Assurance Flashcards
Hopkin and Thomson 5 sources of internal assurance
Culture measurement
Unit documentation
Unit performance
Unit reports
Audit reports
ToR of AC defined by the Corporate Governance Institute
Financial reporting
Narrative reporting
IC and RM systems
Internal audit
External audit
Materiality
Risk is material if it can impact the bottom line, or
if withholding the information can influence investor decision making
Viability assessment requirement
1. UK Corp Gov. Disclosure on long term viability
2. Going concern - 12 months required by accounting standards
Control environment in risk management
Control activities, how effective they are, audit and risk assurance. Whole range of controls and interaction of controls to mitigate risks
FRC internal control system
1. Encompasses policies, processes, tasks, behaviors
2. Effective and efficient operations by assessing risks, responding to risks, controls
3. Help reduce poor judgement, errors
4. Improve quality of reporting
5. Improve compliance with laws
FRC internal control system includes
Control activities
Information and communication
Monitoring of controls
What are controls - Hopkin and Thomson
Three definitions
1. Criteria of control - all elements of an organisation that, taken together, support achievement of objectives. Resources, systems, processes, culture, structure and tasks
2. COSO - a process effected by board, management, designed to provide reasonable assurance regarding achievement of objectives:
Effectiveness and efficiency of operations
Compliance with laws
Reliability of financial reporting
3. IIA - a set of processes, functions, activities, systems and people who together ensure achievement of objectives
LILAC model to risk culture
Leadership
Involvement
Learning
Accountability
Communication
IRM model to risk culture
ABC
Attitude
Behaviors
Culture
Attitude determines behaviors, repeated behavior sets culture
ISO definition
Effect of uncertainty on objectives . Effect can be positive or negative
Coordinated activities to direct and control an organization with regard to risk
IRM definition of risk
Combination of probability of an event and its consequences. Can be positive to negative
RM - process which helps org understand , evaluate and take action on risks with a view to increasing probability of success and reducing likelihood of failure
COSO definition of risk
Possibility that an event will occur and affect achievement of objectives. Positive and negative
Orange book definition
Similar to COSO. Effect of uncertainty on objective. Usually has cause event and consequences
Objectives of risk management
MADE2
Mandatory
Assurance
Decision making
Effective
Efficient processes
ISO principles of RM
PACED
Proportionate
Aligned
Comprehensive
Embedded
Dynamic
Risk management will help improve 4 areas STOC
Strategy
Tactics
Operations
Compliance
4 types of risks
- Compliance - minimize
- Control risks - manage- associated with new projects. Unknown and unexpected events. Also called uncertainty risk.
- Hazard risks - mitigate - associated with potential harm or a situation to undermine objectives .
- Opportunity risk - embrace
Bow tie analysis
- Left side is source of hazard. Indicates the risk classification used. High level sources are STOC
- Right side impact - FIRM
- Centre is categories of disruption that can happen - people, premises, process and products
First step is to put risk description in the middle. Then identify cause and impact.
Preventative and response controls
4Ts of hazard risk
Tolerate -low low- detect control
Transfer High impact - directive control
Treat High likelihood- corrective control
Terminate High high - preventive control
BCP and DRP are both corrective and directive. Or even a fifth type, can’t easily fit to PCDD
4Es of opportunity risks
Exploit - high reward
Explore - High risk
Expand/Exit- high reward high risk
Exist - low low
Sophistication level in risk management
- Inform - compliance mgmt. Unaware of obligations
- Reform - hazard mgmt. Aware of non compliance
- Conform - control mgmt. Actions to ensure compliance
- Perform - opportunity mgmt.
Difference between standard and framework
Standard includes rm process and framework.
Framework includes structure, responsibilities administration, reporting and communication components of rm. Framework supports implementation of process.
Process includes risk assessment identification , analysis, evaluation, treatment and recording and reporting
Scope of risk management framework
RASP
Risk architecture, strategy , protocol
Architecture- roles , responsibilities, reporting structure
Strategy - risk strategy, appetite, attitude and philosophy
Protocols - rules and procedures, methodologies, tools and techniques. Need to be reviewed on an annual basis. Range of documentation required: risk assessment procedures, control objectives, resourcing arrangement, reaction planning requirement (BCP), risk assurance system (ToR for AC, CSA)
COSO cube
Objectives to achieve- strategic, operations, reporting, compliance
RM process - 8 steps.
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Info and communication
Monitoring
COSO rainbow double helix
ERM has to be embedded into activities of the organisation starting from mission, vision and values.
Strategy development
Business objectives
Implementation and performance
Enhanced value
5 principles/components
1. Governance and culture
2. Strategy and objective setting
3. Performance
4. Review and revision
5. Information communication and reporting
Double S model to risk culture
Solidarity
Sociability
Network - high sociability, low solidarity
Communal - high sociability, high solidarity
Fragmented - low sociability, low solidarity
Mercenary - low sociability, high solidarity
Components of context
External
Internal
Risk management context - includes RASP (including establishment of risk appetite or criteria) and the risk process itself.
Risk classification system PESTLE
Political
Economic
Social
Technological
Legal
Ethical or environmental
Used for external risks. Has to be combined with SWOT.
How to evaluate the context for risk management
Using FIRM scorecard and developing a riskiness index
Financial and infrastructure for internal context
Marketplace and reputation for external context
Risk register
- Includes all risks and means to identify based on scoring
- Three components- data collection, database, data communication
- Three functions - collecting risk info, establishing trends and relationships between risks, communicating and escalating
Implementing ERM PIML
Plan - identify benefits, scope, strategy
Implement - risk appetite setting, establish benchmarks, agree assessment tools
Measure - evaluate control effectiveness, align risk management with other activities, embed risk aware culture
Learn - monitor risk , ERM performance and reporting
Resilience
Definition - capacity of an organization to consistently achieve a desired state following a change in circumstances.
3 behaviors to achieve resilience
1. Awareness of changes
2. Prevent, protect, prepare in relation to all types of resources
3. Respond, recover and review in relation to disruptive events.
Risk assessment in ISO
Includes risk identification,
analysis - impact likelihood score
and evaluation - ranking against risk appetite or criteria
Risk assessment techniques
Questionnaire and checklists
Workshops and brainstorming - PESTLE, SWOT. Quantitative analysis - HAZOP, FMEA
Inspection and audit
Flow chart and dependency analysis
Crowdsourcing technology- using mobile applications to upload risks on a data platform
Risk attitude vs appetite
Attitude concerned with criteria surrounding a risk
Appetite is amount of risk we are willing to take
Risk classification by standard
FIRM
COSO - strategic ,operational, reporting , compliance
IRM - financial, strategic, operational, hazard
Orange book- several
Principles of risk appetite
Acknowledging interconnectedness - what's acceptable in one part of the business is not accepted in another
Measurability
Variability - different for different risks
Maturity - how adept organisation is at managing risk will have a bearing on risk appetite
Controlling downside risks
Loss prevention - reducing likelihood.
Damage limitation - once event has occurred, e.g. fire sprinklers.
Cost containment - after damage limitation. Actions to minimize post incident cost, should be set out in BCP, DRP.
Risk zones 4Cs
Comfort - tolerate
Cautious - treat
Concerned - transfer
Critical - terminate
Types of controls
Preventative
Directive- first response once risk occurred
Detective - easy to administer and provide early warning
Corrective controls
Definition of control
- Criteria of control - all elements of an organisation that, taken together, support people in achievement of org. objectives. Elements include resources, systems, processes, culture, structure and tasks
- COSO - a process, effected by BoD, mgmt and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the below categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with laws
- IIA - set of processes, functions, activities, systems and people grouped together or consciously segregated to ensure effective achievement of goals and objectives
Components of CoCo framework
A continuous cycle. Useful to benchmark compliance with internal control component of COSO.
1. Purpose
2. Commitment
3. Capability
4. Monitoring and learning
Control environment
FRC states IC system includes
1. Control activities
2. Information and communication processes
3. Monitoring the effectiveness
Control different to data collection and guidance. Should change cause or effect of risk
Terms of Reference for AC
Financial reporting
Narrative reporting.
IC and RM
IA
External audit - conduct tender, review independence, non audit services, effectiveness of audit
Sources of risk assurance
Culture measurement
Unit report
Unit performance
Unit documentation
Audit report
Control self assessment
KRIs
Internal Audit
IIA - IA is concerned with evaluating an organization's management of risk.
Central to effective risk framework is audit through
I. Assurance map - structured means of identifying and mapping sources and types of assurance across 4(3) LoD. Risk and control owner, risk oversight, risk assurance.
II. Statistical saying
III. Risk prioritization techniques
Corporate governance- FRC
principles and provisions + guidance
5 sections - leadership ; division of responsibility ; composition ,succession and evaluation ; audit , risk and internal controls ; remuneration
Board should establish procedures to manage risk, oversee IC framework and determine nature and extent of principal risks the company is willing to assume.
Principal risks - events or circumstances that can threaten the company's business model, future performance, solvency, liquidity and reputation.
Board structures
Unitary - executive plus non executive directors in one board
Two tier- supervision and management of operations
Types of corporate governance code
Want - principle based . Comply or explain
Compulsory - prescriptive. Comply and sign
Committees of board by UK FRC
Nomination
Remuneration
Audit
What is risk culture
- H&T - reflects attitude of every component of mgmt. How individuals behave in certain circumstances
- IRM - Values beliefs knowledge and understanding about risks. Can be reinforced through positive actions and behaviors
- COSO - culture, capacities and practices, integrated with strategy setting and execution, that organizations rely on to manage risk in creating, preserving and realizing value
IRM risk culture framework
Risk culture
Organization culture
Behaviors
Personal ethics
Personal predisposition to risk/risk preference
Risk perceptions
Different perceptions imply risks might be missed, irrelevant risks might be captured, manage same risks inconsistently, managing stakeholder perceptions of risk rather than real risk
Bias
Bias influenced by
1. Conscious factors- org culture, familiarity, manageability, size of impact
2. Sub conscious - availability, representativeness , anchoring and adjustment, confirmation trap, bandwagon
3. Affective factors (feeling)
Understanding and improving risk culture
- Deloitte - 4 influences- risk competence, motivation, relationship , organization
- LILAC
- IRM ABC MODEL
- DOUBLE S - sociability, solidarity
ABC model
Attitude- chosen position towards risk, influenced by perception
Behavior- external observable actions
Culture - values, beliefs, knowledge and understanding about risk
What is successful risk culture
Deloitte
1. High level of understanding
2. Positive attitude
3. Move from reacting to active engagement and management of events
IRM
10 point component. Split between tone at the top - leadership, dealing with bad news
governance - clarity, transparency
competency - risk skill, risk resources
decisions - informed, reward
How to change risk culture
1. Evaluate current risk culture
2. Assess impact of current risk culture
3. Identify areas of improvement
4. Plan and implement change
5. Monitor and adapt to change
To become compliant - 1 to 2 years
Maturity - 5 to 10 years
4 step process - easy SATARLA
Define context and objectives
Assess risks
Manage risks
Monitor, review and report
Extended enterprise for understanding context by IRM
A structure where number of organisations come together. 4 steps to understand.
1. Core processes
2. Inputs to the process
3. Output
4. External influence
Stakeholder mapping - Mendelow matrix
Understand influence and interest in an activity
High influence , low interest - keep satisfied
High interest, high influence - actively engage and manage
High interest, low influence - keep informed
Low interest, low influence - minimal effort