Control, Risk & Self Assessment by John Barrett


Control & Risk Self Assessment

JOHN BARRETT Institute of Internal Auditors UK & Ireland North East District Society

Presentation & Discussion on Control & Risk Self Assessment


Does it really help to protect your reputation and your bank balance?

NRM York, 24 June 2010

"I went to lunch and had crab cakes. The waiter came over and asked if I wanted leaded or unleaded."

Back to the Future


The 1980s was the decade in which an ongoing trend of business failures and scandals began, the likes of which had not previously been seen. In the US, the Braniff Airways and Lockheed bankruptcies were overshadowed by the Savings and Loan scandal, which saw the demise of 747 building society equivalents (caused by imprudent mortgage lending), and President George H W Bush had to bail out savers with $125bn of taxpayers' money. The UK had its Maxwell, Polly Peck and BCCI scandals, which heralded the first ever formal code of corporate governance in 1991, though it did little to halt business failures and has been significantly strengthened in 1998, 2003, 2005 and 2010. Amongst the many US responses was the Treadway Commission and the publication (in 1991) of the COSO Integrated Framework of Internal Control. Arguably the best piece of research on internal control, it has also failed to prevent illegal and irresponsible governance.

COSO INTEGRATED FRAMEWORK OF INTERNAL CONTROL

MONITORING
- Ongoing Monitoring
- Separate Evaluations
- Reporting Deficiencies

INFORMATION & COMMUNICATION
- Communication: Downwards, Upwards, Horizontal, Departmental, External
- Information: Management Information Systems, Performance Information, Instructions & Guidance

CONTROL ACTIVITIES
- Policies
- Procedures
- Hard control activities

RISK ASSESSMENT
- Organisation-wide Objectives
- Activity-level Objectives
- Risk Management
- Managing Change

CONTROL ENVIRONMENT
- Integrity & Ethical Values
- Commitment to Competence
- Board of Directors & Audit Committee
- Management Philosophy & Operating Style
- Organisational Structure
- Assignment of Authority & Responsibility
- Human Resource Policies & Practices

Meanwhile, at Gulf Canada


Gulf was a mid-sized oil and gas company in the 1980s. High costs, low profit margins and competition forced the company into significant restructuring. Though all the fundamental controls were in place, they failed to detect a significant ongoing fraud by senior managers, and much soul searching ensued. In addition to recognising the need for an integrated control framework (the Canadian CoCo model did not appear until 1995), Gulf's Internal Audit function introduced a system of control self assessment (later extended to focus more on risk), which was cascaded to all operating units from 1989. Without realising it, they had established a concept which was to become internationally accepted following the publication of COSO, the UK Combined Code and the 100 or so other governance codes which exist around the world.

CRSA: Gulf Approach

- Presentations to Board
- Independent QA Review
- Synthesis and Analysis of Results
- Internal Audit QA Review
- Reporting on Controls and Risks
- Assessing Controls & Risks (all departments)
- Risk & Control Training

Control Self Assessment: Some Definitions

"A CSA programme is a process which allows individual line managers and staff to participate in reviewing existing controls for adequacy, and recommending, agreeing and implementing improvements." (IIA)

"A formalised, documented and committed approach to the regular, fundamental and open review by managers and staff of the strength of control systems designed and operated to achieve business objectives and guard against risks within their sphere of influence." (CIPFA)

"...would one day completely replace the traditional audit as the primary assurance tool in the auditor's toolkit." (Gulf Canada)

CRSA: The Early Days

- Perceived as a threat to Internal Audit
- Sluggish start even in the US (only 17% of bodies were using it by 1995)
- Seen as exporting systems based audit to staff
- Less than 30% of processes/functions used CRSA, and most of the applications were driven by Directors of Finance
- Supporters saw it as a useful control awareness initiative
- Audit critics believed it could be a new injection of life into flagging "tick and turn" auditing

More Failures and The Spur of Corporate Governance


BSB, Maxwell, BCCI, Ferranti, Fokker, Daewoo, DAF, Planet Hollywood, Bank of South Australia, Equitable Life, Enron, Global Crossing, Jenson, Railtrack, Swissair, WorldCom, Courts, Ilford, Air Europe, Allsports, Allders, Woolworths, Wedgwood, 161 US banks and hundreds more familiar brands.

- International governance requirements to embed control in the day to day activities of an organisation provided an opportunity to sell CRSA (and the main sellers were auditors)
- CSA Users Group (IIA UK), Control Self Assessment Centre (IIA Inc) and the Sentinel news sheet
- Consultants emerged to sell the concept, along with new software
- Many Board members in need of re-assurance about the reliability of their risk and control systems bought into the concept

CSA Advantages

- Line management becomes fully involved in risk & control
- Ownership creates greater awareness
- Corrective action can be taken more speedily
- The concept fits neatly with empowerment models
- Facilitates embedding and reporting requirements
- Cheaper than employing more auditors?

CSA Variants
1. Questionnaires to identify the operation of key controls
2. Risk & control questionnaires linked to computerised scoring models (see BT example later)
3. Control awareness workshops
4. Practical control assurance workshops
5. Management letters of representation
6. Management initiated control systems

Most Popular Approaches


- Control questionnaires (with or without audit assistance)
- Team workshops (usually with audit facilitation)
- 70% use workshop variants (staff interaction, better ownership, but very time consuming)

Workshops

- Identification of the purposes of the workshop
- Single subjects (e.g. treasury dealing) or generic topics (such as purchasing)
- Focus on objectives, control environment, system profiles, risk, controls, performance, reporting
- May involve managers or staff or both
- Need to decide who attends to ensure all opinions are represented
- One-off workshops or part of a series of workshops covering one department, several departments or the whole organisation
- Focus on key controls or all controls
- Discussions on strength of controls in practice, control limitations, reported control failures, emerging/changing risks and human factors
- The outcomes of workshops must be documented and circulated
- Workshops are usually well received, stimulating, raise commitment, identify blockages, promote ownership, build relationships and may also reveal fraudulent practice

CRSA Scope of Workshops


Objectives of the Activity/Process:

Strategy/Control Environment: Policies, Laws, Plans, Budgets, Procedures, Standards, Responsibilities, Structures, Accountabilities, HR Policies, market conditions, training, guidance, management information, IT systems, interfaces, monitoring arrangements, reporting, payment regimes, performance measurement, external factors, best practice etc.

Operations: a worksheet with one row per key stage of the system (1, 2, 3, 4, etc.) and the following columns:
- Profile of the System (key stages)
- Objectives
- Risks
- Controls Expected
- Controls Actual
- Opinion
- Testing
- Evaluation/Improvement
- Report/Action

Practical Considerations
- Must set objectives
- Decide on most appropriate approach
- What topics, processes, systems should be covered
- Amount of time to be invested
- COSO model or your own model
- Facilitation skills available
- Outputs from the workshop
- Reporting protocols
- Ongoing application

Possible CRSA Objectives


- Assist employees in assuming responsibility for effective risk and control management
- Teach staff to analyse, evaluate and report on the application and effectiveness of control mechanisms
- Improve control awareness and the cost effectiveness of products/services
- Complement performance reporting regimes
- Enable managers to certify corporate governance statements with more certainty

Possible CSA Disadvantages


- Relies too much on honesty
- May be too subjective (not related to business objectives)
- In practice, applied to traditional financial areas
- Time consuming
- Does not lend itself easily to cross functional systems
- Could become unreliable as an add-on to normal duties
- Filling in documentation could become an end in itself

Other Considerations
- Few organisations cover more than 30% of risk functions
- 70% of sponsors are internal audit
- After implementation, 60% of internal audit functions remain involved
- 50% use COSO, 50% use proprietary software or internal audit designed documentation (US experience)
- Time involvement may have to be rationed
- 68% of audit functions claim CRSA is one of its products

Potential Internal Audit Involvement


- Advice on design, implementation & maintenance of risk management system
- Advice on risk, control and governance
- Undertake audits of business unit schedules using COSO model
- Review periodic reports of business units
- Membership of Risk & Control Panel
- Reporting on its own plans, activities and outcomes
- Contribute to overall assessment on Corporate Governance

Case Study

Control & Risk Self Assessment in BT

BT CRSA
Background to CRSA

CRSA workshops focus on the business objectives or strategy of the group or team being audited. They allow the group to identify the enablers and barriers (risks) to achieving their objectives/strategy in a safe, workshop based environment. The benefits of CRSA to audit and the client are:
- enables the audit to focus on key risks
- client is more involved in reviewing and evaluating the risks to their own objectives
- discussions at the workshop allow information and ideas to be shared and agreed
- people learn more about their jobs and the jobs of others
- awareness and understanding of internal control and business risk is heightened
- it's enjoyable.

CRSA is part of the total audit process; onsite work may still be carried out.

BT CRSA
The Client's Involvement
- To provide a business or process objective for the topic being audited.
- Arrange for suitable delegates to attend (between 10 and 16 delegates).
- Output from the workshop will be available to the client.

BT CRSA
A CRSA workshop normally takes about three hours. We go through a standard agenda, explaining what happens and highlighting the benefits of each part of the process:
- Introductions, Principles, Objectives and Icebreaker: to introduce the CRSA technique, give an outline of the workshop principles and objectives, and introduce the technology by using an icebreaker.
- What is Business Risk: to consider what constitutes a business risk and how risks can be categorised.
- Identification & Evaluation of Risks: to identify the risks to achieving the group's business objective and evaluate these by impact and likelihood.
- Management of Risks: to consider how high impact, high likelihood risks are managed.

BT CRSA
At the workshop there will be a short presentation on what is meant by risk, the different types of risk, and the responsibility for managing risk. Key risks to achieving the business objective are then identified by running a brainstorming session and are then evaluated in terms of likelihood of occurrence and potential impact. The workshops use ppvote technology, which allows you to give a view or opinion anonymously whilst allowing all the workshop participants to view the overall opinion via graphs on screen.

BT CRSA
During the voting session the attendees will be invited to vote and score all carried forward and new risks on a gross basis using the following scales:

Impact:
1 Negligible - no noticeable effect
2 Low - slight effect on business
3 Moderate - business objective affected
4 High - business objective undermined
5 Critical - business objective cannot be accomplished

Likelihood:
1 Unlikely - chances are slight (up to 20%)
2 Unlikely - probably not (21 - 40%)
3 Doubtful - even (41 - 60%)
4 Probable - likely (61 - 80%)
5 Highly likely - almost certainly (> 80%)

There will be two votes for each risk statement, one to assess the Gross Impact and one to assess the Gross Likelihood. The Gross risk is the overall inherent risk (zero based, with no controls in place), which we try to mitigate in order to leave the Net risk, which we try to control.

BT CRSA
Following this evaluation, sufficient time is given for discussion focussed on the high impact risks that are most likely to occur and, more importantly, how these risks are managed. This may highlight risks that are poorly managed, and recommendations to improve control can then be agreed where appropriate.

Risk workshops encourage diversity of thought

Risk categories considered:
- Legal
- People
- Suppliers & Advisers
- Delivery
- Intellectual Property
- Operations
- Funding
- Information Management
- Knowledge
- Reputation
- Strategic
- Financial
- Reporting
- IT systems
- Probity
- Vision & Planning
- Change Mgt
- Stakeholders & Political

Workshop Discussion 1
"The system of internal control should be embedded in the operations of the company" (Turnbull)

Q1 Does CRSA fulfil the necessary criteria for embedding control?
Q2 Should it be supplemented with other measures and, if so, what type of measures?

Workshop Discussion 2
Q1 What do you believe is the most cost effective CRSA approach (workshops, questionnaires etc.) and why?
Q2 How would you select topics for CRSA application?

Workshop Discussion 3
Q1 Do you believe Internal Audit should devote a significant proportion of its resources to CRSA and, if so, why?
Q2 What do you think are the keys to running successful CRSA workshops?

CRSA References

Still the best UK publication (in my opinion): Control Self Assessment, edited by Keith Wade and Andy Wynne, 1999 (published by Wiley). In addition to explaining the reasons for CRSA and the various approaches, it examines about 20 different public and private sector practices, written by different experts and practitioners.
