
Risk assessment and internal controls - Internal Audit



Provides an overview of a risk assessment process, some of the fundamentals and correlations with internal controls of an organisation

Published in: Business, Economy & Finance


  1. Internal Audit: Risk management & Control Evaluation. Smitesh Bhosale, smitesh.bhosale@yahoo.co.in
  2. What is Risk? An event or action that causes a possible threat to the achievement of an organization’s/function’s objectives. Risk is just an expensive substitute for information. Unwarranted Business Exposures are not Risks….
  3. Risk Assessment. Risk Assessment is a three step process of risk analysis and evaluation involving the determination of:
     1 The level of impact or outcome of risk (Consequence)
     2 The likelihood of risk getting realised (Probability)
     3 The nature of the risk (Inherent Risk)
     Management optimistic; Auditors quite sceptical. Resolving the differences in perception of risk crucial for an effective control evaluation…
  4. Risk Assessment
     • Where do you devote considerable internal effort in order to control?
     • What areas receive considerable management reporting?
     • Where have you devoted significant resources?
     • What are the analysts and rating agencies most interested in?
     • What wouldn’t you want on the front page of the newspaper?
     • What are key obstacles to taking advantage of opportunities?
     • What is impeding growth?
     • What do people complain about within the organization?
     • If you could fix one thing at the company, what would it be?
     • What do your competitors do better?
     • What keeps you up at night?
     A “WHAT CAN GO WRONG ANALYSIS” prior to field work will provide focus and judgement to the auditor on where to deploy his resources.
  5. Risk Assessment - Comprehensive
     EXTERNAL RISKS: Capital Availability • Competitor • Customer Needs • Economy • Financial Markets • Industry • Legal • Natural Hazard/Catastrophe • Public Relations • Regulatory • Terrorism • Sovereign/Political • Technological Innovation
     INTERNAL RISKS: Strategic Operational Financial Process • Business Model • Business Portfolio • Delivery Channels • Intellectual Property • Marketing/Advertising
     Alignment Business Interruption Capacity Change Response Compliance Contract Commitment Customer Satisfaction Cycle Time Efficiency Environmental Health & Safety Knowledge Management • Measurement • Partnering • Collateral • Physical Security • Product/Service Development • Product/Service Liability • Product/Service Failure • Product/Service Pricing • Relationship Management • Sourcing • Strategy Implementation • Supply Chain • Transaction Processing • Resource Allocation • Social Responsibility • Counterparty • Credit • Equity Management Information • Organization Structure • Product Life Cycle • Concentration • Default • Marketplace • Planning • Commodities
     Accounting Information Budgeting & Forecasting Completeness/Accuracy Investment Evaluation Investor Relations Pension Fund Regulatory Reporting Relevance Taxation Human Capital
     Integrity Technology • Financial Instruments • Foreign Exchange Accountability Change Readiness Communications Competencies/Skills Empowerment Hiring/Retention Leadership Outsourcing Performance Incentives Succession Planning Training/Development • Conflict of Interest • Employee Fraud • Ethical Decision-making • Illegal Acts • Management Fraud • Third-Party Fraud • Unauthorized Acts
     Access Availability Data Integrity e-Commerce Infrastructure Reliability Technological Capacity • Interest Rate • Liquidity • Modeling • Opportunity Cost
     Comprehensive risk assessment is very crucial to prioritise controls evaluation across various risk categories. Right description of risk is also crucial, e.g. Employee Overtime v/s Liquidated damages.
  6. Behavior of Risks… [Figure: risk map plotting numbered risks by Probability (Low to High) against Impact, across GREEN, AMBER, ORANGE and RED zones, with a Materiality Threshold and "Potentially material Events" marked.] Risks are on constant move with changes in external environment and your response / mitigation steps.
  7. Risk Evaluation and Quantification: Supplier concentration risk (Supplier A)
     ABC Ltd: Overall Budgeted Sales 2000 $ Mln; Target EBIDTA 300 $ Mln
     Potential Impact:
     • Sales Dependency: 200 $ Mln, 10% of Budgeted Sales for FY 10-11
     • Margin of such sales: 40 $ Mln, 13% of Target EBIDTA for FY 10-11
     Likelihood of failure: 50%
     Impact X Likelihood = Value at Risk:
     • 100 $ Mln of sales, i.e. 5% of sales
     • 20 $ Mln of EBIDTA, i.e. 6.5% of EBIDTA
     Mitigation:
     • Adequate stock to support change over time
     • Share manufacturing facility
     • Alternative supplier development
     • Outright market purchase of end product
     Transfer:
     • BI and LOP Policy
     • Supplier extension clause
     Assessment of likelihood is dependent on supplier's financial status, its exposure to economic factors, plant location, relations with supplier, competitors' activities, disruption at its premises, contractual agreements, previous default history among other factors.
     To evaluate risks one needs to be fully aware of the impact of the risk, preferably in financial terms.
  8. Risk Management Strategies – Some tools
     Organisation's Risks: Strategic, Operations, Financial, Compliance. Business is exposed to multiple risks.
     Risk Capacity / Appetite: ability to manage risk depends on Risk Appetite / capacity.
     • Risks - fully managed internally by the organisation
     • Risks - partly managed internally by the organisation
     • Risks - cannot be managed by Organisation and needs to be transferred
     Tools: Elimination / Termination • Avoidance • Tolerate / Acceptance • Mitigation and Monitoring • Transfer
     Significant portion of risks can be transferred through contractual / insurance.
  9. Internal Control Framework: Governance / Oversight Control; Audit Committee, Risk Council; Administrative Controls; Policies, Guidelines, SOPs; Management Controls; Self Assessment, Questionnaire based; Monitoring Controls; On Ground process controls; MIS, KPIs, Reports, Risk Radar; Reviews; SOD, IT, Access; Internal Audit, SOX, Risk Management, Compliance; Predictive or Detective; Whistle Blower, Independent Forum; Extended Controls; Customer, Vendor, Regulator, Bank Controls; External Controls influencing internal controls. There is a world beyond Risk and Control Matrix (RCM)….
  10. In our journey can we help Business to embrace Risk…… with greater understanding. Your greatest growth opportunities are your greatest risks reversed.
