
Module 6

RISK ASSURANCE

TOPICS
1. The Control Environment and the Risk Assurance Techniques;
2. Internal Audit Activities and Reporting on Risk Management.

LEARNING OUTCOMES
At the end of the lesson, you should be able to:
1. summarize the importance of the control environment in an
organization;
2. describe the nature and purpose of internal control and the
contribution that internal control makes to risk management; and
3. discuss the importance of risk reporting.

TOPIC 1: THE CONTROL ENVIRONMENT AND THE RISK ASSURANCE

The system of internal control within an organization is an important component
in the successful management of its risks. Internal control is concerned with the methods,
procedures and checks that are in place to ensure that a business or organization meets
its objectives. Internal controls can be considered to be the actions taken by management
to plan, organize and direct the performance of sufficient actions to provide reasonable
assurance that objectives will be achieved. The phrase ‘control environment’ is preferred
by internal auditors.
Internal control is all the elements of an organization that, taken together, support
people in the achievement of the organization’s objectives. The elements include
resources, systems, processes, culture, structure and tasks.
Internal control has also been defined as a process, effected by an entity's board of
directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following categories:
✓ effectiveness and efficiency of operations;
✓ reliability of financial reporting;
✓ compliance with applicable laws and regulations.

PURPOSE OF INTERNAL CONTROL

The primary purpose of internal control activities is to help the organization
achieve its objectives. Typically, internal controls have the following purposes:
✓ safeguard and protect the assets of the organization;
✓ ensure the keeping of accurate records;
✓ promote operational effectiveness and efficiency;
✓ adhere to policies and procedures, including control procedures;
✓ enhance reliability of internal and external reporting;
✓ ensure compliance with laws and regulations;
✓ safeguard the interests of shareholders/stakeholders.
The internal control system includes internal control activities and the structure
and responsibilities that relate to them. The purpose of this internal control system is to
enable directors to drive the organization forward with confidence, in both good and bad
times. A further purpose of the internal control system and internal control activities is
to safeguard resources and ensure the adequacy of records and systems of accountability.
The purpose of the control environment is to ensure consistent responses to risks that
materialize. A well-developed control environment will also ensure that preplanned
responses to a crisis situation are efficiently and effectively implemented.

CONTROL ENVIRONMENT
The Criteria of Control framework, otherwise known as CoCo, produced by the
Canadian Institute of Chartered Accountants (CICA) is a structured means of measuring
the quality of the control environment within an organization. The control environment,
which the COSO ERM framework labels as the ‘internal environment’, is a measure of
the risk culture within the organization. The view taken by the CoCo framework is that if
the control environment is satisfactory, risk management and internal control activities
will be successfully and appropriately undertaken.
A number of organizations use the CoCo framework as a means of benchmarking
compliance with the internal control component of the COSO ERM framework. There is
a strong interface between risk management activities and internal control, and the CoCo
framework therefore provides a useful means of evaluating the risk culture of an
organization. CoCo defines three major objectives of controls:
✓ effectiveness and efficiency of operations;
✓ reliability of internal and external reporting;
✓ compliance with applicable laws and regulations and internal policies.

Components of the CoCo framework

Purpose
✓ Objectives should be established and communicated.
✓ Significant internal and external risks should be identified and assessed.
✓ Policies should be established, communicated and practiced.
✓ Plans should be established and communicated.
✓ Plans should include measurable performance targets and indicators.
Commitment
✓ Shared ethical values should be established, communicated and practiced.
✓ HR policies should be consistent with ethical values.
✓ Authority, responsibility and accountability should be clearly defined.
✓ Mutual trust should be fostered to support the flow of information.
Capability
✓ People should have the necessary knowledge, skills and tools.
✓ Communication processes should support the values of the organization.
✓ Sufficient and relevant information should be identified and communicated.
✓ Decisions and actions within the organization should be coordinated.
✓ Control activities should be designed as an integral part of the organization.
Monitoring and learning
✓ Environment should be monitored to re-evaluate controls.
✓ Performance should be monitored against the targets.
✓ Assumptions behind objectives should be periodically challenged.
✓ Information needs and related information systems should be reassessed.
✓ Procedures should be established to ensure appropriate actions occur.
✓ Management should periodically assess the effectiveness of control.
Audit committees
An increasing number of organizations have decided that it is appropriate to have
an audit committee. Almost invariably, the audit committee consists of non-executive
directors, with senior executive directors in attendance at audit committee meetings. It
is chaired by a non-executive director, often referred to as the lead non-executive
director, but usually not the non-executive chairman of the organization. The audit
committee is generally not considered to be a sub-committee of the board, but has a
status and a seniority that enables the audit committee to evaluate all activities in the
organization, including the activities of the board itself.
Although the audit committee may be considered to be the guardian of
compliance within the organization, the terms of reference are usually much broader than
just compliance. The board of an organization will be responsible for governance
throughout the organization, including coordinating the activities of specialist risk
management functions. In this way, the board is responsible for the first and the second
lines of defense. In other words, the board is responsible for the governance and risk
components of governance, risk and compliance.

Responsibilities of the Audit Committee

External audit
✓ recommend the appointment and re-appointment of external auditors
✓ review the performance and cost-effectiveness of the external auditors
✓ review the qualification, expertise and independence of external auditors
✓ review and discuss any reports from the external auditors
Internal audit
✓ review internal audit and its relationship with external auditors
✓ review and assess the annual internal audit plan
✓ review promptly all reports from the internal auditors
✓ review management response to the findings of the internal auditors
✓ review activities, resources and effectiveness of internal audit
Financial reporting
✓ review the annual and half-year financial results
✓ evaluate annual report against requirements of the governance code
✓ review disclosure by CEO and CFO during certification of annual report
Regulatory reports
✓ review arrangements for producing the audited accounts
✓ monitor and review standards of risk management and internal control
✓ develop a code of ethics for CEO and other senior management roles
✓ annually review the adequacy of the risk management processes
✓ receive reports on litigation, financial commitments and other liabilities
✓ receive reports of any issues raised by whistleblowing activities

RISK ASSURANCE
Risk assurance is an important component of the overall risk management
process. The audit committee will seek assurance that all of the significant risks are
being adequately managed and that all of the critical controls are effective and that they
have been efficiently implemented.
Assurance will also be required in relation to the risk management activities
themselves. The review and monitoring stage of the risk management process is usually
represented as an information and experience loop that provides feedback to the
beginning of the process. When considering the review and monitoring activities that
need to be undertaken, the following stages should be borne in mind:
✓ review of the process as it operates in the organization;
✓ review of the standards of risk control in force;
✓ review of the level of success in reducing risk exposures;
✓ review of the level of success in achieving business objectives;
✓ review of why a high-risk strategy, project or operation was
successful;
✓ delivery of risk assurance across this whole range of activities.

When a company plans to borrow more money from the bank, it may be asked to
demonstrate how the board obtains assurance that the management of significant risks
is satisfactory. The sources of assurance available might include:
✓ evaluation of the risk culture of the organization;
✓ quality of audit reports produced by internal audit;
✓ quality of reports produced by the various departments;
✓ overall business success of individual departments.

Sources of risk assurance

✓ Culture: measurement by use of a recognized framework such as CoCo or COSO in
order to gain a quantitative evaluation of the control environment.
✓ Audit reports: produced by internal audit and external auditors on a range of
issues including risk assessment, implementation, compliance and training.
✓ Unit reports: on such issues as risk performance indicators, CRSA, response to
audit recommendations and reports on incidents that have occurred.
✓ Performance: of the unit on risk-related issues, losses, significant weaknesses in
control measures and details of any material losses suffered by the unit.
✓ Unit documentation: on topics such as the risk management policy, health and
safety policy, business continuity plans and disaster recovery plans.

BENEFITS OF RISK ASSURANCE

Corporate governance is a major concern for all organizations and their
stakeholders. Therefore, risk assurance should not be an administrative or box-ticking
exercise. Organizations need to demonstrate that corporate governance is a priority for
management. Many organizations recognize the need for openness of risk reporting. This
requires effective communication activities to be in place at all times.
Obtaining risk assurance is an important part of the corporate governance
arrangements for all organizations, as well as being of benefit to the strategic, tactical,
operational and compliance (STOC) core processes, activities and decisions of the
organization. The benefits of adequate risk assurance are that it:
✓ builds confidence with stakeholders;
✓ provides reassurance to sponsors and financiers;
✓ demonstrates good practice to regulators;
✓ prevents financial and other surprises;
✓ reduces the chances of damage to reputation;
✓ encourages the risk culture within the organization;
✓ allows more secure delegation of authority.

TOPIC 2: INTERNAL AUDIT ACTIVITIES AND REPORTING ON RISK

UNDERTAKING AN INTERNAL AUDIT

Planning
1. Initial contact: to inform the client (audit target) or involved association about
the audit and its objectives.
2. Initial meeting: a conference meeting in which the client can describe the areas for
review and state the available resources and processes.
3. Preliminary survey: the auditors gather all the data they need to form a good
overview of the audit.
4. Review internal control structure: the auditor will determine the priority areas
for the audit to review.
5. Audit programme preparation: the audit programmes will outline the required
fieldwork related to the audit topic/area.

Fieldwork
1. Testing for the critical internal controls: this process tests if randomly selected
records are accurate.
2. Regular updates: the auditor provides financial reporting, mostly through oral
communication, and the client may help in resolving any issues raised.
3. Drafting the audit summary: when fieldwork is done, the auditor will summarize
findings, conclusions and recommendations.

Audit report
1. Audit report: the report will be reviewed by the audit team before presenting it
to the client for further review.
2. Creating the report: comments and suggestions on the first draft are taken into
account in producing the final report.
3. Distribution of the final audit reports to people involved, senior management,
audit committee, as agreed.

Follow-up
1. Audit follow-up: response from the client will be reviewed, so that the findings
may be tested and resolved.
2. Reporting the audit follow-up: the effects of resolved and unresolved findings
will be included in the follow-up.

GOVERNANCE, RISK AND COMPLIANCE

The GRC approach is based on the overall view that the board is responsible for
governance issues across the whole organization. In this role, the board will look to all
three lines of defense to ensure adequate attention is paid to risk. The non-executive
directors, in particular, will look to internal audit to provide assurance on the broad range
of compliance issues within the organization.
An area where risk management and internal control can work together is in
establishing the risk management/internal control priorities for the coming year. When
an organization sets up a risk-based audit programme, it will be seeking to ensure that
internal audit activities are focused on the priority significant risks facing the organization.
The board may well be looking for a joint risk management/internal audit contribution
that will achieve better strategic decisions, more successful delivery of projects and more
efficient core processes.
The introduction of a risk-based audit programme will be facilitated by ensuring
that internal audit participates in risk assessment workshops and that risk management
and internal audit produce a joint annual programme of work. The overall intention is to
ensure that control measures discussed at risk assessment workshops are described in
the risk register as fully auditable controls, and to ensure that managers have greater
awareness of their control responsibilities and fulfil those responsibilities in practice.

MANAGEMENT RESPONSIBILITIES
An alternative way of allocating the responsibilities is that internal audit is
responsible for the activities that are identified as core internal audit roles. Risk
management should facilitate and support the activities in the center of the fan identified
as legitimate roles for internal audit (with safeguards), and line management at the
appropriate level should have responsibility for the roles identified as activities that
internal audit should not undertake. This alternative means of allocating the
responsibilities:
Internal audit activities
✓ giving assurance on risk management processes
✓ giving assurance that risks are correctly evaluated
✓ evaluating risk management processes
✓ evaluating the reporting of key risks
✓ reviewing the management of key risks
Risk management support
✓ facilitating identification and evaluation of risks
✓ coaching management in responding to risks
✓ coordinating ERM activities
✓ consolidated reporting on risks
✓ maintaining and developing the ERM framework
✓ championing establishment of ERM
✓ developing RM strategy for board approval
Management responsibilities
✓ setting the risk appetite
✓ imposing risk management processes
✓ management assurance on risks
✓ taking decisions on risk responses
✓ implementing risk responses on behalf of management
✓ accountability for risk management

The five lines of assurance model suggests the following sources of assurance:
1. The board of directors with overall responsibility for ensuring that effective risk
management processes are in place and the other lines are managing risk to within
appetite.
2. Senior executives and senior managers with overall responsibility for building and
maintaining a robust risk management process and delivering reliable information
on the principal risks.
3. Business unit leaders with assigned ownership or responsibility for reporting on
specific risks, and ensuring resources are protected and objectives are being
achieved.
4. Specialist units providing expertise on specific types of risk, such as treasury,
safety, environment, legal and insurance with responsibility for related risk
management processes.
5. Internal audit activities, providing independent and timely information to the
board on reliability of the risk management processes in the organization and
producing consolidated reports.

RISK REPORTING
Risk performance and certification reports include operational management
reports as well as more formal declarations and certified reports to stakeholders. In
certain cases, certification of the financial results of operations of the organization will be
undertaken as a formal attestation by a third party. Typically, this third-party attestation
will be undertaken by an external auditor. Such a written attestation will also include an
evaluation of the effectiveness of the control activities related to financial reporting.
Reporting requirements have become increasingly detailed and it is sometimes
necessary for organizations to produce separate reports for different regulatory
authorities. Also, some organizations may decide to issue specific reports to achieve a
high profile for certain aspects of their organization. In particular, several organizations
issue separate corporate social responsibility reports to highlight their achievements in
this important area.

Government Risk-Reporting Principles

Openness and transparency
✓ Government will be open and transparent about its understanding of the
nature of risks to the public and about the process it is following in
handling them.
Involvement
✓ Government will seek wide involvement of those concerned in the decision
process.
Proportionality
✓ Government will act proportionately and consistently in dealing with risks
to the public.
Evidence
✓ Government will seek to base decisions on all relevant evidence.
Responsibility
✓ Government will seek to allocate responsibility for managing risks to
those best placed to control them.