IIAM ERM & IA - DSK Leong
2016
1
ERM AND INTERNAL AUDITING
INTERNAL AUDIT DIVISION
David S K Leong
BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
Brainstorming of risks and controls session in progress.
Brief Introduction & Background
David S K Leong
BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
• HSBC Malaysia Bhd. (1980-2005), serving as Risk Manager, Strategic Planner, Chief Internal Auditor & Head, Sarbanes-Oxley Project.
• Kuwait Finance House (Malaysia) Bhd. (2005-11) – Chief Officer, Internal Audit.
• Bank Islam Malaysia Bhd. (2012-2014) – Chief Internal Auditor (Senior General Manager).
• Credit Guarantee Corporation Malaysia Bhd. – Director, Internal Audit.
(Total of 35 years in banking, of which 12 years as Chief Internal Auditor.)
• Additional:
  • Member of Board of Governors, Institute of Internal Auditors, Malaysia.
  • Deputy Chairman, IIAM’s Research, Technical & Advisory Committee.
  • Examiner, Asian Institute of Chartered Bankers.

HSBC Work Experience 1980 - 2005
• OIC Current Accounts/Savings, HSBC, Johor Bahru - 4 years
• OIC, Trade Finance, HSBC Kuching, Sarawak - 4 years
• Assistant Manager Marketing, HSBC Kuching, Sarawak - 2 years
• Credit Manager, HSBC, Kota Kinabalu, Sabah - 4 years
• Bank Branch Manager, HSBC Bank, Labuan - 2.5 years
• Manager Risk & Policy, HSBC Malaysia, Kuala Lumpur - 4 years
• Head of Strategy, HSBC Malaysia, Kuala Lumpur - 1 year
• CIA, HSBC Malaysia - 3 years
Risk Management Experiences
The Nightmares!
• No risk management!
• Want to go own way (i.e. no way)!
• No definition of risk (i.e. don’t know).
• Don’t know what risk is!
• Uses a new, unproven risk model.
• Ad hoc and unorganized approach / incomplete coverage.
• No monitoring / follow-up of controls.
• Inadequate risk staffing and skills.
• Excessive power / arrogance.
• Lack of power!
• Very defensive!
• Don’t want to be audited.
• Any more?
SIMPLE SURVEY
• How many don’t have a Risk Management function?
• How many have not audited Risk Management?
• How many have audited Risk Management?
• How many of these are really happy with their Risk Management Audit?
• How many are really comfortable with the Risk Management activities?
• How many have Risk Management Divisions that really manage important risks effectively?
HONESTLY, WHAT SITUATION ARE YOU IN?
1. Your internal audit findings are challenged 70% of the time?
2. Your internal audit findings are 95% accepted all the time?
3. Your internal audit recommendations get implemented only 50% of the time?
4. Your internal audit recommendations are implemented 90% even before presentation to the Board.
5. Your internal auditors’ performance and remuneration are assessed by management.
6. Your internal auditors’ performance and remuneration are assessed by the Board.
7. You have a higher than average attrition rate among your internal auditors than in the organization.
8. You have several other staff requesting to join the internal audit department.
• Most Frequent Experience:
  • CRO says, “We have Enterprise-wide Risk Management!” – when actually he does not even know what risk is.
  • CRO says, “CIO will look after IT Risk Management. RM don’t have the IT expertise.”
  • CRO says: “We have an ERM Policy.” But it is on paper and in name only, not practiced. No development.
  • CRO says: “We cannot introduce ERM because Head Office overseas should lead such an initiative.”
10 Absolute Essential Features of ERM
1. Must be Enterprise-wide (from top to bottom).
2. There must not be any “Golden Boy” unit.
3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance).
4. Focuses on Key Risks (not more than the 30-50 biggest risks).
5. Integrates Across All Risk Types (not a siloed approach).
6. Aggregated at the Enterprise Level (based on the Risk Appetite/HEAT Map).
7. Decision-making Required to Reduce/Treat Risk.
8. Appropriate Risk Disclosures (show how much shareholder value can be damaged).
9. Measure Value Impacts and Opportunity Impact.
10. Focuses on Main Stakeholders (Shareholders).
Source: Adapted from Jared Wade
In other words, do you have these?
Benefits in Layman’s Language to the Company with an Integrated Risk Framework and ERM Program
Risk Management becomes easy to apply. We will have substance instead of form.
ERM gives the Board better real assurance over internal controls.
All departments work on the same internationally recognized methodology.
Risk registers are easily available online to all users.
We have less work and less stress (no duplicated controls).
Each entity will know their main risks and controls. This leads to more focused work.
Entities will pass internal audits.
Internal audit reports will be comprehensible.
The company will suffer fewer losses, make higher profits and be competitive.
The company has more time for strategy and is more focused.
The company will comply with laws, regulations and policies.
1. Must be Enterprise-wide.
   1. Led by the Board and CEO, and have a Project Champion.
   2. Must involve all risk areas.
   3. Participation and buy-in from all material areas on the initial Risk Universe assessment.
   4. Participation and mind-set must be integrated into operations, remuneration and culture.
   5. Supported and complemented by Internal Audit.
   6. All use a common methodology and are solution oriented.
2. There must not be any “Golden Boy” unit.
• All are included without exception.
• No “special treatment”, even for “star performers”.
(This is exemplified by the case of Barings Bank in 1996, in which the Bank eventually collapsed. Barings Singapore was so profitable that Risk Management and Internal Audit were told to go lightly on Nick Leeson, the “Wonder Boy”. Loss: GBP860 Million.
Another tell-tale sign: the “only expert” in complicated derivatives trading in the 2008 Societe Generale Bank case – a GBP3.7 Billion loss.)
Enron 2004 – “The Smartest Guys in the Room.”
3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance)
Aligning All the Main Components – Making Sure We All Look at the Same Things to Achieve Corporate Objectives.
[Diagram: the components that must be aligned around “Achieve Corporate Objectives”: Vision, Strategy, Corporate Objectives; Risk Management; Training/HR; Key Performance Indicators; Internal Audit; Performance Measurement. Framed by STRATEGIC DIRECTION, YEARLY BUDGETS and RISK APPETITE.]
Where are your risks? All these have to be coordinated!
5. Integrates Across All Risk Types (Not a Siloed Approach)
Definition of Risk / What is Risk?
“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
IPPF Glossary
In ISO 31000-2009: “Risk is Uncertainty Over Objectives.”
By having the same methodology, everyone speaks the same language, which allows for aggregation of the enterprise’s risk.
4. Focuses on Key Risks (30-50 Biggest Risks)
These should be the risks that keep you awake at night.
These risks are identified in a collaborative brainstorming session for all units, using a common methodology that measures risks in terms of impact and probability.
• Are all risks covered? The ERM method prescribes inclusion of all major risks and measures the effectiveness of their treatment. This requires workers’ participation.
• Are you having excessive procedures? Board and Management attention, followed by action, are aligned on real risks and on their treatment and monitoring. The process will find that many traditional processes are actually redundant; therefore SOPs can be streamlined and processes become efficient.
• Are your operations guys clueless and dissatisfied? Implementers of ERM and workers often find more meaning in what they do and are motivated, because they now understand how to get real value for their time. They know what they have to do and why, and what auditors will audit them on.
6. Aggregated at the Enterprise Level (Set the Risk Appetite / HEAT Map). HEAT MAP: Where the Risks are!
Use the “HEAT MAP” tool to help disseminate the risk assessment methodology.

TABLE A: HEAT MAP (Operations)

Impact (columns, RM loss):
  1 INSIGNIFICANT   < RM1,000
  2 MINOR           RM1,000-9,999
  3 MODERATE        RM10,000-49,999
  4 MAJOR           RM50,000-199,999
  5 CATASTROPHIC    > RM200,000

Likelihood (rows):
  5 ALMOST CERTAIN  every 1-6 months
  4 VERY PROBABLE   every 6-12 months
  3 PROBABLE        every 1-3 years
  2 UNLIKELY        every 4-10 years
  1 RARE            less often than every 10 years

LIKELIHOOD \ IMPACT      1      2      3      4      5
5 ALMOST CERTAIN       5.1    5.2    5.3    5.4    5.5
4 VERY PROBABLE        4.1    4.2    4.3    4.4    4.5
3 PROBABLE             3.1    3.2    3.3    3.4    3.5
2 UNLIKELY             2.1    2.2    2.3    2.4    2.5
1 RARE                 1.1    1.2    1.3    1.4    1.5

Key (colour zones on the slide): Low, Medium, High/Catastrophic, Very High. Impact runs Low to Very High from left to right; Likelihood runs Low to Very High from bottom to top.

Reading the map: each cell code is likelihood.impact, so 5.4 denotes probability 5, impact of 4. Finding 2.4 is plotted on the Heat Map; the other findings plotted on the slide’s map sit at 2.1, 2.2, 2.3, 1.1, 1.2, 1.3 and 3.1.
7. Decision-making by Management to Reduce/Treat Risk.
Once a material risk is identified, there are 4 “Ts” of Risk Mitigation:
I. Treat (implement a control to reduce/prevent the occurrence).
II. Transfer (reduce impact by transferring the risk to another entity, or take out insurance/outsource).
III. Terminate (abandon/sell the business if the risk impact is deemed unbearable or cannot be controlled).
IV. Tolerate (accept the risk if within Risk Tolerance limits).
Action is taken to ensure all risks accepted are within the risk appetite (green) as shown in the following HEAT Map.
ERM is not to report risks only but to ensure correct control action is taken.
Appraisal of performance is on action taken effectively.
7. IMPACT OF CONTROLS ON TREATED RISKS (RESIDUAL RISK)
TABLE A: HEAT MAP (Mill Operations)
[Figure: the same 5x5 likelihood x impact grid as Table A above (cells 1.1 to 5.5; impact bands from < RM1,000 Insignificant to > RM200,000 Catastrophic; likelihood from Rare to Almost Certain). The slide marks two positions on the grid, Inherent Risk and Residual Risk, to show where a treated risk moves once its controls take effect.]
7. See One Picture of the Aggregated Risks of Your Company
OVERALL COMPANY: HEAT MAP
[Figure: the Overall Enterprise-Wide HEAT MAP, the same 5x5 likelihood x impact grid as Table A, shown once for the whole company and once for each component area: Finance, Mill Operations, Marketing, Plantations, Compliance, Human Resources.]
You can see one picture or drill down into component areas, even specific issues, because of the consistency of the risk methodology.
Overall Enterprise-Wide HEAT MAP
Based on COSO ERM & IIA’s IPPF
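As an added example (not from the deck), the following Python models the HEAT MAP, the 4 Ts and the enterprise aggregation above: it bands an RM loss estimate and a recurrence interval into the slide’s 1-5 impact and likelihood scales, labels each cell as likelihood.impact (5.4 = probability 5, impact 4), applies a treatment to obtain the residual position, flags residual risks still outside the appetite, and aggregates a constructed register into divisional and enterprise-wide views. The colour-zone cut-offs, the appetite (Low and Medium taken as the green cells), the sample register and all function names are assumptions, not the deck’s.

```python
"""Risk register scored on the deck's 5x5 HEAT MAP (likelihood x impact).
Impact bands (RM) and likelihood bands (recurrence) follow the slide. ASSUMED:
the zone cut-offs, the appetite (Low/Medium = green) and the sample register."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

IMPACT_BANDS = [(1_000, 1), (10_000, 2), (50_000, 3), (200_000, 4)]  # RM upper bound (exclusive) -> band
LIKELIHOOD_BANDS = [(6, 5), (12, 4), (36, 3), (120, 2)]  # max months between events -> band
ZONES = [(4, "Low"), (8, "Medium"), (12, "High"), (16, "Very High")]  # ASSUMED, by score
APPETITE = {"Low", "Medium"}  # ASSUMED: the "green" cells

def impact_band(loss_rm: float) -> int:
    """RM loss estimate -> 1 (Insignificant, < RM1,000) .. 5 (Catastrophic, > RM200,000)."""
    for upper, band in IMPACT_BANDS:
        if loss_rm < upper:
            return band
    return 5

def likelihood_band(months_between: float) -> int:
    """Recurrence interval -> 5 (Almost certain, 1-6 months) .. 1 (Rare, > 10 years)."""
    for max_months, band in LIKELIHOOD_BANDS:
        if months_between <= max_months:
            return band
    return 1

def cell_code(likelihood: int, impact: int) -> str:
    """Cell label as read on the slide: '5.4' means probability 5, impact 4."""
    return f"{likelihood}.{impact}"

def zone(likelihood: int, impact: int) -> str:
    """Colour zone of a cell from its likelihood*impact score (1..25); cut-offs ASSUMED."""
    score = likelihood * impact
    for ceiling, name in ZONES:
        if score <= ceiling:
            return name
    return "Catastrophic"

@dataclass
class Risk:
    ref: str
    division: str
    loss_rm: float                # inherent (untreated) impact estimate in RM
    months_between: float         # inherent recurrence interval in months
    treatment: str = "Tolerate"   # one of the 4 Ts: Treat/Transfer/Terminate/Tolerate
    residual_loss_rm: Optional[float] = None          # estimate once the control works
    residual_months_between: Optional[float] = None   # (Treat/Transfer only)

def inherent(r: Risk) -> Tuple[int, int]:
    return likelihood_band(r.months_between), impact_band(r.loss_rm)

def residual(r: Risk) -> Optional[Tuple[int, int]]:
    """Apply the 4 Ts: Terminate drops the risk, Tolerate keeps the inherent
    position, Treat/Transfer re-band the risk on its post-control estimates."""
    if r.treatment == "Terminate":
        return None
    if r.treatment == "Tolerate":
        return inherent(r)
    if r.treatment not in ("Treat", "Transfer"):
        raise ValueError(f"unknown treatment {r.treatment!r}")
    loss = r.loss_rm if r.residual_loss_rm is None else r.residual_loss_rm
    months = r.months_between if r.residual_months_between is None else r.residual_months_between
    return likelihood_band(months), impact_band(loss)

def outside_appetite(risks):
    """Residual positions not in a green cell: the decisions management still owes."""
    out = []
    for r in risks:
        res = residual(r)
        if res is not None and zone(*res) not in APPETITE:
            out.append((r.ref, r.division, cell_code(*res), zone(*res)))
    return out

def aggregate(risks, division: Optional[str] = None) -> Counter:
    """Risk count per residual cell; division=None gives the enterprise-wide picture."""
    counts = Counter()
    for r in risks:
        if division is None or r.division == division:
            res = residual(r)
            if res is not None:
                counts[cell_code(*res)] += 1
    return counts

REGISTER = [  # constructed sample register, not taken from the deck
    Risk("FIN-01", "Finance", 30_000, 3, "Treat", residual_months_between=24),
    Risk("FIN-02", "Finance", 150_000, 12, "Treat", residual_months_between=60),
    Risk("MILL-01", "Mill Operations", 500_000, 48, "Transfer", residual_loss_rm=40_000),
    Risk("MILL-02", "Mill Operations", 800, 2),  # Tolerate
    Risk("MKT-01", "Marketing", 300_000, 8, "Terminate"),
    Risk("HR-01", "Human Resources", 60_000, 9),  # Tolerate, but outside appetite
]

if __name__ == "__main__":
    counts = aggregate(REGISTER)
    for lik in range(5, 0, -1):   # likelihood 5 at the top, impact 1..5 left to right
        print(" ".join(f"{counts.get(cell_code(lik, imp), 0):>3}" for imp in range(1, 6)))
    for item in outside_appetite(REGISTER):
        print("outside appetite:", item)
```

Running it prints the enterprise-wide grid and lists FIN-01 and HR-01 as the two risks that still need a management decision; the HR-01 case shows why “Tolerate” is only valid when the inherent position is already inside the appetite.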
PART 2. COSO – Enterprise-wide Risk Management.
5. Where Do We Start?
Before we even implement anything, we have to understand the methodologies used – ERM and IIA’s IPPF.
Risk Evaluation Objectives according to IPPF Standard 2130-A1.
It Started in 1992 with the First Internal Control COSO Cube.
COSO/COSO ERM in 7 Different Languages!
The World’s Best Known and Only Established ERM Framework for Integrated Control.
COSO (1) Evolved into COSO-ERM (2004)
ERM Re-defined / Improved:
“… a process, effected by an entity's board of directors, management
and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the
entity, and manage risks to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.”
Source: “COSO Enterprise Risk Management – Integrated Framework” 2004. COSO.
So why Enterprise-wide Risk Management?
The Development of the Three COSO Frameworks: 1992, 2004, May 2013.
The 2013 COSO Framework (17 Principles) is the best yet. The 1992 COSO has been replaced. NEW!
A Quick View of the Overall Framework that should be achieved.
[Diagram: RISK APPETITE FRAMEWORK / ERM.]
Internal control is defined as follows:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
“Internal Control—Integrated Framework.” COSO Publication, May 2013.
The Requirement is Integrated Internal Control. Board must lead and sponsor!
Definition of Governance – What the Board is now expected to do.
“The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization towards achievement of its objectives.”
IPPF Glossary
Specimens of Internal Audit Report based on COSO (2013) Format.
Detailed Audit Finding as per Implementation Guide 2410-1

CA02 Control Activities
No review performed on audit trail report for MYSTICS system

Criteria
The BNM Audit in 2013 highlighted the absence of Policy and Procedures on the requirement to review the audit trail in the MYSTIC System (Issue No. 15). FIN has since revised the Policy and Procedures, effective 19MAR14, to incorporate periodic revision of the audit trail by an officer. Section 1.1 of Audit Trail Review for MYSTIC is to guide FIN in the preparation of the Audit Trail Report, where the system administrator is responsible for the review of the audit trail every month for at least two (2) modules.

Condition
However, Audit’s observation was that the review of the audit trail for the MYSTIC system was not implemented / carried out as now required under Section 1.1.

Cause
a) Guideline was not strictly followed and enforced accordingly.
b) Unawareness of the staff in charge of the usefulness/benefits of the audit trail in monitoring the activities of MYSTIC users and preventing fraud risks.

Risk (High)
a) Non-compliance with Section 1.1 of the Audit Trail Review for MYSTICS Manual.
b) System control lapses may go undetected.

Recommendation
FIN must ensure that the Audit Trail Review for MYSTICS Manual is adhered to accordingly, and report to the Risk Management Department (RMD) on any unusual activities under incident reporting (if any).

Management’s Response:
We have reviewed the audit trail for the months of March 2014, April 2014, May 2014, June 2014 and July 2014, and this has been concurred by FC accordingly on 2 September 2014.
Target Date: Implemented
Person Responsible: Zahid Muhammad, Head of Section
TABLE 1: COSO 5 COMPONENTS & 17 PRINCIPLES MATRIX
CONTROL ENVIRONMENT
1. The organization demonstrates a commitment to integrity and ethical values.
Answer: Yes. Board of Directors is committed to ethical and integrity values.
2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.
Answer: Yes. Board of Directors is independent and exercises oversight. New Board
members in 2014.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
Answer: Yes. Board has established reporting lines and structures. In 2013, Board has
changed the external auditors to PwC.
4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
Answer: FIN lost 6 experienced staff in 2013 and 2014 (including the Head of Department).
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
Finding IMP01: Absence of internal/manual attendance record for staff working during
public holidays.
Opinion: Tightening of controls and discipline seems obviously needed, given the nine control lapses in
this report.
RISK ASSESSMENT
6. The organization specifies objectives with sufficient clarity to enable the identification
and assessment of risks relating to objectives.
Opinion: This should be improved, as staff do not seem to implement controls as they should.
7. Organization identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.
Opinion: The identification of risk is not adequate or systematic enough. Probably, coupled
with a lack of responsibility, this is why the control lapses occur.
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
Finding RA01: User ID (MYSTICS) logged in during staff's absence. (Medium Risk)
9. The organization identifies and assesses changes that could significantly impact the
system of internal control.
Answer: Yes. GST was highlighted to management.
CONTROL ACTIVITIES
10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
Answer: Yes, controls are in the manuals but not implemented. Hence, see the findings under Principle No. 12.
11. The organization selects and develops general control activities over technology to
support the achievement of objectives.
Finding CA05: No adjustments made for TPUB-i profit charged due to limitation in
Contract Financing Module (CFM-BOS) (Medium Risk)
Finding CA08: Six (6) IDs of resigned staff were not deactivated (Medium Risk)
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.
Finding CA01: Inappropriate month end closing (High Risk)
Finding CA02: No review performed on audit trail report for Mystics System (High Risk)
Finding CA03: Non-compliance with Accounting Policy -Checklist not used (High Risk)
Finding CA04: Incomprehensive updates in Manual (Medium Risk)
Finding CA06: Wrong Preparation of Accounts: Written off asset was treated as loss on
disposal of asset. (Medium Risk)
Finding CA07: Security Cabinet containing cheque book was not locked. (Medium Risk)
INFORMATION & COMMUNICATION
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.
See related comments in Principle No. 16.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal
control.
Answer: Meetings are held with other internal parties.
15. The organization communicates with external parties regarding matters affecting the
functioning of internal control.
Answer: Yes. This is done with PwC, the external auditors.
MONITORING
16. The organization selects, develops and performs ongoing and / or separate
evaluations to ascertain whether the components of internal control are present and
functioning.
Answer: FIN will ensure the figures and information related to FIN are correct.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.
Answer: Yes, CGC as a whole communicates deficiencies, but implementation is hampered
by staff quality and IT issues. See CA03, CA04, CA05 and Finding Other 01 (Un-reconciled
receipts).
Rating the Internal Audit Consistently / No Surprise Approach.

Risk Rating and Type     Reported this Audit   Maximum for Satisfactory   Maximum for "Needs Improvement"
High Risk                3                     2                          4
Medium Risk              6                     6                          6
Other Department Risk    1                     NA                         NA
Improvement              1                     NA                         NA
TOTAL                    11
Does Senior Management (and Board) really know their Risk Appetite?
“The former JP Morgan Chase trader known as the “London Whale” has broken cover to say he was not responsible for the scandal that lost the bank $6.2bn. In a letter sent late on Monday night to news outlets including Financial News and Bloomberg, Bruno Iksil said he was “instructed repeatedly” by his superiors to carry out the trading strategy that led to the losses.”
Bruno Iksil (The “London Whale”), The Independent
(Mr Iksil is helping the US authorities bring a case against key figures at JP Morgan, but he is not among those being prosecuted. JP Morgan lost USD 6.2 Billion and was fined USD 1 Billion by regulators.)
[Photo: Jamie Dimon, JP Morgan’s CEO.]
Appeals court rules company directors liable for offences committed during their tenure
Published: 28 September 2015
The Court of Appeal today ruled that Section 122(1) of the Securities Industry Act 1983 (SIA) – which states that when an offence has been committed under the act by a corporate body, a director or chief executive officer (CEO) or one purporting to act in such a capacity for the organisation is deemed liable – does not violate the Federal Constitution.
The decision overturned the High Court’s ruling that the section was unconstitutional when Transmile Group Bhd’s founder and former CEO Gan Boon Aun and its former executive director Khiuddin Mohd challenged the validity of a charge brought against them.
Is your Board aware of this Risk?
Implication: Making COSO-ERM Thinking the Way of Life for Achievement of Company Objectives.
5 Components / 8 Components!
Is your Board & Management aware of COSO?
Implication: Changes Required for Internal Audit
IA is prime mover and player in ERM.
• Professional & Proactive Internal Audit (IIA qualified).
• Risk-Based Internal Audit (uses COSO 2013).
• Implement the International Professional Practices Framework (IPPF), which requires IA to give assurance on the effectiveness of the governance, risk management and internal control systems.
Will IA’s Participation in ERM compromise IA’s Independence? ANSWER – NO.
Starting ERM Risk Assessment - How to Identify Risks in Your Division?
• Brainstorming (participation by implementers)
• Delphi System (asking experts)
• Monte Carlo Simulation (IT program)
Separation of Roles.
ERM Promotes Ownership of Risks.
• Establish Scope and Objectives of the ERM Project.
• Establish ERM Project Roles and Project Structure.
• Identify key executives.
• Conduct training for key individuals.
• Appoint CIA and Head of ERM/CRO.
• Establish Risk Committee.
• Identify resources for ERM.

• Identification of Risk Universe.
• Organize Brainstorming sessions in risk areas.
• Identify risks and identify the controls.
• Document the high & medium risks.
• Prepare each area’s top risks and controls.
• Institute monitoring to ensure identified controls are implemented / working.
• Institute regular reporting to ERM centre.
• Review controls and update risk registers.

• Institute annual review by Internal Audit.
• Internal Audit to test ERM system in internal audits of each area.
• Aggregate and update quarterly reporting to Risk Committee.
• Continuous training and annual updating of Risk Universe.
• Integrate into Strategic review and annual budgeting.
• Add stress testing to ERM.
In Summary: Benefits of Coordinating the Company with an Integrated ERM Program and IA
Risk Management becomes easy to apply. We will have substance instead of form. Collaborative Risk Management achieved.
Internal audit recommendations become understandable and get implemented.
ERM gives the Board better real assurance over internal controls.
All departments work on the same internationally recognized methodology.
Risk registers are easily available online to all users. Related risks are identified. Redundant controls are eradicated.
We have less work and less stress (no duplicated controls).
Each entity will know their main risks and controls. This leads to more focused work and efficiency. Logical and fair internal audits.
Entities will pass internal audits. More value-add from internal audits.
The company will suffer fewer losses, make higher profits and be competitive.
The company has more time for strategy and is more focused.
The company will comply with laws, regulations and policies.
For manufacturers, better safety in the operations area.
Less staff turnover – better staff morale.
Final Take Away Pointers
• Look at Risks using the COSO/COSO ERM Frameworks.
• Establish with the AC the Risk Appetite and COSO (2013)/COSO ERM.
• Do Risk Universe Analysis using Brainstorming.
• Emphasize the Biggest Risks and review every three months.
• Do Internal Audit Planning using the COSO (2013) Framework.
• Discuss with Auditees the use of the COSO (2013) Framework.
• Determine/Measure Risk using the risk appetite set and risk registers.
• Report risks based on Criteria, Condition, Impact and Cause into High and Medium Risks.
• Establish the Real Cause with Auditees to recommend action.
• Hold the person/entity with responsibility/authority accountable.
• Be consistent with standards of evidence (no evidence, it’s an opinion).
• Write the report based on the COSO (2013) format.
• Be consistent with ratings across the board (no exception).
• If you have any serious opinion (e.g. corruption) to share, write a management memorandum separately to Management or the Board.
REMEMBER THIS?
Finally, where is your current risk management maturity level?
Thank you. Any Crushing Questions?
2012 Tax Risk Management - A Framework for implementation - Dissertation
Leon Jansen van Rensburg
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Audit
ijazurrehman
 
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
Siyam Hossain
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
Manoj Agarwal
 

En vedette (20)

Risk based-approach-banking-sector
Risk based-approach-banking-sectorRisk based-approach-banking-sector
Risk based-approach-banking-sector
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 
Tax Risk Management From Risk To Opportunity
Tax Risk Management   From Risk To OpportunityTax Risk Management   From Risk To Opportunity
Tax Risk Management From Risk To Opportunity
 
Erm dix&eaton sustainability 021114
Erm dix&eaton sustainability 021114Erm dix&eaton sustainability 021114
Erm dix&eaton sustainability 021114
 
Erm Presentation Bsw Approach &amp; Methodology
Erm Presentation   Bsw Approach &amp; MethodologyErm Presentation   Bsw Approach &amp; Methodology
Erm Presentation Bsw Approach &amp; Methodology
 
Occupational Health & Safety
Occupational Health & SafetyOccupational Health & Safety
Occupational Health & Safety
 
Risk Assessment and Threat Modeling
Risk Assessment and Threat ModelingRisk Assessment and Threat Modeling
Risk Assessment and Threat Modeling
 
Risk management basel ii
Risk management basel iiRisk management basel ii
Risk management basel ii
 
2012 Tax Risk Management - A Framework for implementation - Dissertation
2012 Tax Risk Management - A Framework for implementation - Dissertation2012 Tax Risk Management - A Framework for implementation - Dissertation
2012 Tax Risk Management - A Framework for implementation - Dissertation
 
Internal controls & ai ss
Internal controls & ai ssInternal controls & ai ss
Internal controls & ai ss
 
Enterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branchEnterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branch
 
Internal control system of jamuna bank ltd......................................
Internal control system of jamuna bank ltd......................................Internal control system of jamuna bank ltd......................................
Internal control system of jamuna bank ltd......................................
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Audit
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013
 
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...
 
Risk management in banks
Risk management in banksRisk management in banks
Risk management in banks
 
Control Self Assessment
Control Self AssessmentControl Self Assessment
Control Self Assessment
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
 
Enterprise Risk Management Framework
Enterprise Risk Management FrameworkEnterprise Risk Management Framework
Enterprise Risk Management Framework
 

Similaire à ERM and Internal Auditing 2016 Tea Talk v2a

Certs-UEM-2015
Certs-UEM-2015Certs-UEM-2015
Certs-UEM-2015
Yusof Mohd
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
Dr .Maizar Radjin, SE., M.Ak., QIA., QRMA, CRGP
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
Tim Leech
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
AyidAlmgati
 
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training ProgrammeS7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
Rodrigo Zepeda LLB, LLM, Chartered MCSI
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
Nidhi Gupta
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
Nidhi Gupta
 

Similaire à ERM and Internal Auditing 2016 Tea Talk v2a (20)

Risk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property ClubRisk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property Club
 
75b466e0cde747249c297578d18993f6.pptx
75b466e0cde747249c297578d18993f6.pptx75b466e0cde747249c297578d18993f6.pptx
75b466e0cde747249c297578d18993f6.pptx
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdf
 
Certs-UEM-2015
Certs-UEM-2015Certs-UEM-2015
Certs-UEM-2015
 
Getting the risk basics right, 30th November 2016
Getting the risk basics right, 30th November 2016Getting the risk basics right, 30th November 2016
Getting the risk basics right, 30th November 2016
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
When Things Go Seriously Wrong!
When Things Go Seriously Wrong!When Things Go Seriously Wrong!
When Things Go Seriously Wrong!
 
Erm overview of auditing fraud and revenue assurance
Erm   overview of auditing fraud and revenue assuranceErm   overview of auditing fraud and revenue assurance
Erm overview of auditing fraud and revenue assurance
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training ProgrammeS7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
 
5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as a...
5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as a...5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as a...
5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as a...
 
PSD OpRisk Forum presentation 2016
PSD OpRisk Forum presentation 2016PSD OpRisk Forum presentation 2016
PSD OpRisk Forum presentation 2016
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
 
Shilts Fraud Risk Assessment Deck
Shilts Fraud Risk Assessment DeckShilts Fraud Risk Assessment Deck
Shilts Fraud Risk Assessment Deck
 

ERM and Internal Auditing 2016 Tea Talk v2a

IIAM ERM & IA - DSK Leong 2016

Slide 1. ERM AND INTERNAL AUDITING
Internal Audit Division
David S K Leong, BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
Brainstorming of risks and controls session in progress.

Slide 2. Brief Introduction & Background
David S K Leong, BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
- HSBC Malaysia Bhd. (1980-2005), serving as Risk Manager, Strategic Planner, Chief Internal Auditor and Head, Sarbanes-Oxley Project.
- Kuwait Finance House (Malaysia) Bhd. (2005-11): Chief Officer, Internal Audit.
- Bank Islam Malaysia Bhd. (2012-2014): Chief Internal Auditor (Senior General Manager).
- Credit Guarantee Corporation Malaysia Bhd.: Director, Internal Audit.
(Total of 35 years in banking, of which 12 years as Chief Internal Auditor.)
Additional:
- Member of Board of Governors, Institute of Internal Auditors, Malaysia.
- Deputy Chairman, IIAM's Research, Technical & Advisory Committee.
- Examiner, Asian Institute of Chartered Bankers.

Slide 3. HSBC Work Experience 1980-2005
- OIC Current Accounts/Savings, HSBC, Johor Bahru: 4 years
- OIC, Trade Finance, HSBC Kuching, Sarawak: 4 years
- Assistant Manager Marketing, HSBC Kuching, Sarawak: 2 years
- Credit Manager, HSBC, Kota Kinabalu, Sabah: 4 years
- Bank Branch Manager, HSBC Bank, Labuan: 2.5 years
- Manager Risk & Policy, HSBC Malaysia, Kuala Lumpur: 4 years
- Head of Strategy, HSBC Malaysia, Kuala Lumpur: 1 year
- CIA, HSBC Malaysia: 3 years

Slide 4. Risk Management Experiences: The Nightmares!
- No risk management!
- Want to go own way (i.e. no way)!
- No definition of risk (i.e. don't know).
- Don't know what risk is!
- Uses a new, unproven risk model.
- Ad hoc and unorganized approach/incomplete coverage.
- No monitoring/follow-up of controls.
- Inadequate risk staffing and skills.
- Excessive power/arrogance.
- Lack of power!
- Very defensive!
- Don't want to be audited.
- Any more?
Slide 5. SIMPLE SURVEY
- How many don't have a Risk Management function?
- How many have not audited Risk Management?
- How many have audited Risk Management?
- How many of these are really happy with their Risk Management audit?
- How many are really comfortable with the Risk Management activities?
- How many have Risk Management Divisions that really manage important risks effectively?

Slide 6. HONESTLY, WHAT SITUATION ARE YOU IN?
1. Your internal audit findings are challenged 70% of the time?
2. Your internal audit findings are 95% accepted all the time?
3. Your internal audit recommendations get implemented only 50% of the time?
4. Your internal audit recommendations are implemented 90% even before presentation to the Board.
5. Your internal auditors' performance and remuneration are assessed by management.
6. Your internal auditors' performance and remuneration are assessed by the Board.
7. You have a higher attrition rate among your internal auditors than the average in the organization.
8. You have several other staff requesting to join the internal audit department.

Slide 7. Most Frequent Experience:
- CRO says, "We have Enterprise-wide Risk Management!" when actually he does not even know what risk is.
- CRO says, "CIO will look after IT Risk Management. RM don't have the IT expertise."
- CRO says, "We have an ERM Policy." But it exists on paper and in name only, and is not practiced. No development.
- CRO says, "We cannot introduce ERM because Head Office overseas should lead such an initiative."

Slide 8. 10 Absolute Essential Features of ERM (Source: adapted from Jared Wade)
1. Must be Enterprise-wide (from top to bottom).
2. There must not be any "Golden Boy" unit.
3. Includes all risks (Strategic/Operational/Financial/Compliance/Governance).
4. Focuses on key risks (not more than the 30-50 biggest risks).
5. Integrates across all risk types (not a siloed approach).
6. Aggregated at the enterprise level (based on the Risk Appetite/HEAT Map).
7. Decision-making required to reduce/treat risk.
8. Appropriate risk disclosures (show how much shareholder value can be damaged).
9. Measure value impacts and opportunity impact.
10. Focuses on main stakeholders (shareholders).

Slide 9. In other words, do you have these?

Slide 10. Benefits in Layman's Language to the Company with an Integrated Risk Framework and ERM Program
- Risk Management becomes easy to apply.
- We will have substance instead of form.
- ERM gives the Board better real assurance over internal controls.
- All departments work on the same internationally recognized methodology.
- Risk registers are easily available online to all users.
- We have less work and less stress (no duplicated controls).
- Each entity will know its main risks and controls. This leads to more focused work.
- Entities will pass internal audits.
- Internal audit reports will be comprehensible.
- The company will suffer fewer losses, make higher profits and be competitive.
- The company has more time for strategy and is more focused.
- The company will comply with law, regulations and policies.

Slide 11. 1. Must be Enterprise-wide.
1. Led by the Board and CEO, and with a Project Champion.
2. Must involve all risk areas.
3. Participation and buy-in from all material areas on the initial Risk Universe assessment.
4. Participation and mind-set must be integrated into operations, remuneration and culture.
5. Supported and complemented by Internal Audit.
6. All use a common methodology and are solution oriented.

Slide 12. 2. There must not be any "Golden Boy" unit
- All are included without exception.
- No "special treatment", even for "star performers". (This is exemplified by the case of Barings Bank in 1996, in which the bank eventually collapsed. Barings Singapore was so profitable that Risk Management and Internal Audit were told to go lightly on Nick Leeson, the "Wonder Boy". Loss: GBP860 million. Another tell-tale sign: the "only expert" in complicated derivatives trading in the 2008 Societe Generale Bank case, a GBP3.7 billion loss.) Enron 2004: "The Smartest Guys in the Room."

Slide 13. 3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance)
Aligning all the main components: making sure we all look at the same things to achieve corporate objectives.
[Diagram: Vision, Strategy and Corporate Objectives at the centre, linked to Risk Management, Training/HR, Key Performance Indicators, Internal Audit and Performance Measurement; outer labels: Strategic Direction, Yearly Budgets, Risk Appetite, Achieve Corporate Objectives.]

Slide 14. Where are your risks? All these have to be coordinated!

Slide 15. 5. Integrates Across All Risk Types (Not a Siloed Approach)
Definition of Risk / What is Risk?
"The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." (IPPF Glossary)
In ISO 31000:2009: "Risk is uncertainty over objectives."
By having the same methodology, everyone speaks the same language, which allows aggregation of the enterprise's risk.

Slide 16. 4. Focuses on Key Risks (30-50 Biggest Risks)
These should be the risks that keep you awake at night. They are identified in a collaborative brainstorming session for all units, using a common methodology that measures risks in terms of impact and probability.
- Are all risks covered? The ERM method prescribes inclusion of all major risks and measures the effectiveness of their treatment. This requires workers' participation.
- Are you having excessive procedures? Board and management attention, followed by action, are aligned on the real risks, their treatment and the monitoring. The process will find that many traditional processes are actually redundant, so SOPs can be streamlined and processes become efficient.
- Are your operations guys clueless and dissatisfied? Implementers of ERM and workers often find more meaning in what they do and are motivated, because they now understand how to get real value for their time. They know what they have to do and why, and what auditors will audit them on.

Slide 17. Use the "HEAT MAP" tool to help disseminate the risk assessment methodology.
Slide 18. 6. Aggregated at the Enterprise Level (Set the Risk Appetite/HEAT Map)
HEAT MAP: Where the risks are!

TABLE A: HEAT MAP (Operations). Rows: LIKELIHOOD (5 = highest); columns: IMPACT (1 = lowest). Each cell is labelled likelihood.impact.

LIKELIHOOD                           IMPACT
                                     1 Insignificant  2 Minor          3 Moderate         4 Major             5 Catastrophic
                                     (<RM1,000)       (RM1,000-9,999)  (RM10,000-49,999)  (RM50,000-199,999)  (>RM200,000)
5 Almost certain (1-6 months)        5.1              5.2              5.3                5.4                 5.5
4 Very probable (every 6-12 months)  4.1              4.2              4.3                4.4                 4.5
3 Probable (every 1-3 years)         3.1              3.2              3.3                3.4                 3.5
2 Unlikely (every 4-10 years)        2.1              2.2              2.3                2.4                 2.5
1 Rare (more than every 10 years)    1.1              1.2              1.3                1.4                 1.5

Key (colour zones): Low, Medium, Very High, Catastrophic/High.
Findings 1.1, 1.2, 1.3, 2.1, 2.2, 2.3, 2.4 and 3.1 are plotted on the map. For example, Finding 2.4 is plotted in Heat Map cell 5.4, which denotes probability 5 and impact 4.

Slide 19. 7. Decision-making by Management to Reduce/Treat Risk
Once a material risk is identified, there are 4 "Ts" of risk mitigation:
I. Treat (implement a control to reduce/prevent the occurrence).
II. Transfer (reduce the impact by transferring the risk to another entity, or take out insurance/outsource).
III. Terminate (abandon/sell the business if the risk impact is deemed unbearable or cannot be controlled).
IV. Tolerate (accept the risk if it is within risk tolerance limits).
Action is taken to ensure that all accepted risks are within the risk appetite (green), as shown in the following HEAT Map. ERM is not only about reporting risks but about ensuring the correct control action is taken. Appraisal of performance is on action taken effectively.

Slide 20. 7. IMPACT OF CONTROLS ON TREATED RISKS (RESIDUAL RISK)
TABLE A: HEAT MAP (Mill Operations): the same 5 x 5 likelihood/impact grid as on Slide 18, showing each risk's inherent risk position and its residual risk position after controls are applied.

Slide 21. 7. See One Picture of the Aggregated Risks of Your Company
OVERALL COMPANY: HEAT MAP. The same 5 x 5 grid is shown for the overall company and for each component area: Finance, Mill Operations, Marketing, Plantations, Compliance and Human Resources.
You can see one picture or drill down into component areas, even specific issues, because of the consistency of the risk methodology. Overall Enterprise-wide HEAT MAP based on COSO ERM and IIA's IPPF.
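The heat-map scoring on Slides 18 to 21 (impact band from estimated loss in RM, likelihood band from recurrence interval, cell label likelihood.impact, inherent versus residual position, and aggregation by unit) as an added worked example; this is illustrative code written for this page, not the author's or the deck's own tool. The RM impact bands and the recurrence bands are the ones printed on the slide; the "green" risk-appetite rule (likelihood x impact of 6 or less) and the sample risk register are constructed assumptions, since the colour zoning did not survive extraction.

```python
"""Risk heat-map scoring, residual-risk check and enterprise aggregation.

Added illustration, not the deck's own code. Impact bands (RM) and
likelihood bands (recurrence interval) follow the slide's heat map.
The risk-appetite rule (which cells are 'green') is a constructed
assumption: likelihood x impact <= 6 is treated as within appetite.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    risk_id: str
    unit: str
    inherent_loss_rm: float            # estimated loss per occurrence, before controls
    inherent_recurrence_months: float  # expected recurrence interval, before controls
    residual_loss_rm: float            # same two measures after existing controls
    residual_recurrence_months: float


# Impact bands from the slide: (upper bound in RM, exclusive) -> score.
IMPACT_BANDS = [(1_000, 1, "Insignificant"), (10_000, 2, "Minor"),
                (50_000, 3, "Moderate"), (200_000, 4, "Major")]


def impact_score(loss_rm: float) -> int:
    """1 = Insignificant (<RM1,000) ... 5 = Catastrophic (>RM200,000)."""
    for upper, score, _label in IMPACT_BANDS:
        if loss_rm < upper:
            return score
    return 5


def likelihood_score(recurrence_months: float) -> int:
    """5 = Almost certain (1-6 months) ... 1 = Rare (more than 10 years).

    The slide leaves a gap between 3 and 4 years; assumption here: anything
    above 36 months and up to 120 months scores 2 (Unlikely)."""
    if recurrence_months <= 6:
        return 5
    if recurrence_months <= 12:
        return 4
    if recurrence_months <= 36:
        return 3
    if recurrence_months <= 120:
        return 2
    return 1


def cell(likelihood: int, impact: int) -> str:
    """Cell label as printed on the heat map: '5.4' = likelihood 5, impact 4."""
    return f"{likelihood}.{impact}"


APPETITE_MAX_SCORE = 6  # constructed assumption for the 'green' zone


def within_appetite(likelihood: int, impact: int) -> bool:
    return likelihood * impact <= APPETITE_MAX_SCORE


def assess(risk: Risk) -> dict:
    """Plot the inherent and residual positions and apply the 4 Ts rule:
    a residual risk inside the appetite is Tolerated; anything outside it
    still needs management to Treat, Transfer or Terminate."""
    inherent = cell(likelihood_score(risk.inherent_recurrence_months),
                    impact_score(risk.inherent_loss_rm))
    res_l = likelihood_score(risk.residual_recurrence_months)
    res_i = impact_score(risk.residual_loss_rm)
    ok = within_appetite(res_l, res_i)
    return {"risk_id": risk.risk_id, "unit": risk.unit,
            "inherent": inherent, "residual": cell(res_l, res_i),
            "within_appetite": ok,
            "action": "Tolerate" if ok else "Treat / Transfer / Terminate"}


def heat_map(risks: list, unit: Optional[str] = None) -> dict:
    """{cell: [risk ids]} of residual positions, for one unit or the whole company."""
    grid = defaultdict(list)
    for r in risks:
        if unit is None or r.unit == unit:
            grid[assess(r)["residual"]].append(r.risk_id)
    return dict(grid)


def render(grid: dict) -> str:
    """Text heat map: likelihood 5 on the top row, impact 1 in the left column."""
    rows = []
    for l in range(5, 0, -1):
        rows.append("  ".join(f"{cell(l, i)}[{','.join(grid.get(cell(l, i), [])):<9}]"
                              for i in range(1, 6)))
    return "\n".join(rows)


# Constructed sample register (not from the deck). The first entry reproduces
# the slide's worked point: finding 2.4 plotted at cell 5.4 before controls.
SAMPLE_RISKS = [
    Risk("2.4", "Mill Operations", 150_000, 3, 30_000, 120),
    Risk("1.1", "Finance", 500_000, 9, 5_000, 60),
    Risk("3.1", "Human Resources", 8_000, 2, 8_000, 10),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(assess(r))
    print("Overall company:\n" + render(heat_map(SAMPLE_RISKS)))
    print("Finance only:\n" + render(heat_map(SAMPLE_RISKS, "Finance")))
```

Because every unit scores with the same bands, `heat_map()` can aggregate the whole register into the single enterprise picture Slide 21 describes and then drill down to one unit by filtering, and `assess()` makes the residual-versus-appetite comparison from Slide 19 explicit for each risk rather than leaving it to colour reading.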
Slide 22. PART 2. COSO: Enterprise-wide Risk Management.

Slide 23. 5. Where Do We Start?
Before we even implement anything, we have to understand the methodologies used: ERM and IIA's IPPF. Risk evaluation objectives according to IPPF Standard 2130-A1.

Slide 24. It started in 1992 with the first Internal Control COSO Cube.

Slide 25. (Image slide.)

Slide 26. COSO/COSO ERM in 7 different languages! The world's best known and only established ERM framework for integrated control.

Slide 27. COSO (1) evolved into COSO-ERM (2004).

Slide 28. So why Enterprise-wide Risk Management?
ERM re-defined / improved: "... a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." Source: "COSO Enterprise Risk Management: Integrated Framework", COSO, 2004.

Slide 29. The Development of the Three COSO Frameworks: 1992, 2004 and May 2013. The 2013 COSO Framework (17 principles) is the best yet. NEW! The 1992 COSO has been replaced.

Slide 30. A quick view of the overall framework that should be achieved.

Slide 31. (Image slide.)

Slide 32. RISK APPETITE FRAMEWORK / ERM.

Slide 33. The Requirement is Integrated Internal Control. Board must lead and sponsor!
Internal control is defined as follows: "Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." ("Internal Control: Integrated Framework", COSO publication, May 2013.)

Slide 34. Definition of Governance: What the Board is now expected to do.
"The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization towards achievement of its objectives." (IPPF Glossary)

Slide 35. Specimens of Internal Audit Report based on COSO (2013) Format.
  • 36. IIAM ERM & IA - DSK Leong 2016 36 CA02 Control Activities No review performed on audit trail report for MYSTICS system Criteria The BNM Audit in 2013 has highlighted on the absence of Policy and Procedures on the requirement to review audit trail in MYSTIC System (Issue No. 15). FIN has since revised the Policy and Procedures effective 19MAR14 to incorporate periodic revision of audit trail by officer. Section 1.1 of Audit Trail Review for MYSTIC is to guide FIN in the preparation of Audit Trail Report where the system administrator is responsible for the review of audit trail every month for at least two (2) modules. Condition However, Audit's observation was that the review of audit trail for MYSTIC system was not implemented / carried out as now required under Section 1.1. Cause a) Guideline was not strictly followed and enforced accordingly. b) Unawareness of staff in-charge on the usefulness/benefits of audit trail in monitoring activities of MYSTIC users and preventing fraud risks. Risk (High) a) Non-compliance with Section 1.1 of Audit Trail Review for MYSTICS Manual. b) System control lapses may go undetected. FIN must ensure that the Audit Trail Review for MYSTICS Manual are adhered accordingly and to report to Risk Management Department (RMD) on any unusual activities under incident reporting (if any). Management’s Response: We have reviewed the audit trail for the month of March 2014, April 2014, May 2014, Jun 2014 and July 2014 and have been concurred by FC accordingly on 2 September 2014. Target Date: Implemented Person Responsible: Zahid Muhammad, Head of Section Detailed Audit Finding as per Implementation Guide 2410-1
  • 37. IIAM ERM & IA - DSK Leong 2016 37
TABLE 1: COSO 5 COMPONENTS & 17 PRINCIPLES MATRIX
CONTROL ENVIRONMENT
1. The organization demonstrates a commitment to integrity and ethical values. Answer: Yes. The Board of Directors is committed to ethical and integrity values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Answer: Yes. The Board of Directors is independent and exercises oversight. New Board members in 2014.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Answer: Yes. The Board has established reporting lines and structures. In 2013, the Board changed the external auditors to PwC.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Answer: FIN lost 6 experienced staff in 2013 and 2014 (including the Head of Department).
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Finding IMP01: Absence of internal/manual attendance record for staff working during public holidays. Opinion: The need to tighten controls and discipline seems obvious given the nine control lapses in this report.
RISK ASSESSMENT
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Opinion: This should be improved, as staff do not seem to implement controls as they should.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Opinion: The identification of risk is not adequate or systematic enough. Probably, coupled with a lack of responsibility, this is why the control lapses occur.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Finding RA01: User ID (MYSTICS) logged in during staff's absence. (Medium Risk)
9. The organization identifies and assesses changes that could significantly impact the system of internal control. Answer: Yes. GST was highlighted to management.
CONTROL ACTIVITIES
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Answer: Yes. Controls are in the manuals but not implemented; hence, see the findings under Principle No. 12.
11. The organization selects and develops general control activities over technology to support the achievement of objectives. Finding CA05: No adjustments made for TPUB-i profit charged due to limitation in Contract Financing Module (CFM-BOS). (Medium Risk) Finding CA08: Six (6) IDs of resigned staff were not deactivated. (Medium Risk)
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. Finding CA01: Inappropriate month end closing. (High Risk) Finding CA02: No review performed on audit trail report for Mystics System. (High Risk) Finding CA03: Non-compliance with Accounting Policy - Checklist not used. (High Risk) Finding CA04: Incomprehensive updates in Manual. (Medium Risk) Finding CA06: Wrong preparation of accounts: written-off asset was treated as loss on disposal of asset. (Medium Risk) Finding CA07: Security cabinet containing cheque book was not locked. (Medium Risk)
INFORMATION & COMMUNICATION
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. See related comments under Principle No. 16.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Answer: Meetings are held with other internal parties.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control. Answer: Yes. This is done with PwC, the external auditors.
MONITORING
16. The organization selects, develops and performs ongoing and / or separate evaluations to ascertain whether the components of internal control are present and functioning. Answer: FIN will ensure the figures and information related to FIN are correct.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Answer: Yes, CGC as a whole communicates deficiencies, but implementation is hampered by staff quality and IT issues. See CA03, CA04, CA05 and Finding Other 01 (Un-reconciled receipts).
  • 38. IIAM ERM & IA - DSK Leong 2016 38
Rating the Internal Audit Consistently / No Surprise Approach.

Risk Rating and Type   | Reported this Audit | Maximum for Satisfactory | Maximum for "Needs Improvement"
High Risk              | 3                   | 2                        | 4
Medium Risk            | 6                   | 6                        | 6
Other Department Risk  | 1                   | NA                       | NA
Improvement            | 1                   | NA                       | NA
TOTAL                  | 11                  |                          |
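The rating rule behind this table, written out as an added example (not from the slides): each risk type is compared with its own two thresholds, NA types are counted but not rated, and the worst per-type rating becomes the audit's overall rating. The slide does not name the tier below "Needs Improvement"; the label "Unsatisfactory" used here is an assumption.

```python
"""Added example, not from the slides: the 'no surprise' rating rule of slide 38.
Each risk type has a maximum number of findings still compatible with
'Satisfactory' and with 'Needs Improvement'; NA means the type is counted but
not rated. The overall rating is the worst rating any rated type earns."""
from dataclasses import dataclass
from typing import Optional

SATISFACTORY = "Satisfactory"
NEEDS_IMPROVEMENT = "Needs Improvement"
UNSATISFACTORY = "Unsatisfactory"  # assumed label: the slide does not name this tier
TIERS = [SATISFACTORY, NEEDS_IMPROVEMENT, UNSATISFACTORY]  # best to worst

@dataclass(frozen=True)
class RiskType:
    name: str
    max_satisfactory: Optional[int]       # None = NA (type is not rated)
    max_needs_improvement: Optional[int]  # None = NA (type is not rated)

# Thresholds exactly as given in the slide's table.
THRESHOLDS = [
    RiskType("High Risk", 2, 4),
    RiskType("Medium Risk", 6, 6),
    RiskType("Other Department Risk", None, None),
    RiskType("Improvement", None, None),
]

def rate_risk_type(rt: RiskType, reported: int) -> Optional[str]:
    """Rating earned by one risk type, or None when its thresholds are NA."""
    if rt.max_satisfactory is None or rt.max_needs_improvement is None:
        return None
    if reported <= rt.max_satisfactory:
        return SATISFACTORY
    if reported <= rt.max_needs_improvement:
        return NEEDS_IMPROVEMENT
    return UNSATISFACTORY

def rate_audit(reported: dict, thresholds=THRESHOLDS):
    """(overall rating, total findings, rating per type); a missing type = 0.
    The worst per-type rating wins: one extra High Risk finding is not
    offset by a clean Medium Risk column."""
    per_type, total, worst = {}, 0, SATISFACTORY
    for rt in thresholds:
        count = reported.get(rt.name, 0)
        total += count
        rating = rate_risk_type(rt, count)
        per_type[rt.name] = rating
        if rating is not None and TIERS.index(rating) > TIERS.index(worst):
            worst = rating
    return worst, total, per_type
```

With the slide's own counts (3 high, 6 medium, 1 other, 1 improvement) the result is "Needs Improvement" with 11 findings, driven solely by the High Risk column.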
  • 39. IIAM ERM & IA - DSK Leong 2016 39
Does Senior Management (and the Board) really know their Risk Appetite?
"The former JP Morgan Chase trader known as the 'London Whale' has broken cover to say he was not responsible for the scandal that lost the bank $6.2bn. In a letter sent late on Monday night to news outlets including Financial News and Bloomberg, Bruno Iksil said he was 'instructed repeatedly' by his superiors to carry out the trading strategy that led to the losses." - Bruno Iksil (the "London Whale"), as reported in The Independent.
(Mr Iksil is helping the US authorities bring a case against key figures at JP Morgan, but he is not among those being prosecuted. JP Morgan lost USD 6.2 Billion and was fined USD 1 Billion by regulators.)
Jamie Dimon, JP Morgan's CEO.
  • 40. IIAM ERM & IA - DSK Leong 2016 40
Appeals court rules company directors liable for offences committed during their tenure (Published: 28 September 2015)
The Court of Appeal today ruled that Section 122(1) of the Securities Industry Act 1983 (SIA) - which states that when an offence has been committed under the act by a corporate body, a director or chief executive officer (CEO) or one purporting to act in such a capacity for the organisation is deemed liable - does not violate the Federal Constitution. The decision overturned the High Court's ruling that the section was unconstitutional when Transmile Group Bhd's founder and former CEO Gan Boon Aun and its former executive director Khiuddin Mohd challenged the validity of a charge brought against them.
Is your Board aware of this Risk?
  • 41. IIAM ERM & IA - DSK Leong 2016 Page 41
Implication: Making COSO-ERM Thinking the Way of Life for the Achievement of Company Objectives.
COSO (2013): 5 Components. COSO ERM: 8 Components!
Is your Board & Management aware of COSO?
  • 42. IIAM ERM & IA - DSK Leong 2016 42
Implication: Changes Required for Internal Audit. IA is the prime mover and player in ERM.
 Professional & Proactive Internal Audit (IIA qualified).
 Risk-Based Internal Audit (uses COSO 2013).
 Implement the International Professional Practices Framework (IPPF), which requires IA to give assurance on the effectiveness of the governance, risk management and internal control systems.
  • 43. Will IA’s Participation in ERM compromise IA’s Independence? ANSWER – NO. IIAM ERM & IA - DSK Leong 2016 Page 43
  • 44. IIAM ERM & IA - DSK Leong 2016 Page 44
Starting ERM Risk Assessment - How to Identify Risks in Your Division?
• Brainstorming (participation by implementers)
• Delphi System (asking experts)
• Monte Carlo Simulation (IT program)
  • 45. Separation of Roles. ERM Promotes Ownership of Risks. IIAM ERM & IA - DSK Leong 2016 45
  • 46. IIAM ERM & IA - DSK Leong 2016 46
• Establish Scope and Objectives of ERM Project.
• Establish ERM Project Roles and Project Structure.
• Identify key executives.
• Conduct training for key individuals.
• Appoint CIA and Head of ERM/CRO.
• Establish Risk Committee.
• Identify resources for ERM.
• Identification of Risk Universe.
• Organize brainstorming sessions in risk areas.
• Identify risks and identify the controls.
• Document the high & medium risks.
• Prepare each area's top risks and controls.
• Institute monitoring to ensure identified controls are implemented / working.
• Institute regular reporting to ERM centre.
• Review controls and update risk registers.
• Institute annual review by Internal Audit.
• Internal Audit to test ERM system in internal audits of each area.
• Aggregate and update quarterly reporting to Risk Committee.
• Continuous training and annual updating of Risk Universe.
• Integrate into strategic review and annual budgeting.
• Add stress testing to ERM.
  • 47. IIAM ERM & IA - DSK Leong 2016 Page 47
In Summary: Benefits of Coordinating the Company with an Integrated ERM Program and IA
 Risk Management becomes easy to apply. We will have substance instead of form.
 Collaborative Risk Management achieved.
 Internal audit recommendations become understandable and implemented.
 ERM gives the Board better, real assurance over internal controls.
 All departments work on the same internationally recognized methodology.
 Risk registers are easily available online to all users.
 Related risks are identified. Redundant controls are eradicated.
 We have less work and less stress (no duplicated controls).
 Each entity will know their main risks and controls. This leads to more focused work and efficiency.
 Logical and fair internal audits. Entities will pass internal audits. More value-add from internal audits.
 Company will suffer fewer losses, make higher profits and be competitive.
 Company has more time for strategy and is more focused.
 Company will comply with law, regulations and policies.
 For manufacturers, better safety in the operations area.
 Less staff turnover - better staff morale.
  • 48. IIAM ERM & IA - DSK Leong 2016 48
Final Take Away Pointers
 Look at Risks using COSO/COSO ERM Frameworks.
 Establish with AC the Risk Appetite and COSO (2013)/COSO ERM.
 Do Risk Universe Analysis using Brainstorming.
 Emphasize the Biggest Risks and review every three months.
 Do Internal Audit Planning using the COSO (2013) Framework.
 Discuss with Auditees the use of the COSO (2013) Framework.
 Determine/Measure Risk using the risk appetite set and the risk registers.
 Report risks based on Criteria, Condition, Impact and Cause into High and Medium Risks.
 Establish Real Cause with Auditees to recommend action.
 Hold the person/entity with responsibility/authority accountable.
 Be consistent with standards of evidence (No evidence, it's an opinion).
 Write report based on COSO (2013) format.
 Be consistent with ratings across the board (No exception).
 If you have any serious opinion (e.g. corruption) to share, write a management memorandum separately to Management or Board.
  • 49. IIAM ERM & IA - DSK Leong 2016 49 REMEMBER THIS?
  • 50. Finally, where is your current risk management maturity level?
  • 51. IIAM ERM & IA - DSK Leong 2016 51 Thank you. Any Crushing Questions?