Risk and Control
INTERNAL AUDITING
6. RISK AND CONTROL
Course Outcome
At the end of this course, students should be able to:
CO4: Explain the nature and the role of internal audit in relation to risk
management, internal control identification and evaluation, and
governance. (C6, CS4, CT3, A3)
Definition of Internal Auditing
“An independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations. It helps an
organisation accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance process”
Risk
• The possibility of an event occurring that would have an impact on
the achievement of objectives.
• May pose a threat to an organisation, or may also be an opportunity.
• Examples:
– Plane crash for an airline company (threat)
– Introduction of GST for an accounting firm (opportunity)
• Is measured by its impact and likelihood.
Types of Risks
• Financial risk – a loss incurred as a result of uncertainties in an
economy, such as changes in exchange rates, liquidity risk and
credit risk.
• Strategic risk – a loss that might arise from an unsuccessful business
plan as a result of poor business decisions, substandard execution of
decisions, inadequate resource allocation or failure to respond to
changes in the business environment.
• Operational risk – the possibility of a loss that occurs due to
internal inadequacies of a firm or a breakdown in its controls,
operations or procedures.
Risk Management
• A process that identifies, assesses, manages and controls an
organisation’s risk exposure.
• Requires strategic and tactical decisions to ensure that organisations
can minimise losses.
• Is a part of management’s responsibilities.
• The most widely known framework is Enterprise Risk Management (ERM).
Top-Down Approach of ERM
[Diagram: the top-down ERM cycle links Goals and Objectives, Events,
Inherent Risk, Risk Responses and Residual Risk.]
External Risk Factors
Economic – price movements, capital availability, low barriers to
competitive entry.
Natural environment – flood, fire, earthquake or weather-related
event.
Political – election, change of government policy or enactment of
new laws.
Social – demographics, family structures or societal norms.
Technological – advances in information technology and system
security.
Internal Risk Factors
Infrastructure – capital allocation for preventive maintenance.
Personnel – fraudulent activities, problems with labour union or
safety of employees.
Process – change in manufacturing process or outsourcing decision.
Technology – system downtime or security breaches.
Measurement of Risk
• Part of risk evaluation, which takes into consideration the cumulative
effect of the likelihood and impact of risks.
• Helps management prioritise resource allocation.
• Likelihood—the probability of the risk occurring, and
• Impact—the outcome of the risk should the event occur.
• The output of risk evaluation can be depicted in risk maps.
Enterprise Risk Management (ERM)
COSO defines ERM as:
• A process, effected by an entity’s BOD, management and other
personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.
Risk Management Philosophy:
• Set of shared beliefs and attitudes characterising how the
organisation considers risk in everything it does. Some companies are
risk averse (they do not like taking on too much risk); other companies
are risk takers (they challenge themselves by taking on risk in the hope
of higher returns).
Risk Appetite:
• The level of risk that an organization is willing to accept in pursuit of
its business objectives. Some companies prefer to do business in low
risk industries; some other companies are willing to do business in
higher risk industries.
Risk Tolerance:
• The acceptable levels of risk size and variation relative to the
achievement of objectives which must align with the organization’s
risk appetite.
Core Roles of IA - Risk Management
• Giving assurance on risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
Legitimate Roles of IA - Risk Management
• Facilitating identification and evaluation of risks
• Coordinating ERM activities
• Consolidating reporting on risks
• Maintaining and developing the ERM framework
• Championing the establishment of ERM
• Developing risk management strategy for board approval.
Roles IA should not undertake:
• Setting the risk appetite
• Imposing risk management processes
• Managing assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management's behalf
• Being accountable for risk management
Control
Control is any action taken to mitigate risk and increase the likelihood
of achieving the organisational objectives.
COSO Integrated Internal Control Framework
5 Components of Internal Control
• Control environment
• Risk assessment
• Control activities – control policies and procedures
• Information and communication
• Monitoring activities
Control Environment Elements
• A commitment to integrity and ethical values
• The board of directors has an oversight function and is independent
of management
• Management establishes structures, clear assignment of authority
and responsibility
• The organisation is committed to hiring competent individuals
• Every individual is held accountable for the internal control assigned
Risk Assessment
• Is the process of identifying and analysing risk.
• This process forms the basis of an organisation’s risk management.
• 4 principles of risk assessment:
i. The organisation has clear objectives to identify and assess
risk.
ii. The organisation identifies risk across the entity and analyses
risk as a basis to determine how the risk should be managed.
iii. The organisation considers the potential for fraud when
assessing risk.
iv. The organisation identifies and assesses changes that could
significantly impact the system of internal control.
Control Activities
• Control activities are actions taken to address risk.
• The activities occur at all levels of an organisation:
– Entity wide – ‘tone at the top’, the organisational climate and
management philosophy.
– Business process level – performance evaluation, reconciliations
of accounts and physical inventory counts.
– Specific transactions – adequate separation of duties, proper
authorisation of transactions and activities, adequate documents
and records, physical control over assets and records, and
independent checks on performance.
Types of Control Activities
• Preventive controls: proactive controls that deter undesirable events from
occurring. An example of a preventive control is an alarm system.
• Detective controls: reactive controls that detect undesirable events that
have occurred. An example of a detective control is the use of smoke
detectors in a building.
• Directive controls: proactive controls that encourage a desirable event to
occur. Examples of directive controls are training, guidelines and incentives.
• Mitigating controls: reactive controls that reduce the potential negative
impact if an undesirable event occurs. An example of a mitigating control is
insurance.
• Compensating controls: controls that work as an additional control
mechanism should an expected control fail. An example of a compensating
control is a supervisory review.
RISK AND CONTROL MATRIX

Task activity | Risks | Risk assessment (Likelihood / Impact / Rating) | Risk control measures | Result of test | Adequacy of control (Y/N)
Payment to vendors <RM50,000 | Payment to unauthorized party | C / 2 / M | 1. Require 3 signatories; 2. Prenumbered checks; 3. Reconciliation to monthly statement | 1. No deviation; 2. 5 checks with dates not consistent with the series; 3. Not done for the months of June and August | N (follow-up procedures may be necessary)
Payment to vendors >RM50,000 | Payment to unauthorized party | A / 1 / H | 1. Require 3 signatories; 2. Prenumbered checks; 3. Approval by managers in charge; 4. Reconciliation to monthly statement | 1. No deviation; 2. No deviation; 3. No deviation; 4. Not done for the months of June and August | Y
Petty cash handling | Loss due to theft | C / 4 / L | Recording of transactions in the petty cash book | No deviation noted | Y
Control Effectiveness – Characteristics
• Timely identification of actual or potential deviation from approved
procedures
• Reasonable assurance of achieving the objectives with minimum cost
and negative side effects
• Clear accountability that outlines persons in charge
• Identification of root cause so that corrective action can be taken
• Clear alignment with management strategies and business objectives
3 Principles – Information and Communication
1. Information to support the functioning of internal control must
be relevant and of high quality.
2. All relevant information, including the objectives and responsibilities of
internal control, is communicated internally to enable the
functioning of internal control.
3. The organisation should also communicate with external parties
regarding matters related to internal control.
Information and Communication Process
• All employees must receive a clear message from top management to
take control activities seriously.
• Information must be identified, captured and communicated to
employees in a timely manner.
• Access to internal (operational, financial and compliance) reports
must be provided to employees so they can perform their tasks.
• External communication with customers, suppliers, regulators,
investors and shareholders must be part of the framework.
• Effective channels for employees to communicate their findings to
management and the board of directors must be established.
Monitoring Activities
• Is a process that assesses the presence and function of controls over
time.
• Can be done on an ongoing basis or on a separate evaluation basis or
a combination of the two.
• Ongoing monitoring occurs during the normal course of operation.
• A separate evaluation occurs based on management’s requests.
2 Principles of Monitoring Activities
1. The monitoring process is carried out to ascertain whether the
components of internal control are present and functioning.
2. The organisation evaluates and reports internal control
deficiencies in a timely manner to those responsible for taking
corrective action, including senior management and the board of
directors for serious matters.
Limitations of Controls
• Judgment errors
• Management override
• External events such as floods or landslides
• Excessive or redundant controls
• Overreliance on controls
• Obsolete controls that are caused by changes in the business process
• Negative attitudes towards controls among employees
Questions and Answers