Risk Management

Group 4
Bob Aldi (1706089721)
Dewa Wiyoga (1706998353)
Evan Soesanto (1706089803)
Chapter 2 Internal Audit’s Common
Body of Knowledge
History of CBOK
 Start with a question “What do I need to know to
become an experienced, qualified, and well respected
internal auditor?”
 Victor Brink introduced a book about internal audit
knowledge areas
 Other author have tried to define internal auditor
knowledge requirement over the years but not clear
 There still no recognized minimal set of internal audit
knowledge requirements
 William G. Bishop President of Institute of Internal Audit
proposed CBOK
 No CBOK created until his passed in 2004
What is Common Body Of Knowledge?
 A CBOK for any profession defines the minimum level of
proficiency needed for effective performance within that
profession.
 For example, the Bank Administration Institute
(BAI;www.bai.org) has released a CBOK for banking
industry risk professionals. With risk management an
important knowledge area of banking
Internal Audit’s CBOK
 adalah suatu Konsep yang mempelajari Audit Internal
sebagai suatu profesi dalam kerangka ilmu pengetahuan
 Sebagai suatu profesi , diatur dalam suatu Standar ialah
Standar Profesi Audit Internal ( SPAI ) yg berisikan Kode
Etik, Standar Atribut dan Standar Kinerja.
 Kerangka ilmu pengetahuan tsb membentuk dasar-dasar
konseptual dan berlaku sebagai standar utk pendidikan,
pelatihan, perekrutan, dan uji kompetensi bagi siapa saja yg
ingin bekerja dalam profesi Audit Internal.
 CBOK will help us:
 More clearly understand how internal auditing is being
practiced around the world
 Help us update our professional Standards
 Allow us to look closely at the framework of the profession
 the IIA Research Foundation (IIARF) launched a major
effort in 2006 to develop such a CBOK for the internal
audit profession. Its preliminary result, dated 2008, was
published in a mid-2007 research study
 Although called a CBOK, the IIARF’s approach was not to
define any set of internal audit common knowledge best
practices but to survey what internal auditors were doing
at the time of the study’s publication in country-by-
country practices of internal auditing.
 The following objectives:
 The knowledge and skills that internal auditors possess
 The skill and organizational levels used for the practice of
internal auditing work
 The actual duties performed by internal auditors
 The structure of internal audit organizations
 The types of industries which practice internal audit
 The regulatory environment of various countries
 The IIA has stated it plans to use the results of this 2007
study to improve future standards, procedures, and other
offerings in areas including revised internal audit
certifications and examinations, revised standards, and
other internal audit publications.
Demographics of Survey
 The IIARF CBOK surveys were assembled similar to a
consumer-type survey where participants were asked to
respond to questions based on a score ranging from 1 to
5 for each question.
 The results were published as a single mean value of the
various responses; no standard deviation values showed
the ranges of those responses.
Example Result
Based on the result…
 The IIA has stated that it plans to update the IIARF
CBOK study every three years and has expressed general
plans to develop and release other products and offerings
to enhance and build this internal audit CBOK.
 The IIARF’s CBOK is not a guide to internal auditor best
practices. Rather, it describes a wide range of internal
audit activities and how they are practiced
CHAPTER 6 Risk Management: COSO
ERM
 Enterprises need to identify all the business risks they and to manage these
risks to an acceptable level.
 Risk is a frequently used term in internal control standards and procedures.
It has become a term that many internal auditors agree to consider but fail
to define. One professional’s concept and understanding of risk may be
very different from another’s.
 COSO ERM is an approach that allows an enterprise and internal audit to
consider and assess risks at all levels, whether in an individual area, such as
for an information technology (IT) development project, or in global risks
regarding an international expansion.
 The emphasis is on why COSO ERM can be an important internal audit
tool to better understand and evaluate the risks surrounding internal
controls at all levels.
6.1 Risk Management Fundamentals
 Every enterprise exists to provide value for its stakeholders, but that value
can be eroded through unexpected events at all levels of the enterprise and
in all activities, ranging from day-to-day regular operations to setting
strategy for some future but uncertain endeavor.
 Risk management is an insurance-related concept where an individual or
enterprise uses insurance mechanisms to provide protection from those
risks.
 Enterprises today face a wide variety of risks and need some tools to sort
through all them in order to make rational cost and risk-related decisions.
 An effective risk management process requires four steps: (1) risk
identification, (2) quantitative or qualitative assessment of the documented
risks, (3) risk prioritization and response planning, and (4) risk monitoring.
6.1 Risk Management Fundamentals
a) Risk Identification
Management should endeavor to identify all possible risks that
may impact the success of the enterprise, ranging from the larger
or more significant overall business risks down to the less
important risks associated with individual projects or smaller
business units.
The idea here is not just to list every possible risk but for an
enterprise to identify those that might have a more major impact
operations, within a reasonable time period.
A good way to start the risk identification process is with a high-
level organization chart listing corporate-level as well as operating
units.
A better approach is to identify people at all levels of the
enterprise to serve as risk assessors.
Their goal would be to identify and then help assess risks in their
units built around a risk identification model framework.
6.1 Risk Management Fundamentals
An enterprise management team should
then start with this more complete list of
potential enterprise risks and ask
themselves questions along the lines of:

• Is the risk common across the

overall enterprise or unique to one
business group?
• Will the enterprise face this risk
because of internal or through
external events?
• Are the risks related, such that one
risk may cause another to occur?

The idea is to gain a strong understanding

of the nature of enterprise-level risks and
then to highlight the major risks, such as
the risk of a significant fall in customer
satisfaction ratings, the risk of a new and
very large competitor entering the
market, or the risk of an identified
significant control weakness as part of
the financial statement close.
6.1 Risk Management Fundamentals
b) Key Risk Assessments
A variety of approaches can be used here, ranging from best-guess
qualitative approaches to some detailed, very mathematical quantitative
analyses.
The idea is to help decide which of a series of potentially risky events
should give management the most to worry about. Responsible managers
should assess these risks using a questionnaire approach:
 What is the likelihood of this risk occurring over the next one-year period?
 What is the significance of the risk in terms of cost to the overall enterprise?
 A risk whose costs could lower earnings per share by perhaps 1 cent might qualify for the
maximum score of 9.
Approaches:
 Probability & Uncertainty
 Risk Interpendencies
 Risk Ranking
6.1 Risk Management Fundamentals
Approaches:
• Probability & Uncertainty
• Risk Interpendencies
• Risk Ranking
6.1 Risk Management Fundamentals
c) Quantitative Risk Analysis
(i) Expected Values & Response Planning
The idea is to estimate the cost impact of incurring some identified risk
and then to apply that cost to a risk factor probability to derive an
expected value or cost of the risk.
Knowledgeable people who understand the risk area often can provide
good estimates by considering questions of this type:
 What is the best-case cost estimate of incurring the risk? This is an assumption that
there will be only limited impact if the risk occurs.
 What would a sample of knowledgeable people estimate for the cost? For Risk A as
outlined, the director of marketing might be asked to supply an estimate.
 What is the expected value or cost of incurring the risk? This is the type of risk that
might include some base costs as well as such other factors as additional labor requirements.
 What is the worst-case cost of incurring the risk? This is a what-if-everythinggoes-
wrong type of estimate.
6.1 Risk Management Fundamentals
6.1 Risk Management Fundamentals
c) Quantitative Risk Analysis
(ii) Risk Monitoring
The identification of key risks can never be a single, one time process.
The environments surrounding identified risks will soon change as
surrounding conditions change.
Accurate monitoring processes are an essential component of risk
management.
6.2 COSO ERM: Enterprise Risk
Management

 Enterprise risk management is a process, effected by an entity’s board of

directors, management and other personnel, applied in a strategy setting
and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.

Key Points
• ERM is a process.
• ERM process is implemented by people in the enterprise.
• ERM is applied through the setting of strategies across the overall enterprise.
• Concept of risk appetite must be considered.
• ERM is designed to help achieve objectives.
• ERM-related goals and objectives are of little value unless they can be organized
6.3 COSO ERM Key Elements
6.3 COSO ERM Key Elements
a) Internal Environment Component
The COSO ERM internal environment component consists
of these elements:
 Risk management philosophy
 Risk appetite
 Board of directors attitudes
 Integrity and ethical values
 Commitment to competence
 Organizational structure
 Assignments of authority and responsibility
 Human resource standards

Two internal environment components of COSO ERM, the

enterprise’s risk management philosophy and its relative
appetite for risk, feed other elements of the COSO ERM
framework.
6.3 COSO ERM Key Elements
b) Objective Setting
Starting with an overall mission,
the approach is to:
(1) develop strategic objectives
to support accomplishment
of that mission,
(2) establish a strategy to meet
objectives,
(3) define any related
objectives, and
(4) define risk appetites to
complete that strategy.
6.3 COSO ERM Key Elements
c) Event Identification
Events are enterprise incidents or occurrences—external or external—
that affect the implementation of an ERM strategy and the achievement
of its objectives.
While our tendency is to think of events in a negative sense—
determining what went wrong—they can be positive as well.
However, going beyond just installing a meter on a production assembly
line, monitoring processes should include:
 External economic events
 Natural environmental events
 Political events
 Social factors
 Internal infrastructure events
 Internal process–related events
 External and internal technological events
6.3 COSO ERM Key Elements

An enterprise needs to define clearly its significant risk events and

then have processes in place to monitor them in order to take
any necessary appropriate actions.
The COSO ERM application techniques released material offers
some help here. The guidance material suggests enterprises
consider some of these approaches:
 Event inventories
 Facilitated workshops
 Interviews, questionnaires, and surveys
 Process flo analysis
 Leading events and escalation triggers
 Loss event data tracking
Inherent Risk: potential waste/loss due to nature
of an activity itself
Outside control of management & from external
factors

Residual Risk: risk that remains after management

responses to risk applied

Enterprise will always face some risk even after

responses.

Analyze from risk likelihoods & potential impacts

Likelihoods: probability/possibility that a risk will

occur
Impact
Risk Responses

The most difficult process because consist of:

1. Careful review of estimated risk
likelihoods and impact
2. Consideration associated cost and benefit
3. Develop appropriate risk response
strategies (planning and strategic thinking)

How risk responses can be handled?

1. Avoidance (selling business unit, exit from
risky geographic area, drop product line)
2. Reduction (product line diversification,
splitting IT operations into separate
locations, training employees)
3. Sharing (hedging to protect price
fluctuations, joint venture agreement)
4. Acceptance (no action)
Control activities
Create policies and procedures to ensure
action on identified risk response.

Activities: identifying, documenting, testing, validating

risk protection controls

Control activities generally include these internal

control areas:
• Separation of duties
• Audit trails
• Security and integrity
• Documentation

Control activities suggest by COSO ERM:

• Top level reviews (aware)
• Direct functional or activity management (key
role in control monitoring)
• Information processing
• Physical controls
• Performance indicators
• Segregation of duties
Monitoring
Creating policies and procedures necessary to ensure
action on identified risk response (link to risk response
strategies and actions)

To ensure that the risk responses are executed in a

timely and efficient manner.

Determine of control activities are performing properly by:

Identifying, documenting, testing, and validating risk
protection controls.

Control activities include these internal control areas:

• Separation of duties
• Audit trails
• Security and integrity
• Documentation

COSO ERM suggest these control activities:

• Top level reviews
• Direct functional or activity management
• Information Processing
• Physical controls
• Performance Indicator
Reporting
Necessary to determine that all installed ERM
components work effectively on a continuous
basis.

Monitoring should include ongoing reviews of the overall

ERM process ranging from identified objectives to
progress of ongoing ERM control activities.

Monitoring include these type of activities:

• Implementation of ongoing management reporting
mechanisms such as cash positions, unit sales, and key
financial data.
• Periodic Risk related alert reporting process should
monitor key aspect of established risk criteria,
including acceptable error rates or items held in
suspense. Report should show statistical trends and
comparison both with prior periods and with other
industry sectors.
• Current and periodic status reporting of risk related
findings and recommendations from internal &
external audit
• Update risk related information form sources such as
government revised rules, industry trends, economic
news
COSO ERM:
Enterprise Risk
Objectives
 Operations (concern to all levels of an enterprise
about risk)
 Direct manager usually have the best understanding of
operational risk but information lost when consolidated to
higher level reporting.
 Internal auditor should act as eyes and ears and report all
observed operations risk

 Reporting
 Cover the reliability of enterprise’s report of internal and
external financial and nonfinancial data.
 ERM concerned about risk of authorizing and releasing
inaccurate reports.

 Legal and regulatory compliance

 BOD, CEO, members of management need to understand
the nature and extent of all regulatory risks that the
enterprise faces.
 Legal department, key managers, internal audit can help in
assembling this information
Entity level risk
Risk encompassing the entire organizations
Small risk can impact an entire enterprise
Risk should be considered on an entity wide basis as well as by
individual operating units

Individual unit risk should be reviewed and consolidated first to

identify any key risks that may impact overall organizations.

Ex: Food quality in fast food chain

Business unit level risks

Corporate level formally outlines major risk related concerns
and ask responsible management at each major division to
survey risk objectives through operating units.

Significant risk can be identified at all level and the managed at

levels where they can receive the most direct local support.