Difference
• The responsibilities and conduct of audits by
internal and external auditors differ in one
important way.
• Internal auditors are responsible to management
and the board, while external auditors are
responsible to financial statement users who rely
on the auditor to add credibility to financial
statements.
4. Relationship… Cont’d
Similarities: internal and external auditors share many
similarities:
a. Both must be competent as auditors and remain objective
in performing their work and reporting their results.
b. Both follow a similar methodology in performing their
audits, including planning and performing tests of controls
and substantive tests.
c. Both consider risk and materiality in deciding the extent
of their tests and evaluating results. However, their
decisions about materiality and risks may differ because
external users may have different needs than
management or the board.
4. Relationship… Cont’d
d. External auditors rely on internal auditors
when using the audit risk model to assess
control risk.
– If internal auditors are effective, the external
auditors can significantly reduce control risk and
thereby reduce substantive testing.
– As a result, external auditors may reduce their
fees substantially when the client has a highly
regarded internal audit function.
4. Relationship… Cont’d
• External auditors typically consider internal
auditors effective if they:
i. Are independent of the operating units being
evaluated
ii. Are competent and well trained
iii. Have performed relevant audit tests of the
internal controls and financial statements
Part II
Enterprise Risk Management
Outline of part II
1. Introduction
2. Risk and Risk Category
3. Enterprise Risk Management (ERM)
4. Risk Maturity and Measurement of Risk
5. Impact of Risk Maturity on Internal Auditing
6. Role of IA in ERM
Discussion
• How is risk defined in your organization
(company)?
• What kind of risk do you know?
• What causes the risk?
1.Introduction
• Achievement of organizational objectives is
surrounded by uncertainties which
– both pose threats to and offer opportunities for
increasing success.
• Changing circumstances, such as rising interest
rates, can be an opportunity for an organization
with surplus cash and a risk for a borrower.
• Hence these circumstances need to be seen with
reference to the organisation's objective.
Introduction… Cont’d
• When defined narrowly, risks are those
uncertainties which impede the achievement
of the objective.
Introduction… Cont’d
2. What is risk?
– Why are we bothered about risks?
– Because they threaten our objectives.
Introduction… Cont’d
Example
• The risk of a delayed transport service threatens
production/operation of our company because the
required materials/goods may be delayed
• The risk of a competitor's new product (Dakote Cement
Factory/Derba Cement) threatens profits of Mecebo CF
• Dishonest people may use resources of your company for
their selfish interest.
• Inability to place the right person in the right position
(job) may reduce the efficiency and effectiveness with
which company objectives are achieved.
2. Risk and Categories of Risks
So what is a risk?
A risk is a set of circumstances that hinder
the achievement of objectives.
2. Risk and Categories of Risks
Categories of Risk
Generally risk can be classified as
1. Expected and Unexpected risks
2. Systematic (pure) and Unsystematic Risk
3. Internal or external
2. Risk and Categories of Risks
1. Expected and Unexpected Risks
Expected Risks
– The firm knows with reasonable certainty that they will
occur (e.g., the expected default rate of a corporate loan
portfolio)
• Unexpected losses
– Are associated with unforeseen events (e.g., an
unexpected increase in interest rates, inflation or
foreign exchange rates, a flood, etc.)
2. Risk and Categories of Risks
2. Systematic (pure) and Unsystematic Risks
Systematic Risk (Uncontrollable Risk)
• Cannot be influenced by the manager and is
independent of business decisions.
Unsystematic Risks (controllable Risks)
• are the result of managerial decision-making and
can either have a negative or a positive outcome.
Q. Give an example of each with reference to your
company.
2. Risk and Categories of Risks
3. Internal and External (classification by source)
Internal Risks
• Result from internal managerial decisions and are controllable
(they affect that specific company)
• Example:
– Credit risk, liquidity risk, operating risk, etc.
External Risks
• occur in the business environment of the company and affect
all companies
• Example:
– Political Risk, Legal risks, marketing risk, risk from change in
technology, risk from change in macroeconomic
environment
2.1 Specific Types of Risks
1. Credit Risk
2. Financial Risks
3. Liquidity risk
4. Legal Risk
5. Market Risks
6. Operating Risk
2.1 Specific Types of Risks
1. Credit Risk
• Possible loss due to default of customers
• Example
– Failure (default) of credit customers of Trans
Ethiopia to pay their debt within the stipulated
time
– Risk of bad debts or non-performing loans in
banks
2.1 Specific Types of Risks
2. Financial risk
• Refers to the chance that a business's cash flows
are not enough to pay creditors and fulfil
other financial responsibilities
• The more debt a business owes, the more
likely it is to default on its financial obligations.
• Taking on higher levels of debt increases a
business's level of financial risk.
2.1 Specific Types of Risks
3. Liquidity risk
• Liquidity risk is the risk that arises when our
company is not able to make payments as they fall
due because of inadequate available funds (possibly
due to a bad business environment that affects your
sales volume, or other factors).
• Liquidity risk is a financial risk due to
uncertain liquidity.
2.1 Specific Types of Risks
4. Legal Risk
• Legal risk is the risk from uncertainty due to legal
actions, or from uncertainty in the applicability or
interpretation of contracts, laws or regulations.
• Legal risk can be a particular problem for
institutions that transact business across
borders.
2.1 Specific Types of Risks
• Example:
• If Sur Construction has a subsidiary company
outside Ethiopia (e.g., in South Sudan), the
enactment of the following laws or directives
may affect the profits of Sur (EFFORT):
– Enactment of a new law to increase profit tax
– Investment law restricting the operations of
foreign firms
– Restrictions on repatriation of proceeds from foreign
2.1 Specific Types of Risks
5. Market Risk
• Market risk is exposure to the uncertain market
value of a portfolio of assets (both financial and
non-financial assets).
• Market risk is the risk of loss due to changes in
market prices.
• Elements of market risks
– Interest rate risk
– Foreign exchange risk
– Commodity risk (price change risk)
2.1 Specific Types of Risks
• Interest rate risk is the risk of loss resulting from
changes in interest rates.
• Foreign exchange risk is the risk of loss resulting
from the difference between assumed and actual
foreign exchange rates.
• Commodity price risk/price change risk is the
risk of loss resulting from a decline in the value of
assets due to changes in the prices of
commodities, securities, etc.
2.1 Specific Types of Risks
6. Operational risk
• It is the risk of loss due to the actions of, or
failures in, people, processes, infrastructure,
technology or similar, which has an operational
impact, including fraudulent activities.
2.1 Specific Types of Risks
Examples
The following risks (events or problems) may
make achievement of your anticipated profit
difficult or impossible:
– Weaknesses in your supply chain: delay in delivery
of materials in Mesebo or of spare parts in Trans
Ethiopia
– Outdated manufacturing equipment,
– A poor sales force
2.1 Specific Types of Risks
Examples of Operating Risk… Cont’d
– Dishonesty in the workforce may result in
unreasonable stoppage of operations, theft or
embezzlement of company resources (cash,
inventory, fixed assets, etc.)
– If your IT department doesn't maintain Internet
security, for example, one hacking incident could
cost you vital corporate information.
Discussion
• Explain the cause and impact of the
following types of risks from your company's point
of view:
1. Credit Risk
2. Financial Risk
3. Liquidity Risk
4. Legal Risk
5. Operating Risk
6. Market Risk
– Change in interest rates
– Change in commodity prices (raw materials, output, etc.)
– Change in exchange rates (appreciation or
depreciation of foreign currency)
3. Enterprise Risk Management (IIA)
Introduction
• The importance of managing risk to strong
corporate governance has been increasingly
acknowledged.
• Organizations are under pressure to identify
all the business risks they face.
• Internal auditing, in both its assurance and its
consulting roles, contributes to the
management of risk in a variety of ways.
Enterprise Risk Mgt … Cont’d
Important Glossary
1. Assurance Services: An objective examination of
evidence for the purpose of providing an
independent assessment on governance, risk
management, and control processes for the
organization.
2. Control: Any action taken by management and
the board to manage risk and increase the
likelihood that established objectives and goals
will be achieved.
Enterprise Risk Mgt … Cont’d
3. Enterprise-wide risk management (ERM): A
structured, consistent and continuous process across
the whole organization for identifying, assessing,
deciding on response and reporting on opportunities
and threats that affect the achievement of its
objectives.
4. Risk Appetite is the level of risk that an organization is
willing to accept.
5. Risk Management Framework: The totality of the
structures, methodology, procedures and definitions
that an organization has chosen to use to implement
its risk management processes.
Enterprise Risk Mgt … Cont’d
6. Risk Maturity is the extent to which a robust risk
management approach has been adopted and
applied, as planned, by management.
– The degree to which the organization understands
risks and has implemented risk management is
known as its risk maturity.
7. Risk Response (management) is the means by
which an organization elects to manage individual
risks.
– Tolerate, Treat, Transfer, Terminate, etc.
Enterprise Risk Mgt … Cont’d
Glossary cont’d
8. Consulting Services: Advisory and related
client service activities; examples
– include counsel, advice, facilitation, and training
9. Risk Register is a list of risks identified and
put together by managers who have been
properly trained.
Enterprise Risk Mgt … Cont’d
4.2. What is Enterprise-wide Risk Management
(ERM)?
Enterprise-wide risk management (ERM) is a
structured, consistent and continuous process
across the whole organization for identifying,
assessing, deciding on responses to and
reporting on opportunities and threats that
affect the achievement of its objectives.
Enterprise Risk Mgt … Cont’d
4.2. What is ERM?... Cont’d
• Enterprise risk management is defined by
COSO as a process designed to:
1. Identify potential events that may affect the
organization
2. Manage risk to be within the organization’s
risk appetite
3. Provide reasonable assurance regarding the
achievement of the organization’s objectives
Enterprise Risk Mgt … Cont’d
Eight Components of ERM –COSO
• The COSO definition goes on to outline eight
interrelated components of enterprise risk
management.
1. Internal Environment
The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed
and addressed by an organization’s people, including
risk management philosophy and risk appetite,
integrity and ethical values, and the environment in
which they operate.
Components of ERM… Cont’d
2. Objective Setting
Objectives must exist before management
can identify potential events affecting their
achievement.
3. Event Identification
Internal and external events affecting
achievement of an organization’s objectives
must be identified, distinguishing between
risks and opportunities.
Components of ERM… Cont’d
4. Risk Assessment
Risks are analyzed, considering likelihood and
impact, as a basis for determining how they
should be managed. Risks are assessed on an
inherent and a residual basis.
5. Risk Response
Management selects risk responses:
– avoiding, accepting, reducing or sharing risk
– developing a set of actions to align risks with the
entity’s risk tolerances and risk appetite.
Components of ERM… Cont’d
6. Control Activities
Policies and procedures are established and
implemented to help ensure the risk
responses are effectively carried out.
7. Information and Communication
Relevant information is identified, captured,
and communicated in a form and timeframe
that enable people to carry out their
responsibilities.
Components of ERM… Cont’d
8. Monitoring
The entirety of enterprise risk management is
monitored and modifications are made as
necessary.
Enterprise Risk Mgt … Cont’d
4.3. Responsibility for ERM
• The board (with management as its delegated body) has
overall responsibility for ensuring that risks are
managed.
• The board/management should establish a risk
management unit (risk manager).
Enterprise Risk Mgt … Cont’d
4.4 Benefits and Activities of ERM
• Greater likelihood of achieving organizational
objectives;
• Improved understanding of the key risks and
their wider implications;
• Greater management focus on the issues that
really matter;
• Fewer surprises or crises;
Enterprise Risk Mgt … Cont’d
Benefits of ERM… Cont’d
• More focus on doing the right things in the
right way;
• Increased likelihood of change initiatives being
achieved;
• Capability to take on greater risk for greater
reward; and
• More informed risk-taking and decision-
making.
Enterprise Risk Mgt … Cont’d
4.5. Risk Response/Risk Management
• The purpose of assessing and addressing risks is
to constrain them to a tolerable level within the
risk appetite of the organization. So what can we
do about risks? Response to risks can be of the
following types
i. Avoid Risk/Terminate Risk
ii. Transfer Risk
iii. Tolerate them, without planning any
contingencies
iv. Tolerate them, and plan contingencies
Enterprise Risk Mgt … Cont’d
Risk Response… Cont’d
(i) Avoid Risk/Terminate Risk.
• Management responds to some risks by
avoiding them, for example by not
undertaking/starting up a given business.
• This happens if the cost of managing the risk
does not make the activity viable.
– When the cost of risk management is greater than its benefit
Q. Provide an example of this type of risk from
your company's point of view.
Enterprise Risk Mgt … Cont’d
Risk Response…ctd
(ii) Transferring risk to another party (the best
example being insurance).
• Insure your imported/exported goods
• Insure your valuable assets (physical and human)
(iii) Tolerate them, without planning any
contingencies. These are the ‘asteroid hits earth’
type of risk.
– The company cannot make a contingency plan to
prevent or minimize such risks.
Enterprise Risk Mgt … Cont’d
(iv) Tolerate them, and plan contingencies.
• These are the ‘hurricane/storm destroys
factory’ type of risk.
• This option, of course, may be supplemented
by contingency planning for handling the
impact that will arise if the risk is realized.
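To make the risk-assessment and risk-response components above (likelihood and impact, inherent versus residual, risk appetite, and the four responses: terminate, transfer, tolerate with contingencies, tolerate without) concrete, here is a small risk-register model. It is an added illustration, not material from the original slides: the 1..5 scales, the multiplicative score, the appetite threshold, the cost/benefit test used for "terminate", and the sample risks are all assumptions chosen for the example.

```python
"""Risk register with inherent/residual scoring against a risk appetite.

Illustration added to this section; it is not part of the original slides.
The 1..5 likelihood and impact scales, the multiplicative score, the appetite
threshold and the sample risks are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for likelihood and impact


@dataclass
class Risk:
    name: str
    likelihood: int            # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                # inherent impact, 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    control_effect: tuple = (0, 0)     # assumed reduction in (likelihood, impact) from controls
    transferable: bool = False         # can be passed to another party, e.g. insured
    contingency_feasible: bool = True  # False for "asteroid hits earth" type risks
    treatment_cost: Optional[float] = None     # cost of managing the risk (same units as benefit)
    treatment_benefit: Optional[float] = None

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: scores must be in {SCALE_MIN}..{SCALE_MAX}")


def inherent_score(risk: Risk) -> int:
    """Score before considering any controls (likelihood x impact)."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Score after controls; neither factor can fall below the scale minimum."""
    likelihood = max(SCALE_MIN, risk.likelihood - risk.control_effect[0])
    impact = max(SCALE_MIN, risk.impact - risk.control_effect[1])
    return likelihood * impact


def recommend_response(risk: Risk, appetite: int) -> str:
    """Map a risk to one of the four responses described in the text.

    Residual score within appetite: tolerate as-is.  Above appetite: transfer if
    possible; terminate the activity if managing the risk costs more than it is
    worth; otherwise tolerate and plan contingencies where a plan is feasible,
    or tolerate without a plan where none is possible.
    """
    if residual_score(risk) <= appetite:
        return "tolerate"
    if risk.transferable:
        return "transfer"
    if (risk.treatment_cost is not None and risk.treatment_benefit is not None
            and risk.treatment_cost > risk.treatment_benefit):
        return "terminate"
    if risk.contingency_feasible:
        return "tolerate_with_contingency"
    return "tolerate"


def register_report(risks, appetite: int):
    """Risk register rows, highest residual risk first, flagged against appetite."""
    rows = [{
        "name": r.name,
        "inherent": inherent_score(r),
        "residual": residual_score(r),
        "above_appetite": residual_score(r) > appetite,
        "response": recommend_response(r, appetite),
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register, loosely based on the examples in the slides.
RISK_APPETITE = 4  # assumed: residual scores above this need an explicit decision
SAMPLE_RISKS = [
    Risk("Delayed delivery of materials", 4, 3,
         controls=["second supplier", "safety stock"], control_effect=(2, 1)),
    Risk("Hacking incident exposes corporate information", 3, 5,
         controls=["patching", "access control", "backups"], control_effect=(1, 1)),
    Risk("Fire destroys warehouse inventory", 2, 5, transferable=True),
    Risk("Foreign subsidiary hit by new profit-tax law", 3, 4,
         treatment_cost=100.0, treatment_benefit=60.0),
    Risk("Asteroid hits earth", 1, 5, contingency_feasible=False),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{row['name']:<48} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['response']}")
```

The point of separating `inherent_score` from `residual_score` is the one the slides make: a risk is assessed twice, once as it stands and once after the controls that management has actually put in place, and only the residual figure is compared against the appetite. The decision order in `recommend_response` is an assumption; an organization would replace it with its own policy.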
5. Steps to Effective Enterprise Risk
Management
Step 1: Define Management’s Role
• Management’s role is to engage in risk
assessment and prioritization through purely
qualitative assessment.
Step 2: Establish/Define the Risk Management
Context
• This involves setting the scope and boundaries of
the risk assessment process, including the time
frame and specific project or activity.
• The context is the level at which management
feels the need to set strategy and assess risk.
5. Steps to Effective ERM
• A context could include the entity as a whole,
a business unit/department/division, a line of
business/product line, a geographic area or all
of the above.
5. Steps to Effective ERM