
COLLEGE OF COMMERCE

Department of Accountancy and Management Accounting

Elective 3 – Operations Auditing

MODULE 2 - PROCESSES AND REVIEW TECHNIQUE IN OPERATIONS AUDITING

Welcome to Module 2. The first three units of this module tackle, respectively,
governance processes, risk management and internal control. Each contains, towards its
end, a practical guide on the objectives and the audit issues. In this module, we set
out to explain the role of internal audit in corporate governance. The position we take is that
internal audit is primarily involved with (a) internal governance processes but is increasingly
active in (b) reviewing the board and (c) providing a service with respect to the accountability of
the organization to its stakeholders. The practical guides towards the end of this module cover
each of these three dimensions.

At the end of this module, you are expected to know how to apply the lessons you
learned from it in practice.

CONSULTATION HOURS:
Cellphone or Messenger: 8 – 11 AM Mondays/ 8 – 11 AM Wednesdays
Virtual Time: 8 – 9 Monday (A2-2) / 8 – 9 Tuesday (A 2-1)

MODULE 2 - LEARNING OBJECTIVES

By the end of this module, the students shall be able to:
1. Explain governance processes
2. Enumerate the objectives of risk management
3. Enumerate and discuss the essential components of effective risk management
4. Explain the scope of internal audit’s role in risk management
5. Identify the different tools for risk management
6. Identify control issues for the risk management process
7. Enumerate the objectives of internal control
8. Enumerate the principles of a good internal control
9. Explain the control cost-effectiveness considerations
10. Discuss different issues for internal control processes
11. Explain the objectives for a review of the control environment
12. Discuss the Sarbanes-Oxley Approach and its importance in reviewing internal
control over financial reporting.

COURSE CONTENT FOR MODULE 2:

PROCESSES AND REVIEW TECHNIQUES IN OPERATIONS AUDITING

ACTIVITY             DESCRIPTION                                     TIME TO COMPLETE

Lecture Discussion   Governance Processes                            4 hours
Lecture Discussion   Risk Management Processes                       4 hours
Lecture Discussion   Internal Control Processes                      4 hours
Lecture Discussion   Review of the Control Environment               4 hours
Lecture Discussion   Reviewing Internal Control Over Financial       4 hours
                     Reporting
Review               Quick Reviews and Summarizations                2 hours
Quiz                 Summative Quizzes for Module 2                  1 hour

MODULE 2
UNIT 1 - GOVERNANCE PROCESSES

Governance. Process governance is a major issue, and yet it is often forgotten and overlooked by
organizations. In short, process governance is the way in which a company consolidates its
process management initiatives within standards, rules, and guidelines that all work
together towards a common goal.

The Four Models of Governance

When building an organization from the ground up, there will come a time when you
can’t go it alone anymore. You’ll need advice, direction, and a few pairs of hands. It’s at this
point that most founders will put together a board of directors. Now, not all boards work the
same - some are distant, some are hands-on, most are somewhere in between.

There’s a surprisingly broad spectrum of governance models that nonprofit boards
structure themselves around. Let’s look at four of the most common models and see what might
work for you.

1. Advisory Model

The advisory board is one of the most traditional styles of nonprofit governance seen
today. Members of an advisory board typically have little direct decision making power but very
high influence over the CEO, offering them - you guessed it - advice. An advisory board will be
made up of industry luminaries who are able to provide highly professional skills and a vast
network of connections to the nonprofit. The organisation benefits massively from these skills
and connections, leveraging them to boost credibility, fundraising, and advertising.

2. Cooperative Model

Somewhat uncommon in larger nonprofit organizations, a cooperative board is one where
all members make consensual decisions as equals. It’s the most democratic governance model,
only acting on decisions that have passed proper voting procedures and requiring every member
to be committed to the organization’s mission. There is no real hierarchy in a cooperative board,
only the group consensus.

3. Management Team Model

One of the most popular governance models for small- to medium-sized organizations,
the management team board takes a lot of cues from corporate-style management structures. The
board will be split into ‘department’-esque committees, each responsible for HR, fundraising,
event planning, marketing, or any other area that needs overseeing.

There will likely be a few more members sitting on this style of board to facilitate this.
This allows board members to focus and develop their skills in a particular area and keep
decision-making as efficient as possible.

4. Policy Board Model

A well-known model developed by author John Carver in his 1990 book “Boards That
Make A Difference.” With this governance method, the board grants most of its authority to the
CEO, allowing them full control over the organization and its workings. The board then becomes
the ‘second-in-command’ of the organization, with the CEO at the top. There are rarely any
standing committees in place when using this structure, as the board and CEO will work together
as a team, applying their whole attention to each task.

While these are four of the most common styles of nonprofit governance, that doesn’t
necessarily mean they’re the perfect ones for you and your organization. There are as many unique
models as there are businesses that need them, and finding the one that works for you is a matter
of self-analysis and research.

Governance Strategy Examples

Businesses and other organizations have an overall governance strategy.
There can be different types of sub-governance frameworks within a main governance strategy.
For example, IT governance falls within corporate and nonprofit governance, but it has its own
structure.

Governance encompasses all the processes of governing by some type of organization,
which can be a formal or informal organization. Governance refers to how groups or individuals
interact and who has the decision-making authority. The term also speaks to the political
processes that exist between groups. With any type of governance, external actors that don’t have
decision-making authority can influence the governance process. Governance has some type of
recognizable structure or framework that has its own rules and is accountable to a group or
individual.

IT Governance
IT (information technology) governance is the governing strategy over the processing
of all types of information. An IT governance strategy involves the connections between the
business and its management. Organizations are mandated by other authorities to follow
regulations that govern the protection of confidential information, financial accountability, data
retention, disaster recovery, etc. Organizations are also held accountable by shareholders,
stakeholders, vendors, customers, and others and a governance strategy governs those
relationships.

Nonprofit Governance
The strategy behind nonprofit governance is to continually work toward achieving the
nonprofit’s mission. Nonprofit organizations are governed by a board of directors or board of
trustees who are responsible for ensuring that the organization is in compliance with laws and
regulations and that the organization is sustainable for the long term. The governance strategy
for nonprofit governance also stands to provide some type of public, social, or community need
which is in the organization’s geographical jurisdiction. A nonprofit organization’s governance
structure must account for accountability, integrity, and transparency which are essential
components to a nonprofit entity.

Corporate Governance
Corporate governance refers to the processes by which businesses interact with other
businesses, customers, and other stakeholders. A corporate governance strategy directly relates to
the company’s mission. The structures and strategies for corporations are regulated and governed
by federal, state, and local governments, as well as other regulatory bodies. A corporate
governance strategy outlines the appropriateness of interactions and relationships for how the
corporate governing board and management control the interested parties, employees, and other
stakeholders connected with the corporation. As part of the corporate governance structure, the
board of directors has fiduciary duties to hold them accountable to those they serve and employ.

Environmental Governance
Environmental governance refers to issues related to political ecology that promote
protection for the environment and for sustainable human activity. In essence, environmental
principles guide the governance structure. An environmental governance strategy includes a
structure that guides the processes for decision-making around the control and management of
natural resources. The purpose of environmental governance is to strive toward environmentally
sustainable development. Environmental governance often falls within corporate or nonprofit
governance structures; as a sub-governance structure, it contains policies that respond to
environment-related demands by stakeholders. It’s better known in some arenas as ESG, or
environmental, social, and governance.

Project Governance
Project governance is a governance strategy that guides decision-making over projects
that are being directed by and overseen by a corporation, nonprofit, or other organization. A
project governance strategy outlines the processes, procedures, and authorities that bring a
concept through to completion. Projects are usually things that help companies or other
organizations to build capital. Project governance outlines the relationships between the various
groups and individuals that are involved in the project management effort.

Internet and Social Media Governance

The World Summit on the Information Society defines internet governance as “the
development and application by Governments, the private sector, and civil society, in their
respective roles, of shared principles, norms, rules, decision-making procedures, and programs
that shape the evolution and use of the Internet.” Internet governance pertains to how
governments, regulating bodies, and the general public can determine what type of content is and
isn’t acceptable for consumption on the internet. Governance strategies for the internet and social
media outline the extent that states should be able to censor content and how to handle sensitive
matters such as cyber-bullying, deaths, fraud, and deception.

Private Governance
A private governance strategy is a structure that’s necessary for non-governmental
entities, including private organizations, to provide standards and rules that are binding and
provide opportunities or benefits for the greater public. Private organizations can sometimes be
involved in making public policies such as an insurance company that governs how they
reimburse policyholders for claims and the processes they use to indemnify their policyholders
for a covered loss. Private, public, or government organizations may be associated with public
policy.

Public Governance
It’s common for people to confuse the concepts of governance and politics as public
governance structures. Politics involves people and processes where groups develop a consensus
of decisions that the group accepts and embraces collectively. The groups’ decisions are
considered binding by the group. Public governance involves the administration and processes of
governance. There are some groups and individuals who believe that governance and politics
both incorporate certain aspects of power and accountability. Public governance structures may
involve public-private partnerships or collaboration between community organizations. Public
governance also refers to companies or organizations that have governance structures that outline
the policies and processes for competitive enterprises that are also governed by one or more
levels of government.

Global Governance
According to “Enhancing Global Governance through Regional Integration”, the
definition of global governance is “the complex of formal and informal institutions,
mechanisms, relationships, and processes between and among states, markets, citizens and
organizations, both inter- and non-governmental, through which collective interests on the global
plane are articulated, rights and obligations are established, and differences are mediated”.
Essentially, global governance refers to any regular relationship between a group of free equals,
such as relationships between independent states.

Regardless of what kind of governance structure and strategy your organization
follows, a Board Effect board portal system is the modern governance system for storing your
organization’s bylaws and other documents that outline the authority of the organization.

UNIT 2 - RISK MANAGEMENT PROCESS

Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors, accidents
and natural disasters. IT security threats and data-related risks, and the risk management
strategies to alleviate them, have become a top priority for digitized companies. As a result, a
risk management plan increasingly includes a company's processes for identifying and controlling
threats to its digital assets, including proprietary corporate data, customers' personally
identifiable information (PII) and intellectual property.

Every business and organization faces the risk of unexpected, harmful events that can
cost the company money or cause it to permanently close. Risk management allows
organizations to attempt to prepare for the unexpected by minimizing risks and extra costs before
they happen.

Importance of Risk Management

By implementing a risk management plan and considering the various potential risks or
events before they occur, an organization can save money and protect their future. This is
because a robust risk management plan will help a company establish procedures to avoid
potential threats, minimize their impact should they occur and cope with the results. This ability
to understand and control risk enables organizations to be more confident in their business
decisions. Furthermore, strong corporate governance principles that focus specifically on risk
management can help a company reach their goals.

Important Benefits of Risk Management

1. Creates a safe and secure work environment for all staff and customers.
2. Increases the stability of business operations while also decreasing legal liability.
3. Provides protection from events that are detrimental to both the company and the
environment.
4. Protects all involved people and assets from potential harm.
5. Helps establish the organization's insurance needs in order to save on unnecessary
premiums.

The importance of combining risk management with patient safety has also been
revealed. In most hospitals and organizations, the risk management and patient safety
departments are separated; they incorporate different leadership, goals and scope. However,
some hospitals are recognizing that the ability to provide safe, high-quality patient care is
necessary to the protection of financial assets and, as a result, should be incorporated with risk
management.

In 2006, the Virginia Mason Medical Center in Seattle, Washington integrated their risk
management functions into their patient safety department, ultimately creating the Virginia
Mason Production System (VMPS) management methods. VMPS focuses on continuously
improving the patient safety system by increasing transparency in risk mitigation, disclosure and
reporting. Since implementing this new system, Virginia Mason has experienced a significant
reduction in hospital professional premiums and a large increase in the reporting culture.

Risk Management Strategies and Processes

All risk management plans follow the same steps, which combine to make up the overall
risk management process:

Establish context. Understand the circumstances in which the rest of the process will
take place. The criteria that will be used to evaluate risk should also be established and the
structure of the analysis should be defined.

Risk identification. The company identifies and defines potential risks that may
negatively influence a specific company process or project.

Risk analysis. Once specific types of risk are identified, the company then determines
the odds of them occurring, as well as their consequences. The goal of risk analysis is to further
understand each specific instance of risk, and how it could influence the company's projects and
objectives.

Risk assessment and evaluation. The risk is then further evaluated after determining the
risk's overall likelihood of occurrence combined with its overall consequence. The company can
then make decisions on whether the risk is acceptable and whether the company is willing to take
it on based on its risk appetite.

Risk mitigation. During this step, companies assess their highest-ranked risks and
develop a plan to alleviate them using specific risk controls. These plans include risk mitigation
processes, risk prevention tactics and contingency plans in the event the risk comes to fruition.

Risk monitoring. Part of the mitigation plan includes following up on both the risks and
the overall plan to continuously monitor and track new and existing risks. The overall risk
management process should also be reviewed and updated accordingly.

Communicate and consult. Internal and external stakeholders should be included in
communication and consultation at each appropriate step of the risk management process and in
regard to the process as a whole.

Risk management strategies should also attempt to answer the following questions:
1. What can go wrong? Consider both the workplace as a whole and individual work.
2. How will it affect the organization? Consider the probability of the event and whether
it will have a large or small impact.
3. What can be done? What steps can be taken to prevent the loss? What can be done to
recover if a loss does occur?
4. If something happens, how will the organization pay for it?

Risk Management Approaches

After the company's specific risks are identified and the risk management process has
been implemented, there are several different strategies companies can take in regard to different
types of risk:

Risk avoidance. While the complete elimination of all risk is rarely possible, a risk avoidance
strategy is designed to deflect as many threats as possible in order to avoid the costly and
disruptive consequences of a damaging event.

Risk reduction. Companies are sometimes able to reduce the amount of damage certain risks
can have on company processes. This is achieved by adjusting certain aspects of an overall
project plan or company process, or by reducing its scope.

Risk sharing. Sometimes, the consequences of a risk are shared, or distributed among several of
the project's participants or business departments. The risk could also be shared with a third
party, such as a vendor or business partner.

Risk retention. Sometimes, companies decide a risk is worth it from a business standpoint, and
decide to keep the risk and deal with any potential fallout. Companies will often retain a certain
level of risk if a project's anticipated profit is greater than the cost of its potential risk.

Limitations

While risk management can be an extremely beneficial practice for organizations, its
limitations should also be considered. Many risk analysis techniques -- such as creating a model
or simulation -- require gathering large amounts of data. This extensive data collection can be
expensive and is not guaranteed to be reliable.

Furthermore, the use of data in decision making processes may have poor outcomes if
simple indicators are used to reflect the much more complex realities of the situation. Similarly,
adopting a decision throughout the whole project that was intended for one small aspect can lead
to unexpected results.

Another limitation is the lack of analysis expertise and time. Computer software
programs have been developed to simulate events that might have a negative impact on the
company. While cost effective, these complex programs require trained personnel with
comprehensive skills and knowledge in order to accurately understand the generated results.
Analyzing historical data to identify risks also requires highly trained personnel. These
individuals may not always be assigned to the project. Even if they are, there frequently is not
enough time to gather all their findings, thus resulting in conflicts.

Other limitations include:

A false sense of stability. Value-at-risk measures focus on the past instead of the future.
Therefore, the longer things go smoothly, the better the situation looks. Unfortunately, this
makes a downturn more likely.

The illusion of control. Risk models can give organizations the false belief that they can
quantify and regulate every potential risk. This may cause an organization to neglect the
possibility of novel or unexpected risks. Furthermore, there is no historical data for new
products, so there's no experience to base models on.

Failure to see the big picture. It's difficult to see and understand the complete picture of
cumulative risk.

Risk management is immature. An organization's risk management policies are
underdeveloped and lack the history to make accurate evaluations.

Risk management standards

Since the early 2000s, several industry and government bodies have expanded regulatory
compliance rules that scrutinize companies' risk management plans, policies and procedures. In
an increasing number of industries, boards of directors are required to review and report on the
adequacy of enterprise risk management processes. As a result, risk analysis, internal audits and
other means of risk assessment have become major components of business strategy.

Risk management standards have been developed by several organizations, including the
National Institute of Standards and Technology (NIST) and the International Organization for
Standardization (ISO). These standards are designed to help organizations identify specific
threats, assess unique vulnerabilities to determine their risk, identify ways to reduce these risks
and then implement risk reduction efforts according to organizational strategy.

The ISO 31000 principles, for example, provide frameworks for risk management
process improvements that can be used by companies, regardless of the organization's size or
target sector. The ISO 31000 is designed to "increase the likelihood of achieving objectives,
improve the identification of opportunities and threats, and effectively allocate and use resources
for risk treatment," according to the ISO website. Although ISO 31000 cannot be used for
certification purposes, it can help provide guidance for internal or external risk audit, and it
allows organizations to compare their risk management practices with the internationally
recognized benchmarks.

The ISO recommends the following target areas, or principles, should be part of the
overall risk management process:
a. The process should create value for the organization.
b. It should be an integral part of the overall organizational process.
c. It should factor into the company's overall decision-making process.
d. It must explicitly address any uncertainty.
e. It should be systematic and structured.
f. It should be based on the best available information.
g. It should be tailored to the project.
h. It must take into account human factors, including potential errors.
i. It should be transparent and all-inclusive.
j. It should be adaptable to change.
k. It should be continuously monitored and improved upon.

The ISO standards and others like it have been developed worldwide to help
organizations systematically implement risk management best practices. The ultimate goal for
these standards is to establish common frameworks and processes to effectively implement risk
management strategies.

These standards are often recognized by international regulatory bodies, or by target
industry groups. They are also regularly supplemented and updated to reflect rapidly changing
sources of business risk. Although following these standards is usually voluntary, adherence may
be required by industry regulators or through business contracts.

Risk management examples

One example of risk management could be a business identifying the various risks
associated with opening a new location. They can mitigate risks by choosing locations with a lot
of foot traffic and low competition from similar businesses in the area.

Another example could be an outdoor amusement park that acknowledges their business is
completely weather-dependent. In order to alleviate the risk of a large financial hit whenever
there is a bad season, the park might choose to consistently spend low and build up cash
reserves.

Yet another example could be an investor buying stock in an exciting new company with
high valuation even though they know the stock could significantly drop. In this situation, risk
acceptance is displayed as the investor buys despite the threat, feeling the potential of the large
reward outweighs the risk.

The Role of Internal Auditing in Risk Management

Internal auditing is an independent, objective assurance and consulting activity. Its core
role with regard to risk management is to provide objective assurance to the board on the
effectiveness of risk management. Indeed, research has shown that board directors and internal
auditors agree that the two most important ways that internal auditing provides value to the
organization are in providing objective assurance that the major business risks are being
managed appropriately and providing assurance that the risk management and internal control
framework is operating effectively.

The key factors to take into account when determining internal auditing’s role are
whether the activity raises any threats to the internal audit activity’s independence and
objectivity and whether it is likely to improve the organization’s risk management, control and
governance processes. Such activities form part of the wider objective of giving assurance on risk
management. An internal audit activity complying with the International Standards for the
Professional Practice of Internal Auditing can and should perform at least some of these
activities.

Internal auditing may provide consulting services that improve an organization’s
governance, risk management, and control processes. The extent of internal auditing’s consulting
in risk management will depend on the other resources, internal and external, available to the
board and on the risk maturity of the organization, and it is likely to vary over time. Internal
auditors’ expertise in considering risks, in understanding the connections between risks and
governance and in facilitation means that the internal audit activity is well qualified to act as
champion and even project manager for risk management, especially in the early stages of its
introduction. As the organization’s risk maturity increases and risk management becomes more
embedded in the operations of the business, internal auditing’s role in championing risk
management may reduce. Similarly, if an organization employs the services of a risk
management specialist or function, internal auditing is more likely to give value by concentrating
on its assurance role than by undertaking consulting activities. However, if internal
auditing has not yet adopted the risk-based approach represented by the assurance activities, it is
unlikely to be equipped to undertake the consulting activities.

Consulting Roles
Consulting roles are roles that internal auditing may undertake in relation to risk
management. In general, the further internal auditing ventures into consulting, the
greater are the safeguards that are required to ensure that its independence and objectivity are
maintained. Some of the consulting roles that the internal audit activity may undertake are:
1. Making available to management tools and techniques used by internal auditing to
analyze risks and controls;
2. Being a champion for introducing risk management into the organization, leveraging
its expertise in risk management and control and its overall knowledge of the
organization;
3. Providing advice, facilitating workshops, coaching the organization on risk and
control and promoting the development of a common language, framework and
understanding;
4. Acting as the central point for coordinating, monitoring and reporting on risks; and
5. Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in deciding whether consulting services are compatible with the assurance
role is to determine whether the internal auditor is assuming any management responsibility. In
the case of risk management, internal auditing can provide consulting services so long as it has
no role in actually managing risks – that is management’s responsibility – and so long as senior
management actively endorses and supports risk management. We recommend that, whenever
the internal audit activity acts to help the management team to set up or to improve risk
management processes, its plan of work should include a clear strategy and timeline for
migrating the responsibility for these services to members of the management team.

Safeguards
Internal auditing may extend its involvement in risk management, provided certain
conditions apply. The conditions are:
1. It should be clear that management remains responsible for risk management.
2. The nature of internal auditor’s responsibilities should be documented in the
internal audit charter and approved by the audit committee.
3. Internal auditing should not manage any of the risks on behalf of management.
4. Internal auditing should provide advice, challenge and support to
management’s decision making, as opposed to taking risk management
decisions themselves.
5. Internal auditing cannot also give objective assurance on any part of the risk
management framework for which it is responsible. Such assurance should be
provided by other suitably qualified parties.
6. Any work beyond the assurance activities should be recognized as a consulting
engagement and the implementation standards related to such engagements
should be followed.

Skills and body of knowledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for
example, understand corporate governance requirements; have project management, analytical
and facilitation skills; and value having a healthy balance of risk rather than extreme risk-taking
or avoidance behaviors. However, risk managers as such serve only the management of the
organization and do not have to provide independent and objective assurance to the audit
committee. Nor should internal auditors who seek to extend their role in risk management
underestimate the risk managers’ specialist areas of knowledge (such as risk transfer and risk
quantification and modeling techniques), which are outside the body of knowledge for most
internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and
knowledge should not undertake work in the area of risk management. Furthermore, the head of
internal audit should not provide consulting services in this area if adequate skills and knowledge
are not available within the internal audit activity and cannot be obtained from elsewhere.

Conclusion
Risk management is a fundamental element of corporate governance. Management is
responsible for establishing and operating the risk management framework on behalf of the
board. Enterprise-wide risk management brings many benefits as a result of its structured,
consistent and coordinated approach. Internal auditing’s core role in relation to risk management
should be to provide assurance to management and to the board on the effectiveness of risk
management. When internal auditing extends its activities beyond this core role, it should apply
certain safeguards, including treating the engagements as consulting services and, therefore,
applying all relevant Standards. In this way, internal auditing will protect its independence and
the objectivity of its assurance services. Within these constraints, risk management can help raise
the profile and increase the effectiveness of internal auditing.

Tools for Risk Management

A risk matrix is probably the cross-industry standard tool for risk evaluation. In aviation
safety management system (SMS) programs it is ubiquitous. The matrix uses “probability” (likelihood)
and “severity” (impact) as its two axes to rate a real or hypothetical scenario, and the resulting
score is generally placed into one of three bands:
Acceptable risk (typically shown in green);
Unacceptable risk (typically shown in red); and
Risk in between, which is tolerable only if it is as low as reasonably practicable
(ALARP) (yellow). Risk in this middle band should be monitored carefully to ensure
that reasonable controls are in place.

Some organizations use more colors, such as light green and/or orange. Extra colors add
aesthetic distinction rather than further quantification. A risk matrix is ultimately a ranking
tool: each risk is placed on the grid and ranked against the others, and the band it falls in
drives the response required.

A Risk Register is a tool for documenting risks and the actions taken to manage each risk.
It is essential to the successful management of risk: as risks are identified they are logged on
the register, an owner is assigned, and the actions taken to respond to each risk are recorded
against it.

Risk is evident in everything we do. When it comes to project management, understanding
risk and knowing how to minimize its impacts (or take full advantage of its opportunities) on
your project are essential for success.

Most frequently risk managers attempt to reduce the likelihood of the risk occurring, or
the impact if the risk does occur. The chosen responses are documented on the Risk Register, and
the register should be reviewed regularly to monitor progress. Ideally the Risk Register should be
reviewed at every project team meeting; it should certainly be reviewed at the end of each phase
of the project lifecycle.

Management of risk should be a constant, ongoing process, with the project team raising
risks with the Risk Manager or Project Manager, who then logs the risk and identifies actions that
can be taken to mitigate it. To respond properly to a risk the Risk Manager may need to bring in
experts to understand the actions that can be taken to reduce the likelihood of the risk
occurring or the impact if it does occur.
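The two tools described above, the risk matrix and the risk register, are easy to misuse when they live only in a spreadsheet. The following is an added example, not code from the module or from any real risk management product, that implements both: a 5 x 5 likelihood-by-severity matrix whose scores are mapped to the three bands (acceptable, ALARP, unacceptable), and a register that logs risks with an owner, records the chosen response and the residual rating it is expected to leave, ranks risks on the grid, flags risks still outside appetite, and flags risks whose review is overdue. The scale labels, the 1 to 5 weights, the band thresholds (4 and 12), the 30-day review cycle, the four response types and the sample risks are all assumptions made for the example; an organization would calibrate its own.

```python
"""Risk matrix scoring plus a minimal risk register (added example, assumptions noted)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

# Five-point scales. Labels and 1..5 weights are an assumption; organizations
# calibrate their own. Score = likelihood weight x severity weight (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

RESPONSES = ("avoid", "reduce", "transfer", "accept")  # assumed conventional set


class Zone(Enum):
    ACCEPTABLE = "green"     # keep monitoring, no further action required
    ALARP = "yellow"         # tolerable only while controls keep it as low as reasonably practicable
    UNACCEPTABLE = "red"     # beyond appetite: must be treated before proceeding


def score(likelihood: str, severity: str) -> int:
    """Cell value on the matrix for a (likelihood, severity) pair."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def zone(value: int, acceptable_max: int = 4, alarp_max: int = 12) -> Zone:
    """Map a matrix score to a band. The two thresholds are assumed values."""
    if value <= acceptable_max:
        return Zone.ACCEPTABLE
    if value <= alarp_max:
        return Zone.ALARP
    return Zone.UNACCEPTABLE


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: str                             # inherent rating, before any response
    severity: str
    response: str = "accept"
    residual_likelihood: Optional[str] = None   # rating after response; None = unchanged
    residual_severity: Optional[str] = None
    last_reviewed: Optional[date] = None

    def inherent_score(self) -> int:
        return score(self.likelihood, self.severity)

    def residual_score(self) -> int:
        return score(self.residual_likelihood or self.likelihood,
                     self.residual_severity or self.severity)


class RiskRegister:
    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def log(self, risk: Risk) -> None:
        """Log a newly identified risk; ids must be unique so actions track one entry."""
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def respond(self, risk_id: str, response: str, residual_likelihood: str,
                residual_severity: str, reviewed_on: date) -> None:
        """Record the chosen response and the residual rating it is expected to leave."""
        if response not in RESPONSES:
            raise ValueError(f"unknown response {response!r}")
        r = self._risks[risk_id]
        r.response, r.last_reviewed = response, reviewed_on
        r.residual_likelihood, r.residual_severity = residual_likelihood, residual_severity

    def ranked(self) -> List[Risk]:
        """Risks ordered by residual score, highest first (how the grid ranks them)."""
        return sorted(self._risks.values(), key=lambda r: (-r.residual_score(), r.risk_id))

    def outside_appetite(self) -> List[str]:
        """Ids whose residual risk still sits in the red band, i.e. beyond appetite."""
        return [r.risk_id for r in self.ranked() if zone(r.residual_score()) is Zone.UNACCEPTABLE]

    def review_overdue(self, today: date, max_age_days: int = 30) -> List[str]:
        """Ids never reviewed, or not reviewed within max_age_days (assumed cycle)."""
        cutoff = today - timedelta(days=max_age_days)
        return [r.risk_id for r in self._risks.values()
                if r.last_reviewed is None or r.last_reviewed < cutoff]


def sample_register(today: date = date(2024, 6, 1)) -> RiskRegister:
    """Constructed sample entries for demonstration; not from any real project."""
    reg = RiskRegister()
    reg.log(Risk("R1", "Key supplier insolvency", "COO", "likely", "major",
                 last_reviewed=today - timedelta(days=45)))      # stale review, no response yet
    reg.log(Risk("R2", "Ransomware on finance systems", "CISO", "likely", "catastrophic"))
    reg.log(Risk("R3", "Minor stock-count discrepancies", "Controller", "likely", "negligible",
                 last_reviewed=today - timedelta(days=5)))
    # R2: reduce likelihood (assumed control: offline backups), reviewed today
    reg.respond("R2", "reduce", "unlikely", "catastrophic", today)
    return reg


def sample_report(today: date = date(2024, 6, 1)) -> dict:
    """Ranked grid positions, appetite breaches and overdue reviews for the sample data."""
    reg = sample_register(today)
    return {
        "ranked": [(r.risk_id, r.residual_score(), zone(r.residual_score()).value) for r in reg.ranked()],
        "outside_appetite": reg.outside_appetite(),
        "review_overdue": reg.review_overdue(today),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Note that R2 starts in the red band (score 20) and only drops to ALARP (score 10) once a response is recorded, while R1 stays red and stale: the register makes both the untreated risk and the lapsed review visible, which is exactly what a review at each project phase is meant to catch.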

Control Issues for Risk Management Processes

Control Objectives for Risk Management Processes
(a) Organizational objectives support and align with the organization’s mission
(b) Significant risks are identified and assessed
(c) Appropriate risk responses are selected that align risks with the organization’s
risk appetite
(d) Relevant risk information, enabling staff, management, and the board to carry out
their responsibilities, is captured and communicated in a timely manner across the
organization.

(a) Organizational Objectives Support and Align with the Organization’s Mission
1 Key Issues
1.1 Have the organization’s objectives been defined?
1.2 Have the organization’s objectives been mapped to the organization’s mission
statement, and is there a close fit?
1.3 Are the mission and objectives of the organization consistent with the
organization’s purpose as set out in the constitutional documents of the
organization?
1.4 Do the owners and other stakeholders of the business share with the board and
senior management a common view about the mission and objectives of the
organization?
1.5 Is the mission, and are the objectives, of the organization clearly communicated
from the top downwards, and is there commitment at all levels to deliver on both?

2 Detailed Issues
2.1 Do the defined organizational objectives correspond to what the organization is
focusing upon?
2.2 If the organization achieves its objectives, will it fulfill its mission?
2.3 How does the organization revisit and redefine its mission and objectives?

(b) Significant Risks are Identified and Assessed
1 Key Issues
1.1 Is there a formal process of risk management (identification, assessment and
response)?
1.2 Is risk management applied at the strategy formulation stage (to avoid adopting
high risk strategies) as well as to the implementation of adopted strategy?
1.3 Is risk management embedded into the culture of the business, so that it is an
attitude of mind of management and staff?
1.4 Does the organization endeavor to identify and assess external as well as
internal risks?
1.5 Does the organization’s risk management process classify risks into appropriate
categories (e.g. funding, marketing, HR, IT, reputational, etc.)?
1.6 Does the organization employ effective risk management methodologies/tools?
1.7 Is the plan of future internal audit engagement based on a risk assessment?
2 Detailed Issues
2.1 Does the organization’s risk management process extend to considering the
risk to the organization of failing to exploit opportunities which may arise
in the future?
2.2 Have there been any events occurring to the organization which indicate that
not all significant risks were anticipated, and what lessons should be learnt
from this?
2.3 Does the organization consider the likelihood, consequences and effective
mitigation of a number of threats materializing simultaneously?
2.4 Does internal audit invest some audit time reviewing areas of the business which
are perceived to be of low risk, in case significant risks are concealed in those
areas of the business?

(c) Appropriate Risk Responses are Selected that Align Risks with the Organization’s Risk
Appetite
1 Key Issues
1.1 Is responsibility for the ownership and control of risks clearly assigned to appropriate
staff?
1.2 Has the organization defined its overall risk appetite and its varying risk appetites
for the parts (e.g. divisions, processes, operating units, product ranges) of the
business?
1.3 Is the organization running a level of risk which is unacceptable, being beyond
the organization’s risk appetite?
1.4 In assessing risk, is allowance made for the degree of subjectivity involved in
identifying, assessing and deciding how to respond to risks?
1.5 Is there a risk that the organization may be too risk averse?

2 Detailed Issues
2.1 Are the optimal means used to mitigate risks depending upon the character of
the risk?
2.2 Are there cost-effective opportunities to mitigate risks still further, even though
they are assessed as being within the organization’s risk appetite?

(d) Relevant Risk Information, Enabling Staff, Management, and the Board to Carry out
their Responsibilities, is Captured and Communicated in a Timely Manner across the
Organization
1 Key Issues
1.1 How are insights about risks communicated effectively upwards so as to inform
top level assessments of risk?
1.2 How are the concerns about risk at senior levels communicated downwards so
as to be factored into risk assessments at operational levels?
1.3 Does the organization capture and monitor effectively appropriate risk
information to determine whether the key risks to the business are under
control?
1.4 Does the audit committee of the board review (a) the risk management process
of the organization, and (b) the high level risks to the organization that the
process has identified and assessed?
1.5 Does the audit committee report on risk to the board, so that the board itself
addresses risk management?
1.6 Is available risk information sufficient to enable the business to manage risk
effectively?
1.7 Is the risk management role of internal audit confined to providing assurance
and consulting advice on risk management, rather than having the responsibility
(a) to be the specialist risk management function of the business, or (b) to take
management decisions and action with respect to risk management?
1.8 Does the organization maintain adequate risk registers at all levels and across
all of the business?
1.9 Does the culture of the organization encourage frankness about risks being run?

2 Detailed Issues
2.1 Has the organization endeavored to develop and use “leading indicators” to
give timely warnings of the likely development of unacceptable levels of risk?

UNIT 3. INTERNAL CONTROL PROCESSES

Internal control, as defined in accounting and auditing, is a process for providing reasonable
assurance of the achievement of an organization’s objectives in operational effectiveness and
efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

The primary purpose of internal controls is to help safeguard an organization and further its
objectives. Internal controls function to minimize risks and protect assets, ensure accuracy of records,
promote operational efficiency, and encourage adherence to policies, rules, regulations, and laws.

The CoCo program of the Canadian Institute of Chartered Accountants has stated that
control is effective to the extent that it provides reasonable assurance that an organization will
achieve its objectives reliably; or, control is effective to the extent that the remaining
(uncontrolled) risks of the organization failing to meet its objectives are acceptable.

Authoritative guidance, for instance the Turnbull Report or the SEC rule implementing
s. 404 of the Sarbanes-Oxley Act, makes it clear that two questions must be answered before
a conclusion can be reached about the effectiveness of internal control.
1. Have any outcomes occurred which indicate that internal control has been
ineffective?
2. Is the internal control process robust enough to give reasonable assurance of the
achievement of management’s objectives?

We are not entitled to conclude that there is effective internal control (over the whole
business or over a process which is the subject of our review) just because after careful
investigation we have uncovered nothing that has gone wrong. Organizations may be unaware of
significant failures that have occurred. But if we have discovered something of significance that
has gone wrong, it is likely to mean that we have to conclude that internal control has not been
effective.

A sound approach to addressing the second question is to review the robustness of
COSO’s five essential components of internal control (control environment, information and
communication, risk assessment, control activities, monitoring) so as to be able to conclude that
internal control can be expected to be effective. This will include confirming that these control
components are being applied in the manner that they have been designed to be. A frequent
mistake is to focus just on an assessment of control activities, but to overlook the criticality of
the other four essential components of internal control.

It is to be preferred that the second question (above) is addressed by reference to COSO’s
eight enterprise risk management components as this broadens the assurance that the auditor can
give to embrace both risk management and internal control.

Regardless of whether costly failures are prevented, a process with good control, for
instance through segregation of duties, may not cost more to run than one with weak control.
There may be opportunities to achieve effective control in more economical ways. Duplicate
controls may mean that some controls are redundant and can be eliminated.

Management makes many judgment calls as to the extent to which it is worthwhile
investing in enhanced control to provide greater assurance of the achievement of objectives.
Certainly control should be sufficient to mitigate risks so that the residual risks remaining are
within the organization’s risk appetite. Again, that involves judgment as to the potential
effectiveness of control(s) and also as to what the risk appetite should be.

It is desirable to make control as watertight as is practical. Events judged to be unlikely to
occur, or of little consequence if they do occur, may turn out to have major repercussions upon
the organization. It is prudent to reconsider the efficacy of the business approach which accepts
that control is imperfect, say to prevent fraud, but rather cynically endeavors to build the
ongoing, routine cost of the fraud into the price of the organization’s products or services. It is
not always possible to assess the potential worst-case cost of breakdowns in control. Fraud can be
regarded as a particular type of breakdown in the system of internal control. Then there is the
ethical and practical business challenge of the moral hazard that the organization is allowing by
permitting its business processes to be insufficiently controlled.

ISSUES FOR INTERNAL CONTROL PROCESSES

Objectives of Internal Control Processes
To provide reasonable assurance of:
(a) The reliability and integrity of financial and operational information.
(b) The effectiveness and efficiency of operations.
(c) The safeguarding of assets.
(d) Compliance with laws, regulations, policies and contracts.
1 Key Issues
1.1 Is a control framework applied to the design and assessment of internal
control within the organization?
1.2 Have there been significant errors and/or losses due to control weaknesses that
have not been corrected?
1.3 Over time, are all significant business processes reviewed for their control
effectiveness?
1.4 Does management understand that they are responsible for the effectiveness of
internal control?
1.5 Does the audit committee of the board report to the board the committee’s
overall opinion of the effectiveness of internal control?
1.6 Is the chief audit executive required to report to the audit committee, or to the
board, internal audit’s overall opinion of the effectiveness of internal control?
1.7 Are key processes documented, highlighting their key controls; and is the
design adequacy of these key controls evaluated?
1.8 Is there a satisfactory program for testing the operation of key controls,
executed by management and by internal audit?
1.9 What is the level of risk that management may override controls, and if this
were to occur would it be reported to an independent level?

2 Detailed Issues
2.1 Does the control framework used measure up to COSO, CoCo or Turnbull?
2.2 When necessary, is the internal control of outsourced processes within the
scope of the organization’s design and assessment of internal control?
2.3 Are management and staff trained to understand the meaning of internal
control and how it is achieved?
2.4 Is there evidence that controls are dysfunctional in that they are hampering the
achievement of objectives?
2.5 Is internal control achieved in a cost-effective way?
2.6 Is there over-control through unnecessarily costly control processes, or
through duplicate controls?
2.7 Is line management required to regularly assess, and certify to, the control
effectiveness of their areas of responsibility?
2.8 When the chief audit executive believes that senior management has accepted
a level of residual risk that may be unacceptable to the organization, and has
not resolved the matter through discussion, does the chief audit executive
report the matter to the board, or to the audit committee, for resolution?
2.9 Does a lack of effective internal control create a moral hazard for
management, staff, contractors, customers, suppliers or other parties?
2.10 Would errors, fraud or other avoidable losses be detected?
2.11 Is responsibility for the prevention, detection and investigation of fraud
clearly assigned within the job descriptions of appropriate staff?

UNIT 4 - REVIEW OF THE CONTROL ENVIRONMENT

The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control,
providing discipline and structure. Control environment factors include the integrity, ethical
values and competence of the entity’s people; management’s philosophy and operating style; the
way management assigns authority and responsibility, and organizes and develops its people;
and the attention and direction provided by the board of directors.

First we shall establish the top level control objectives for this subject and then examine
the relative risk and control issues posed in the form of questions. During the course of their
review, auditors will seek to answer these questions by, first, determining the controls and
measures that are in place in each instance, and secondly, evaluating the effectiveness of these
controls/measures by performing compliance and substantive testing as appropriate.

CONTROL OBJECTIVES FOR A REVIEW OF THE CONTROL ENVIRONMENT

The following two objectives are deliberately pitched at a top level view of the control
environment. However, it would be straightforward to break these down to a more detailed set.
1. To ensure that management conveys the message that integrity, ethical values
and commitment to competence cannot be compromised, and that employees
receive and understand that message.
2. To ensure that management continually demonstrates, by word and action,
commitment to high ethical and competence standards.

RISK AND CONTROL ISSUES FOR A REVIEW OF THE CONTROL ENVIRONMENT

In order to evaluate whether the two control objectives listed above are being met, the
auditor will need to consider the underlying risks and control issues. Noted below are a set of
questions related to the risk and control issues that are inherent to the subject of the control
environment.
The issue questions have been divided into two sets, namely the key issues and the
detailed issues. The auditor should always seek to answer the key issue questions, turning to the
detailed set either when there is a noted weakness in the controls in place for the key set or
whenever time permits.

FRAUD
Fraud is an intentional, deceitful act for gain with concealment. As such, it is more than
theft. Defalcation is theft by a person in a position of trust. Fraud may be perpetrated by one
person working on his or her own, but many frauds are able to occur only as a result of collusion
—between collateral associates working in different positions within the business, between a
manager and someone reporting to that manager, or between an insider and an outsider. There
may be mass collusion, for instance, between many salespeople and many customers, even to the
extent that the fraud tacitly may have become regarded as a regular perk.
It is frequently because of the collusion characteristic that fraud is so difficult to prevent
and detect since effective systems of internal control often become ineffective when collusion
circumvents the segregation features of a control system. This illustrates that an effective system
of internal control requires much more than a good set of control activities such as segregation of
duties—it also always requires the other components of internal control as the COSO report
called them: control environment, risk assessment, information and communication, and
monitoring. We may classify fraud as:
• management fraud, for instance fraudulent financial reporting
• employee fraud
• outsider fraud
• collusive fraud.

Some fraud, especially computer program frauds, may be continuous, working for the
defrauder indefinitely into the future. Some continuous frauds require no further direct action by
the defrauder once they have been set up, as they continue working automatically. Some
continuous frauds require constant maintenance by the defrauder, such as teeming and lading
frauds. Other frauds are not continuous but have a “smash and grab” character with the defrauder
absconding with the gains in a carefully timed way just before the perhaps inevitable detection.

One important deterrent for fraud is for the business to have a good record of detecting
fraud. If a prospective defrauder knows there is a high risk of detection and that the
consequences upon detection will not be pleasant, then that person will be less likely to engage
in the fraud. Given a personal need, an opportunity to perpetrate a fraud and a conviction that
detection is most unlikely or that the consequences upon detection would not be too disgraceful,
then many ordinary people will be sorely tempted to engage in fraud. It is up to management to
make sure that these ingredients are not present in their business.

Difficult though it is to achieve, the most effective antidote to fraud is a strong system of
internal control in all its component parts. Of course, good internal control also reduces the risk
of accidental error or loss. Both fraud and accidental errors and losses share the characteristic of
occurring in part due to a breakdown in the system of internal control.

UNIT 5 - REVIEWING INTERNAL CONTROL OVER FINANCIAL REPORTING

Audit committees play an important role in overseeing an organization’s internal control
processes. Effective audit committees perform their oversight by demanding relevant, timely and
accurate information from management, the internal auditor and the external auditor, and by
asking direct and challenging questions.

Management is responsible to establish and maintain an effective system of internal
control. The audit committee is to oversee these controls and to review the effectiveness of the
system as a whole. An effective internal control system provides reasonable assurance that
policies, processes, tasks, behaviors and other aspects of an organization, taken together,
facilitate its effective and efficient operation, help to ensure the quality of internal and external
reporting, and help to ensure compliance with applicable laws and regulations.
Internal controls should be used to maintain the risks facing the company within the
defined risk tolerance levels set by the board, bearing cost-benefit considerations in mind. The
audit committee should be satisfied that proper control policies, procedures and activities have
been established and are operating as intended. An effective system of internal controls hinges
on the right tone set at the top of the company – the board and audit committee should send out a
clear message that internal control responsibilities must be taken seriously.

The performance of the system of internal control should be assessed through ongoing
monitoring activities, separate evaluations such as internal audit, or a combination of the two.
Procedures for monitoring the appropriateness and effectiveness of the identified controls should
be embedded within the normal operations of the organization. Although monitoring procedures
are part of the overall system of control, such procedures are largely independent of the elements
they are checking. While effective monitoring throughout the organization is an essential
component of a sound system of internal control, the board cannot rely solely on embedded
monitoring processes to discharge its responsibilities. The board, with the assistance of the audit
committee, should regularly receive and review reports on internal control and be informed about
how the reviews giving rise to the reports have been undertaken.

The reports from management should provide a balanced assessment of the effectiveness
of the system of internal control in the areas covered. Any significant control failings or
weaknesses identified should be discussed in the reports, including the impact they have had,
could have had, or may have on the organization, and the actions being taken to rectify them. It
is essential to have a frank, open dialogue between management and the audit committee on
matters of risk and controls.

The audit committee should define the process to be adopted for its (annual) review of
the effectiveness of internal control and risk management systems. The annual review exercise
should consider the issues dealt with in the reports reviewed during the year, together with
additional information necessary to ensure that the board has taken account of all significant
aspects of internal control.

END OF MODULE 2