
CONFIDENTIAL

FAR EASTERN UNIVERSITY


INSTITUTE OF ACCOUNTS, BUSINESS, AND FINANCE
DEPARTMENT OF ACCOUNTANCY AND INTERNAL AUDITING

LECTURE NOTES ENTERPRISE RISK MANAGEMENT


MODULE 1: FUNDAMENTAL CONCEPT OF RISK AND RISK MANAGEMENT

Learning objectives:

A. Discuss the definition of Internal Auditing according to the Institute of Internal Auditors (IIA)
B. Describe the risk management-related profession, covering trends, career opportunities, and
global certifications (i.e., CIA, CRMA) – refer to the PowerPoint Presentation
C. Illustrate Governance, Risk Management, and Controls
D. Explain the different definitions of Risk and Risk Management
E. Discuss globally accepted frameworks on Risk Management (i.e., COSO ERM, ISO 31000, GAIT,
NIST, CoCo, COBIT)
F. Discuss the Risk Management Process according to COSO.

PART 1: Overview of the Definition of Internal Auditing

What is Internal Auditing?

According to the Definition of Internal Auditing in The IIA's International Professional Practices
Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management, control, and governance processes.

At its simplest, internal auditing involves identifying the risks that could keep an organization from
achieving its goals, making sure the organization’s leaders know about these risks, and proactively
recommending improvements to help reduce them.

For internal auditing to be effective, the organization’s leaders must be open to discussing tough issues
and seizing opportunities to make necessary changes for improvement. And the internal auditors must
have an independent reporting line to the highest governing body (e.g., the audit committee of the
board of directors), ensuring them the requisite authority to access all areas of the organization and
know that they will be supported when their views differ from those of management.

Internal auditors’ independence and broad perspective of the organization make them a valuable
resource to executive management and the board of directors. They ensure that the organization is held
accountable to its stakeholders, whether those stakeholders are investors (as in the case of a publicly
traded company) or the public, served by a government organization.

Ultimately, internal auditors add value to their organizations by providing assurance, insight, and
objectivity.

Prepared by: M.C.M. Mabbun, CIA, CRMA, CC, CICA |1


2022

Source: Institute of Internal Auditors (IIA – Global)

Who are Internal Auditors?

Internal auditors are explorers, analysts, problem-solvers, reporters, and trusted advisors. They bring
objectivity and a variety of skills and expertise to the organization. They come from diverse areas such
as finance, operations, IT, and engineering. Today’s internal audit professionals are revered for their
critical thinking and communication skills, as well as their general IT and industry-specific business
knowledge. Still, people often confuse internal auditors with accountants or external auditors (entities
the organization engages to provide an annual review of the financial statements). The differences are
significant:

Internal Audit Responsibilities

Depending on the structure, maturity, and resources of the function, internal auditors may perform
some or all of the following tasks.

OFFER INSIGHT AND ADVICE – There are times when internal auditors’ expertise, knowledge of
controls, and broad perspective of the organization make them ideal candidates for consulting on a
project to ensure that risks are considered and controls are built into a process on the front end (e.g.,
mergers and acquisitions, new technology implementation). Internal auditors may offer insight
regarding strategic risks and advice, though management must maintain ultimate responsibility for the
processes in their area.

EVALUATE RISKS – Risks are everywhere (natural disasters, loss of key suppliers, reputation
damage, inefficient operations, fraud, lawsuits, policy violations, regulatory compliance, theft, etc.). It’s
the internal auditor’s job to assess the significance of the organization’s many risks and the effectiveness
of risk management efforts, communicate these to management and the board, and develop
recommendations to improve risk management.

ASSESS CONTROLS – Internal auditors evaluate control efficiency and effectiveness and provide
management and the board assurance that the controls in place are adequate to respond to the risks
that threaten the organization.

ENSURE ACCURACY – Internal auditors ensure financial statement accuracy. They examine the
reliability and integrity of financial and operational information.

IMPROVE OPERATIONS – With a solid understanding of the organization’s objectives, internal
auditors examine operations to determine whether they are efficient and effective.

PROMOTE ETHICS – Professional internal auditors agree to abide by a Code of Ethics that upholds
the principles of integrity, objectivity, confidentiality, and competency. They raise red flags when they
discover improper conduct.

REVIEW PROCESSES AND PROCEDURES – Internal auditors review operations closely and assess
whether existing processes are well designed to help the organization achieve its goals.

MONITOR COMPLIANCE – Internal auditors assess the organization’s compliance with applicable
laws, regulations, and contracts to ensure that management is addressing these requirements
adequately. They also offer insight into the impact that non-compliance would have on an organization
and inform senior management and the board of noncompliance.

ASSURE SAFEGUARDS – The organization’s tangible property, human resources, and intellectual
property are valuable and must be guarded against potential damage. Internal auditors evaluate the
procedures used to safeguard assets from theft, fire, illegal activities, or other types of loss. They bring
deficiencies to light and make recommendations for enhanced protection.

INVESTIGATE FRAUD – Because fraud can affect any level of the organization, it’s important that
the board of directors grants the internal audit function access to all records and authority to conduct
audits and investigate possible fraudulent behavior throughout the organization.

COMMUNICATE RESULTS – After auditing a particular area, internal auditors report their findings
and recommend appropriate courses of action.


Internal Audit Activity Independence

The internal audit activity’s unique and valuable perspective comes from its independence from
senior management and from the decisions and responsibilities of senior management. Its work must
be free from interference and bias. It cannot take managerial decisions or “own” risk. If it does, then it
is unable to provide credible, authoritative, and objective assurance and advice over the activity. At the
same time, independence should not be mistaken for isolation and aloofness.

Understanding independence, its nature, and its importance is critical to determining an appropriate
balance of assurance and advisory services.

Standard 1100 – Independence and Objectivity:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out
internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to
effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and
unrestricted access to senior management and the board. This can be achieved through a dual-reporting
relationship.

That “direct and unrestricted access” both to senior management and the board is one of the core
requirements for independence.

The internal audit activity provides reports to both senior management and the board, but the primary
(functional) reporting line of the CAE is the board. A secondary (administrative) reporting line may be
to an appropriate member of the senior management.

Being “free from interference” is a further integral component of internal audit independence. The key
requirements can be summarized as follows:

• The presence of a formally defined charter (i.e., a mandate) establishing the internal audit activity’s
purpose, authority, and responsibilities.
• Unfettered access to the people, resources, and information needed to carry out its work as well as
the requisite resources to deliver the scope and level of assurance required by the board.
• The absence of interference from senior management in determining and carrying out its work.
• Accountability (i.e., “functional reporting”) to the board, either directly or through an independent
audit committee, including time without senior management being present.
• Access (including the freedom to report) to the board and senior management, which usually
includes “administrative reporting” at a level in the organization that enables the completion of its
work without interference.

Moving beyond the provision of “pure” assurance to provide consulting (or advisory) services is
sometimes regarded as “stepping over the line” beyond the “proper limits” of internal audit. However,
there is significant value the internal audit activity can deliver through consulting, and this can be
achieved without compromising independence, provided the internal auditor does not assume
decision-making or risk-taking responsibility.


Internal Auditor Objectivity

Independence is closely related to, but not the same as, objectivity. It may reasonably be claimed that
independence is not valuable for its own sake but only as a means of establishing credibility, authority,
and objectivity.

Objectivity is further defined in the IPPF glossary as:

…an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they
believe in their work product and that no quality compromises are made. Objectivity requires that internal
auditors do not subordinate their judgment on audit matters to others.

There are clear links to independence – and the appearance of independence – but there is also more to
achieving objectivity. The requirements include the “systematic, disciplined approach” referred to in
the definition of internal auditing, following professional standards, and being subject to performance
review and monitoring.

Requirements for Independence of the Internal Audit Activity (Organizational Independence)
• Internal Audit Charter
• Freedom from interference
• Access to people, resources, and information
• Necessary resources
• Accountability and functional reporting line to the board
• Administrative reporting line to senior management at an appropriate level
• Annual confirmation to the board of the organizational independence and disclosure of any
interference
• Application of safeguards when required.

Requirements for Objectivity of the Internal Auditor (Individual Objectivity)
• Functional independence of the internal audit activity from senior management
• Absence of conflict of interest, including the appearance of one
• Objective and systematic procedures
• Adherence to professional standards
• Supervision, monitoring, and quality assurance
• Application of safeguards when required.

Threats to Independence and Objectivity

Threats to the Independence of the Internal Audit Activity
• No clear mandate
• Restricted access to people, data, and resources
• Insufficient resources
• Restricted access and reporting to the board
• Restricted access and reporting to senior management
• Inappropriate level of reporting
• Conflicting roles beyond internal auditing

Threats to the Objectivity of the Internal Auditor
• Self-interest
• Self-review
• Advocacy
• Familiarity
• Intimidation
• Lack of proficiency
• Lack of due professional care


Safeguards for Independence and Objectivity

Safeguards for Threats to Independence of the Internal Audit Activity and Objectivity of Internal
Auditors
• Conformance with the requirements of the IPPF
• Alignment of activity with the internal audit charter
• “Cooling off” periods, such that internal auditors do not provide assurance on areas of the
organization where they have recently had responsibility or provided consultation.
• Adherence to the requirements for internal auditor competence
• Clearly defined and time-limited consulting engagements
• Consultation with the board on impairments
• Continuous professional development
• Appropriate policies and procedures, as reflected in the audit manual.
• Audit supervision and performance management.

Assurance and Consulting Services

Assurance Services: An objective examination of the evidence for the purpose of providing an
independent assessment of governance, risk management, and control processes for the organization.

Consulting Services: Advisory and related client services activities, the nature and scope of which are
agreed upon with the client, are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management responsibility.

Principal Differences Between Assurance and Consulting Engagements

Main Purpose
  Assurance Services: To offer an independent audit opinion based on an objective assessment of
  evidence, from which assurance may be gained.
  Consulting Services: To offer advice, usually at the request of management.

Main Parties
  Assurance Services: (i) Internal Auditor; (ii) the owner of the activities being audited; (iii) the
  recipient of the assurance (typically senior management and the board).
  Consulting Services: (i) Internal Auditor; (ii) the recipient of the advice (the client).

Objective, Scope, and Approach
  Assurance Services: Determined by the Internal Auditor.
  Consulting Services: Agreed between the client and the internal auditor.

Objectives
  Assurance Services: Must be based on risk assessment and take into consideration the possibility of
  error, fraud, and non-compliance.
  Consulting Services: Must be consistent with the organization’s strategic aims.

Governance and Risk Management (including control processes)
  Assurance Services: Must be included within the scope and addressed by the objectives.
  Consulting Services: May be included within the scope and addressed by the objectives as required
  by the client.

Skills
  Assurance Services: The CAE must obtain the necessary skills to deliver the engagement if they are
  not available from within the internal audit activity.
  Consulting Services: The CAE must either obtain the necessary skills to deliver the engagement if
  they are not available from within the internal audit activity or decline the engagement.

Conflict of Interest
  Assurance Services: Internal auditors must not audit areas of operation for which they had direct
  responsibility within the past 12 months.
  Consulting Services: Internal auditors may provide consulting services in respect of any areas of
  operation, even if they had direct responsibility for them within the past 12 months.

Blended Assurance and Advisory Services

As required by Standard 2130 – Control, “Internal auditors must incorporate knowledge of controls gained
from consulting engagements into the evaluation of the organization’s control processes.”

In some situations, a consulting opportunity arises during or as a consequence of an assurance engagement.
Any extension to the scope would need to be agreed upon with management and approved by the
engagement supervisor, including the time needed, and, as always, it should be clear that senior
management remains responsible for any decision taken and for managing the risk.

It sometimes works the other way around, when a consulting engagement identifies the need for some
assurance work.


PART 2: Introduction to Risk and Enterprise Risk Management

Risk Management is an essential ingredient of organizational success. Whenever we act with a goal in mind,
there is uncertainty. It is in focusing on desirable outcomes and acting (or sometimes choosing not to act)
to achieve them that we are taking (accepting) risks. As risk exists at every level of activity and objective,
failure to manage it effectively (which includes measures to reduce or exploit risk) can result in failure to
maximize performance and guard against failure. Risk management is an attempt to understand risk and
deal with it in such a way as to optimize outcomes. Risk management enables successful risk-taking rather
than trying to prevent it, and does so through a process of identification, analysis, and evaluation, followed
by selection, implementation, and monitoring of responses, together with continuous attentiveness.

Risk management assurance through internal audit provides an independent and objective review and
assessment of the adequacy and effectiveness of risk management, either to give confidence to senior
management and the board that everything is operating as it should or to alert them to significant issues
that can and should be addressed.

As senior management is responsible for achieving organizational objectives, it is also responsible for
managing risk. Senior management benefits considerably from looking to the internal audit activity for an
independent perspective on opportunities for greater effectiveness and efficiency.

The board values assurance from senior management and from other internal and external providers, but
assurance from internal audit provides the highest level of confidence and can validate information
received from other sources.

A. What is Risk?

IIA: The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood. (IPPF Glossary, 2016)

ISO: The effect of uncertainty on objectives. (ISO 31000:2018 Risk Management)

COSO: The possibility that events will occur and affect the achievement of objectives. (Enterprise Risk
Management – Integrating with Strategy and Performance, COSO, 2017)

Concept of Risk

• Risk is the effect of uncertainty on objectives.
• Risk is the combination of the probability of occurrence of harm and the severity of that harm.
• Risk is the possibility that events will occur and affect the achievement of business objectives.
• Risk is the probability of an event occurring that will have an impact on the achievement of the
objectives. Risk is measured in terms of impact and likelihood.
• Risk is the deviation from expectations. It can be positive or negative.


B. Enterprise Risk Management

Enterprise risk may be individual risks with very high impact or a combination of risks that together are
more significant. Often, when discussing enterprise-wide risk, we are considering new and emerging risks
not yet well understood due to limited prior experience of such circumstances, as well as broader potential
sources of risk, such as technology, climate, and demographics.

ERM represents a concerted effort to focus on significant risk in a systematic, coordinated fashion. There
are different approaches to achieving this, but they have common characteristics.

• ERM is owned by Management.
• The Board, supported by internal audit, provides risk oversight.
• ERM is focused on objectives.
• ERM is strategic in nature.
• ERM is a way to achieve the following goals:
o Board comfort and confidence.
o Risk-informed strategic decisions
o Achievement of the organization’s strategic objectives.
o Reduction of reputational damage and operational surprises.
o Portfolio view of risk.
o Risk management functional synergies and efficiencies
o Risk-based capital allocation
o Risk-informed business decisions
o Achievement of the organization’s business unit goals.
o Cost savings

Common ERM Pitfalls

• Lack of visible, active support from the CEO.
• Trying to implement ERM without a framework and a strategic plan.
• Overselling ERM’s value, especially during early implementation.
• Confusing risk assessment with ERM.
• Treating ERM as a project rather than a long-term commitment.
• Failing to carry risk management through the entire process.
• Failing to realize the need for change management.
• Failing to truly integrate ERM into key processes such as strategic planning, capital allocation,
and budgeting.

ERM requires three (3) main components:

• Oversight by the Board, setting a tone, providing leadership, and establishing the processes and
structures for organization-wide risk governance.
• Systems, infrastructure, and implementation by management through the application of people,
technology, and processes. This includes the management of risk (“risk ownership”) in order to perform
within parameters set by the board.
• Independent monitoring, review, analysis, assurance, and insight from internal audit.


Primary Documentation for ERM Strategy

ERM Policy
  Purpose: Sets the tone for the organization and establishes statements of risk appetite.
  Ownership: Board

ERM strategy and strategic risk register
  Purpose: Establishes the processes and structures for implementing ERM, including entity-level
  responses.
  Ownership: Senior Management

Departmental risk registers and tolerances, including risk treatment plans
  Purpose: Establishes process-level controls and other responses.
  Ownership: Business unit managers

Guidelines and procedures
  Purpose: Defines processes and responsibilities for controls and other responses.
  Ownership: Business unit managers with support from the second line

ERM Responsibilities

Board (may delegate tasks to one or more committees focused on audit and risk)
• Work closely with senior management to:
  o Set and maintain the appropriate tone at the top and risk culture.
  o Act as a champion for ERM.
  o Identify and support the ERM leader.
  o Ensure regular review and maintenance of ERM policies and other key documents.
• Understand the value drivers of the organization and how these may be impacted by risks.
• Provide oversight of ERM at the highest level of governance.
• Review reports and assurances received from management, ERM, other providers, and internal audit.
• Be accountable to stakeholders for fulfilling the purpose of the organization.
• Define and communicate entity-wide risk appetite.

Senior Management
• Work closely with the board to:
  o Set and maintain an appropriate tone at the top and risk culture.
  o Act as a champion for ERM.
  o Identify and support the ERM leader.
  o Ensure regular review and maintenance of ERM policies and other key documents.
• Integrate and communicate awareness of risk as core to strategic and operational planning and
delivery.
• Adopt and adapt an appropriate risk management framework consistent with culture, vision, mission,
values, and strategy.
• Monitor risk appetite.
• Provide regular enterprise risk reports and analyses to the board.

ERM Leader
• Implement ERM systems and processes.
• Promote consistent entity-wide risk management practices.
• Lead on identifying, analyzing, evaluating, responding to, controlling, monitoring, and reporting on
enterprise risk, including a periodic assessment of risk.
• Coordinate enterprise risk assessments.
• Monitor risk registers and risk treatment plans.
• Ensure managers and staff receive ERM training as required.
• Provide regular enterprise risk reports and analyses to senior management.

Operational managers
• Integrate awareness of risk as core to decision-making.
• Develop and maintain risk registers for areas of responsibility.
• Establish risk tolerances.
• Identify appropriate risk responses at the process and transaction level consistent with entity-wide
risk appetite.

Second-line functions for risk, control, and compliance
• Work closely with business unit managers to provide assistance in designing, monitoring, testing,
analyzing, improving, reporting, etc.

Internal Audit
• Provide independent and objective assurance, insight, and advice to senior management and the board
on the adequacy and effectiveness of ERM.
• Maintain an independent assessment of risk, leveraging management’s assessment to avoid unnecessary
duplication.
• Support management in identifying new and emerging enterprise risks.
