Thursday, 21 April 2016

GOVERNANCE, INTERNAL AUDIT AND ERM PROCESSES

Internal auditing is sometimes described as one of the four cornerstones of governance. The other three cornerstones are external auditing, executive management, and the board of directors. Two key contributions that the internal audit activity makes to governance are included in the definition of internal auditing:
  1. Assurance on the effectiveness of governance, risk management, and internal control,
  2. Advisory services for improving the risk management processes (RMP).
Clearly, internal auditing plays a very important role in improving the organization's risk management maturity, including:
  1. Raising the profile of risk in organizational decision-making and planning at all levels.
  2. Providing training and guidance to other managers and staff.
  3. Making recommendations for improvement to risk-based controls.
  4. Keeping up-to-date with the latest thinking and serving as a source of risk expertise for the organization.
  5. Ensuring risk management is consistent and well-coordinated on an enterprise-wide basis.
  6. Providing assurance on risk management and its processes.
  7. Reporting on the level of operational risk as part of routine audit work.
  8. Championing risk and advocating enhanced risk maturity.
  9. Leading risk identification workshops.
  10. Providing practical tools that may assist risk management processes.
  11. Providing training for audit committees and management on all aspects of risk.
  12. Offering consulting services in support of those charged with risk management.
  13. Evaluating strategic risk management by determining whether strategic risks are known, responded to appropriately, and monitored accordingly.
  14. Developing the expertise of the internal audit function to maximize its competency in risk.
  15. Supplementing the risk-related skills of the internal audit team (as required) by drawing upon third-party support.
As enterprise-wide risk management becomes established in organizations, the internal audit activity can progress from being risk-based to being ERM-based. It is important for audit planning to be ERM-based rather than simply risk-based.

The chief audit executive (CAE) is responsible for developing a risk-based plan. 
  • The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. 
  • The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
  • With an effective, integrated, enterprise-wide approach to risk management, internal audit no longer needs to identify the risk universe. 
  • Management takes on that responsibility, and the internal auditors adopt it as the basis for describing the internal audit universe (the summation of all possible internal audits).
  • The audit universe will normally be influenced by the results of the risk management process. The CAE prepares the internal audit activity’s audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization. Of course, this assumes the internal auditors are confident about the ERM processes used to develop the risk universe. 
  • ERM can help identify and prioritize the risks that may then direct risk-based audit planning. However, to maintain its independence and objectivity, the internal audit activity must never be wholly dependent on ERM, and the internal auditors must exercise their own judgment about internal audit priorities.
Internal audit draws upon ERM for its risk-based approach. 
The internal auditors are responsible for assessing enterprise risk management—which is part of the risk universe—and providing assurance on it.

Friday, 15 April 2016

INTERNAL CONTROL SYSTEM IN BANKING

Because of its benefits, an effective and adequate internal control system is needed in six (6) respects:

  1. Carrying out activities in a sound (effective and adequate) manner,
  2. Achieving strategic objectives and realizing long-term profitability targets,
  3. Ensuring the accuracy and reliability of financial/managerial reports and information,
  4. Preventing fraud/irregularities and reducing the risk of reputational damage,
  5. Ensuring compliance with regulations (laws), policies, plans and procedures,
  6. Achieving the institution's objectives (legal objective, management objective, shareholder objective, employee objective, audit objective...)

Friday, 8 April 2016

Internal Environment - Hard and Soft Controls

Choices around systems, processes, structure, communication, planning, and allocation of resources each represent a potential strength or weakness, as well as a source of risks or opportunities. They also may form part of the risk response, including internal controls.

Risk management processes need to fit in with the rest of the organization, and processes for identifying, analyzing, responding to, and reporting on risks are required to operate in such a way that they successfully manage risks across all elements of the internal environment.

This is particularly useful as a tool for management when trying to bring about change. It also can serve as an indicator that risks and opportunities may arise not just within one area, but as a result of separate components working together.

Hard and Soft Elements (7S):
Hard Elements - Strategy, Structure, Systems
Activities: reviews, inspections, policies, reconciliations, structure, limits, user IDs and passwords, physical counts, bank reconciliation.
Soft Elements - Style, Shared Values, Staff, Skills
People: openness, clarity, competency, expectations, communications.
  • Hard elements are readily grasped and manipulated by management, whereas soft elements are much less tangible and less easy to change. For example, it is relatively easy to issue a new strategy or introduce a revised system. However, to make either of these things work requires adjustments to other elements such as skills and shared values, which present a much greater challenge to manipulate.
  • Soft elements are more difficult to change, introduce, monitor, and manage.

Monday, 4 April 2016

RISK PSYCHOLOGY

Risk psychology is a fascinating field of research. There is an unavoidable, yet desirable, subjectivity to risk analysis and a natural inclination to focus on impact, because it is harder to comprehend likelihood in quite the same way. The result is that likelihood becomes exaggerated.
Consider the insecurities many people have about flying. The consequences of an airborne disaster are easy and somewhat unsettling to imagine. This translates into a perception that flying is more dangerous (i.e., more risky) than it is, perhaps even more risky than driving.
The fact that a passenger is more likely to suffer injury or death in the car on the way to or from the airport does not ease the psychological weight given to the risk level associated with flying. This has to do with the element of personal control. When driving a car, the driver feels—rightly or wrongly—that he can make a personal intervention to avoid an accident, but an airline passenger must rely on the pilot’s actions, someone else’s security arrangements, and the mechanical integrity of the plane.
Likewise, the psychological element is important when considering risk appetite. A group of managers may agree on the defined appetite of the organization, but each individual may vary when it comes to being either a risk taker or a risk avoider. The perceived level of acceptable risk depends on how it aligns with personal risk appetite.
In all situations, the role of “risk management” is to try to lead organizations toward an understanding of risk and objective appraisal while recognizing both the inevitability and value of subjective impressions. Armed with better information, the organization can make a more intelligent response.

Key Internal Stakeholders

A stakeholder is defined as anyone who has a stake or an interest in some activity, project, or enterprise; or in this case, the organization as a whole. Stakeholder theory offers a more enlightened perspective, compared with a narrower focus on the immediate beneficiaries, such as shareholders. Being aware and taking account of those interests enables managers to secure support as required and to anticipate resistance to an initiative. This analysis is an extremely important management activity. Organizations exist to serve the needs and interests of their stakeholders by:
  1. Delivering a sought-after service or product to customers.
  2. Providing financial returns on an investment to investors and owners.
  3. Paying amounts that are due in a timely fashion to suppliers.
  4. Creating a safe, attractive work environment.
  5. Providing accurate and timely data on pay to tax authorities.
Sometimes these interests can be in conflict. One party’s efficiency gain might be another’s cut in income, and one party’s enhancements to product quality and service might be another’s erosion of profit. Two primary stakeholders—the owners and management—sometimes can be in conflict, as the managers might seek personal or short-term gain, while the owners desire long-term returns on their investment. Organizational boundaries are often indistinct. For example, where does the organization end and the stakeholder begin?

Managers are quick to realize that stakeholders wield great power. Customers may withhold their business, investors may withdraw their capital, employees may take industrial action, the government may raise taxes and increase regulation, pressure groups may lobby for greater environmental protection, and the public may demand greater transparency and ethical leadership.
Like other organizational endeavors, risk management processes should be designed to reflect a balanced response to the needs and interests of stakeholders. This requires careful analysis, but it is not always easy to identify the stakeholders and their interests, and even when they are known, they may be subject to change. Often, an individual may span several stakeholder groups (an investor who is also a customer, an owner, or a shareholder who is also part of the executive team). However, despite these problems, the analysis is still very valuable as it leads to greater sensitivity to potential sources of conflict or opportunities for support.

Stakeholder analysis can be applied to any planned activity and development, including strategic planning. When developing and reviewing risk management processes, asking key questions will help give due consideration to the needs and expectations of stakeholders:
  1. Whose interests will be affected (positively or negatively) by risk management?
  2. What are the interests or stakes (objectives) of these stakeholder groups?
  3. How could these groups impact (positively or negatively) our ability to implement risk management?
  4. What strategies can we adopt to anticipate, mitigate, and exploit the reactions of stakeholders to make risk management processes more successful?
Simple measures, like involving stakeholders in the development of "risk management processes" and keeping people informed, can deliver the greatest benefit in stakeholder management.
Stakeholders may be categorized as being internal or external. Some refer to connected stakeholders, such as non-executive directors who cross organizational boundaries between internal and external stakeholders, and peripheral stakeholders who only have limited and intermittent interests.

Staff interests may be promoted by official or unofficial representatives, trade unions, and similar kinds of associations. Managers and directors may be considered to be part of staff as employees of the organization, but they are also likely to have other personal, financial, and professional stakes in it. The owners in a private sector organization look for a financial return on their investment and have an interest in seeing their vision come to fruition.

All of these groups are internal stakeholders. In the public sector, the government department, body, or agency manages the organization on behalf of the public at large or specific groups within it, and these too become internal stakeholders with a greater or lesser degree of direct influence, depending upon the decision-making structures. Risk management processes must serve the interests of the organization and enable it to achieve its objectives. It is important to understand the impact risk management processes have on internal stakeholders.

Management of Third-party Business Relationships

Third parties are a stakeholder group comprising individuals or organizations that have been engaged to undertake an activity on behalf of or in partnership with the contracting organization. There are significant benefits of working this way. Indeed, it is difficult to avoid entering into a range of relationships with third parties. However, when working with others, the risks must be considered carefully.
Third parties include:
  • Suppliers.
  • Contractors.
  • Subcontractors.
  • Consultants.
  • Strategic allies.
  • Business partners.
  • Subsidiaries.
  • Agents.
There should be a good reason for collaborative efforts, such as a way of increasing efficiency, sharing risk, gaining additional capability, or exploiting new opportunities. Sometimes, however, organizations are presented with the chance to work with another party and then attempt to create activity to exploit the opportunity. While this can be successful, it also can result in unfocused activity that falls outside the strategic plan, and ultimately serve as a distraction from achieving core objectives.
Clarifying the nature of the relationship through a formal agreement or memorandum of understanding (MOU) is one way of confirming expectations at the outset and avoiding misunderstanding later. Such agreements may specify the period the relationship is intended to endure, the objectives to be achieved, the roles and responsibilities of each party, how financial commitments and rewards are to be shared, and the options for terminating the agreement.
Once initiated, such relationships rely on effective communication and good working relations. It is important to agree on a schedule for making contact, holding meetings, sharing information, and issuing reports.
The engagement of a third party to undertake some activity does not absolve the organization of responsibility for risk. The organization’s own risk management processes need to extend to the exposure to risks presented by the use of third-party contractors, subcontractors, vendors, affiliates, and partners. While the appropriate response to any of these risks may be through various legal and financial protections, it is important to recognize the full range of potential risks.
Third-party risks tend to be greater when:

  1. The relationship is new.
  2. The relationship is entered into quickly.
  3. The services provided are critical to the organization’s operations.
  4. The financial value of the arrangement is significant.
  5. The duration of the relationship is extensive.
  6. The nature of the undertaking is complex.
  7. The third party is also engaged in other activities or relationships that may be in direct competition or conflict.
  8. There are several parties involved.
  9. The third party is planning to subcontract some or all of the work.
The potential for risk in third-party relationships is significant, stemming from failures by the third party or of the relationship itself. These risks include:

  1. Operational risk due to the complexities of two or more organizations working together with different systems and strategic priorities.
  2. Reputational risk through association with another organization’s shortcomings.
  3. Financial risk involving delays, disruptions, underperformance, and penalties.
  4. Compliance risk where expectations are unclear and no party within the alliance has full oversight of all activities and related regulatory duties.
  5. Legal risks arising from a partner’s breaches in regard to regulation and statutory requirements.
  6. Strategic risk through the potential for the relationship with the third party to soak up additional time and resources, divert the organization away from its primary goals, and result in the failure to achieve major objectives.

Friday, 1 April 2016

CONSULTING ROLE OF INTERNAL AUDITOR

The internal auditors can also contribute to risk management through consulting. While assurance engagements for ERM are generally delivered when everything needed is already in place, consultancy is likely to be required when there are no systems and processes or they are new, incomplete, or less than optimal. When serving as consultants, the internal auditors must adopt a different mindset from that of assurance, even though they will employ the same expertise and build useful knowledge.

The nature and extent of consulting to be offered by the internal audit activity must be set out clearly in the charter (in accordance with Standard ) and, like all activities undertaken by the internal audit function, must be limited to those tasks that can be performed competently by available capabilities. Standard  states that:
The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
This is in contrast to assurance engagements, which are not to be declined if resources are lacking internally. (In such assurance cases, resources would be secured from other sources.)
Advisory work focuses on governance, risk, and control, which form internal audit’s primary knowledge base. Consulting can take many forms. The various kinds of consulting services the internal auditors may provide or contribute to include:

  • Business process improvement.
  • Continuous monitoring.
  • Control self-assessment (self-assessment of risk and control).
  • Forensic auditing.
  • Governance and ethics training.
  • Internal control review.
  • Internal control training.
  • Participation on committees or task forces.
  • Readiness.
  • Review of a new product or service before implementation.
  • Risk self-assessment.

We will focus on seven types of consulting engagements related to risk management:
  • Assisting in the identification and evaluation of risks through an analysis of strategy and the internal and external environments.
  • Developing management’s capabilities in respect to risk responses by providing coaching.
  • Helping to draw risk management activities together across the organization in a more coherent, effective, and deeply embedded fashion.
  • Strengthening risk reporting by ensuring it is timely, relevant, and focused.
  • Maintaining and improving the risk management framework through a combination of testing, validation, and the offering of potential solutions to identified weaknesses.
  • Promoting risk management across the organization by acting as its champion (IV.F).
  • Advancing the progression toward greater risk maturity by developing the risk management strategy.
Assurance and consulting engagements have several characteristics in common, as well as important differences. The similarities arise from the simple fact that any activity carried out by the internal auditors should be delivered in accordance with high standards of professional practice. More specifically, both types of internal audit engagements must be:
  • Defined in the internal audit charter.
  • Delivered by the internal auditors with:
      • Due professional care.
      • Independence and objectivity.
Internal auditors must exercise due professional care during a consulting engagement by considering the:
  1. Needs and expectations of clients, including the nature, timing, and communication of engagement results.
  2. Relative complexity and extent of work needed to achieve the engagement’s objectives.
  3. Cost of the consulting engagement in relation to potential benefits.
Furthermore, if it is clear at the outset that there are any impediments to independence or objectivity, they must be declared before accepting the engagement. This is also evident in the Standards:
If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
The overriding safeguard is that under no circumstances should the internal auditors take responsibility for risk management. It is also clear that a consulting engagement should not be accepted simply because management requests it. It must be relevant and planned.

ARGUMENTS ON AUDIT FUNCTIONS

From The IIA’s definition of internal auditing, we know that the activity adds value to an organization through assurance and consulting (or advisory) services.

The definition of internal auditing was amended with much debate in 1999 to include consulting as an explicit and distinct part of its role. Those opposed to broadening the definition in this way raised four main objections:

  1. Internal audit had always included a consulting element through the recommendations it delivers within an assurance engagement and, therefore, it is unnecessary, unhelpful, and perhaps even damaging to separate it out.
  2. Consulting is not a distinctive activity, as many other functions offer advice and guidance to management. The primary value of internal audit comes through the delivery of assurance.
  3. There is a potential conflict of interest if internal audit takes on a consulting role separate from the delivery of assurance.
  4. The new definition includes both assurance and consulting with no indication of which is more important—the natural conclusion is that there should be an even split between the two activities. However, while consulting may be a trendier or more attractive role, assigning it undue emphasis could damage the primary focus for internal audit, which is and should remain assurance.

Despite these arguments, it has proved tremendously helpful to the profession and its stakeholders for the definition to make clear the two ways in which internal audit adds value with independence and objectivity. This has been supported by the development of corresponding standards and guidance that provide much needed assistance for implementation. It is important to point out that the internal auditors can only recommend, as they are not in a position to implement such actions, and management is free to accept or reject any proposals.

In addition to the features that consulting and assurance engagements have in common, there are some significant differences (see below). In practice, it may sometimes be hard to separate assurance and consulting. For one thing, it is common for an assurance engagement to address weaknesses in internal control and offer recommendations for improvement, and for a consulting engagement to contribute to an overall audit opinion. Indeed, it is a requirement of the Standards that information garnered through consulting be applied to the auditing of risk management:

  • Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
  • Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
Furthermore, it is often through assurance engagements that the need for consultation is identified in the first place, leading to discussions with management regarding actions. Consulting, on the other hand, can provide additional assurance by giving management detailed insights on a particular aspect of the organization. The internal auditor should take care when framing an opinion on the basis of a consultancy assignment to avoid any distortion regarding the materiality of the findings with respect to risk and control.
The Standards define consulting services as follows:
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.
Despite the origin of the consulting engagement, the skills and insights that enable an internal auditor to follow a risk-based approach in evaluating controls and delivering an opinion on their effectiveness are also highly valuable when providing constructive advice about systems development and business improvement.
However, assurance and consulting are distinct. If an assurance engagement identifies the potential value that consulting may bring to the same area of review, the scope must not shift from assurance to consulting without setting out a new proposition. If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.