icsa · 2020. 1. 1.
TRANSCRIPT
ICSA Internal Control Self Assessment
A Risk Management integrating approach
Presenter: Yves DUPONT, president ICIB vzw/asbl
• ICHEC Formation Continue: leading training institution in Brussels, hosting the DRM "Diplôme Risk management", accredited for the RIMAP certification
• Partnership with ICIB
Who we are
ICIB, European association for Internal Control
- International professional certifications: CICS (Certified Internal Control Specialist), delivered by our partner ICI in the US
- Member services
- Trainings and conferences
www.icib.org
DRM training: "Diploma in Risk Management"
A training program developed thanks to a partnership between ICIB and ICHEC Formation Continue
Question 1
What is the relation between risk management and internal control?
In my opinion:
1) Internal control is a component of risk management and focuses on the execution of the controls and procedures that have been identified by risk management;
2) Risk management is a component of internal control and delivers all the information needed to design and implement the mitigation actions;
3) Both processes are complementary and cooperate in the mitigation of all enterprise risks;
4) Both processes are completely independent and manage their own risks;
5) None of these answers is correct
Internal Control or Risk management
…the allocation of risk assessment responsibilities should be organized
according to the knowledge that each party has on the behaviour of the
risks and their conjunction with other risk elements or events….
…Various actors in the risk management process could, for example, be in
charge of identifying and evaluating external risk factors (e.g. new laws are
analysed by the compliance manager), whereas the interrelation of those
risk factors with the operational processes will be analysed by 1st line
operational management in the frame of their internal control process….
Source: ICIB Position Paper, Precept 12 http://www.icib.org/position-paper-icib.ws
Proposed answer to question 1
Answer 3: Both are complementary and cooperate in the mitigation of all enterprise risks.
Case study:
The Risk Manager of a payroll service company identifies a risk related to the new data protection regulation, GDPR. R1: some confidential personnel information may accidentally be transferred to the employer, in breach of this regulation…
A detailed process analysis, conducted with the cooperation of the payment process owner, led to the identification of the following candidate mitigation actions, two of which were selected:
MA1: Classification of all information received from the employees
MA2: Double check of all information sent to the employer
MA3: Additional check by the director of the department
Question 2
Who will be the owner of this risk ?
in my opinion:
1) Risk manager
2) Payment process owner
3) Compliance officer
4) Director of the department
5) Internal control coordinator
Internal Control or Risk management
…An integrated internal control approach would mean that the process
owner takes responsibility for the major internal control tasks (including
risk assessment, designing mitigation actions and reporting tasks, as
described in Precept 5) related to the operational aspects of the process…
Source: ICIB Position Paper, Precept 8, http://www.icib.org/position-paper-icib.ws
Proposed answer to question 2
Answer 2: Payment process owner
Objectives:
- Making sure that the mitigation actions are well designed and executed;
- Mobilizing and coaching the operational management for the treatment of these risks;
- Establishing a basis for performance comparison between subsidiaries;
- Supporting the continuous enhancement of the mitigation actions;
- Providing assurance on the residual risk level;
- As part of the monitoring process, preparing the audit work.
Organizing the ICSA
Question from the risk manager:
"Hey manager, please report on a monthly basis on the compliance with the mitigation actions procedure and give us the assurance that the risks are under control"
Answer from the payroll process manager:
"Yes, no problem, it's OK"
They need better guidance; we need more assurance.
How will you organize this?
The six steps of the ICSA:
1. Ranking the effectiveness and the « ROI » of the mitigation actions
2. Outline the mitigation actions in points of control
3. Determine the coverage level of the mitigation actions
4. Agree on the tolerance for the execution of each point of control
5. Determine weighting factors for the testing elements
6. Scheduling and executing the testing campaigns
Step 1. Ranking the effectiveness and the « ROI » of the mitigation actions

Risk scoring matrix (rows: IMPACT; columns: LIKELIHOOD):

IMPACT \ LIKELIHOOD   Rare   Unlikely   Possible   Likely   Almost certain
Catastrophic            10         20         35       60              100
Major                    6         12         21       36               60
Moderate                 4          7         12       21               35
Minor                    2          4          7       12               20
Insignificant            1          2          4        6               10
Opportunity             -4         -8        -14      -24              -40

Effectiveness scores of the mitigation actions:
MA1: 33
MA2: 17
MA3: 8
Step 2. Outline the mitigation actions in points of control

MA1: Classification of all information received from the employees
a. All information from the employees is registered from reception (various channels)
b. Confidentiality of the information elements is scored (1 to 5)
c. Documents are earmarked according to the confidentiality score
d. Information needed for the payroll process is introduced in the system, with the confidentiality score
e. …

MA2: Double check of all information sent to the employer
a. A XYZ file is created for every monthly expedition
b. Presentation of the confidentiality scorings in this file
c. Sign-off from the manager before sending
Step 3. Determine the coverage level of the mitigation actions

Share of each mitigation action covered by its points of control (from the slide):
MA1: a 15% | b 35% | c 10% | d 25% | e 15%
MA2: 20% | 30% | 15% | 35%
Step 4. Agree on the tolerance for the execution of each point of control
- Tolerance for newly developed mitigation actions;
- Fixing operating effectiveness level objectives; continuous improvement cycles;
- Execution above this tolerance level is considered OK.
Step 5. Determine weighting factors for the testing elements
- Files from some employers may be considered more risky from a privacy standpoint (e.g. non-EU countries);
- Some information (e.g. regarding health) is to be treated as more confidential;
- Weighting factors from 1 to 5
Step 6. Scheduling and executing the testing campaigns
- Schedule the testing campaigns according to the stakeholders' (reporting) agenda
- Agree on who will execute the "point of control" tests
- Communicate on the results; striving towards a single audit

Testing schedule matrix from the slide. Column groups: Stakeholder's agenda (client's auditor: SAS70, ISAE3402; compliance regulator), Testing agenda (31-Jan, 28-Feb, 31-Mar, …) and testing instructions. An "x" marks a stakeholder that requires the test of that point of control or a date on which it is tested (the exact column of each mark is not recoverable from the transcript):

Point of control   Marks
MA1 a              x x x x x
    b              x x x x
    c              x x x
    d              x x
MA2 a              x x x x
    b              x x x x x
…
Operational effectiveness of the mitigation action (worked example for MA1; point e was not tested in this campaign)

Each tested element carries a weighting factor (step 5); for each point of control the result is 1 if the control was executed and 0 if not, and the weighted result is weight × result.

Tested element   weight   MA1a (result, w×r)   MA1b (result, w×r)   MA1c (result, w×r)   MA1d (result, w×r)
1                2        1  2                 0  0                 1  2                 1  2
2                2        1  2                 1  2                 1  2                 0  0
3                1        1  1                 1  1                 1  1                 1  1
4                1        1  1                 1  1                 1  1                 1  1
5                2        0  0                 1  2                 1  2                 1  2
6                4        1  4                 1  4                 1  4                 1  4
7                1        1  1                 0  0                 1  1                 1  1
8                2        1  2                 1  2                 1  2                 1  2
Sum              15          13                   12                   15                   13
Effectiveness                87%                  80%                  100%                 87%
Coverage                     15%                  35%                  10%                  25%
Coverage × eff.              13%                  28%                  10%                  22%

Coverage-weighted total: 13% + 28% + 10% + 22% = 73% of MA1. Since MA1e (15% of the action) was not tested, the result is rescaled to the tested share: 73% × 100/85 = 85%.
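The scoring behind the table above, written out as an added example that is not part of the original presentation: it computes the weighted operating effectiveness of each point of control (step 5), the coverage-weighted result for the whole mitigation action (step 3), the rescaling to the coverage actually tested (the "*100/85" of the slide), and the comparison with the agreed tolerance (step 4). The weights, results and coverage figures are taken from the slide; the tolerance level of 85% per point of control and the names `PointOfControl`, `effectiveness`, `campaign_score` and `below_tolerance` are assumptions chosen for illustration.

```python
"""Weighted operational-effectiveness scoring for an ICSA testing campaign.

Added example, not part of the original presentation. It reproduces the
worked table from the slides: eight tested elements (weighting factors of
1, 2 and 4 on the 1-to-5 scale) checked against points of control a to d
of MA1; point e (15 % of MA1) was not tested, so the coverage-weighted
result is rescaled to the share actually tested (85 %). The per-point
tolerance levels are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PointOfControl:
    name: str
    coverage: float                 # share of the mitigation action this point covers (0..1)
    tolerance: float                # agreed minimum operating effectiveness (step 4), assumed
    results: Optional[list] = None  # one 1/0 per tested element; None = not tested this campaign


def effectiveness(weights, results):
    """Step 5 scoring: weighted share of tested elements on which the control was executed."""
    if len(weights) != len(results):
        raise ValueError("one result per tested element")
    if any(w < 1 or w > 5 for w in weights):
        raise ValueError("weighting factors run from 1 to 5")
    if any(r not in (0, 1) for r in results):
        raise ValueError("results must be 1 (executed) or 0 (not executed)")
    return sum(w * r for w, r in zip(weights, results)) / sum(weights)


def campaign_score(weights, points):
    """Coverage-weighted effectiveness of a whole mitigation action.

    Returns (raw, rescaled, tested_coverage). `raw` sums coverage x effectiveness over
    the points that were tested, so untested coverage counts as zero; `rescaled` divides
    by the coverage actually tested, which is what the slide's "*100/85" does.
    """
    tested = [p for p in points if p.results is not None]
    if not tested:
        raise ValueError("no point of control was tested")
    tested_cov = sum(p.coverage for p in tested)
    raw = sum(p.coverage * effectiveness(weights, p.results) for p in tested)
    return raw, raw / tested_cov, tested_cov


def below_tolerance(weights, points):
    """Names of tested points whose effectiveness is under their agreed tolerance (step 4)."""
    return [p.name for p in points
            if p.results is not None and effectiveness(weights, p.results) < p.tolerance]


# Constructed from the slide's table: weights and 1/0 results per tested element.
WEIGHTS = [2, 2, 1, 1, 2, 4, 1, 2]
MA1 = [
    PointOfControl("MA1a", 0.15, 0.85, [1, 1, 1, 1, 0, 1, 1, 1]),
    PointOfControl("MA1b", 0.35, 0.85, [0, 1, 1, 1, 1, 1, 0, 1]),
    PointOfControl("MA1c", 0.10, 0.85, [1, 1, 1, 1, 1, 1, 1, 1]),
    PointOfControl("MA1d", 0.25, 0.85, [1, 0, 1, 1, 1, 1, 1, 1]),
    PointOfControl("MA1e", 0.15, 0.85),  # not tested in this campaign
]

if __name__ == "__main__":
    for p in MA1:
        if p.results is not None:
            print(f"{p.name}: {effectiveness(WEIGHTS, p.results):.0%}")
    raw, rescaled, cov = campaign_score(WEIGHTS, MA1)
    print(f"coverage-weighted: {raw:.0%}; tested coverage {cov:.0%}; rescaled {rescaled:.0%}")
    print("below tolerance:", below_tolerance(WEIGHTS, MA1))
```

Running it reproduces the slide's figures (87%, 80%, 100%, 87%; 73% raw; 85% rescaled) and flags MA1b as the only point under the assumed 85% tolerance. Note that the rescaled figure says nothing about MA1e: reporting only the rescaled value hides the untested 15% of the action, so both numbers, and the list of untested points, belong in the report to the risk manager.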
Questions:
- How can you relate this result to the residual risk level?
- How do you get on with the tolerance level?
- What actions can you take to enhance the final result?
- What will be the role of the internal auditor regarding this result?
THANK YOU for your attention
Presenter: Yves DUPONT, president ICIB vzw/asbl and of Riskovery Consult bvba/sprl, scientific director of risk management and internal control trainings at ICHEC FC