Drivers of GRM: SGX Listing Rule 719(1): An issuer should have a robust and effective system of internal controls addressing the financial, operational and compliance risks; Rule 1207(10): Opinion of the Board with the concurrence of the AC on the adequacy of the internal controls, addressing financial, operational and compliance risks in the annual report; Principle 11 of the Code of CG; stakeholders: Shareholders, Regulators.

Corporate Governance: set of responsibilities and practices exercised by the Board and executive management with the goals of strategic direction, achievement of objectives, management of risks, responsible use of resources; Performance (Value creation and Resource Utilisation) and Conformance (Accountability and Assurance). SG: two-tier Board, Comply or Explain. Values: transparency, accountability, ethical, respect.

Organisation: Why: Mission; What: Vision; How: Strategy; SMART Objectives. Board: Oversight role to protect stakeholder rights and interests, approve policies, strategies & financial objectives, monitor management performance, oversee processes for evaluating adequacy of IC, RM, FR and compliance, approve nominations to Board & key personnel, approve budgets, major funding, investment & divestment, to create long-term business value, assume responsibility for CG. Directors: act in good faith in interests of company, with due care and skill, avoid conflicts of interest, use powers for proper purposes.

[Diagram: Structure / People / Processes. Board (with RCC, RM, AC, NC, RC); CEO, Exec Committee, ERM Processes; Board Oversight, Mgmt RMC, Independent Director, Mgmt Control Structure, Resources, RM Policies, Departmental Risk Owners. RM Process: Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, with Monitor & Review and Communicate & Consult running alongside; RM = systematic application of mgmt. policies, procedures and practices.]

Board: Instil culture and approach for risk governance, Oversight of RM systems and IC, review key risks and mitigation plans, monitor exposure; Committees to meet min twice/year, record minutes, report to Board on proceedings. AC: review adequacy & effectiveness of IC Framework, Oversee FR risk, review effectiveness of IA and scope, independence, objectivity of EA, and appointing/removing EA and approval of EA's remuneration & terms of engagement. RMC: advise Board on company's overall risk tolerance, review & recommend risk strategy & policies, oversee design, implementation & monitoring of IC, review adequacy & effectiveness of risk Framework, monitor implementation of risk mitigation plans, advise RC on risk weightings tied to remuneration, review & approve risk statements in Annual Report. Management Comm: responsible for effective implementation of RM practices at functional levels, review risk assessments carried out by Business Units, assess RM systems and tools, efficiency & effectiveness of mitigations and coverage of risk exposures.

Code of CG Principles

Board Matters:
1. Board's Conduct of Affairs: Effective board to lead and control the company & work with management
2. Board Independence: substantial shareholder and immediate family member, or direct association for past 3 years will not be considered independent; rigorous review for > 9 yrs; to reveal independent director's relation to any external organisation making significant transactions with company; if Chairman is directly linked to CEO, independent directors should make up at least half of Board
3. Chairman and CEO: Clear division of responsibility between board and management
4. Board Membership: NC responsible for training and professional development of Board; disclosure in Annual Report on induction, orientation and training, and number of listed company Board representations of Directors; avoidance of alternate Directors unless in exceptional cases, check for independence if replacing
5. Board Performance: Formal assessment of board effectiveness
6. Access to information: Access to complete, adequate & timely information

Remuneration Matters:
7. Remuneration Policies: Formal and transparent policies on remuneration
8. Appropriate mix to attract, retain, and motivate directors to provide good stewardship, key management to manage successfully: Alignment of level and structure of remuneration with long term interests and risk policies of Company; use of contractual provisions to reclaim incentives in exceptional cases
9. Disclosure: Link between exec directors, key personnel remuneration and performance; on a named basis of directors, CEO and top 5 key personnel in 250k bands; details of immediate family members of a director or CEO whose remuneration > 50k

Accountability & Audit:
10. Accountability: Present a balanced and understandable assessment of performance, position and prospects
11. Risk Governance, RM & IC: Responsibility of Board for governance of risk and determine nature and extent of significant risks which Company is willing to take; ensure management maintains sound system of RM and IC; assess appropriate means to assist in oversight of Company's RM Framework and policies; Board to comment on assurance received from CEO or CFO on true and fair view of Financial Statements and effectiveness of Company's RM & IC systems
12. AC terms of reference: > 2 members (incl. AC Chair) to have recent and relevant accounting or related financial management expertise; review independence of EA annually, disclose aggregate of fees paid to EA and breakdown of fees for audit and non-audit services, and whistleblowing policies; ex-partner of existing EA should not sit on AC within 12 mths from cessation
13. IA: adequately resourced, independent, appropriate standing, activities conducted according to IIA standards, effectiveness of IA to be reviewed annually

Shareholder Rights & Responsibilities: Engagement:
14. Fair and equitable treatment of all shareholders, protection of minority interests; guidelines on Company engagement with shareholders and vice versa
15. Active engagement, implement proper investor relations policy to promote regular, effective and fair communication
16. Shareholder Participation: Company should put all resolutions to vote and announce detailed results

Risk: Effect of uncertainty on objectives; Different aspects, levels; reference to potential events and consequences. Appetite: broad amount (high/moderate/low) and type of risk (category) willing to be accepted to pursue business objectives, achievement of clarity over risks that org wishes to assume, basis for constant communication within stakeholders, explicit articulation of risk attitudes of senior management, multi-dimensional and balanced view of risk appetite. Tolerance: set by Board, Specific max risk (%/qty) willing to be undertaken regarding each relevant risk, different expression for different classes of risk at different levels (strategic, tactical, operational) of org structure, range of levels specific to type of risk, depends on risk capacity (ability to carry and manage risks), varying perspectives from desired credit rating, analyst and shareholder expectations. Risk Matrix: expressed in terms of likelihood and consequence. RM: Coordinated activities to direct and control an organisation in relation to risks affecting the achievement of objectives; Structure, Processes, People.

ISO 31000 5.3.4 Context: (which part of org to apply RM process) Objectives, strategies, scope (depth and breadth), parameters of activities of organisation (time and location), consideration of need to justify resources used in RM, specification of responsibilities, authorities, records to be kept, relationships within projects, processes, activities, risk assessment methodologies and evaluation methods of RM, focus on critical success factors. 2.13 Internal Context: Governance, org structure, roles & accountabilities, policies, strategies, objectives, capabilities (time, resources), perceptions & values of internal stakeholders, information systems and flows (formal & informal), standards & guidelines adopted, form & extent of contractual relationships; Tools: Value Chain Analysis, (SW)OT, McKinsey 7S. 2.12 External Context: include social, political, legal, regulatory, financial, technological, economic, natural, competitive environment, key drivers and trends, relations, perceptions and values of external stakeholders; Tools: SWOT, PESTLE, Porter's Five Forces (Buyers, Suppliers, New Entrants, Substitutes, Industry Rivalry), Stakeholder Analysis (interest & power). 2.8 RM Plan: scheme within RM Framework specifying approach, procedures, practices, assignment of responsibilities, timing & sequence of events. 2.9 Risk Owner: relevant knowledge & expertise, accountability & authority to manage the risk. 2.16 Assessment: Overall process of identification, analysis and evaluation. 2.17 Identification: Finding, recognizing, describing risk sources, events, causes, involve historical data, theoretical analysis, expert opinions, stakeholders' needs. 2.18 Source: Element with intrinsic potential to give rise to risk. 2.19 Event: Occurrence or change of circumstances, "near miss" without consequence. 2.23 Analysis: Comprehend and determine (estimate) level of risk, basis for evaluation and treatment. 2.24 Risk Criteria: Terms of reference against which significance of risk is evaluated, defined at beginning of RM process (subject to review), based on org objectives (internal & external), values & resources, can be derived from standards, laws, policies, [definition & measurement of nature & type of causes and consequences, likelihood, timeframe, view of stakeholders, "cut-off" point, combinations of risks]. 2.26 Evaluation: Compare level with risk criteria to determine acceptability or tolerance and appropriate treatment. 2.27 Treatment: Modify risk (identify options: accept, reduce, share, avoid -> assess feasibility -> prepare & implement -> analyze and evaluate residual risk), possibly create new risks. Control: Process, policy, device, practice, measures that modify risk. 2.29 Residual Risk: Risk remaining after treatment, aka retained risk. 2.30 Monitoring: Continual checking, supervising, observing status to identify change in performance levels expected, can be applied to RM Framework, Process, risks, controls. 2.31 Review: Determine suitability, adequacy, effectiveness of subject matter to achieve objectives, can be applied throughout RM.

Control Environment: sets the tone, influence control consciousness, provide discipline and structure, includes integrity, values (code of conduct) and competence of people, management philosophy and operating style, assignment of authority and responsibility, organisation and development of people, attention and direction provided by Board. Controls: actions supported by policies and procedures that, when carried out properly and timely, manage or reduce risk, managers' responsibility, constantly modifying risks. IC: process designed to provide reasonable assurance regarding the achievement of objectives in effectiveness & efficiency of operations, reliability of FR, compliance with laws and regulations, safeguarding assets. Preventive: proactive attempt to deter or prevent undesirable events from occurring, emphasize quality, eg. Proper authorization (general & specific), "blank" approvals, adequate documentation, written policies and procedures, supporting documentation. Detective: attempt to detect undesirable acts, prevent losses, provide evidence for functioning of preventive controls, eg. Reviews (budget to actual, current to prior, performance indicators, consistency and reasonableness), analyses, variance analyses, reconciliations (identify, investigate, explain, correct differences), audit. Both: Asset security (physical safeguards, maintenance of records, periodic checks), segregation of duties (approval, record, reconcile, review, check preparation & deposit, reduce risk of both errors and inappropriate actions, prevent collusion), Infosys (general: maintain integrity and availability of business application processing, ensure completeness and accuracy, access, data, program, physical security, disaster recovery & frequent backups; application: prevent, detect and correct errors and irregularities as transactions flow through business system, end-user computing and responsibility, input, processing and output controls, edit checks, record counts, error listings). Effective Controls: Both Preventive & Detective, strong soft controls.

Assessment: Establish scope & plan, consider responsibilities (parties who can provide meaningful perspective on relevant risks), input (RM context, prior assessments, loss data, KRIs), output (specific requirements of stakeholders), [1. Identify relevant business objectives (SWOT to identify critical success factors, scope covering objectives related to strategy, operations, compliance, FR) 2. Identify events that could affect achievement (+ve & -ve, past events, analysts, reviews, surveys) 3. Determine risk tolerance (same unit of measure applied to relevant objective) 4. Assess inherent likelihood and impact (internal and external data, build inherent risk map for comparison against other risks, concentration of risks and analysis over time) 5. Evaluate portfolio of risks and determine response (compare levels with risk categories and thresholds to determine response strategies, based on cost/benefit, resources and relative importance to objectives) 6. Assess residual likelihood and impact (evaluate adequacy and effectiveness) -> Monitor and document progress]

Risk Register:
Obj | Source | Risk | C b/IC | L b/IC | Risk Lvl b/IC | Existing IC | C a/IC | L a/IC | Risk Lvl a/IC | Risk Target | Risk Treatment?
    |        |      | H      | H      | H             |             | L      | L      | L             | L           | Y/N

*Failure of Controls: Inadequate knowledge, lack of separation of duties, inappropriate access to assets, form over substance, override, collusion

Effective Governance: Design + Operations; Sound Board (4 pillars), Oversight, Management. Strong Governance: require strong ethical base (people). Systemic Failure: Lack of regulation, deregulation, imperfect information in markets lead to failure of theorized market forces, lack of stakeholder involvement, internal system lapses. Lucifer Effect: situation and toxic environment may induce good persons into irrational behaviour. Broken Windows Theory: Lack of punitive action for small crimes may lead to bigger crimes, solves symptoms but not root causes.

Scandals: News of the World, Madoff, Lehman Brothers, Enron, AirOcean: Lack of disclosure of market sensitive information, acquittal of 3 independent directors' convictions due to dependence on professional advice, no material impact.

Board Diversity: Complexity of issues, demographic of employees and customers, failure of homogenous Boards, gender diversity correlate to company performance.

Challenges: 1. Market Discipline: meaningful disclosure, active engagement of shareholders, 3rd parties such as analysts, media serve educational role, to provide more holistic assessment of companies; 2. Board Competency: training to build competency (SID-SMU Directorship program, professional certification, GTI), diversity to represent a range of backgrounds and expertise to enable robust and rigorous considerations due to inherent uncertainty of risks; 3. Right values: Board and management to maintain standards and promote culture rooted in strong ethical frameworks, look to Long-term maximisation of shareholder value rather than short-term gains, excessive risks.
ERM: Process conducted by management to understand and deal with uncertainties that could affect the org's ability to achieve its objectives (Institute of Internal Auditors); a process effected by the Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and limit risk taken to its risk appetite, providing reasonable assurance regarding the achievement of entity objectives (CoSo). Difference b/w TRM and ERM: ERM collects information, analyses and identifies connections, correlations, concentrations of risk to help senior management allocate and prioritise resources for risks that affect company strategy and mission, uses indicators (KRIs, Risk or Control); Additional dimensions for risk measurement: agility (accelerators), Costs of Switching. SGX Listing Manual 1207(10): Require Board of Directors to provide an opinion, with concurrence of AC, on adequacy of IC, addressing financial, operational, compliance risks.

ISO 2.14 Communicate & Consult: Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders and others regarding the management of risk; Consultation is a two-way process of informed communication b/w org and important stakeholders (high power & influence) prior to making a decision through influence rather than power; C&C and M&R should be continuous and dynamic. Essential Elements of C&C plan include objectives (building awareness, increase understanding of RM process, influencing target audience, learning from stakeholders, attitudinal or behavioural shift), stakeholders (identify and map relationships for review to ensure proper coordination and alignment of purposes, perspectives), communication methods, participants, form, SMART, evaluation process, training & training outcomes. 2.30 Monitoring: Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected, can be applied to RM Framework, process, risks, controls. 2.31 Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives, involves periodic investigation of current situation or actual for comparison with expected/required performance, uses Criteria (timeliness, effectiveness, acceptability, relevant, effectiveness of governance).

Disruption Risk: beyond capability (ability and capacity) of routine management approaches to resolve, due to its magnitude and severity. Type of Risk: Normal / Speculative / Unknown; Likelihood: Low to High / Low / Very Low; Consequence: Low to High / Low to High / Very High. Proliferation and emerging nature of Disruption Risk (internal & external, nature, location, complexity, markets, Supply Chain risks due to complexity of cross border supply chains, Black Swan events, Dependencies between capabilities).

BCM (integral part of ERM, business imperative): Provides a Framework to develop plans and responses (BCM more of response strategy due to unpredictableness) to ensure business resiliency and long-term survival following a serious disruptive incident, ensure ongoing delivery of accepted minimum level of org capability & performance, return org to long-term operationally acceptable & sustainable capability. Objectives: Prevent impact beyond org, Ensure safety of staff, Demonstrate effective & efficient governance to media, SHers, Defence of reputation & brand, Protect org's assets, value-creating activities, Min impact on key stakeholders, Meet insurance, legal, regulatory requirements; enables Business Continuity Plans (BCP) to be developed that are tailored to meet the needs of business. 3 Concepts: Business Impact Analysis: examine and highlight critical business processes which are vulnerable to disruption, detailed insight into extent, severity, time frames and mechanisms of disruptive consequences associated with priority disruption related risks; Maximum Tolerable Period of Disruption/Maximum Acceptable Outage: Max time a system can be unavailable before its loss will compromise the org's objectives or survival; Recovery Time Objective: duration of time within which a business process must be restored after a disruption in order to avoid unacceptable continuity consequence, usually lower than MTPD/MAO.

BIA steps: [Develop BIA communication & consultation (engage & consult key stakeholders on intent of BIA, types and collection of info required, how it will be used), involves context (examine interdependency of functions and stakeholders, key transactions & processes, critical business functions), risk identification (sources, consequences), evaluation (risks beyond routine management capability to be subjected to BIA), treatment; Perform Disruptive Risk Assessment (identify Disruption Risks to address, analyse and establish risk disruption profile LxC, prioritise certain risks); Disruption Impacts (assess level of impact of disruption event on each critical business function); Resource capability & requirements (establish level of resourcing required following disruption event to maintain minimum level of functionality, with respect to identified potential impacts); MAO and Recovery Time objectives (determine MAO & RTO for each critical business process and resources required for minimum operational capability); Review & confirm current preparedness (adequacy of existing measures); 1. Identify Business Processes (Pdn, Admin, HR, IT, Supply etc) 2. Determine & confirm critical functions (identify objective critical functions which will be subsequently prioritised based on their MAO) 3. Select Core Processes & Determine MAO (regulations, SHers, critical infrastructure) 4. Determine resources required to resume Core Processes 5. Identify alternate measures/workarounds (in case of insufficient capability of critical functions until capability can be restored, including manual process, re-routing, outsourcing) 6. Determine Constraints (Budget, capabilities of people, infrastructure, technology, facilities, telecommunications, data backup, Resource availability) and RTO (staggered according to precedence of processes) 7. Plan (operational readiness & effectiveness), Test]

Disruption Treatment: Establish Strategies (measures to stabilize situation, minimize level of org impact, halting of unnecessary parts, reduce losses, enhancements to strategies, possibility of secondary risks, costing of options); Action & Resources (required to execute strategies, Establishment of Response Team that is multi-disciplinary to attend to different risk categories, resources include people, facilities, IT systems, data, communications, suppliers, contractors); Plan Activation & Deployment (who, what, when, where, how to activate BCM, assess incident & evaluate against activation criteria, up to point of de-escalation, stand-down and debrief, review of learning points); Incident Communication (channels and methods of providing information on disruption events to key stakeholders); Maintenance (BCM plan properly maintained for operational readiness and tested, personnel involved to be trained and information continuously updated); Review & Update (adequacy of plans, active/inactive status, ability to coordinate efforts, to achieve BCM objectives); Documentation of BCM plan (for future reference).

IA: Independent, objective assurance and consulting activity designed to add value and improve an org's operations, helps in accomplishment of objectives by bringing in a systematic, disciplined approach to evaluate and improve the effectiveness of RM, control and governance processes; an independent appraisal function to evaluate internal IC systems. IA is a 3rd line of defence; IA can be in-house, outsourced, performed by major shareholder, holding company, external audit firm if IA is outsourced. Strength of IA is primarily dependent on AC; strong third line of defence (people, sound board, sound planning, sound education and sound reporting (driven by IIA standards)). Good IA: 3P's: Position (independent reporting, Board/AC oversight, formal IA policies and charter), Process (IIA standards, formal IA method and process), People (competency, experience, certification, management experience). IA is concerned with functional independence. IA should NOT: set risk appetite, implement risk responses on management's behalf, accept decisions on risk response, implement IC, give assurance on risks on management's behalf. IA can advise senior mgmt on the development of IC, as an input and not joint decision-making; however other forms of advising and consulting should be ancillary to the basic function of IA.

Code of CG Principle 13 IA: The Company should (not mandatory) establish an effective internal IA function that is adequately resourced and independent of the activities it audits. 13.1 IA's primary line of reporting should be to the AC Chair, administratively to CEO; AC approves hiring, removal, evaluation, compensation of Head of IA. 13.2 AC to ensure that IA is adequately resourced and has appropriate standing within company. 13.3 IA function should be staffed with persons with relevant qualifications and experience. 13.4 IA to have unfettered access to all company's documents, records, properties and personnel including AC.

IIA Code of Ethics: principles and expectations governing the behaviour of individuals and organizations in the conduct of IA, to promote an ethical culture in the profession of IA due to the foundation of trust placed in IA's objective assurance. Principles are integrity, objectivity, confidentiality, competency. Rules of Conduct are 1. Integrity (1.1 perform work with honesty, diligence, responsibility; 1.2 observe the law and make disclosures expected by law and profession; 1.3 not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession or org; 1.4 respect and contribute to the legitimate and ethical objectives of org), 2. Objectivity (2.1 not participate in activity or relationship that may impair their unbiased assessment or result in conflict of interest; 2.2 not accept anything that may impair their professional judgement; 2.3 disclose all material facts known to them that may distort the reporting of activities under review if undisclosed), 3. Confidentiality (3.1 be prudent in the use and protection of information acquired in the course of their duties; 3.2 not use information for any personal gain or unlawful use or detrimental to the legitimate and ethical objectives of org), 4. Competency (4.1 engage in only those services for which they have the necessary knowledge, skills, experience; 4.2 perform IA services in accordance with ISPPIA; 4.3 continually improve proficiency, effectiveness, quality of their services).

Assurance: an engagement in which a practitioner expresses a conclusion to enhance the degree of confidence of the intended users other than the responsible party about the outcome of evaluation or measurement of a subject matter against criteria (eg. whether F/S are true and fair); involves 3-party relationships: practitioner, responsible party, intended users; comprises both IA and EA. Assurance Report: written report containing a conclusion that conveys the assurance obtained about the subject matter information; also consider other reporting responsibilities including communicating with those charged with governance where it is appropriate to do so. Assurance Engagement Risk: risk that practitioner expresses an inappropriate conclusion when the subject matter information is materially misstated; consists of Inherent Risk (susceptibility of information to material misstatements), Control Risk (RMM after IC), Detection Risk (practitioner may not detect misstatement that exist); practitioner will try to collect evidence to reduce engagement risk to an acceptably low level. SSA 320 Audit Materiality: Misstatements arising from errors or fraud are considered to be material if they, individually or in aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. SSA 315 RMM Assertions: Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur, including assertions about classes of transactions and events for the period under audit (occurrence, completeness, accuracy, cutoff, classification), assertions about account balances at period end (existence, rights & obligations, completeness, valuation & allocation), assertions about presentation & disclosure (occurrence, rights & obligations, completeness, classification & understandability, accuracy & valuation); Completeness of Assertions in F/S. True & Fair: not defined by statute, matter of judgement (up to court of law), comply with FRS Framework & regulations.

FR RM: transaction-centric approach by implementing IC over FR; this requires assurance from IA function that IC are well designed and effective, design (CoSo Framework) and operational (implementation) effectiveness; examine RMM from a strategic lens [Objectives of FR -> Financial Statements -> Determine risk profile/level of each account -> accounts/assertions @ risk -> RMM: Residual Risk = inherent risk x control risk (control risk is a function of effectiveness of design & operation of IC)]. Assessment of inherent risks improves efficiency of audit process by reflecting a more detailed level of risk present within certain operations or accounts, address external factors affecting inherent risk of certain accounts. FR Objectives: reliable & relevant, complete & free from errors, timely, consistent, fair & equal, simple. RMM at F/S level: Pervasively to F/S as a whole and many accounts at risk, due to ineffective control environment, lack of internal competency, unusual pressures on management, declining conditions may create opportunities or pressures for manipulation, going concern; entity-level factors include integrity of directors and management, management experience, knowledge, unusual pressures, nature of business, industry conditions, external influences, quality of accounting systems; account balance & transaction class level factors include susceptibility to misstatement, complexity, degree of judgement, estimations and contingent accounts, susceptibility of assets to loss/misappropriation, unusual or complex transactions at or near year-end, transactions not subject to ordinary processing, accounting policies, strength of control environment. Events that may indicate RMM: Forex fluctuations, changes in supply chain, new product, insufficient capital to continue operations.

IA vs EA:
Attribute | IA (Voluntary) | EA (Mandatory)
Responsible to | Board | Shareholders
Relation to CEO/Mgmt | Administrative only | None, independent (not influenced by entity, deal with AC/Board)
Mandate | Best Practice | Companies Act, Listing Manual
Objective | Provide Assurance and/or consultation | Assurance
Approach | Risk-based | Risk-based
Subject Matter | Financial & Non-financial | Financial Statements only
Criteria | depend on Subject Matter | FRA and SSA
Regulations | Not regulated | Approval by ACRA-Public Accountants Oversight Committee (PAOC)
Output | IA Report | Audit Report guided by SSA and Companies Act

Audit program example (Board selection process). Objective: To determine that the selection process is effective.
Audit Objective (Criteria) | Procedures
Competency of selection panel (exp, skills etc) | Documentation of Criteria
Independence of selection panel | Disclosure of relationships, signed by panel members, date of signature
Board Diversity & Completeness criteria | Acknowledgement & Approval of Policy by highest authority
Channels for dissemination | Advertisements, head hunters

Fraud: using deception to make dishonest personal gains and/or create loss for another, such as misappropriation of assets, corruption, misrepresentation of information, payroll fraud (fictitious employees, 'pad' labour costs); fraud triangle: pressures/incentives/opportunities. Deterrence: Tone from the top, Cultivate risk-averse culture throughout org; Rational (mind): Preventive, Detective, Knowledge; Irrational (Heart): Circumstances, Temptations, Culture, Value System. Deception: intentionally managing verbal/non-verbal messages for the receiver to believe in a way that the sender knows is false; 5 forms: lies, equivocations, concealments, exaggerations, understatements. Truth Bias: tendency to judge a message as truth, impairs the receiver's ability to detect deception and exposes receiver to fraud. PCA section 5 Corruption: give or receive gratification as inducement or reward (also bribe); CPIB.

Fraud RM: [Establish Context (understand org's internal governance, monitoring functions, internal & external operations, external relationships & stakeholders, Fraud Risk Appetite, existing IC) -> Identify Fraud Risk (involve personnel from all levels of org, pressures/incentives/opportunities, Retrospective Data Analysis, Proactive Data Analysis, Warning Signs, Red Flags) -> Analyse (Establish & determine effectiveness of existing IC, L&C, impacts, effects on org) -> Evaluate (Compare level with risk targets, risk level ie. LxC, prioritise certain risks, select key Risks for response) -> Treat (prepare Fraud Risk Plan, cost & benefit, Preventive, Detective, Response Controls, use FRA to refine & focus IA testing, assign responsibility to senior management) -> Fraud Reporting (Engage key stakeholders, establish reporting protocol & include regulatory authorities, report changes & updates to management and Board) -> Monitor & Review (changes to internal & external environment, regular update of Fraud Risk Assessment and documentation, revisit FRA as part of ERM, AC to oversee whole process)]. Fraud Risk Policy: Purpose, Responsibility, Authority, Terms (constituting Fraud), Enforcement & Accountability, Remediation/Discipline, Disclosure. Fraud RM: Prevent, Detect, Respond. Anti-Fraud Program: 1. Prevention: Risk Assessment, Code of Conduct, Education, communication & training, Due Diligence, incentivisation, Good Control Environment (Segregation of Duties, Process-specific controls, check within checks, non-routine checks, balance cost of monitoring, especially with close relationships, unless faced with major deviation of behaviour); 2. Detection: Independent & anonymous channels for reporting, whistleblowing policy, Protection of Whistle blower, Anonymity, Warning Signs, Red Flags, alert; 3. Response: Protocols for Internal Investigation, Remediation/Discipline, Disclosure.

Money-Laundering: disguising the original ownership and control of proceeds from criminal conduct by making such proceeds appear to be derived from a legitimate source. Elements: act of laundering, requisite degree of knowledge or suspicion relating to the source of funds or conduct of client; [Placement (funds introduced into financial system) -> Layering (substantive stage where property's ownership & source are disguised) -> Integration (funds re-introduced into legitimate economy)]; Crime of Conversion on top of Crime of Fraud. FIs subject to abuse by launderers due to nature of products & services; factors include increasing globalization and IT developments. Singapore: robust AML/CFT legislation, strict enforcement & ongoing supervision, active international cooperation, close partnership with business community, Financial Investigation Division of CAD.