Control, Risk & Self Assessment by John Barrett
IIA - UK & Ireland
Control & Risk Self Assessment
JOHN BARRETT
Institute of Internal Auditors – UK & Ireland, North East District Society
Presentation & Discussion on Control & Risk Self Assessment
Does it really help to protect your reputation and your bank balance?
NRM York, 24 June 2010
“I went to lunch and had crab cakes. The waiter came over and asked if I wanted leaded or unleaded”
Back to the Future
• The 1980s was the decade in which an ongoing trend of business failures and scandals began, the likes of which had not previously been seen
• In the US the Braniff Airways and Lockheed bankruptcies were overshadowed by the Savings and Loan scandal, which saw the demise of 747 building-society equivalents (caused by imprudent mortgage lending); President George H W Bush had to bail out savers with $125bn of taxpayers' money
• The UK had its Maxwell, Polly Peck and BCCI scandals, which heralded the UK's first formal code of corporate governance (the Cadbury Committee, set up in 1991, reported in 1992), though it did little to halt business failures and has seen significant strengthening in 1998, 2003, 2005 and 2010
• Amongst the many US responses was the Treadway Commission and the publication (in 1992) of the COSO Integrated Framework of Internal Control. Arguably the best piece of research on internal control, it has also failed to prevent illegal and irresponsible governance
COSO INTEGRATED FRAMEWORK OF INTERNAL CONTROL
(the five components as shown on the slide, with the elements listed under each)

CONTROL ENVIRONMENT
• Integrity & Ethical Values
• Commitment to Competence
• Board of Directors & Audit Committee
• Management Philosophy & Operating Style
• Organisational Structure
• Assignment of Authority & Responsibility
• Human Resource Policies & Practices

RISK ASSESSMENT
• Organisation-wide Objectives
• Activity-level Objectives
• Risk Management
• Managing Change

CONTROL ACTIVITIES
• Policies
• Procedures
• Hard control activities

INFORMATION & COMMUNICATION
Information:
• Management Information Systems
• Performance Information
• Instructions & Guidance
Communication:
• Downwards
• Upwards
• Horizontal
• Departmental
• External

MONITORING
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies
Meanwhile, at Gulf Canada……
• Gulf was a mid-sized oil and gas company in the 1980s
• Competition forced the company into significant restructuring through high costs and low profit margins. Though all the fundamental controls were in place, they failed to detect a significant ongoing fraud by senior managers, and much soul searching ensued
• In addition to recognising the need for an integrated control framework (the Canadian CoCo model did not appear until 1995), Gulf's Internal Audit function introduced a system of control self assessment (later extended to focus more on risk) which was cascaded to all operating units from 1989
• Without realising it, they had established a concept which was to become internationally accepted following the publication of COSO, the UK Combined Code and the 100 or so other governance codes which exist around the world
CRSA Gulf Approach
(stages as shown on the slide, from training through to independent review)
1. Risk & Control Training
2. Assessing Controls & Risks (all departments)
3. Reporting on controls and risks
4. Synthesis and Analysis of Results
5. Presentations to Board
6. Internal Audit QA Review
7. Independent QA Review
Control Self Assessment – Some Definitions
“a CSA programme is a process which allows individual line managers and staff to participate in reviewing existing controls for adequacy, and recommending, agreeing and implementing improvements” (IIA)
“A formalised, documented and committed approach to the regular, fundamental and open review by managers and staff of the strength of control systems designed and operated to achieve business objectives and guard against risks within their sphere of influence” (CIPFA)
“..would one day completely replace the traditional audit as the primary assurance tool in the auditor’s toolkit” (Gulf Canada)
CRSA - The Early Days
• Perceived as a threat to Internal Audit
• Sluggish start even in the US (only 17% of bodies were using it by 1995)
• Seen as exporting systems based audit to staff
• Less than 30% of processes/functions used CRSA and most of the applications were driven by Directors of Finance
• Supporters saw it as a useful control awareness initiative
• Audit critics believed it could be a new injection of life into flagging tick and turn auditing
More Failures and The Spur of Corporate Governance
• BSB, Maxwell, BCCI, Ferranti, Fokker, Daewoo, DAF, Planet Hollywood, Bank of South Australia, Equitable Life, Enron, Global Crossing, Jenson, Railtrack, Swissair, WorldCom, Courts, Ilford, Air Europe, Allsports, Allders, Woolworths, Wedgwood, 161 US banks and hundreds more familiar brands
• International governance requirements to embed control in the day to day activities of an organisation provided an opportunity to sell CRSA (and the main sellers were auditors)
• CSA Users Group (IIA UK)
• Control Self Assessment Centre (IIA Inc) and Sentinel news sheet
• Consultants emerged to sell the concept along with new software
• Many Board members in need of re-assurance about the reliability of their risk and control systems bought into the concept
CSA Advantages
• Line management becomes fully involved in risk & control
• Ownership creates greater awareness
• Corrective action can be taken more speedily
• The concept fits neatly with empowerment models
• Facilitates embedding and reporting requirements
• Cheaper than employing more auditors?
CSA Variants
1. Questionnaires to identify the operation of key controls
2. Risk & control questionnaires linked to computerised scoring models (see BT example later)
3. Control awareness workshops
4. Practical control assurance workshops
5. Management letters of representation
6. Management initiated control systems
Most Popular Approaches
• Control questionnaires (with or without audit assistance)
• Team workshops (usually with audit facilitation)
• 70% use workshop variants (staff interaction, better ownership but very time consuming)
Workshops
• Identification of the purposes of the workshop
• Single subjects (e.g. treasury dealing) or generic topics (such as purchasing)
• Focus on objectives, control environment, system profiles, risk, controls, performance, reporting
• May involve managers or staff or both
• Need to decide who attends to ensure all opinions are represented
• One-off workshops or part of a series of workshops covering one department, several departments or the whole organisation
• Focus on key controls or all controls
• Discussions on strength of controls in practice, control limitations, reported control failures, emerging/changing risks and human factors
• The outcomes of workshops must be documented and circulated
• Workshops are usually well received, stimulating, raise commitment, identify blockages, promote ownership, build relationships and may also reveal fraudulent practice
Profile of the System (key stages)
The profile is a table with one numbered row per key stage (1., 2., 3., 4. etc.) and the following columns:
Objectives | Risks | Expected Controls | Actual Controls | Opinion | Testing | Evaluation/Improvement | Report/Action

CRSA Scope of Workshops
Objectives of the Activity/Process:
Strategy/Control Environment: Policies, Laws, Plans, Budgets, Procedures, Standards, Responsibilities, Structures, Accountabilities, HR Policies, market conditions, training, guidance, management information, IT systems, interfaces, monitoring arrangements, reporting, payment regimes, performance measurement, external factors, best practice etc
Operations:
Practical Considerations
• Must set objectives
• Decide on most appropriate approach
• What topics, processes, systems should be covered
• Amount of time to be invested
• COSO model or your own model
• Facilitation skills available
• Outputs from the workshop
• Reporting protocols
• Ongoing application
Possible CRSA Objectives
• Assist employees in assuming responsibility for effective risk and control management
• Teach staff to analyse, evaluate and report on the application and effectiveness of control mechanisms
• Improve control awareness and the cost effectiveness of products/services
• Complement performance reporting regimes
• Enable managers to certify corporate governance statements with more certainty
Possible CSA Disadvantages
• Relies too much on honesty
• May be too subjective (not related to business objectives)
• In practice, applied to traditional financial areas
• Time consuming
• Does not lend itself easily to cross functional systems
• Could become unreliable as an "add on" to normal duties
• Filling in documentation could become an end in itself
Other Considerations
• Few organisations cover more than 30% of risk functions
• 70% of sponsors are internal audit
• After implementation, 60% of internal audit functions remain involved
• 50% use COSO, 50% use proprietary software or internal audit designed documentation (US experience)
• Time involvement may have to be rationed
• 68% of audit functions claim CRSA is one of their products
Potential Internal Audit Involvement
• Advice on design, implementation & maintenance of risk management system
• Advice on risk, control and governance
• Undertake audits of business unit schedules using COSO model
• Review periodic reports of business units
• Membership of Risk & Control Panel
• Reporting on its own plans, activities and outcomes
• Contribute to overall assessment on Corporate Governance
Case Study
Control & Risk Self Assessment in BT
BT CRSA
Background to CRSA
• CRSA workshops focus on the business objectives or strategy of the group or team being audited. They allow the group to identify the enablers and barriers (risks) to achieving their objectives/strategy in a safe workshop based environment.
• The benefits of CRSA to audit and the client are:
- enables the audit to focus on key risks
- client is more involved in reviewing and evaluating the risks to their own objectives
- discussions at the workshop allow information and ideas to be shared and agreed
- people learn more about their jobs and the jobs of others
- awareness and understanding of internal control and business risk is heightened
- it's enjoyable.
CRSA is part of the total audit process - onsite work may still be carried out.
BT CRSA
The Client's Involvement
– To provide a business or process objective for the topic being audited.
– Arrange for suitable delegates to attend - between 10 and 16 delegates.
– Output from the workshop will be available to the client.
BT CRSA
• CRSA workshop normally takes about three hours.
• We go through a standard agenda, explaining what happens and highlighting the benefits of each part of the process.
– Introductions, Principles, Objectives and Icebreaker: To introduce the CRSA technique, give an outline of the workshop principles and objectives and introduce the technology by using an icebreaker.
– What is Business Risk: To consider what constitutes a business risk and how risks can be categorised.
– Identification & Evaluation of Risks: To identify the risks to achieving the group’s business objective and evaluate these by impact and likelihood.
– Management of Risks: To consider how high impact, high likelihood risks are managed.
BT CRSA
At the workshop there will be a short presentation on what is meant by risk, the different types of risk, and the responsibility for managing risk.
Key risks to achieving the business objective are then identified by running a brainstorming session and are then evaluated in terms of likelihood of occurrence and potential impact.
The workshops use ‘ppvote’ technology which allows you to give a view or opinion anonymously whilst allowing all the workshop participants to view the overall opinion via graphs on screen
BT CRSA
During the voting session the attendees will be invited to vote and score all carried forward and new risks on a gross basis using the following scales:
Impact:
1 Negligible - no noticeable effect
2 Low - slight effect on business
3 Moderate - business objective affected
4 High - business objective undermined
5 Critical - business objective cannot be accomplished
Likelihood:
1 1 - 20% highly unlikely, chances are slight
2 21 - 40% unlikely, probably not
3 41 - 60% doubtful, even
4 61 - 80% probable, likely
5 > 80% almost certain, highly likely
There will be two votes for each risk statement, one to assess the Gross Impact and one to assess the Gross Likelihood. The Gross risk is the overall inherent risk ("zero" based, with no controls in place), which we try to mitigate in order to leave the Net risk, which we try to control.
BT CRSA
Following this evaluation, sufficient time is given for discussion focussed on the high impact risks that are most likely to occur and, more importantly, how these risks are managed. This may highlight risks that are poorly managed, and recommendations to improve control can then be agreed where appropriate.
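The two-vote gross scoring described above, and the "computerised scoring model" that variant 2 of the CSA list refers to, in an added worked example written for this transcript (it is not code from the presentation, nor BT's ppvote tool). It aggregates anonymous 1-5 impact and likelihood votes per risk statement, ranks risks by gross score, flags the high-impact, high-likelihood ones for the management discussion, and carries a gross-to-net step. The combination rule (median of the votes, gross = impact x likelihood, net = gross scaled by an agreed control effectiveness), the vote-spread check, the risk names and the votes themselves are all assumptions constructed for the example; the page states none of them.

```python
# Added example for this transcript: a vote-aggregation and ranking model for
# a CRSA workshop. Not BT's ppvote software and not code from the presentation.
# Anything the presentation does not state is marked ASSUMED.
from dataclasses import dataclass
from statistics import median

# The 1-5 scales from the slide; both are used to validate votes.
IMPACT = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "High", 5: "Critical"}
LIKELIHOOD = {1: "1-20%", 2: "21-40%", 3: "41-60%", 4: "61-80%", 5: ">80%"}


@dataclass
class RiskStatement:
    name: str
    impact_votes: list          # one anonymous vote per delegate (first vote)
    likelihood_votes: list      # one anonymous vote per delegate (second vote)
    control_effectiveness: float = 0.0  # ASSUMED: 0 = no control, 1 = fully mitigated


def validated(votes, scale):
    """Reject an empty vote set or any vote off the 1-5 scale before aggregation."""
    if not votes:
        raise ValueError("a risk statement needs at least one vote")
    for v in votes:
        if not isinstance(v, int) or v not in scale:
            raise ValueError(f"vote {v!r} is not on the 1-5 scale")
    return votes


def gross(risk):
    """Group impact, likelihood and gross score for one risk statement.

    ASSUMED: the group's view is the median of the anonymous votes (robust to
    a single outlier) and gross score = impact x likelihood.
    """
    i = median(validated(risk.impact_votes, IMPACT))
    l = median(validated(risk.likelihood_votes, LIKELIHOOD))
    return i, l, i * l


def net(risk):
    """ASSUMED: net score = gross score scaled down by the agreed control effectiveness."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    return gross(risk)[2] * (1.0 - risk.control_effectiveness)


def spread(votes):
    """Max minus min vote (both scales are 1-5): a wide spread flags disagreement."""
    return max(validated(votes, IMPACT)) - min(validated(votes, IMPACT))


def rank(risks, threshold=4):
    """Rank by gross score and flag high-impact, high-likelihood risks for discussion."""
    rows = []
    for r in risks:
        i, l, g = gross(r)
        rows.append({
            "risk": r.name, "impact": i, "likelihood": l, "gross": g, "net": net(r),
            "discuss": i >= threshold and l >= threshold,
            "disagreement": max(spread(r.impact_votes), spread(r.likelihood_votes)),
        })
    # Highest gross first; ties broken by net, then name, for a stable report.
    rows.sort(key=lambda row: (-row["gross"], -row["net"], row["risk"]))
    return rows


def workshop_example():
    """Constructed votes from a hypothetical 12-delegate workshop (sample data, not BT's)."""
    risks = [
        RiskStatement("Critical supplier fails to deliver",
                      [5, 4, 5, 5, 4, 5, 4, 5, 5, 4, 5, 5],
                      [4, 3, 4, 4, 5, 4, 3, 4, 4, 4, 3, 4],
                      control_effectiveness=0.5),
        RiskStatement("Key engineer leaves mid-project",
                      [3, 3, 4, 3, 2, 3, 3, 4, 3, 3, 2, 3],
                      [4, 4, 5, 4, 4, 3, 4, 5, 4, 4, 4, 4],
                      control_effectiveness=0.25),
        RiskStatement("Server room flooding",
                      [4, 5, 4, 4, 4, 5, 4, 4, 4, 4, 5, 4],
                      [1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1]),
    ]
    return rank(risks)


if __name__ == "__main__":
    for row in workshop_example():
        flag = "DISCUSS" if row["discuss"] else ""
        print(f'{row["risk"]:<36} gross={row["gross"]:>5.1f}  net={row["net"]:>5.1f}  {flag}')
```

Using the median rather than the mean is deliberate: one delegate voting 5 on everything cannot drag a group of twelve, and the separate "disagreement" figure preserves the information that a wide spread of votes carries, which is usually the cue for the facilitator to open discussion on that risk statement. Whichever combination rule a team adopts, it should be agreed before the votes are cast, not chosen afterwards to fit the result.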
Risk workshops encourage diversity of thought
(Risk categories shown on the slide: Operations, Strategic, Financial, Knowledge, Vision & Planning, Change Mgt, Stakeholders & Political, Information Management, Intellectual Property, IT systems, Suppliers & Advisers, Legal, People, Delivery, Funding, Reporting, Probity, Reputation)
Workshop Discussion 1
“The system of internal control should be embedded in the operations of the company” (Turnbull)
Q1 Does CRSA fulfil the necessary criteria for embedding control?
Q2 Should it be supplemented with other measures and if so, what type of measures?
Workshop Discussion 2
Q1 What do you believe is the most cost effective CRSA approach (workshops, questionnaires etc) and why?
Q2 How would you select topics for CRSA application?
Workshop Discussion 3
• Do you believe Internal Audit should devote a significant proportion of its resources to CRSA and if so, why?
• What do you think are the keys to running successful CRSA workshops?
CRSA References
Still the best UK publication (in my opinion)
“Control Self Assessment” edited by Keith Wade and Andy Wynne in 1999 (published by Wiley)
In addition to explaining the reasons for CRSA and the various approaches, it examines about 20 different public and private sector practices, written by different experts and practitioners