Professional Documents
Culture Documents
Opportunities
Possible Threats
What is:
(Offensive / Defensive)
Operating Performance
Ensure earning stability &
Striving to Achieve business sustainability Strategy
Protect Shareholder Value
What should be:
Downside of Risk
(Defensive)
Compliance & Prevention:
Protect against threats &
losses
Enhance Credit Ratings &
Customer, Shareholder & Possible Threats
Regulator Perceptions
Opportunities
(Defensive)
Compliance & Prevention:
Protect against threats & losses
Enhance Credit Ratings &
Customer, Shareholder &
Regulator Perceptions
• Incident logging and reporting
Possible Threats
• Protection of Directors &
Officers liability
• Security, and privacy
• Business continuity and asset
insurance
• Asset Protection/ Minimise
Loss
Possible Threats
Risk Assessment
Criteria Matrix Risks
(Impact & Likelihood) (Risk
Register)
Assessed Controls
Treatments (Updated
Major 10 14 19 22 23
(Register)
Moderate 6 9 15 17 20
Moderate 6 9 15 17 20
Minor 3 5 8 13 16
Minor 3 5 8 13 16 Controls Register) Moderate 6 9 15 17 20
Insignificant 1 2 4 7 11 Minor 3 5 8 13 16
Insignificant 1 2 4 7 11
LIKELIHOOD
LIKELIHOOD Insignificant 1 2 4 7 11
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain LIKELIHOOD
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain
Likely
Expected to happen at least once in the 4 8 16 32 64 80
next year
Possible
Expected to happen at least once in the 3 6 12 24 48 60
next three years
Unlikely
Expected to happen at least once in the 2 4 8 16 32 40
next 10 years
Rare
Not expected to within the next 10 1 2 4 8 16 20
years
2 4 8 16 20
Escalation of Overall Risk Rating:
Minor Moderate Serious Major Catastrophic
HIGH - Executive Management
and the Audit Committee
Financial, Brand, People or Customer Impact
Multiple Deaths
Minor Injuries Single Serious Injury Multiple Serious Injuries Single Death
People Temporary Loss of Key Loss of some Key Mgt/ for Loss of most Key Mgt/ Staff Loss of all Key Mgt/ Staff
Loss of key Directors and
Exec Mgt/ Mgt/ Staff for > 1
Mgt/ Staff up to 3 months for up to 6 months for up to 1 year
year
[Description]
Control Control
Effectiveness? Effectiveness?
Existing Preventative Controls Existing Detective & Corrective Controls
Control Owner (Not –Effective or Control Owner (Not –Effective or
Linked to the Causes (to reduce causes) Linked to the Effects (to reduce effects)
Partially Effective or Partially Effective or
Effective) Effective)
1. Item 1. 1. Item
2. Etc. 2. etc.
3. 3.
4. 4.
5. 5.
6. 6.
7. 7.
8. 8.
9. 9.
10. 10.
Mitigations (future management actions) Owner Date Mitigations (future management actions) Owner Date
1. Item
2. etc.
3.
4.
5.
Rationale (why this action?) Target Likelihood Risk Rationale (why this action?) Target Consequence Risk
What is Internal Audit?*
• Internal auditing is an independent, objective assurance
and consulting activity
• Designed to add value and improve an Organization's
operations
• It helps an Organisation accomplish its objectives
• By bringing a systematic, disciplined approach to
evaluate and improve the
– effectiveness of risk management
– controls
– and governance processes.
* Definition from the Institute of Internal Auditors Inc.
18
Internal Audit Activities
The internal audit activity evaluates the adequacy and
effectiveness of controls in responding to risks within the an
Organization's governance, operations, and information
systems regarding the:
• Achievement of an Organization's strategic objectives;
• Reliability and integrity of financial and operational
information;
• Effectiveness and efficiency of operations and projects;
• Safeguarding of assets; and
• Compliance with laws, regulations, company policies,
procedures, and contracts.
19
Internal Audit Cycle
Align to
Business Strategy
Understand PSRC :
Act as Positive Change Agent by: Process,
Influencing cost effective, useful and Systems,
relevant improvements in PSRC, Risks, and
Supporting in the achievement of Business Controls
Strategy as they relate to Business
Strategy
20
Internal Audit Principles
To be read with the Internal Audit Cycle Slide
• Alignment
• Integration
• Relevance
• Value Add
21
Alignment
• Assurance Provider to the Board Audit Committee and
Risk & Control service provider to Management
22
Integration
• Audit Plan integrated with Management’s efforts to
control risk
23
Relevance
• Audit Plan in support of Business Strategies
• Understanding Process, Systems, Risk and Controls as
they relate to Business Strategies
• Useful and relevant opinion and commentary on the
Processes, Systems, Risk and Controls that matter to the
Group
24
Value Add
• Providing insight, cost-effective and useful
recommendations regarding:
– Efficiency of Processes and Systems
– Awareness of Risks that may impact on the
achievement of Business Strategies and which
management attention
– Adequacy of Risk Control Design
– Operational Effectiveness of Risk Controls
25
Type
Types of Audits
Nature
Functional Audits End to end process review (i.e. multiple processes) of a single function, division or brand;
providing audit opinion on the effectiveness of controls within that function, division or brand.
Process Audits Single process/ risk review over multiple functions/ divisions/ brands, providing audit opinion on
the effectiveness of that single process across multiple functions/ divisions or brands
Risk and Control Review Risk and control identification and assessment of brands, functions or processes, providing a risk
opinion as to the adequacy of risk management/ internal controls using the TW Group risk
management framework.
Project Audits Formal review of the effectiveness of project management and the adequacy of control design
build into the solution before going live. Provides an audit opinion on the effectiveness of project
risk management and adequacy of control design and may include a post implementation review.
Dual reporting to the Project Manager and to the Project Steering Committees.
Consultative Engagements Informal participation in new initiatives or projects focusing mainly on the provision of business
insight and adequacy of control design build into the solution before going live.
26
Integration with Risk Management -
Risk Assessment
Criteria Matrix
Risks
(Risk
(Impact & Likelihood)
See Slide 14 Internal Audit - Evaluation of Control
Register)
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain
28
COSO defines internal control as
having five components:
• Control Environment
• Risk Assessment
• Information and Communication
• Control Activities
• Monitoring
29
Control Activities (Examples)
30
Nature of Controls
• Preventative – designed to mitigate the causes of risks,
i.e. pre-risk event
31
Techniques to Evaluate Controls
• Walk-throughs
• Process Mapping with Risk and Controls Matrices
• Bow Ties
• Testing of Controls:
– Inquiry
– Observations
– Re-performance
– Detail Testing
• Analytical reviews using Computer Assisted Audit
Techniques (CAATs)
32
Top Down Risk Management Approach
Risk Assessment
Criteria Matrix Risks
(Impact & Likelihood) (Risk
Register)
Moderate 6 9 15 17 20
Controls Moderate 6 9 15 17 20
(Updated Major 10 14 19 22 23
Minor 3 5 8 13 16
(Register) Minor 3 5 8 13 16
Controls Moderate 6 9 15 17 20
Register)
Insignificant 1 2 4 7 11 Minor 3 5 8 13 16
Insignificant 1 2 4 7 11
LIKELIHOOD
LIKELIHOOD Insignificant 1 2 4 7 11
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain LIKELIHOOD
Rare (0-5%) Unlikely (6-15%) Possible (16-40%) Likely (41-70%) Almost Certain
34