
Page 1: ICSA · 2020. 1. 1. · charge of identifying and evaluating external risk factors (e.g. new laws are analysed by the compliance manager), whereas the interrelation of those risk

ICSA Internal Control Self Assessment

A Risk Management integrating approach

Presenter: Yves DUPONT, president ICIB vzw/asbl, [email protected]

Page 2

Who we are

• ICHEC Formation Continue: leading training institution in Brussels, hosting the DRM “Diplôme Risk management”, accredited for the RIMAP certification
• Partnership with ICIB

Page 3

Who we are

ICIB, European association for Internal Control
- International professional certifications CICS (Certified Internal Control Specialist) delivered by our partner ICI in the US
- Member services
- Trainings and conferences

www.icib.org

Page 4

Who we are

DRM training: “Diploma in Risk Management”

A training program developed thanks to a partnership between ICIB and ICHEC Formation Continue.

Page 5

Question 1

What is the relation between risk management and internal control?

In my opinion:
1) Internal control is a component of risk management and focuses on the execution of the controls and procedures that have been identified by risk management;
2) Risk management is a component of internal control and delivers all information needed to design and implement the mitigation actions;
3) Both processes are complementary and cooperate in the mitigation of all enterprise risks;
4) Both processes are completely independent and manage their own risks;
5) None of these answers is correct.

Page 6

Internal Control or Risk management

…the allocation of risk assessment responsibilities should be organized according to the knowledge that each party has on the behaviour of the risks and their conjunction with other risk elements or events….

…Various actors in the risk management process could, for example, be in charge of identifying and evaluating external risk factors (e.g. new laws are analysed by the compliance manager), whereas the interrelation of those risk factors with the operational processes will be analysed by 1st line operational management in the frame of their internal control process….

Source: ICIB Position Paper, Precept 12, http://www.icib.org/position-paper-icib.ws

Proposed answer to question 1

Answer 3: Both are complementary and cooperate in the mitigation of all enterprise risks.

Page 7

Case study:

The Risk Manager of a payroll service company identifies a risk related to the new data protection regulation GDPR: R1: some confidential personnel information may accidentally be transferred to the employer, in breach of this regulation…

A detailed process analysis, led with the cooperation of the payment process owner involved, led to the identification and the selection of two mitigation actions.

MA1: Classification of all information received from the employees
MA2: Double check all information sent to the employer
MA3: Additional check by the director of the department

Page 8

Question 2

Who will be the owner of this risk?

In my opinion:
1) Risk manager
2) Payment process owner
3) Compliance officer
4) Director of the department
5) Internal control coordinator

Page 9

Internal Control or Risk management

…An integrated internal control approach would mean that the process owner takes responsibility for the major internal control tasks (including risk assessment, designing mitigation actions and reporting tasks, as described in Precept 5) related to the operational aspects of the process…

Source: ICIB Position Paper, Precept 8, http://www.icib.org/position-paper-icib.ws

Proposed answer to question 2

Answer 2: Payment process owner

Page 10

Organizing the ICSA

Objectives:
- Making sure that the mitigation actions will be well designed and executed;
- Mobilize and coach the operational management for the treatment of these risks;
- Establish a basis for performance comparison between subsidiaries;
- Supporting the permanent enhancement of the mitigation actions;
- Assuring the residual risk level;
- As part of the monitoring process, prepare audit work.

Page 11

Organizing the ICSA

Question from the risk manager:
“Hey manager, please report on a monthly basis on the compliance to the mitigation actions procedure and give us the assurance that the risks are under control”

Answer from the payroll process manager:
“Yes, no problem, it's ok”

They need better guidance; we need more assurance.

Page 12

Organizing the ICSA

How will you organize this?

Page 13

Organizing the ICSA

1. Ranking the effectiveness and the « ROI » of the mitigation actions
2. Outline the mitigation actions in points of control
3. Determine the coverage level of the mitigation actions
4. Agree on the tolerance for the execution of each point of control
5. Determine weighting factors for the testing elements
6. Scheduling and executing the testing campaigns

Page 14

Organizing the ICSA

1. Ranking the effectiveness and the « ROI » of the mitigation actions

Risk scoring matrix (IMPACT by LIKELIHOOD):

IMPACT \ LIKELIHOOD   Rare   Unlikely   Possible   Likely   Almost certain
Catastrophic            10         20         35       60              100
Major                    6         12         21       36               60
Moderate                 4          7         12       21               35
Minor                    2          4          7       12               20
Insignificant            1          2          4        6               10
Opportunity             -4         -8        -14      -24              -40

Effectiveness scores: MA1: 33; MA2: 17; MA3: 8

Page 15

Organizing the ICSA

2. Outline the mitigation actions in points of control

MA1: Classification of all information received from the employees
a. All information from the employees is registered from reception (various channels)
b. Confidentiality of the information elements is scored (1 to 5)
c. Documents are earmarked according to the confidentiality score
d. Information needed for the payroll process is introduced in the system, with the confidentiality score
e. …

MA2: Double check all information sent to the employer
a. An XYZ file is created for every monthly expedition
b. Presentation of confidentiality scorings in this file
c. Sign off from manager before sending

Page 16

Organizing the ICSA

3. Determine the coverage level of the mitigation actions

Coverage level per point of control:
MA1: 15% 35% 10% 25% 15%
MA2: 20% 30% 15% 35%

Page 17

Organizing the ICSA

4. Agree on the tolerance for the execution of each point of control
- Tolerance for newly developed mitigation actions;
- Fixing operating effectiveness level objectives; continuous improvement cycles;
- Execution above this tolerance level will be considered as ok.

Page 18

Organizing the ICSA

5. Determine weighting factors for the testing elements
- Files from some employers may be considered more risky from a privacy standpoint (ex: non EU countries);
- Some information (ex: regarding health) is to be treated as more confidential;
- Weighting factors from 1 to 5.

Page 19

Organizing the ICSA

6. Scheduling and executing the testing campaigns
- Schedule of testing campaigns according to the stakeholders' (reporting) agenda
- Agree on who will execute the “point of control” tests
- Communicate on the results; striving towards a single audit

Testing schedule: stakeholders' agenda (client's auditor, SAS70, ISAE3402, compliance regulator) and testing agenda (31-Jan, 28-Feb, 31-Mar, …), with testing instructions per point of control (x = test scheduled):
MA1 a   x x x x x
MA1 b   x x x x
MA1 c   x x x
MA1 d   x x
MA2 a   x x x x
MA2 b   x x x x x

Page 20

Organizing the ICSA

Operational effectiveness of the mitigation action (MA1, points of control a to d)

Each row is one testing element: its weight, then for each point of control the test result (0 or 1) and the weighted result.

weight     MA1a     MA1b     MA1c     MA1d
  2        1  2     0  0     1  2     1  2
  2        1  2     1  2     1  2     0  0
  1        1  1     1  1     1  1     1  1
  1        1  1     1  1     1  1     1  1
  2        0  0     1  2     1  2     1  2
  4        1  4     1  4     1  4     1  4
  1        1  1     0  0     1  1     1  1
  2        1  2     1  2     1  2     1  2
 15          13       12       15       13
             87%      80%     100%      87%
coverage     15%      35%      10%      25%   (85% tested, hence *100/85)
             13%      28%      10%      22%   = 73%, i.e. 85% of the tested coverage
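The scoring behind this slide, carried through as an added worked example (not part of the presentation): it reproduces the weighted test results for MA1a to MA1d, the effectiveness of each point of control, and the coverage-weighted result rescaled to the 85% of coverage actually tested. Reading a test result of 1 as "executed as expected" and comparing "at or above" the tolerance are assumptions; the function and variable names are ours.

```python
from fractions import Fraction

# Sample data transcribed from the ICSA slide for MA1 (points of control a to d).
# Each testing element has a weighting factor (1 to 5, step 5) and one test result
# per point of control: 1 = executed as expected, 0 = not (assumed meaning of 0/1).
WEIGHTS = [2, 2, 1, 1, 2, 4, 1, 2]
RESULTS = {
    "MA1a": [1, 1, 1, 1, 0, 1, 1, 1],
    "MA1b": [0, 1, 1, 1, 1, 1, 0, 1],
    "MA1c": [1, 1, 1, 1, 1, 1, 1, 1],
    "MA1d": [1, 0, 1, 1, 1, 1, 1, 1],
}
# Coverage level of each tested point of control (step 3); MA1e (15%) is not tested.
COVERAGE = {"MA1a": 15, "MA1b": 35, "MA1c": 10, "MA1d": 25}


def weighted_score(weights, results):
    """Sum of weight * result for one point of control (the slide's total row)."""
    if len(weights) != len(results):
        raise ValueError("one result per testing element is required")
    return sum(w * r for w, r in zip(weights, results))


def effectiveness(weights, results):
    """Operational effectiveness as an exact fraction of the maximum weighted score."""
    return Fraction(weighted_score(weights, results), sum(weights))


def mitigation_action_effectiveness(weights, results_by_poc, coverage_by_poc):
    """Coverage-weighted effectiveness of the whole mitigation action.

    Returns (raw, normalised): raw is relative to 100% coverage; normalised is
    rescaled to the coverage actually tested (the slide's '*100/85').
    """
    tested = sum(coverage_by_poc.values())
    raw = sum(effectiveness(weights, results_by_poc[p]) * Fraction(c, 100)
              for p, c in coverage_by_poc.items())
    return raw, raw * 100 / tested


def meets_tolerance(score, tolerance):
    """Step 4: execution at or above the agreed tolerance level counts as ok."""
    return score >= tolerance


def pct(x):
    """Whole-percent rounding, as displayed on the slide."""
    return round(float(x) * 100)


if __name__ == "__main__":
    for poc, res in RESULTS.items():
        print(poc, weighted_score(WEIGHTS, res), f"{pct(effectiveness(WEIGHTS, res))}%")
    raw, norm = mitigation_action_effectiveness(WEIGHTS, RESULTS, COVERAGE)
    print(f"MA1: {pct(raw)}% of full coverage, {pct(norm)}% of tested coverage")
```

Because the untested MA1e is left out of the denominator, the 85% normalised figure says nothing about that point of control; a tolerance check against it should note the gap.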

Page 21

Organizing the ICSA

Questions:
- How can you relate this result to the residual risk level?
- How do you get on with the tolerance level?
- What actions can you take to enhance the final result?
- What will be the role of the internal auditor regarding this result?

Page 22

THANK YOU for your attention

Presenter: Yves DUPONT, president ICIB vzw/asbl and of Riskovery Consult bvba/sprl, Scientific director of risk management and internal control trainings at ICHEC FC

[email protected]