the risk appetite set and risk registers.

Report risks based on Criteria, Condition, Impact and Cause into High and Medium Risks.

Establish Real Cause with Auditees to recommend action.

Hold the person/entity with responsibility/authority accountable.

Be consistent with standards of evidence (No evidence, it’s an opinion).

Write report based on COSO (2013) format.

Be consistent with ratings across the board (No exception).

If you have any serious opinion (e.g. corruption) to share, write a management memorandum separately to Management or Board.

Page 49: ERM and Internal Auditing 2016 Tea Talk v2a


REMEMBER THIS?

Page 50: ERM and Internal Auditing 2016 Tea Talk v2a

Finally, where is your current risk management maturity level?

Page 51: ERM and Internal Auditing 2016 Tea Talk v2a


Thank you. Any Crushing Questions?