
Risk management, Internal control and Auditing
I. Risk
= the effect of uncertainty on the achievement of objectives
• the effect can be positive or negative

=> The possibility that a negative event will occur (or a positive event will not occur) and
adversely affect the achievement of objectives, which can prevent value creation or
erode existing value.

Risks can be described with the first schema: a risk is what can impede a company in going from A to B.
In reality, risks can also push the company from A to C or D instead of B.

Business model, tactics, and strategy

Business model
= the logic of the firm, the way it operates and how it creates value for its stakeholders.
Tactics
= the residual choices open to a firm by virtue of the business model that it employs.
Strategy
= the contingent plan as to what business model to use.
=> Strategy is a high-order choice that has profound implications on competitive outcomes.

(Management) Control

= any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives will be achieved.

vs. Internal control
▸ All the devices managers use to ensure that the behaviors and decisions of people in the firm are
consistent with the firm's objectives and strategies.
▸ Designed properly, control devices individually and collectively influence employees' behavior in
desirable ways and, consequently, increase the probability that the firm will achieve or exceed its
goals.

Types of (management) control

1. Result control
= involves rewarding individuals for generating good results (or punishing them for poor results)

2. Action control
= ensures that employees perform (or do not perform) certain actions known to be beneficial (or
harmful) to the organization

3. Personnel/cultural controls
"People controls" (for short) ensure that employees:
• will control their own behaviors
= personnel control / self-monitoring
• will control each other
= cultural controls / mutual monitoring

Examples of cultural controls:
• Mission statement: a representation of the company's culture
• Tone at the top: how top managers behave influences employees
• Giving stock to employees

Objectives, risks, and controls

Types of risks

1. Hazard risks: poses a level of threat to life, health, property, or the environment
2. Control risks: the chance of a material misstatement in a company's financial statements
3. Opportunity risks: possibility that a better opportunity may become available after having
committed to an irreversible decision

Risk management

= the identification, assessment, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities

The risk management process steps are a generic guide for any organization, regardless of the type
of business, activity or function.

Traditional risk management

Traditionally, organizations manage risks by placing responsibilities on business unit leaders to
manage risks within their areas of responsibility. Each of these functional leaders is charged with
managing risks related to their key areas of responsibility.

Limitations of traditional risk management:

1. Risks that «fall between the silos»
Risks don't follow management's organizational chart and, as a result, they can emerge anywhere in
the business. A risk may therefore be on the horizon that does not capture the attention of any of
the silo leaders, causing that risk to go unnoticed until it triggers a catastrophic risk event.
2. Risks affect multiple silos in different ways
While a silo leader might recognize a potential risk, he or she may not realize the significance of that
risk to other aspects of the business. A risk that seems relatively innocuous for one business unit
might actually have a significant cumulative effect on the organization if it were to occur and impact
several business functions simultaneously.
3. Individual response to a particular risk impacts other aspects of the business
A silo owner might rationally decide to respond in a particular manner to a certain risk affecting his
or her silo, but in doing so that response may trigger a significant risk in another part of the business.
4. Focus on internal operations and internal risks
Minimal focus on risks that might emerge externally, from outside the business.
5. Not linking risk management to strategic planning
Even though most business leaders understand the fundamental connection between "risk and return",
business leaders sometimes struggle to connect their efforts in risk management to strategic planning.
6. Lack of appropriate risk culture and language around risk
Unfortunately, some organizations fail to recognize these limitations in their approach to risk
management before it is too late.

Enterprise risk management


“a process, effected by an entity's board of directors, management, and other personnel, applied
in strategy setting and across the enterprise, designed to identify potential events that may affect
the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives” (COSO)

Benefits of ERM:
• Proactively addressing risk events
• Embedded in informed decision making
• Reducing operational surprises and losses
• Holistic portfolio view of the most significant risks to the achievement of objectives
• Providing integrated responses to multiple risks
• Improving deployment of resources
• Top-down, enterprise view of all the significant risks
• Reflecting a common culture and language around risk

Elements of an ERM process

Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing
process. Unfortunately, some view ERM as a project that has a beginning and an end. While the
initial launch of an ERM process might require aspects of project management, the benefits of ERM
are only realized when management thinks of ERM as a process that must be active and alive, with
ongoing updates and improvements.

II. Risk management

Shift towards ERM

The scope of ERM has changed because:
• Business models have fundamentally changed
• Companies are rapidly diversifying their product and service portfolio
• Companies are expanding into new markets and partnering with suppliers and vendors
across the world
• Regulatory change triggered by broader geopolitical and macroeconomic forces (e.g. the EU GDPR
regulation) is steadily increasing compliance risks
• New technologies are also leveling the playing field and increasing the competition
• New digital technologies are changing consumer buying patterns and behaviors
• Companies have to be where their customers are
• They have to worry about data privacy and security risks, as well as other risks like
reputational and brand damage that can be caused
=> Exposure to new types of risk has increased

Growing scope of ERM

Two major frameworks

1. ISO 31000
Risk management relates to coordinated activities to direct and control an organization with regard to risk.
• Issued by the International Organization for Standardization in 2009
• ISO consists of members who come from standards-setting organizations
• Has published 20,500 standards covering most industries
• Developed by experts from around the world
• Examples: ISO 9000 (Quality Control), ISO 27000 (Information Security Management System)
• First globally recognized standard related to risk management
• ISO 31000 articulates three sections:
  • Principles
  • Framework
  • Process
2. COSO ERM
The culture, capabilities, and practices, integrated with strategy-setting and performance, that
organizations rely on to manage risk in creating, preserving, and realizing value.
A more in-depth look at the definition of enterprise risk management emphasizes its focus on
managing risk through:
• Recognizing culture
• Developing capabilities
• Applying practices
• Integrating with strategy-setting and performance
• Managing risk to strategy and business objectives
• Linking to value
Published by COSO in the US in 2004, revised in 2017
• Known as Enterprise Risk Management – Integrated Framework
• Expanded on Internal Control – Integrated Framework

COSO ERM Framework:
1. Governance and Culture
Governance sets the organization's tone, reinforcing the importance of, and establishing oversight
responsibilities for, ERM.
Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
1) Exercises board risk oversight
a) Accountability and responsibility
b) Suitability of enterprise risk management
c) Organizational bias
d) Competence
e) Independence
2) Establishes operating structures
3) Defines desired culture
a) Culture and desired behaviours
b) Culture is an important element of control.
c) Culture reflects the organization's core values.
d) Culture affects the ERM.
e) Board and CEO are both involved in defining the culture.
4) Demonstrates commitment to core values
a) Reflecting core values throughout the organization
b) Tone at the top

2. Strategy and objective-setting

ERM, strategy and objective-setting work together in the strategic planning process. A risk appetite is
established and aligned with strategy; business objectives put strategy into practice while serving as
a basis for identifying, assessing, and responding to risk.
1. Analyzes business context – external: PESTLE
Political: tax policies; competition regulation; tariffs; political stability
Economic: interest rates; inflation; minimum wages; GDP growth
Social: demographics; lifestyle changes; fashion; health and welfare
Technological: R&D; internet; automation
Legal: laws (employment, labor, ...)
Environmental: climate change; attitudes towards the environment; catastrophes
1. Analyzes business context – internal
Capital; people; process; technology
2. Defines risk appetite
The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the
entity's risk management philosophy, and in turn influences the entity's culture and operating style.
• Risk appetite guides resource allocation
• Risk appetite [assists the organization] in aligning the organization, people, and processes in
[designing the] infrastructure necessary to effectively respond to and monitor risks.
≠ Risk tolerance: the application of risk appetite to specific objectives

3. Evaluates alternative strategies

Considers the organization's resources and capabilities to create, preserve, and realize value, and:
• the possibility that the strategy does not align with the mission, vision, and core values of
the entity, and
• the implications from the chosen strategy.

4. Formulates business objectives

The organization needs to have a reasonable expectation that a business objective can be achieved
given the risk appetite and the capabilities and resources available to the entity.

3. Performance

1) Risk identification
Management identifies potential events that, if they occur, will affect the entity, and determines
whether these events represent opportunities or whether they might adversely affect the entity’s
ability to successfully implement strategy and achieve objectives.
Risk Types
1. Business risk: Wrong business strategy; competitive pressure on price/market
share; Regional economic problems
2. Compliance risk: Breach of listing rules; Breach of financial regulations; Litigation risk
3. Financial risk: Credit risk; Unrecorded liabilities
4. Operational risk: Business process not aligned; Stock-out of raw materials; Loss of key
people; Inability to reduce cost base

• Known knowns: these are the risks that have been correctly identified and properly measured ->
things we know that we know; our general knowledge
• Known unknowns: we know that we don't know them, or we don't know their potential risks -> things
we thought we knew but don't really know
• Unknown knowns: these are things that exist and have been influencing our life and our approach
to reality, but we are unaware of knowing them, or we do not realize their value, or worse, we refuse
to acknowledge knowing them -> things we thought we knew but we do not
• Unknown unknowns: we don't even know that we don't know they exist, and they can hit us with
serious unexpected impacts -> things that we do not know at all, and are believed to be impossible to
find or imagine in advance
Grey and Black Swans

Black Swans: events characterized by their rarity, extreme impact, and retrospective (but not
prospective) predictability
• The highly unexpected happening
• The highly expected not happening
• Examples: 9/11, the Internet bubble, the collapses of Enron, Lehman Brothers, ...
• The combination of low predictability and high impact makes Black Swan events highly problematic
Grey Swans: Black Swans that we can somewhat take into account, but for which it is impossible to
completely figure out their properties and produce precise calculations
Examples of Black Swans:
Digital disruption has already happened:
• The world's largest taxi company owns no taxis (Uber)
• The largest accommodation provider owns no real estate (Airbnb)
• The largest phone companies own no telco infrastructure (Skype, WeChat)
• The most popular media owner creates no content (Facebook)
• The world's largest moviehouse owns no cinemas (Netflix)
• The largest software vendors don't write the apps (Apple & Google)
• Only 11% of the Fortune 500 companies from 1955 still exist today
• The average time that companies stay in the top 500 has fallen from 75 years to 15 years
• The New York Times reported that the company's digital transformation is projected to make 30%
of current jobs obsolete by 2020
How to identify risk?
Interviews
• Open-ended questions (e.g. 'What are the top three strategic risks that the organization faces
over the next two years?') vs. focused questions (e.g., 'What are the top 2-3 risks affecting the
organization's ability to retain the new talent that it needs to execute its growth plans?')
• Interviews with the Board and/or senior management
  • What keeps us up at night?
  • What could go wrong?
  • What must go right to succeed?
  • What's emerging that could impact our future performance... and are we prepared?
Workshops
• Facilitated by ERM staff
• Bring together employees from various levels and functions to obtain a «bottom-up» view
• Must allow for a free exchange of ideas/concerns
• Can be a terrific team-building and educational exercise for participants
• Require a skilled facilitator to ensure complete participation and to override dominant voices
• Consider using anonymous voting technology

War-gaming
• Assess vulnerabilities to competitors' strategies
• Develop plausible near-term strategies that existing or potential competitors might adopt in a
1 to 3 year time frame
  • What would you do if you were your competitor?
  • What are your vulnerabilities and how might they attack?
  • What innovations might emerge that are disruptive technologies?

Post-mortem analysis
• Uses prospective hindsight to identify potential risks to strategy
• Instead of asking «what could go wrong?», ask «what went wrong?»
• Can open whole new avenues of cause-effect observations that haven't been considered

Use of IA to identify risk

2) Risk assessment

Two factors: probability and impact

Different types of risk:
• Inherent risk
• Residual risk
• Target residual risk
• Actual residual risk

3) Prioritize risks
a. Adaptability
b. Complexity
c. Velocity
d. Persistence
e. Recovery

4) Risk responses
Management determines how it will respond to risks:
- Accept
- Avoid: stop doing what makes it happen
- Pursue: actively pursue activity in the area anyway
- Reduce: if it happens, the consequences will be acceptable
- Share: transfer the risk (e.g. outsourcing)
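To make the assessment, prioritization and response steps concrete, here is an added illustration that is not part of the course notes: a small risk register that scores inherent risk as probability × impact, derives actual residual risk from the controls in place, compares it with the target residual risk (the risk tolerance for that objective), and ranks the risks that still need a response. The 1-5 scales, the control-effectiveness factor, the heat-map thresholds and the sample risks are all assumptions made for this example.

```python
"""Scoring a risk register: inherent, actual residual and target residual risk.

Constructed illustration (not taken from the course notes). The 1-5 probability and
impact scales, the control-effectiveness factor, the heat-map thresholds and the
sample risks are all assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: int              # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective); assumed
    target_residual: float        # risk tolerance for this objective, on the score scale
    velocity: int = 3             # 1 (slow onset) .. 5 (hits immediately); prioritisation


def inherent_score(risk: Risk) -> int:
    """Inherent risk = probability x impact, before any response (1..25)."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: probability and impact must be on the 1-5 scale")
    return risk.probability * risk.impact


def actual_residual_score(risk: Risk) -> float:
    """Actual residual risk = inherent risk remaining after the controls in place.

    Assumed model: controls scale the inherent score down by their effectiveness.
    """
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.name}: control effectiveness must be between 0 and 1")
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)


def exceeds_tolerance(risk: Risk) -> bool:
    """True when actual residual risk is above the target residual risk (tolerance)."""
    return actual_residual_score(risk) > risk.target_residual


def heat_band(score: float) -> str:
    """Heat-map band for a score; assumed thresholds on the 1..25 scale."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritize(register: list[Risk]) -> list[str]:
    """Names of the risks that need a response, highest priority first.

    Ordering: largest gap above tolerance first, then the risk that would hit fastest
    (velocity). Risks already within tolerance are left out: they can be accepted.
    """
    over = [r for r in register if exceeds_tolerance(r)]
    over.sort(key=lambda r: (actual_residual_score(r) - r.target_residual, r.velocity),
              reverse=True)
    return [r.name for r in over]


def report(register: list[Risk]) -> list[tuple[str, int, float, str]]:
    """One row per risk: (name, inherent, actual residual, heat band of the residual)."""
    return [(r.name, inherent_score(r), actual_residual_score(r),
             heat_band(actual_residual_score(r))) for r in register]


# Constructed sample register; the risk names reuse examples mentioned in the notes.
SAMPLE_REGISTER = [
    Risk("Stock-out of raw materials", probability=4, impact=3,
         control_effectiveness=0.5, target_residual=6, velocity=4),
    Risk("Loss of key people", probability=3, impact=4,
         control_effectiveness=0.25, target_residual=6, velocity=2),
    Risk("Breach of financial regulations", probability=2, impact=5,
         control_effectiveness=0.8, target_residual=4, velocity=5),
    Risk("Data privacy breach", probability=3, impact=5,
         control_effectiveness=0.4, target_residual=5, velocity=5),
]


if __name__ == "__main__":
    for name, inh, res, band in report(SAMPLE_REGISTER):
        print(f"{name:32s} inherent={inh:2d} residual={res:4.1f} ({band})")
    print("Needs a response, in priority order:", prioritize(SAMPLE_REGISTER))
```

In the sample register, the stock-out risk lands exactly on its tolerance and is accepted, while the data privacy and key-people risks remain above theirs and are the ones that need a reduce, share or avoid response.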

4. Review and revision

5. Information, communication, and reporting

1) Risk reporting
• Data are «raw» observations (e.g., survey responses, website metrics)
• Information comes from processing the data (e.g., a survey can show the response to a
marketing campaign)
• Information is data that have been organized and processed into meaning for a user
• Information supports decision-making
• Transforming data into information is a crucial success factor for every entity
• Normally, more and better information translates into better decisions, but...
Less is more: less information, computation, and time can improve accuracy
=> Communication is the continual, iterative process of providing, sharing, and obtaining
necessary information
=> Essential in creating the «right» internal environment and to support other enterprise
risk management components
=> Relevant information is identified, captured, and communicated in a form and
timeframe that enable people to carry out their responsibilities

Internal communication: information is disseminated through the entity
• The importance and relevance of ERM
• The entity's objectives
• The entity's risk philosophy, risk appetite and risk tolerance
• A common risk language
• The roles and responsibilities of personnel
=> Communication between the Board and top executives is crucial
External communication:
• Opportunity to manage stakeholders' risk perception
• Provides information to external stakeholders in response to requirements and expectations:
the entity's objectives; the entity's risk appetite and risk tolerance
Frequency and nature of reporting
• Most report to the full Board at least annually; 50% report quarterly to a committee
• Discussion typically led by the CRO, VP Strategy or Chief Audit Executive
• Typically, a 30-minute presentation
• Most report the top 10-15 risks
2) Risk monitoring
To ensure the (continued) effectiveness of ERM, the process and components of ERM itself are
evaluated:
• ERM is not a one-time special project
• Objectives change over time
• The environment (and associated risks) changes over time
Assessing the presence and functioning of its components over time:
• Ongoing monitoring activities
• Separate evaluations
• Key risk indicators
Roles and responsibilities
Board of directors
• Strategic role
• Monitoring role
  o Knowing the extent to which management has established effective ERM
  o Being aware of and concurring with the organization's risk appetite
  o Being apprised of the most significant risks and whether management is responding
appropriately
• Part of the internal environment
• Composition
• Board subcommittee
Chief Executive Officer (CEO)
• Ultimate responsibility for the effectiveness and success of ERM
• «Tone at the top» (= ethical environment within the firm created through management practices
and espoused values)
• Establishes ERM fundamentals
• Follow-up, monitoring
Chief Risk Officer (CRO)
• Risk manager
• Establishes, directs, and manages an effective risk management function
• Establishes ERM policies and participates in setting goals for implementation
• Frames authority and accountability (roles and responsibilities) for ERM
• Promotes ERM and facilitates development of technical ERM expertise
• Guides integration between ERM and other management activities
• Establishes a common risk language throughout business units
• Reports to the CEO on ERM progress
• Assesses all the risks
• Prepares the risk heatmap
• Takes action if there are misalignments with risk criteria
• Follow-up, monitoring
=> He/she doesn't own any risk!!!
Senior managers
• Operational responsibility for managing risks related to their specific units' objectives
• Delegate to line management / risk owners (processes, functions, departments) responsible for
conducting ERM on a daily basis
Internal Audit
• Independent and objective
• Evaluation of adequacy and effectiveness of ERM
• Recommendations for improvement
• Supporting role vis-à-vis the Board of Directors (Risk Committee) and senior management (CEO)
Limitations of ERM
• No one can predict the future with certainty
• Certain events are outside management's control
• Reasonable assurance vs. absolute assurance
• Human judgement (cf. risk assessment, which can be based on perceptions/biases)
• Costs vs. benefits

III. Internal control
Internal control: definition

Internal control is broadly defined as a process, effected by an entity's board of directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
4. Safeguarding of assets
(COSO)

=> To put it simply:
• A control consists of those activities that are performed on a periodic and consistent basis to
provide management with comfort that an objective is being achieved.
• Activities designed to mitigate risk and reinforce the validity of the desired outcome
Ex: with SOX, internal controls over financial reporting are designed and operated with the objective of
preparing financial statements that completely and accurately reflect the results of operations

Features of internal controls

Three IC frameworks recognized globally:
1. Internal Control – Integrated Framework (COSO)
2. Guidance on Control (CoCo)
3. Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report)

COSO IC – Integrated Framework
Objectives:
1. Operations: effectiveness and efficiency of the entity's operations, including operational and
financial performance goals, and safeguarding of assets against loss
2. Reporting: internal, external, and non-financial reporting

3. Compliance: adherence to law and regulations to which the entity is subject, but also policies,
plans, rules, procedures, contracts, or other requirements

Components:
1. Control environment: norms, values, ethics, style of management, history, culture, shared
values
2. Risk assessment : identification and evaluation
3. Control activities: actions taken by management, the board and other parties to mitigate risk
and increase the likelihood that established objectives and goals will be achieved
4. Information & communication: High quality information must be communicated appropriately
(relevant, accuracy, timely, availability, appropriate)
5. Monitoring: ongoing evaluations of the entire process and recommendations for improvement

Control activities
Preventive: prevent an error or misstatement from occurring (e.g., storing cash in a locked safe and
segregating duties)
Detective: detect that an error or misstatement has occurred; alerts the proper people after an
unwanted event (e.g., a burglar alarm)
Directive: policy and procedure or guidance with instructions on how to perform a task; causes or
encourages the occurrence of a desirable event (e.g., policies and procedures, employee training, job
descriptions, etc.)
Corrective: corrects the negative effects of unwanted events (e.g., a requirement that all cost
variances over a certain amount be justified). Also, another control that covers the failure of one
control and corrects the error or misstatement caused by that failure.

=> Control activities occur throughout the organization, at all levels and in all functions.
Entity-level controls: help to ensure that management directives pertaining to the entire entity are
carried out
e.g. job descriptions, code of conduct, controls over the period-end financial reporting
process, whistle-blower hotline
Process/transaction-level controls: operate over one or more relevant assertions within a single
process/transaction
e.g. invoice approval
Authorization and approval: formal authorization and approval
System access: the ability that individual users or groups of users have within a computer
information system processing environment, as determined and defined by access rights configured
in the system
Safeguard controls: the restriction of access to information or physical assets
Exception/edit reports: a report that is generated by an entity to monitor something and followed
up on through to resolution
Reconciliation: the matching of two independent data sources leading to the identification and
investigation of discrepancies on a timely basis
Segregation of duties: assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets
Key performance indicators: financial and non-financial quantitative measurements that are
collected by the entity, either continuously or periodically, and used by management to evaluate
Management review: review of information by the management of an organization on a regular
basis.

Monitoring activities
Internal control deficiencies
Shortcoming in a component and relevant principle that reduces the likelihood that the entity can
achieve its objectives.
• Identified during monitoring or separate evaluations
• Must be reported timely to the appropriate individuals (e.g., board)
• Important consideration in the evaluation of the effectiveness of the system of internal controls
Key aspects of IC
• Linked to the achievement of objectives
• It's a process, not an end in itself
• Effected by people
• Providing only reasonable assurance
• Adaptable to the entity structure

Limitations of IC
1. Human errors
2. Management override
3. Collusion
4. Changing conditions
5. Lack of/insufficient segregation of duties
6. Inadequate knowledge of policies, procedures, or governing regulations
7. Form over substance

SOX internal controls over financial reporting

Section 404: requires CEO and CFO of publicly traded companies to opine on the design adequacy and
operating effectiveness of internal controls over financial reporting, as part of financial statements.
• All publicly traded US corporations are required to maintain an adequate system of internal controls
• Corporate executives and boards of directors must ensure that these controls are reliable and
effective
• Independent external auditors must attest to the adequacy of the internal control system
• Section 302 mandates disclosure of any changes in internal controls
COSO, CoCo, and Turnbull are used as frameworks for the assessment.

IV. Fraud
What is fraud?
A knowing misrepresentation of the truth or concealment of a material fact to induce another to act
to his or her detriment.
Consequently, fraud includes any intentional or deliberate act to deprive another of property or
money by guile, deception, or other unfair means.
(Definition by the ACFE, Association of Certified Fraud Examiners)
=> The act is done intentionally

Economic crime
Economic crime, also known as financial crime, refers to illegal acts committed by an individual or a
group of individuals to obtain a financial or professional advantage.
Fraud is a type of crime, and all fraud is considered an economic crime, but not all economic crimes
are fraud.
Ex: money laundering is a financial crime but not a fraud.
According to PwC in 2020, 47% of organizations globally said they had been a victim of fraud and
economic crime. This is the second-highest reported figure in 22 years. What about the other 53%?
Fraud is usually committed in the shadows, so these organizations cannot be aware of it
=> related to the dark number.

Type of economic crime and fraud

Customer fraud = the most common type of fraud
=> involves the use of unfair or deceptive business practices, e.g. identity theft to open a bank
account
Cybercrime (e.g. hacking, phishing)
=> an increasing crime

The dark number

Only 20% of frauds are detected AND prosecuted.
In certain cases, companies don't want to prosecute and will conclude a settlement between the
two parties.
The last 40% are the undetected frauds, or dark number.

Fraud detection
According to ACFE, almost half of detections happen through a tip
= someone who saw something, or whistleblowing.
The second way is audit.
The third is management review. Managers should perform a performance review frequently. If they
spot an unusual fluctuation in performance, it could trigger a deep dive into the numbers that can
highlight a fraud.
The fraud triangle
This is a framework commonly used to explain the reasons behind individuals' decisions to commit
fraud. It outlines 3 components that contribute to the decision to commit fraud. If these 3
components are present, this might lead to fraud-like behaviour, but it also depends on the
personality: one still needs the guts to commit it.
• Pressure: fraudsters might feel pressure to commit fraud
• Opportunity: fraudsters can commit fraud
• Rationalization: fraudsters usually justify their behaviour

1. Pressure/incentives
Personal pressure:
• High personal debts and unusual financial losses
o Gambling
o Substance abuse (drugs, alcohol, …)
o Living beyond one's means
o Extensive investment speculations
Work related pressure:
• Job frustration
• Resentment of superiors
• Protection of supplier or competitor
• Bonuses on a “formula” basis (based on financial performance only)
• Unfavorable economic conditions in the industry
• Heavy losses/investments that didn’t pay off
• Insufficient working capital/high debts
• Credit problems
2. Opportunity
1. Ineffective or no internal controls
a. Procedures not well understood/ designed
b. No internal audit (monitor)
c. Substance vs. Form
2. Weak management
a. Tone at the top
3. Close associations with suppliers or competitors
4. Ineffective board or management
a. Lack of accountability
5. Ineffective internal audit staff / risk management
6. Ineffective auditor

3. Rationalization
• “Everyone does it”
• “I’m not hurting a person, it’s a company”
• “I was going to pay it back”
• “The company owed it to me”
• “I will only do it once”
Fraud risk management
=> usually part of a broader risk management program
Constituted by different elements:
• Risk assessment: list and assess all the risks a company is exposed to; define probability and impact
• Standards and procedures: a code of conduct defines what is acceptable behavior and
what should be done in case something is detected
• Whistleblowing: a hotline or tool to allow people to anonymously report fraud
• Investigation: and follow-up after receiving a report
• Accounting procedures: important to have a good understanding of the controls that
are in place in the organization to address the risk and to know that they work properly
• Training and communication: on what fraud is and what people should do in case of fraud
• HR measures: stick or carrot (= sanction if stealing, reward for good behavior)
• Audit and monitoring: external and internal audit to monitor the effectiveness of the
internal control

V. Auditing
What is auditing?
In general, an audit is a professional assessment by a competent and independent person of an
entity's financial statements, internal control, organization, procedures, or transactions against a
standard.
Financial auditing
The process of examining an organization's financial records to determine if they are accurate and in
accordance with any applicable rules (including accepted accounting standards), regulations, and
laws.
Internal auditors differ from external auditors.

External auditing
• Auditors sell an opinion on the truth and fairness of financial information
• Reasonable assurance
• There is always some audit risk left, no matter how good the audit service is
• Different types of opinion:
- Unqualified opinion: the financial statements are true and fair
- Qualified opinion: the auditor found some mistakes in the financial statements BUT no evidence of
systemic errors
- Adverse opinion: the auditor thinks that the financial statements do not represent the actual
situation / the company does not follow the rules
- Disclaimer: the auditor does not have enough information to form an opinion
=> Auditors are always prudent and will always warn the company about any mistakes they found

Experience good or credence good


The audit service has attributes of an ‘experience good’ or even a ‘credence good’:
• Experience good: a product or service where product characteristics, such as quality or price, are
difficult to observe in advance, but these characteristics can be ascertained upon consumption.
• Credence good: goods for which it is difficult for consumers to ascertain the quality even after they
have consumed them, such as vitamin supplements.
Hence: auditor reputation is crucial for the audit service to be valuable
Auditor reputation: example of Enron
• US corporate energy giant
• Employed 20,000 staff and earned $101 billion in 2000
• "America's Most Innovative Company" for 6 years by Fortune
• 2001: revealed that its reported financial condition was sustained substantially by institutionalized,
systematic and creatively planned accounting fraud
Consequences:
• Loss of credibility in corporate reporting
• Dissolution of Arthur Andersen
• Negatively impacted reputation of the accountancy profession
Why is there auditing?
• Because it is mandatory:
E.g. in Belgium: firms exceeding certain size thresholds;
in US: publicly listed firms
• Because it is valuable to stakeholders: benefits exceed costs (e.g. information demand)

Audit evidence
ISA 500: Information used by the auditor in arriving at the conclusions on which the auditor’s
opinion is based.
 Audit evidence includes both information contained in the accounting records underlying the
financial statements and other information.
Audit evidence must be appropriate (= quality of the audit service) and sufficient (= quantity)

1. Which audit procedures to use?


 See YouTube video
Audit programme = detailed instruction about all the evidence that is being collected for a part
of the audit or the complete audit.
• Consists of all audit procedures
2. Which sample size? (or is audit of entire population possible?)
• Auditing all financial transactions would be costly: the cost of the audit would exceed the benefit
of the audit
• The benefit of auditing an additional transaction is declining in the amount of transactions already
audited.
• The auditor will only review a sample of transactions:
- Which transactions?
- How many?
• However, for some accounts, audit procedures based on the entire population are possible (e.g.
Sales/Accounts Receivables audit) with data analytics tools
3. If sample-based: Which items to select?
Sample selection methods: two types of methods
• Statistical:
1. Random selection of sample items
2. The use of probability theory to evaluate sample results
• Non-statistical methods: samples that do not have characteristics (1) and (2)
Either approach can provide sufficient evidential matter when applied properly
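A worked illustration of the two statistical characteristics above, added here as an example and not part of the course notes: random selection with a recorded seed, then the binomial model to turn the observed deviations into an upper deviation rate that is compared with the tolerable rate (population size, sample size, deviation count and tolerable rate are constructed assumptions).

```python
"""Added example (not from the course notes): statistical sample selection and
evaluation for an audit test of controls (attribute sampling).
(1) random selection of sample items from the population;
(2) probability theory (binomial model) to turn the observed number of
deviations into an upper deviation rate at a chosen confidence level.
All population and inspection data below is constructed for illustration."""
import math
import random
from typing import List, Sequence


def select_random_sample(population: Sequence[str], sample_size: int, seed: int) -> List[str]:
    """Characteristic (1): every item has an equal chance of selection.
    The seed is recorded in the working papers so the selection is reproducible."""
    rng = random.Random(seed)
    return rng.sample(list(population), sample_size)


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Characteristic (2): the largest population deviation rate p for which
    observing `deviations` or fewer in n items is still plausible at the given
    confidence level, found by bisection on the binomial CDF (decreasing in p)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid  # this deviation rate is still consistent with the sample
        else:
            hi = mid
    return hi


def evaluate_sample(n: int, deviations: int, tolerable_rate: float, confidence: float = 0.95) -> dict:
    """Conclude on the control: it can be relied upon only if the upper bound
    on the deviation rate is at or below the tolerable deviation rate."""
    ub = upper_deviation_rate(n, deviations, confidence)
    return {"sample_size": n, "deviations": deviations,
            "upper_deviation_rate": round(ub, 4),
            "control_reliable": ub <= tolerable_rate}


if __name__ == "__main__":
    # Constructed population: 2,000 purchase orders tested for an approval signature.
    population = [f"PO-{i:05d}" for i in range(1, 2001)]
    sample = select_random_sample(population, 60, seed=2024)
    # Constructed inspection result: 1 of the 60 sampled POs lacked an approval.
    print(sample[:5])
    print(evaluate_sample(len(sample), 1, tolerable_rate=0.05))
```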
4. Timing of the evidence collection
2 aspects of timing:
• When will the audit procedure be performed?
• Which period will be investigated?

Persuasiveness of audit evidence


How do we know that we have sufficient and appropriate audit evidence? And how persuasive is this
evidence?
4 facets of persuasiveness of evidence:
• Relevance
• Reliability
• Completeness
• Timeliness
Trade-off: persuasiveness vs cost
 YouTube video
The audit process
Planning & risk assessment:
1. Understand the business and industry of the client
2. Risk analysis
3. Determine materiality
4. Understand internal control system
5. Develop audit plan
 YouTube video

Materiality (ISA 320)


Information is material if its omission or misstatement could influence the economic decisions of
users taken on the basis of the financial statements. Materiality depends on the size of the item or
error judged in the particular circumstances of its omission or misstatement.
 Video YouTube

Internal auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

VI. Guest lecture by Dirk Bebruyne

1. The role today as Group Internal Audit Director


Audit is like walking on the ice. The auditors must balance a lot of things. Like the circus people,
preparation and training are key in their work.
Vision
Internal audit wants to be perceived as a value adding activity for Group.
We will achieve this by
 Assisting management with identifying and managing risk
 Working proactively at the prevention of risk
 Reporting timely on internal control observations
 Reviewing inherent risk for holding/dormant companies
 Providing adequate training & awareness regarding internal controls, risks & risk prevention
 Developing talent for the finance organization
 Growing as a professional organization and adhering to the International Standards for the
Professional Practice of Internal Auditing when this is desired for the Group
 Building a platform to deliver consistently high-value Internal Audit services
Mission statement
 Internal Audit is an independent, objective assurance and consulting activity designed to add
value and improve Group operations and performance.
 Internal Audit helps the Group accomplish its objectives by bringing a systematic, disciplined
approach to assess and improve the effectiveness of risk management, control, and
governance processes.
 Internal audit seeks to:
o Review the controls over the integrity of financial reporting
o Ensure a proper safeguarding of the Group’s assets
o Ensure that the creation of shareholder value is achieved within the values of proper
business conduct

Internal audit cycle:

 High view of IA
Audit universe: all the entities that need to be audited
1. Audit risk assessment
2. Plan & organize the audit
3. Perform the audit
4. Report on observations
5. Remediation & follow-up

Life as an internal auditor:

Internal Audit:
 Broad focus
– Accurate financials
– Efficiency/effectiveness
– Accomplishing objectives
– Compliance w/laws, policy
– Safeguarding assets
– And more!
 Diverse skill sets are required
 Integral part of the organization
 Independency required

Financial Statement Audit:
 Specific focus
– Accurate financial statements
– Going concern
– Reviewing historical data
– Compliance with accounting and other regulations
 Primarily accounting skills
 Independent from the organization

What is the difference between efficiency and effectiveness?

Effective governance
Internal auditors assess risks:
 To help keep bad things from happening
 To help assure good things can happen
 To help management understand
o Where their risks are
o Whether the risks are under control
o Whether the risks are worth taking
Internal auditors:
 Find out what’s working and what’s not
 Keep an eye on the corporate climate
 Look at the organization with fresh eyes
 Look beyond the financial statements
 Advocate improvements
 Raise red flags
 Tell it like it is
Auditors tell it like it is
 Keep senior management aware of critical issues
 Ensure factual communications of financial, operational and compliance data
 Make suggestions based on knowledge of operations throughout the organization
International professional practices framework
 Mandatory Guidance
– International Standards for the Professional Practice of Internal Auditing
– Definition of Internal Auditing
– Code of Ethics
 Strongly Recommended
– Position Papers
– Practice Advisories
– Practice Guides

Life as an internal auditor


Career opportunities:
What is the career path?

What is internal auditing?

 Communication is very important

 Should look to opp & techn

Does internal audit have to exist?


The raison d’être of audit is to limit abuse by unethical companies. There have been companies
accused of scams and fraud.

Who we are & what we do?


Internal auditor basics: who are internal auditors?
 a valuable resource to executive management and boards of directors in accomplishing
overall goals and objectives, as well as in strengthening internal controls and organizational
governance
 provide objective, independent, professional advice to management and strive for
continuous improvement
 have extensive knowledge of computer systems and the Internet, regardless of background
or industry
 internal auditors are key to an organization’s success in today’s business world
 professionals with an in-depth understanding of the business culture, systems, and processes
 diversity of knowledge gives internal auditors a broad perspective on the organization
 education and expertise can differ broadly. They come from diverse areas such as
engineering, operations, finance, and information technology

How does internal audit decide what to audit?

INTERNAL AUDIT: WHAT DO WE DO?
Business Process Audits:
 Operational Audits: Determining if resources are being used effectively and efficiently to fulfill
the organization's mission and objectives
 Financial Audits: Reviewing accounting /financial transactions accuracy and proper treatment.
 Compliance Audits: Determining if entities are complying with applicable laws, regulations,
policies and procedures
 Internal Control Reviews: Review of the operation and adequacy of controls around major business
functions (e.g. payroll, accounts payable and financial reporting)

Information Technology Audits


 Penetration/Network Vulnerability Testing: Evaluating security of a system using proprietary
tools used to identify exploits and vulnerabilities
 Database Audits: Monitoring and analyzing a DB for authorization and authentication issues
 Application/Automated Controls Audit: Evaluating an organization's systems, practices, and
operations
 Ethical Hacking Audits: Simulated hacker attack to break into systems/networks to identify and
exploit security flaws

WHAT IS INTERNAL AUDIT’S ROLE IN THE ORGANIZATION?

 Auditors report to the CEO but mainly to the Audit Committee

Challenges: internal audit management & challenges


What are some factors to consider when conducting an internal audit?
 Stakeholders’ expectations
 People
 Financials
 Regulatory requirements
 Communication
 Timeliness
What are some challenges of internal auditing?
 Prioritization of Audits
 Skill / Knowledge Requirements
 Regulatory Requirements
 Corporate/Management Buy-in
 Staffing / Resources
Required skillset to be a good auditor
 Be critical
 Be patient
 Be curious
 Be fair
 Be open to new experiences
 Be open to learning
 Be flexible

Certification & associations:


CERTIFICATION PROGRAMS
 Certified Internal Auditor (CIA)
 Certified Public Accountant (CPA)
 Certified Information Systems Auditor (CISA)
 Certified Fraud Examiner (CFE)
 Certified Government Auditing Professional (CGAP)
 Certified Financial Services Auditor (CFSA)

PROFESSIONAL ASSOCIATIONS
 Institute of Internal Auditors (IIA)
 Association of Certified Public Accountants (AICPA)
 Information Systems and Control Association (ISACA)
 Association of Certified Fraud Examiners (ACFE)

Is it for you?
What's in it for you?
 Work with multiple clients in diverse industries
 Not locked into a specific audit area/function
 Exposure to different methods and approaches to auditing
 Exposure to high level executives and audit committee members
 You perform your work from various locations – not stuck in the same office
 Possibility to obtain multiple certifications (i.e., CIA, CISA, etc.)
 Travel to fun/exciting locations
 Premier status on multiple airlines and with multiple hotels
 A ton of frequent flier miles and hotel points (free vacations)
What's the catch?
 Frequent change in work type and subject matter
 Hard schedules/deadlines (get in, get out)
 Accountable for every hour of work day (i.e., bill clients by the hour)
 Challenging work environment
 Work with and for different people throughout the year
 Often work and travel alone
 Required to maintain multiple certifications (i.e., CIA, CISA, CPA, etc.)
 Required training and firm policy compliance
 Travel to small locations with little to do in the evenings.
 The hotel staff knows your name and family history.
 Staying at home is a "fun" vacation.
What are the keys to success?
 Be comfortable with being uncomfortable.
 Learn from those around you and above you.
 Find the learning opportunity in every mistake you make.
 Ask questions!

List of available services offered by an Internal Audit Department:


1) Internal Control Reviews (“ICR”)
o Financial
o Operational
o IT
2) Integrated Audit - Coordinate PwC Relationship
3) System Implementation Reviews

4) FCPA Reviews
5) Fraud Investigations
6) Physical Inventory Exemption
7) Hire, Train, and Develop staff for future IR Finance roles
8) On call function to support acquisitions, special projects, etc.
Reflection about the audit of tomorrow (digitalization, data analytics, predictive continuous
auditing, automation...)

Data Analysis - Approach 


Centralized approach 
 For X we use a centralized approach from the global head office in Belgium
 Central testing covering multiple geographical sites, units and entities
 Data analysis results are pushed to different entities in South and Central America. The
entire region runs on SAP except Argentina and Industria Plastica Ltda.
Benefits 
 One set of standardized data analysis for all entities
 Enables comparison and benchmarking between countries
 Data analyses are performed centrally by one team
 Exception follow-up with great assistance from Internal Audit Department

Data analysis status:


 All the data analysis reports have been generated for the
scope A and scope C countries for the following three main
processes:
o Order to Cash (OTC)
o Purchase to Pay (PTP)
o Record to Report (RTR).
 Scope A countries (green countries):
o After a first validation exercise by internal audit, reviewed by KPMG, several false
positives/negatives were identified. Based on these false positives/negatives, the
scripts behind the data analysis reports have been further fine-tuned.
o The revised scripts provided more comfort about the test results once these were
analysed.
o The validation of internal audit, reviewed by KPMG for the scope A countries,
indicates that the remaining exceptions have no significant impact on the
consolidated financial statements.
 Scope C countries (yellow countries):
o The validation of internal audit, reviewed by KPMG for the scope C countries,
indicates that the remaining exceptions have no significant impact on the
consolidated financial statements.

Data Analysis – Findings on Key Application Controls

Data Analysis - Other Findings 

Data analytics: example of outputs: (only for illustration)

Continuous monitoring and auditing
Purpose
Continuous Monitoring:
« Continuous monitoring enables management / the business to continually review business
processes for adherence to and deviation from their intended levels of performance and effectiveness
»
Continuous Auditing:
« Continuous auditing enables internal audit to continually gather from processes data that supports
auditing activities »
Benefits of Continuous Monitoring Systems:
Control:
 Automated report generation (consistency over time)
 Automatic notification to the control performer
 Ease of control transfer (no modification of ERP permissions)
 Automatic escalation process
 Timely detection of invalid transactions
 Traceability of control performance (evidence, timing, etc.)
Flexibility:
 Flexible frequency: no burden on the IT staff
 Centralization of the control documentation in one place
Technical aspects:
 Control offloading: no additional customization of the ERP
 As long as the data structure remains the same, the control will operate
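As an added example of the continuous-monitoring idea above (not code from the course or from any company's system): a purchase-to-pay exception script that reads only an extract, so nothing in the ERP is customized, flags invalid transactions and records traceable evidence and timing for each hit; the control ids, approval threshold, vendor master and invoice records are constructed assumptions.

```python
"""Added example (not from the course notes or any company's system): a small
continuous-monitoring control over purchase-to-pay (PTP) data. It offloads the
control from the ERP (reads an extract only), flags invalid transactions as
exceptions, and produces a traceable report (control id, evidence, timing)
that can be routed to the control performer. All records are constructed."""
from datetime import datetime, timezone

# Constructed vendor master: vendor id -> (name, bank account on file)
VENDOR_MASTER = {
    "V100": ("Plastics Ltda", "BE71096123456769"),
    "V200": ("Steel Supply SA", "BE68539007547034"),
}

# Constructed PTP extract: vendor invoices posted in the period
INVOICES = [
    {"doc": "5100001", "vendor": "V100", "inv_no": "INV-88", "amount": 12500.0, "bank": "BE71096123456769", "approver": "jdoe"},
    {"doc": "5100002", "vendor": "V100", "inv_no": "INV-88", "amount": 12500.0, "bank": "BE71096123456769", "approver": "jdoe"},  # duplicate
    {"doc": "5100003", "vendor": "V999", "inv_no": "INV-1", "amount": 800.0, "bank": "BE00000000000000", "approver": "jdoe"},  # unknown vendor
    {"doc": "5100004", "vendor": "V200", "inv_no": "INV-7", "amount": 60000.0, "bank": "BE68539007547034", "approver": ""},  # no approval
    {"doc": "5100005", "vendor": "V200", "inv_no": "INV-9", "amount": 4200.0, "bank": "BE11111111111111", "approver": "asmith"},  # bank mismatch
]

APPROVAL_THRESHOLD = 50000.0  # assumed policy: invoices above this amount need an approver


def run_ptp_controls(invoices, vendor_master, threshold=APPROVAL_THRESHOLD, run_time=None):
    """Return a list of exception dicts; an empty list means all controls passed."""
    run_time = run_time or datetime.now(timezone.utc)
    exceptions = []

    def flag(control, inv, evidence):  # one traceable record per hit
        exceptions.append({"control": control, "doc": inv["doc"], "vendor": inv["vendor"],
                           "evidence": evidence, "detected_at": run_time.isoformat()})

    seen = {}  # (vendor, invoice number, amount) -> first document seen
    for inv in invoices:
        key = (inv["vendor"], inv["inv_no"], inv["amount"])
        if key in seen:
            flag("PTP-01 duplicate invoice", inv, f"same vendor/number/amount as doc {seen[key]}")
        seen.setdefault(key, inv["doc"])
        master = vendor_master.get(inv["vendor"])
        if master is None:
            flag("PTP-02 vendor not in master data", inv, "no vendor master record")
        elif master[1] != inv["bank"]:
            flag("PTP-03 bank account mismatch", inv, f"paid to {inv['bank']}, master has {master[1]}")
        if inv["amount"] > threshold and not inv["approver"]:
            flag("PTP-04 missing approval", inv, f"amount {inv['amount']:.2f} above {threshold:.2f}")
    return exceptions


def exceptions_by_control(exceptions):
    """Summary for the automated report: number of hits per control."""
    counts = {}
    for e in exceptions:
        counts[e["control"]] = counts.get(e["control"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in run_ptp_controls(INVOICES, VENDOR_MASTER):
        print(e)
```

Re-running after each load with the same scripts is what gives consistency over time; validating hits and adjusting parameters such as the threshold is how the false positives/negatives mentioned in the data analysis status are reduced.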

Examples of Events Monitored in LATAM.

Example MCQ:
 When implementing an enterprise risk management (ERM) framework, a large
organization should be aware that ERM:
o only allows for risks to be measured in financial terms
o relies largely upon the analysis and evaluation of risks against criteria that are set
by the board
o will always improve the competitive position of the organization
o will always require assessment of risk management processes from both internal
and external auditors

 Which statement is not correct?


o Risk capacity is the maximum amount of risk an entity can absorb in the pursuit of
business objectives
o An entity’s risk appetite is always set above its risk capacity
o Risk tolerance represents the application of risk appetite to specific objectives
o An entity’s risk tolerance should always be aligned with its risk appetite

 Which of the following components are supporting aspects of the COSO ERM framework?
o Governance and culture; review and revision
o Performance; review and revision
o Governance and culture; information, communication, and reporting
o Strategy and objective-setting; performance

 An entity determined that its variable interest rate on borrowing will increase significantly
in the near future. Consequently, the entity hedged its variable rate by locking in a fixed
rate for the relevant period. According to COSO, this decision is which type of response to
risk?
o Reduction
o Acceptance
o Avoidance
o Sharing

 Which of the following elements is not a feature of an (effective) internal control?


o Is performed by the internal auditor
o Contains error handling
o Is well documented
o Can be evidenced

 A procedure for confirming that the balance in a chequebook matches the corresponding
bank statement is a:
o Safeguard control
o Reconciliation
o Exception report
o Management review

 Auditing has characteristics of a credence good because:
o It is difficult to observe the audit quality in advance
o It is difficult for consumers/users of audit services to ascertain the quality even
after the audit happened

 The most important difference between an internal auditor and an external auditor is that
the internal auditor is always an employee of the organization:
o True
o False

 A type I error in auditing occurs when:


o The auditor issues an unqualified opinion but in reality the FS are materially
misstated
o The auditor issues an adverse opinion but in reality the FS are fair
