TIAPS ALB_Module 2A. Governance and Managerial Accountability
Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis
TIAPS Albania 2023/24
Table of Contents

Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis ..... 5
Introduction ..... 5
Relevant Standards ..... 7
Relevant Competencies ..... 7
References and Additional Reading ..... 7
2A. Governance and Managerial Accountability ..... 8
2A Learning Outcomes ..... 8
2A.1 Governance Revisited ..... 8
2A.2 Risk Management ..... 12
2A.2.1 Risk Concepts ..... 14
2A.2.2 Risk Identification ..... 15
2A.2.3 Risk Analysis and Evaluation ..... 16
2A.2.4 Risk Responses ..... 19
2A.2.5 Monitoring ..... 20
2A.3 COSO Internal Control – Integrated Framework ..... 21
2A.4 Decision-Making, Risk Management, and Managerial Accountability ..... 23
2A.5 Entity-wide Risk Management ..... 27
2B. Managing People ..... 30
2B Learning Outcomes ..... 30
2B.1 Leadership ..... 30
2B.1.1 Styles of Leadership ..... 30
2B.1.2 Delegation ..... 31
2B.1.3 Leadership as Service ..... 32
2B.2 Talent Management Strategies ..... 35
2B.3 Motivation ..... 38
2B.3.1 Maslow’s Pyramid ..... 38
2B.3.2 McGregor’s Theory X, Theory Y ..... 39
2B.3.3 Vroom’s Expectancy Theory ..... 39
2B.3.4 Hertzberg’s Two-Factor Model ..... 39
2B.4 Competency Frameworks ..... 41
2C. Quality Assurance ..... 44
2C Learning Outcomes ..... 44
2C.1 The Need for Quality Assurance ..... 44
2C.2 Elements of Internal Audit Quality Assurance ..... 46
2D. Managing the Internal Audit Activity ..... 49
2D Learning Outcomes ..... 49
2D.1 Managing the Internal Audit Function ..... 49
2D.2 Internal Audit Strategic Planning ..... 53
2D.2.1 Engagement Work Program ..... 53
2D.2.2 Internal Audit Plan ..... 53
2D.2.3 Internal Audit Strategic Plan ..... 54
2D.3 Advanced Professional Practices ..... 57
2D.3.1 Using Digital Tools ..... 58
2D.3.2 Agile Auditing ..... 60
2D.3.3 Lean Auditing ..... 62
2D.3.4 New and Evolving Risk Areas ..... 63
2E. Data Analytics for Internal Auditing ..... 70
2E Learning Outcomes ..... 70
2E.1 Data Analytics and Internal Auditing ..... 70
2E.2 Data Analytics Methods ..... 72
2E.2.1 Variance Analysis ..... 72
2E.2.2 Trend Analysis ..... 73
2E.2.3 Reasonableness Testing ..... 73
2E.2.4 Ratio Estimation ..... 73
2E.2.5 Benchmarking ..... 73
2E.3 Data Analytics Tools ..... 74
2E.4 Data Visualization ..... 77
References and Additional Reading ..... 80
Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis

Introduction

The TIAPS program has been developed for public sector internal auditors, typically those with three to five years of relevant experience, including those who are or who aspire to be in supervisory and managerial positions. It is suitable for those who are familiar with how to plan and perform internal audit services and communicate findings and insights. It aims to develop a deeper practical understanding of the contribution internal audit makes to organizational effectiveness and improvement, as well as exploring how to coordinate and optimize internal audit resources and services. This includes building relationships with key stakeholders, developing a strategy for the internal audit function, managing people and other resources, enhancing quality and effectiveness through adoption of advanced practices, providing audit opinions, and supervising audit engagements.

The TIAPS program comprises four modules:
Module 1: Audit and Assurance
Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis
Module 3: Accounting Fundamentals
Module 4: Introduction to Performance Audit

Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis builds on the concepts explored in Module 1: Audit and Assurance to ensure internal audit’s provision of relevant, high-quality, and timely assurance and advice. The module examines the principles of decision-making and managerial accountability to support organizational risk management and internal control. It also identifies the roles and responsibilities of internal audit management and leadership, especially in respect of managing resources, people, and quality. The module is organized as follows:
2A. Governance and Managerial Accountability
2A.1 Governance Revisited
2A.2 Risk Management
2A.3 COSO Internal Control – Integrated Framework
2A.4 Decision-Making, Risk Management, and Managerial Accountability
2A.5 Entity-wide Risk Management
2B. Managing People
2B.1 Leadership
2B.2 Talent Management Strategies
2B.3 Motivation
2B.4 Competency Frameworks
2C. Quality Assurance
2C.1 The Need for Quality Assurance
2C.2 Elements of Internal Audit Quality Assurance
2D. Managing the Internal Audit Activity
2D.1 Managing the Internal Audit Function
2D.2 Internal Audit Strategic Planning
2D.3 Advanced Professional Practices
2E. Data Analytics for Internal Auditing
2E.1 Data Analytics and Internal Auditing
2E.2 Data Analytics Methods
2E.3 Data Analytics Tools
2E.4 Data Visualization
References
Relevant Standards

Reference is made throughout the TIAPS program to relevant international standards, principally those of The Institute of Internal Auditors (IIA) included in the International Professional Practices Framework (IPPF). Other standards and frameworks, most notably the COSO Internal Control – Integrated Framework, are also noted where appropriate.

At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 and effective from the start of 2017). Participants should anticipate major revisions to the structure and content of the IPPF, although fundamental principles about the practice of internal auditing are unlikely to change significantly. This program will be updated once the revisions to the IPPF are finalized and formally introduced.

Relevant Competencies

Reference is made throughout the material to relevant competencies taken from the IIA’s Internal Audit Competency Framework. The purpose of including these statements, which describe competencies at three levels (General Awareness, Applied Knowledge, and Expert), is to remind students of the practical nature of this program. To develop competencies, knowledge acquired by reading, reflection, and experience needs to be applied to practical situations and supported by appropriate attitudes and values. Personal and professional development is a continuous process.

The IIA’s Internal Audit Competency Framework is designed for all internal auditors, is based on global research, and represents recognized best practices. The statements are necessarily brief, and much more detail and information is needed to substantiate and contextualize the content. The statements can be regarded as signposts to help internal auditors and their managers navigate their careers, identifying opportunities for ongoing advancement to remain competent and best able to meet or exceed the needs and expectations of their stakeholders.

References and Additional Reading

References are given at the end of this module. Participants are encouraged to read these to provide greater understanding of the topics. The items have been selected to complement the content included in this module and to offer internal auditors relevant, practical guidance.
2A. Governance and Managerial Accountability

2A Learning Outcomes

On completion of this section, students will be better able to:
• Describe the principles of effective decision-making.
• Assess the effectiveness of risk management.
• Apply the COSO model of internal control to support understanding of organizational governance.
• Explain the importance of managerial accountability to governance, risk management, and internal control.
• Evaluate the effectiveness of managerial accountability.
• Describe the principles supporting entity-wide risk management.

2A.1 Governance Revisited

IIA Internal Audit Competency Framework: Common Business Processes
General Awareness: Describe the risk and control implications of common business processes (human resources, procurement, contracting, product development, project management, sales, marketing, logistics, management of outsourced processes, etc.).
Applied Knowledge: Examine the risks and controls related to the organization’s business processes.
Expert: Recommend actions to address risks related to the organization’s business processes. [1]

Module 1 Audit and Assurance described internal audit’s contribution to governance and, in doing so, identified the key components of governance in the public sector with reference to important models. The need for the structures and processes that constitute governance arises from accountability and uncertainty. Public officials have a duty of care to citizens whose resources they are using to achieve a public benefit. Consequently, managers and leaders must adopt appropriate measures to ensure their actions and behaviors are likely to fulfill organizational purpose economically, effectively, efficiently, ethically, and sustainably. To achieve this, they must lead, direct, and oversee activities and make timely interventions as required. Well-intentioned plans and actions, however, cannot guarantee desirable outcomes. Resources, systems, people, and events are unreliable and unpredictable. Risk management and internal control – key components of governance – are needed to provide reasonable assurance that objectives will be achieved within an acceptable margin of error.

Internal audit’s contribution is to provide greater transparency and insight. This helps governing bodies [2] extend their oversight across the entity and receive independent assurance on the adequacy and effectiveness of governance, risk management, and internal control to complement and supplement reports received from management – including risk and compliance functions – regarding performance, position, and prospects. Internal audit also serves management through assurance and advice, acting as a well-informed strategic advisor and champion of innovation and change.

External audit provides additional transparency by ensuring external stakeholders receive reliable reports on all aspects of public sector activity. Internal and external auditors have a broadly similar purpose (although they have important differences), operate according to compatible professional standards, and act independently from (i.e., without responsibility for or interference by) the areas they review.

Guidance from the Chartered Institute of Internal Auditors provides a useful comparison between internal auditors and external auditors, summarized in the table below and adapted for relevance to the public sector. [3]

[1] Internal Audit Competency Framework, The IIA, 2022.
[2] Refer to Module 1 section 1A.2 for a description of governing bodies and the many forms they may take in the public sector.
Primary clients
Internal audit: Management and the governing body.
External audit: Superior entity, where applicable (such as a line ministry), parliament, and the public.

Purpose of assurance
Internal audit: To provide transparency and insight to senior management and the governing body on all aspects of governance, risk management, and internal control, to enable better decision-making, and to facilitate innovation and improvements.
External audit: “To add verification, credibility, and reliability to reports” from public entities to government and from government to the public. “An external audit process ensures that [an organization]’s internal controls, processes, guidelines and policies are adequate, effective and in compliance with governmental requirements, industry standards and [organizational] policies. This type of audit also ensures that reporting mechanisms prevent errors in financial statements.”

Coverage or nature of work
Internal audit: “Internal audit covers all categories of risks and their management, starting from their identification, taking in various responses to risks, including traditional internal financial and non-financial controls and including the flow of information around the [organization] about risk. Internal auditors also cover governance processes and the internal control environment that seeks to mitigate risk and governance issues.”
External audit: External auditors typically conduct:
• Financial audits
• Compliance audits
• Performance audits
The purpose of the financial audit is to confirm:
• The accuracy and completeness of the client’s accounting records.
• Whether the client’s accounting records have been prepared in accordance with the applicable accounting framework.
• Whether the client’s financial statements present fairly its results and financial position.
Performance audits evaluate the economy, effectiveness, and efficiency of projects and initiatives in terms of their outcomes and impacts. Compliance audits identify conformance with policies, regulations, and other requirements.

Timing and frequency
Internal audit: Internal auditing is a permanent presence in the organization and conducts engagements according to organizational priorities and risks, based on a planned schedule as well as ad hoc missions.
External audit: External audits (especially financial audits) tend to follow a cyclical pattern tied to annual reporting requirements.

Focus of opinion
Internal audit: Internal audit provides assurance on the adequacy and effectiveness of governance, risk management, and internal control, which may include an opinion.
External audit: “The external audit focus is predominantly on validating that the financial statements are a true and fair representation of past performance.”

Responsibility for improvement
Internal audit: “Improvement is fundamental to the role of internal audit. Working within the organization on a constant basis allows internal auditors to identify current or emerging weaknesses and advise and facilitate managers’ efforts to improve processes. At the same time, internal auditors have a professional duty to avoid usurping the responsibility of managers to manage.”
External audit: “External auditors have no explicit responsibility to improve their clients’ governance or risk management processes. They have a duty to report internal control problems that they come across as part of their work.”

[3] Position paper: Internal audit’s relationship with external audit, Chartered Institute of Internal Auditors, 2020.
We may also add that the primary accountability of the head of the internal audit unit is to the governing body of the organization, while external auditors of the Supreme Audit Institution are accountable to parliament, often reporting to a representative committee, the cabinet office, the head of government, or the head of state.

Governance, risk management, and internal control can be understood as different facets of the same thing. Their purpose is to provide reasonable assurance of organizational success. They operate at every level throughout an organization. Every activity, decision, plan, and behavior contributes in some way – positively or negatively – to the entity’s economy, effectiveness, efficiency, integrity, and sustainability.

• Governance is the broadest of the three concepts. Its focus concerns the highest-level objectives, strategies, structures, processes, and decisions, and is driven by ultimate accountability to stakeholders. “Those charged with governance” typically refers to the members of the governing body and may include those with executive and nonexecutive roles.
• Risk management takes account of the inherent uncertainty in all goal-oriented activity with the aim of optimizing outcomes: not to eliminate risk (which is impossible without abandoning all goals and the actions to achieve them) but to take better decisions. Both taking an action and refraining from doing so constitute taking a risk. Managing risk is part of the responsibility of management, although the governing body should ensure there are appropriate structures and processes in place. This may include individuals or teams with a specific focus on risk and compliance (i.e., second line roles) to provide additional expertise, oversight, and challenge.
• Internal control (sometimes referred to as control or managerial internal control (MIC)) describes management’s responses to risk.

As noted in Module 1, not all entities have separate “second line” functions. The responsibility for managing risk, however, remains within management regardless of structure. Where there are no distinct second line functions, the task of managing risks sits with those who also have first line roles.

2A.1: Reflection

The term “internal control” sometimes creates a negative image – especially among managers – and can be a barrier to establishing a good understanding of the role and importance of governance, risk management, and internal audit, which are also terms that are not well understood.

Have you experienced difficulties communicating the purpose of internal control as well as governance, risk management, and internal audit?

How do you – or how could you – explain these terms to your audit clients and stakeholders to avoid such difficulties?

In what ways, if any, does your internal audit function engage with other internal and external assurance providers (such as risk and compliance functions, legal counsel, financial controllers, financial officers, and external auditors)?

Are there ways in which internal audit could work more closely with other internal and external assurance providers while maintaining appropriate safeguards for independence?
<strong>2A</strong>.2 Risk Management<br />
IIA Internal Audit Competency Framework: Risk Management<br />
General Awareness: Describe fundamental concepts of risk <strong>and</strong> risk management; describe<br />
risk management frameworks.<br />
Applied Knowledge: Use a risk management framework to identify potential threats; examine<br />
the effectiveness of risk management within processes <strong>and</strong> functions.<br />
Expert: Appraise the methods used to assess the effectiveness of risk identification <strong>and</strong><br />
management. 4<br />
Risk management is the attempt to apply awareness <strong>and</strong> underst<strong>and</strong>ing of risks to<br />
strategizing, goal setting, planning, decision-making, deployment of resources, operational<br />
activity, monitoring, reporting, <strong>and</strong> forecasting. It is most effective when it is holistic (entitywide),<br />
consistent (supported by a common framework <strong>and</strong> terminology), <strong>and</strong> integrated<br />
(built-in rather than bolted-on). A general principle is that whoever is responsible for an<br />
activity or goal is also responsible for managing the associated risks. An entity may assign<br />
individuals or teams with specialist second line roles (e.g., risk management, compliance,<br />
information security, legal counsel, <strong>and</strong> financial control) to provide support for managers<br />
focused on first line roles (i.e., “front of house” services to clients <strong>and</strong> “back office” services<br />
to enable the organization to operate, such as administration, HR, finance <strong>and</strong> accounting,<br />
<strong>and</strong> IT, noting that many back office functions also have a focus on control). However, the<br />
general principle of risk ownership remains.<br />
In their approach to risk management, some organizations consciously adopt a formal<br />
framework, such as COSO Enterprise Risk Management – Integrating with Strategy <strong>and</strong><br />
Performance or ISO 31000: Risk Management. There are benefits in doing so, including<br />
having a ready-made objective benchmark of recognized best practice <strong>and</strong> a valuable tool<br />
for assessment <strong>and</strong> training. There are also disadvantages, including the need to ensure the<br />
model is relevant <strong>and</strong> the risk of getting distracted by excessive detail. Any approach needs<br />
to be appropriate, <strong>and</strong> its adoption should be incremental to match the needs <strong>and</strong> maturity of<br />
the entity. In all cases, internal audit is expected to evaluate the effectiveness of risk<br />
management <strong>and</strong> contribute to its improvement, in accordance with St<strong>and</strong>ard 2120 – Risk<br />
Management of the IPPF.<br />
Risk is commonly defined in connection with the attainment of objectives and allows for both favorable and adverse variances from desired outcomes. Three useful and similar definitions of risk are given below.

• IIA: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. [5]
• ISO: The effect of uncertainty on objectives. [6]
• COSO: The possibility that events will occur and affect the achievement of objectives. [7]
[4] Internal Audit Competency Framework, The IIA, 2022.
[5] International Professional Practices Framework, The IIA, 2016.
[6] ISO 31000:2018 Risk Management, ISO, 2018.
[7] COSO Enterprise Risk Management – Integrating with Strategy and Performance, COSO, 2017.
It is worth quoting IIA Standard 2120 – Risk Management in full, as it succinctly directs auditors to consider key factors when determining the effectiveness of risk management processes.

2120—Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation:

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission.
• Significant risks are identified and assessed.
• Appropriate risk responses are selected that align risks with the organization’s risk appetite.
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2120.A1 The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.

2120.A2 The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2120.C1 During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.

2120.C3 When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. [8]
Risk management involves multiple steps to identify, assess, and implement responses to risks that are relevant to the organization and its objectives. The overall approach to risk management should be:

• Planned, focused, and systematic.
• Relevant to organizational needs and priorities.
• Maintained continuously as objectives and conditions change.
• Monitored and adjusted as required.

The process should be cyclical and iterative, allowing for continuous improvement.

Figure: Iterative and Cyclical Risk Management
2A.2.1 Risk Concepts

There are many related terms used regarding risk management. Internal auditors should make sure their meaning is clear when discussing risk with members of management and the governing body. It is useful to agree on a common taxonomy and to keep it simple. Some common terms are defined in the table below. However, alternative definitions are possible, and the most important things are clarity and agreement.
[8] International Professional Practices Framework, The IIA, 2016.
Concept | Definition and Application
Risk capacity | The ability to tolerate risk without significant failure.
Risk attitude | A general disposition or mindset with respect to risk, such as being risk averse or risk hungry.
Risk appetite | The level of risk an organization is willing to take, often expressed for categories (or classes) of risks.
Risk tolerance | Risk appetite for specific activities or objectives, including acceptable variations beyond broader risk appetite, at least on a temporary basis.
Risk universe | The totality of risks that may impact an organization.
Risk profile | The aggregate pattern of significant risks across key activities.
Risk severity | A measure of the level of risk (usually based on likelihood and impact).
Risk response | An organization’s actions taken in recognition of a risk to manage its impacts and/or likelihood within the limits agreed according to appetite and tolerance.
Inherent risk | The level (severity) of a risk to which an organization is (theoretically) exposed in the absence of any risk responses (controls).
Residual risk | The level (severity) of a risk to which an organization is exposed with risk responses (controls) in place.
Risk appetite is an important concept since it sets the tone for risk management. COSO Guidance, Risk Appetite: Critical to Success, provides useful discussion on this topic.

The COSO Enterprise Risk Management—Integrating with Strategy and Performance defines risk appetite as: The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

Inherent in this definition are several key points. Risk appetite:

• Is intentionally broad to apply across an organization, recognizing that it may differ within various parts of the organization while remaining relevant in changing business conditions.
• Focuses on risk that needs to be taken to pursue strategies that enhance long-term success.
• Recognizes that risk is more than individual decisions.
• Links to value – it is tied to the choices the organization makes on how it creates and preserves value. [9]
2A.2.2 Risk Identification

The process of risk management begins with risk identification. Risks do not exist in the abstract but relate to objectives. Where there are no objectives there are no risks. Two individuals or entities in the same circumstances may face different risks or different levels of risk exposure because they have different goals. To answer the question “what are the risks?” we must first answer the question “what are the objectives?” Therefore, risk identification starts with a review of an organization’s purpose, goals, strategies, and targets. This can also be applied to departments, projects, and systems.
[9] Risk Appetite: Critical to Success, COSO, 2020.
Risk identification needs to be maintained on a regular basis. As internal and external conditions and goals change, the risk profile also evolves. New risks arise from new conditions (such as a change of leader, introduction of a new policy, changes to legislation and regulations, implementation of new systems, and shifts in economic and social factors). The process of risk identification often includes a combination of:

• Review of purpose, goals, strategies, and targets.
• Review of performance, position, and prospects.
• Brainstorming workshops with key individuals.
• Consideration of each class of risk or each major department, system, or process.
• Review of the existing risk register.
• Review of previous audits and inspections.
• Consideration of relevant guidance, articles, journals, and other literature.
• Consultation with subject matter experts.

Internal auditors are likely to be involved in supporting this process. The extent to which internal audit is asked to help will depend on the level of risk maturity (see below). They may facilitate risk self-assessment workshops and provide training. The head of internal audit should also make an independent risk assessment as part of the process of planning the schedule of engagements, but must include the input of senior management and the governing body, in accordance with Standard 2010.

2010.A1 The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. [10]
2A.2.3 Risk Analysis and Evaluation

Risk workshops and other processes can yield long lists of risks. Some will be more important than others, and many risks in the risk universe require little or no attention. Making this determination requires analysis and evaluation, which allows managers to prioritize and decide on appropriate risk responses.

Not all risks are relevant or significant. Purely theoretical or hypothetical risks with very limited likelihood can safely be ignored. However, so-called black swan events occur infrequently and are hard to predict but may have significant impacts. In some parts of the world tornadoes, earthquakes, or hurricanes may occur, although it is difficult to know where and when. There may also be very rare scenarios where such events are combined with conditions like tsunamis, wildfires, or high tides, making the impacts that much greater. They are highly unlikely, but that does not mean organizations (and individuals) can dismiss the possibility, because from time to time such things will occur. The global Covid-19 pandemic caused rapid and widespread disruption. Nevertheless, many individuals and organizations had warned governments that such a scenario was possible. As we encroach more into the natural environment and encounter species with which humans have had little previous contact, the chances of diseases jumping to humans increase. Coupled with rapid mass global transportation, this significantly multiplies the chance of viruses spreading quickly.
[10] International Professional Practices Framework, The IIA, 2016.
In addition to black swan events, organizations must also consider emerging risks, which are those with a high degree of uncertainty, often accompanied by high volatility, and with the potential for far-reaching and widespread consequences. They arise from conditions not previously experienced, and so the possible chains of events and impacts are difficult to estimate. Risks arising from climate change, artificial intelligence, and geo-politics fall into this category. It is hard to prepare for the unknown, but organizations need to keep these in view, learn what they can from available information, and maintain active preparedness in the form of contingency plans as far as possible. This may include avoiding undue reliance on single organizations or territories for critical supplies and having built-in flexibility in operations. This is similar to business continuity and disaster recovery planning. We may not know what the cause may be, but we can prepare for denial of access to buildings, power outages, disruption to supply lines, loss of key personnel, staff shortages, and other social, political, environmental, or economic turmoil.
Aside from black swan events and emerging risks, it is possible to classify, evaluate, and prioritize risks. Classifications are developed to match the characteristics of the organization. Classes or categories may include:

• Strategic risk.
• Operational risk.
• Financial risk.
• Reporting risk.
• IT risk.
• Compliance risk.
• Cybersecurity risk.
• Reputational risk.

The categories help with the process of managing risks, and the choice of categories used should be made to suit organizational needs. Risk appetite may vary according to class of risk. Some broad topics, such as ESG (environmental, social, and governance), can represent risks in multiple classes; in the case of ESG this could include reputational, financial, reporting, and compliance risks.

Evaluation of risks can include attaching descriptive or numerical values. Likelihood and impact are usually the two most important dimensions, although others may be considered. Sometimes a grid is used similar to the one shown below.
    Impact
    Severe        |
    Major         |
    Moderate      |
    Minor         |
    Insignificant |
                  +----------------------------------------------------
                    Rare   Unlikely   Moderate   Likely   Highly likely
                                                                   Likelihood

Figure: Risk Severity Matrix
Risks can be placed on the matrix according to their relative severity. Red, yellow, and green shading can be used to create a heat map. Alternatively, numerical values may be attached, as shown below.

    Impact
      5 |  5  10  15  20  25
      4 |  4   8  12  16  20
      3 |  3   6   9  12  15
      2 |  2   4   6   8  10
      1 |  1   2   3   4   5
        +-------------------
           1   2   3   4   5
                          Likelihood

Figure: Risk Severity Matrix – Numerical
In this case, severity has been calculated as the product of likelihood and impact. However, an organization may be more concerned about a risk with a likelihood of 3 and an impact of 5 than a risk with a likelihood of 5 and an impact of 3. We can tolerate more likely but less impactful events better than less likely but more impactful ones. This suggests that impact could be weighted to reflect this preference, if desired. Other factors may also be considered, such as:

• Vulnerability: how susceptible is the organization to certain types and levels of impact?
• Velocity: how quickly will the impact be felt once the initial event has occurred?
• Volatility: how much changeability and uncertainty is there regarding the circumstances and our assessment of likelihood and impact?
• Simultaneous occurrence: if two or more related or unrelated impacts are felt at the same time, how will the organization be able to cope? Risks with lower individual severity may combine to create more significant impacts.
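As an added illustration (not part of the TIAPS module), the following Python reproduces the numerical matrix above as severity = likelihood x impact on the 5x5 scale, and then adds one possible impact weighting so that a likelihood-3/impact-5 risk outranks a likelihood-5/impact-3 risk, as the text argues it should. The weighting rule (raising impact to a power and rescaling so a 5/5 risk still scores 25), the heat-map thresholds, and the three sample risks are assumptions made for this example.

```python
"""Weighted risk severity scoring on a 5x5 likelihood/impact grid.

Added illustration, not part of the TIAPS module. The weighting rule,
the heat-map thresholds and the sample risks are assumptions for the example.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4, 5)   # the module's five-point likelihood and impact scales
MAX_SCORE = 25            # 5 x 5, kept as the ceiling after weighting


def severity(likelihood: int, impact: int, impact_weight: float = 1.0) -> float:
    """Severity as likelihood x impact, with optional extra weight on impact.

    With impact_weight == 1.0 this is exactly the module's numerical matrix.
    A weight above 1.0 raises impact to that power and rescales the result so
    a 5/5 risk still scores 25; the effect is that high-impact, lower-likelihood
    risks move ahead of high-likelihood, lower-impact ones. The exponent rule is
    an assumed choice, not something the module prescribes.
    """
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    raw = likelihood * impact ** impact_weight
    ceiling = 5 * 5 ** impact_weight
    return raw * MAX_SCORE / ceiling


def band(score: float) -> str:
    """Heat-map band for a score on the 1-25 scale (thresholds are assumed)."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


def severity_matrix(impact_weight: float = 1.0) -> list[list[float]]:
    """Grid indexed [impact-1][likelihood-1], matching the module's figure."""
    return [[round(severity(l, i, impact_weight), 2) for l in SCALE] for i in SCALE]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int


def rank_risks(risks: list[Risk], impact_weight: float = 1.0) -> list[tuple[str, float, str]]:
    """Return (name, score, band) tuples sorted from most to least severe."""
    scored = []
    for r in risks:
        score = severity(r.likelihood, r.impact, impact_weight)
        scored.append((r.name, round(score, 2), band(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample risks: the two cases the text contrasts, plus a low one.
SAMPLE_RISKS = [
    Risk("Frequent minor data-entry errors", likelihood=5, impact=3),
    Risk("Rare loss of the central ledger", likelihood=3, impact=5),
    Risk("Stationery over-ordering", likelihood=2, impact=1),
]

if __name__ == "__main__":
    for row in reversed(severity_matrix()):   # impact 5 printed at the top
        print(" ".join(f"{v:5.0f}" for v in row))
    print(rank_risks(SAMPLE_RISKS))                     # both top risks tie at 15
    print(rank_risks(SAMPLE_RISKS, impact_weight=1.5))  # impact-5 risk now ranks first
```

With the plain product the two contrasted risks tie at 15; with the assumed weight of 1.5 the likelihood-3/impact-5 risk keeps its score of 15 while the likelihood-5/impact-3 risk drops to about 11.6 and falls into the yellow band, which is the kind of ordering the text describes an organization wanting.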
There are many ways in which risk can be quantified, with varying levels of sophistication and granularity. There is a trade-off to be had. If a model is too simple it can reduce the value of quantifying risks. Three-point scales (whether qualitative or quantitative) are unlikely to be sufficient to reflect the real differences in levels of risk exposure faced by an organization. In models with an odd number of gradations there is a natural tendency to fall into the middle, after discounting the upper and lower extremes. This also reduces the effectiveness of the exercise.

On the other hand, if a model is too complex it may become unwieldy. The effort involved in determining very fine gradations may exceed the benefits it yields. The process of evaluation should not get in the way of its aim. The purpose is to identify areas of risk that require attention and to help with prioritization and determination of a proportionate response. COSO Risk Assessment in Practice provides useful guidance on this and related topics. [11]

It is important to remember that the exercise of risk evaluation is not a perfect science. Organizations should be careful not to get seduced or distracted by the numbers. Risk evaluation is a tool to support the analysis, prioritization, and subsequent responses. For senior management and the governing body, the key questions are: what do we need to be focused on, what are we doing about it, and are our current responses effective?
[11] Risk Assessment In Practice, COSO, 2012.
2A.2.4 Risk Responses

Having identified, classified, evaluated, and prioritized risks, the next stage is to determine appropriate responses. “Control” can suggest the response to a risk is always to restrict or reduce its impact, but since some of the impacts of uncertainty on objectives are favorable – we sometimes exceed targets and forecasts, and new opportunities arise – some of the responses are to take advantage of rather than limit risks. Risk responses can serve to manage either likelihood or impact or both.

The aim of responses is to ensure the residual risk severity falls within the expressed risk appetite. Responses need to be proportionate in terms of cost and effort in relation to the size of the risk. Basic responses are described below.
Basic Risk Responses | May include
Treat | Reduce, mitigate, enhance, exploit, leverage, or optimize
Terminate | Avoid or abandon the activity or goal
Transfer | Share (e.g., through insurance), spread, or outsource
Tolerate | Accept or pursue
The effectiveness of the response can be measured by the difference between the inherent and residual risk severity. Sometimes these risk responses are used in combination. There is always an element of “tolerate” with regard to the residual risk unless the response is to terminate. Public sector entities often operate in areas of high risk – such as military combat, major construction, infectious diseases, nuclear power, and emergency response services – that need to be managed but cannot be terminated.
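As an added example (not from the TIAPS module), the following Python applies the response table and the paragraph above to a small risk register: it scores inherent and residual severity as likelihood x impact, measures response effectiveness as the difference between them, checks that a residual risk is recorded as tolerated unless the activity was terminated, and reports entries whose residual severity exceeds the appetite set for their risk class. The register entries, the appetite limits per class, and the response labels in the data are constructed for the example.

```python
"""Inherent vs residual severity, response effectiveness and appetite checks.

Added illustration, not part of the TIAPS module. The register entries and
the appetite limits are constructed for the example.
"""
from dataclasses import dataclass, field

RESPONSES = {"treat", "terminate", "transfer", "tolerate"}  # the four basic responses


@dataclass
class RegisterEntry:
    name: str
    risk_class: str
    inherent_likelihood: int
    inherent_impact: int
    responses: list[str] = field(default_factory=list)
    residual_likelihood: int = 0   # 0 means the residual has not been assessed yet
    residual_impact: int = 0


def severity(likelihood: int, impact: int) -> int:
    """Severity as likelihood x impact on the 5x5 scale used in the module."""
    return likelihood * impact


def inherent(e: RegisterEntry) -> int:
    """Severity with no responses (controls) in place."""
    return severity(e.inherent_likelihood, e.inherent_impact)


def residual(e: RegisterEntry) -> int:
    """Severity with responses in place: zero if terminated.

    An unassessed residual (0) is treated as unchanged from inherent, the
    conservative reading when no post-response assessment has been recorded.
    """
    if "terminate" in e.responses:
        return 0
    if e.residual_likelihood == 0 or e.residual_impact == 0:
        return inherent(e)
    return severity(e.residual_likelihood, e.residual_impact)


def response_effectiveness(e: RegisterEntry) -> int:
    """The module measures effectiveness as inherent minus residual severity."""
    return inherent(e) - residual(e)


def validate(e: RegisterEntry) -> list[str]:
    """Flag register entries that contradict the principles in the text."""
    issues = []
    unknown = set(e.responses) - RESPONSES
    if unknown:
        issues.append(f"unknown response(s) {sorted(unknown)}")
    if residual(e) > inherent(e):
        issues.append("residual severity exceeds inherent severity")
    # Unless terminated, whatever risk remains is being tolerated and should say so.
    if "terminate" not in e.responses and "tolerate" not in e.responses and residual(e) > 0:
        issues.append("residual risk remains but 'tolerate' is not recorded")
    return issues


def outside_appetite(register: list[RegisterEntry], appetite: dict[str, int]) -> list[tuple[str, int, int]]:
    """Entries whose residual severity exceeds the appetite for their class.

    appetite maps a risk class to the maximum acceptable residual severity,
    reflecting the text's point that appetite may vary by class of risk.
    """
    out = []
    for e in register:
        limit = appetite[e.risk_class]
        if residual(e) > limit:
            out.append((e.name, residual(e), limit))
    return out


# Constructed register (not real data), one entry per basic response.
REGISTER = [
    RegisterEntry("Cash theft from tills", "financial", 4, 4,
                  ["treat", "tolerate"], residual_likelihood=2, residual_impact=2),
    RegisterEntry("Fire in records archive", "operational", 2, 5,
                  ["transfer", "tolerate"], residual_likelihood=2, residual_impact=2),
    RegisterEntry("Pilot of unvetted payment app", "IT", 3, 4, ["terminate"]),
    RegisterEntry("Ransomware on case system", "cybersecurity", 4, 5,
                  ["treat"], residual_likelihood=3, residual_impact=4),
]
APPETITE = {"financial": 6, "operational": 6, "IT": 8, "cybersecurity": 8}  # assumed limits

if __name__ == "__main__":
    for e in REGISTER:
        print(e.name, inherent(e), residual(e), response_effectiveness(e), validate(e))
    print(outside_appetite(REGISTER, APPETITE))
```

On this register the terminated pilot has a residual of zero, so its effectiveness equals its inherent severity, while the ransomware entry is flagged twice: its residual of 12 sits above the assumed cybersecurity appetite of 8, and the register does not acknowledge that the remaining risk is being tolerated.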
Regular components of the control environment (described in section 2A.3) – such as training, awareness raising, and well-communicated codes of conduct and policies – serve as general controls. A very common control is segregation of incompatible duties (as discussed in Module 1 Audit and Assurance under measures to address fraud risk). Consider the following specific controls for risks associated with cash receipts and payments:
• Set tight limits on the number of people who can perform sensitive roles, such as authorizing payments and signing checks.
• Assign separate cash drawers for each employee responsible for collecting cash and record a daily tally.
• Endorse checks at the point of receiving them to restrict their usage.
• Do not allow employees to draw cash for personal use.
• Do not collect amounts in excess of what is due and offer “cash back.”
• Issue numbered receipts and keep a copy.
• Deposit cash as soon as possible with a deposit slip; otherwise, secure undeposited amounts.
• Keep blank checks secure.
• Make checks out to a specific payee (not “cash” or similar, and not left blank).
• Conduct regular reviews and reconciliations and investigate irregularities. [12]
[12] Local Management Guide: The Practice of Internal Controls, Office of the New York State Comptroller, 2010.
These are all designed to treat (through mitigation) the risk of money going missing through error or fraud. Most reduce likelihood. Setting authorization limits and making regular reviews reduce impact by restricting how much could go missing before the problem is identified.

Financial speculation, investments in new technology, promotion of innovation to stimulate economic growth and address climate change, issuing government bonds, and adjusting interest rates and levels of taxation are examples of how the public sector can seek to exploit uncertainty.
2A.2.5 Monitoring

Monitoring is a key part of the risk management process. This includes monitoring controls to ensure they are operating as expected and maintaining a close watch for changes in the risk landscape. Routine monitoring should be conducted by those implementing the controls and their supervisors. Reconciliations and stock takes are forms of monitoring. Inspections and audits may also be undertaken. Monitoring should include a combination of periodic and ad hoc review. Automated systems make it easier to maintain close monitoring, and reports may be generated to highlight irregularities.
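As an added example (not from the TIAPS module or the New York State Comptroller guide it cites), the following Python is the kind of automated monitoring report the paragraph above refers to, applied to three of the cash-handling controls listed in section 2A.2.4: it checks the numbered-receipt sequence for gaps and duplicates, builds the daily tally, and reconciles each day's receipts against the deposit slip covering that day, flagging shortfalls, overages, and cash left undeposited past a deadline. The receipt and deposit records are constructed sample data, and the two-day deposit deadline is an assumed local policy.

```python
"""Monitoring report for cash receipts: sequence checks and deposit reconciliation.

Added illustration, not part of the TIAPS module or the guide it cites. The
receipt and deposit records below are constructed sample data, and the
deposit deadline is an assumed local policy.
"""
from collections import defaultdict
from datetime import date, timedelta

DEPOSIT_DEADLINE_DAYS = 2            # assumed policy: cash banked within two days
AS_OF = date(2024, 3, 11)            # date the report is run (constructed)

# Constructed receipts: (receipt_no, date, amount). One number is missing and
# one is issued twice, the two irregularities a numbered-receipt control exists to catch.
RECEIPTS = [
    (1001, date(2024, 3, 4), 120.00),
    (1002, date(2024, 3, 4), 45.50),
    (1003, date(2024, 3, 4), 300.00),
    (1005, date(2024, 3, 5), 80.00),     # 1004 never issued or not recorded
    (1006, date(2024, 3, 5), 60.00),
    (1006, date(2024, 3, 6), 60.00),     # duplicate receipt number
    (1007, date(2024, 3, 6), 210.00),
]
# Constructed deposit slips: (slip_no, deposit_date, covers_date, amount).
DEPOSITS = [
    ("D-17", date(2024, 3, 5), date(2024, 3, 4), 465.50),
    ("D-18", date(2024, 3, 6), date(2024, 3, 5), 100.00),   # 40.00 short of the tally
    # nothing banked yet for 6 March
]


def sequence_exceptions(receipts):
    """Gaps and duplicates in the numbered-receipt sequence."""
    if not receipts:
        return {"gaps": [], "duplicates": []}
    numbers = sorted(r[0] for r in receipts)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1]) if n not in present]
    seen, dups = set(), set()
    for n in numbers:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return {"gaps": gaps, "duplicates": sorted(dups)}


def daily_tally(receipts):
    """Total receipted per day, the figure the daily tally should agree with."""
    totals = defaultdict(float)
    for _, day, amount in receipts:
        totals[day] += amount
    return dict(totals)


def reconcile(receipts, deposits, as_of):
    """Compare each day's receipts with the deposit slip that covers it.

    Returns (day, finding, amount) for every day that is short, over, or still
    undeposited once the deadline has passed.
    """
    tally = daily_tally(receipts)
    covered = {d[2]: (d[0], d[3]) for d in deposits}   # covers_date -> (slip, amount)
    findings = []
    for day in sorted(set(tally) | set(covered)):
        receipted = round(tally.get(day, 0.0), 2)
        if day not in covered:
            if as_of - day > timedelta(days=DEPOSIT_DEADLINE_DAYS):
                findings.append((day, "undeposited past deadline", receipted))
            continue
        slip, banked = covered[day]
        diff = round(banked - receipted, 2)
        if diff < 0:
            findings.append((day, f"deposit {slip} short", -diff))
        elif diff > 0:
            findings.append((day, f"deposit {slip} over", diff))
    return findings


if __name__ == "__main__":
    print(sequence_exceptions(RECEIPTS))            # gap at 1004, duplicate 1006
    for finding in reconcile(RECEIPTS, DEPOSITS, AS_OF):
        print(*finding)
```

Each finding is something a supervisor investigates rather than a conclusion: a gap may be a spoiled receipt that was not retained, and a short deposit may be a recording error, but both are the irregularities the text says regular reconciliation exists to surface.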
2A.2: Reflection

Think about the structures, processes, and resources in your organization that collectively represent risk management.

What formal provisions are made in your organization for risk management?

Is there a coherent, entity-wide approach to managing organizational risks?

Is risk management connected with strategic and operational planning, reporting, monitoring, and performance management?

Is there a common framework and agreed terminology used to describe risk?

Is responsibility for risks and controls delegated down the organization to teams and individuals?
2A.3 COSO Internal Control – Integrated Framework

IIA Internal Audit Competency Framework: Internal Control

General Awareness: Identify types of controls.

Applied Knowledge: Use an internal control framework to examine the effectiveness and efficiency of internal controls.

Expert: Evaluate and recommend improvements to the organization’s internal control framework; assess the organization’s implementation of its internal control framework. [13]

The best-known and most widely used model for internal control is COSO Internal Control – Integrated Framework (2017). It is commonly adopted in the public sector and sometimes written into legislation. For example, it is a part of the European Union accession requirements within the model of Public Internal Financial Control (PIFC) (see Module 3 Accounting Fundamentals).

The COSO model comprises five interrelated elements:

• Control environment.
• Risk assessment.
• Control activities.
• Monitoring.
• Information and communication.

There is a natural intersection between risk management and internal control, especially in the components of risk assessment and control activities.
Figure: The Five Elements of Internal Control

• The internal control environment is the overall framework for control. It is established through diligent leadership, consistent tone-at-the-top, a commitment to integrity and transparency, regular awareness-raising and training, clarity of roles and responsibilities, and appropriate and documented delegation of authority.
• Risk assessment is needed to identify, evaluate, and prioritize uncertainties that may impact the achievement of objectives. Risk assessment should form part of strategizing, planning, decision-making, operations, monitoring, and evaluation.
[13] Internal Audit Competency Framework, The IIA, 2022.
• Control activities are the responses developed to manage risks within acceptable limits. Controls may be a combination of preventive, detective, and corrective measures implemented as part of normal operating procedures and should be proportionate in terms of cost and effort in relation to the level of risk. Training should be provided as necessary. Implementing and maintaining control activities must be documented and included within a description of roles and responsibilities.
• Systematic monitoring is a necessary part of ensuring the adequacy and effectiveness of control activities, to determine that they are operating as intended. As objectives and risks change, it is likely control activities will need to be adjusted and, in some cases, removed. Routine and ad hoc monitoring is undertaken by supervisors and line managers as well as periodically by inspectors and internal and external auditors.
• Finally, the effectiveness of internal control is dependent on systems of information and communication to maintain up-to-date descriptions of processes and escalate issues to the appropriate level of authority in the event of a control failure.

Any system of control needs to be cost-effective, proportionate to risks and priorities, compatible with organizational culture, and integrated within decision-making and operations.
2A.3: Reflection

COSO Internal Control – Integrated Framework is central to the model of PIFC (Public Internal Financial Control).

How well is COSO Internal Control – Integrated Framework understood in your organization – by senior leaders, managers, and staff?

What role can the internal audit function play to promote greater awareness and understanding regarding internal control and the COSO Internal Control – Integrated Framework?

Based on your insights on the adequacy and effectiveness of internal control in your organization, which area or areas have the greatest need or opportunity for improvement (control environment, risk assessment, control activities, monitoring, and information and communication)?
2A.4 Decision-Making, Risk Management, and Managerial Accountability

The principles of decision-making, risk management, and managerial accountability are closely related.

Every organization or system requires a set of explicit and implicit rules to operate, sometimes referred to as bureaucracy. When the rules are burdensome in comparison with the objectives and complexity of the task, they can have a negative impact on effectiveness and efficiency. Excessive bureaucracy is known as red tape. Otherwise, formal and informal rules ensure activity is organized and purposeful. Specialization and the division of responsibilities increase and improve performance. Entities establish structures and hierarchies as ways of organizing resources and functions, taking care to ensure there is clarity to avoid unintended gaps and unnecessary duplication, as well as appropriate interconnection to maintain organizational coherence.

However, rules are insufficient to complete every task. If they were, organizations would not need managers. Organizations are not machines. They are human undertakings. The function of managing is effectively one of making decisions. Tasks that do not require decision-making we can describe as purely administrative, where one is simply abiding by rules and following instructions. In many cases, such tasks can be automated. In reality, there are few roles that lack any degree of discretion.
In highly centralized organizations, important decision-making is made at the highest levels of authority. This can be appropriate when there is a strong need for uniformity and limited need for decision-making at lower levels, such as in an army or when junior team members have very limited knowledge and experience. In other situations, centralization can lead to bottlenecks where lengthy decision-making processes are carried out by individuals who are remote from operations, and there is often a failure to utilize talent, which can lead to demotivation and demoralization. In centralized bodies, internal control is equated with following rules and is enforced through inspection. Most employees are therefore carrying out administrative tasks requiring multi-tiered signoffs as a paper trail and ex-ante approval for appropriations, commitments, disbursements, etc. Such a system is heavily focused on the legality and regularity (i.e., on compliance) of transactions and rather less on effectiveness and performance.

Organizations with decentralized decision-making and control are more agile and responsive. Employees’ expertise is more appropriate to their tasks, thus creating greater job satisfaction and engagement. Internal control operates most effectively at the level at which decisions are taken. Those closest to the action are best placed to understand and intervene. Tasks should be delegated to the lowest level at which sufficient competency exists to complete them successfully. It is otherwise an ineffective use of talent (and the financial resources necessary to pay for it) to have someone over- or under-qualified for their role.
Managers make decisions to help achieve goals that satisfy the purpose of the team, division, department, entity, and governing administration. We have said previously that taking goal-oriented actions and taking risks are the same thing. Knowledge of risks helps prepare for a range of possible outcomes. The purpose of risk management is to enable managers to make good decisions. Independent assurance and advice from internal audit have the same purpose.
Effective internal control is dependent on delegation of authority and powers to an appropriate level of activity. Accountability flows up the chain of command and ultimately to the highest levels of government. However, within this structure individuals are empowered to take actions in a reasonable manner regulated by suitable preventive and detective controls. Delegation of powers and responsibilities should be achieved without relieving the person who is delegating from responsibility for exercising those powers and responsibilities.
Managerial accountability is defined as:
A process whereby managers at all levels are responsible for, and may be required to explain, the decisions and actions taken to meet the objectives of the organisation [or section thereof] they manage. Managerial accountability implies responsibility for sound financial management at all levels, i.e., the adequate organisation, procedures and reporting of the results of the organisation. [14]
This does not just apply to financial resources or managers at the senior level. Every employee making decisions is a manager in this sense. In other words, “managerial accountability is an approach to public management in which managers are held accountable for results by assigning them responsibility, accompanied by delegated authority for decision making, and the autonomy and resources necessary to achieve the expected results.” [15] Delegation of authority must be executed in a carefully considered way. It introduces risks at every point where decisions are made. Hence, delegation of authority must be accompanied by appropriate controls to provide “guard rails” within which managers are authorized to use their judgment. There should be a documented schedule of delegation starting with entity objectives and showing a cascade of decision-making authority down the organization to appropriate teams and individuals.
Figure: Components of Managerial Accountability
[14] Compendium of the public internal control systems in the EU Member States 2012, Publications Office of the European Union, 2012.
[15] Managerial Accountability in the Western Balkans, SIGMA, 2018.
Managerial accountability requires firstly that there is clear delegation of responsibility and secondly that managers are held to account, meaning they accept the consequences for their behavior, decisions, and performance, and are treated appropriately. This may include:
• Being required to improve upon any substandard work, submit to increased supervision, and undertake additional training.
• Receiving recognition (positive feedback, praise, rewards, bonuses, pay increases, promotion, and other opportunities).
• Receiving sanctions (constructive criticism, loss of privileges, demotion, reassignment, suspension, and potentially loss of position).
This also entails a need for systematic and reliable performance reporting. Delegation is only workable if it genuinely combines responsibility, decision-making authority, and autonomy.
• Responsibility: Tasks need to be defined and assigned formally and included in the manager’s role description.
• Authority: Managers need to have the commensurate level of authority to fulfil the responsibilities assigned to them.
• Autonomy: Managers must be able to make decisions freely within their assigned area of responsibility and have the necessary resources to achieve this.
Autonomy allows managers to make decisions about financial and other resources in pursuit of goals, with the possibility of getting this wrong. This is not the same as merely following detailed regulations, standards, and procedures. It involves the application of reasoning and judgment.
The purpose of internal control is reasonable assurance of success in a manner that is economic, effective, efficient, ethical, and sustainable. Success includes operating in conformance with legislation, regulation, policies, and other requirements and expectations. Internal control can be achieved by delegating responsibility, authority, and autonomy to the level of decision-making and activity and applying suitable controls as limits on managerial powers. The purpose is not to establish autonomous self-governing entities. It is common for governments to exercise direct control over the most significant assets and liabilities in the interests of national fiscal discipline. However, an increase in delegated responsibility supports more dynamic and responsive internal control. Managers are accountable for the consequences of their actions and behaviors and are duly incentivized to make continuous improvements. In some environments, managers are asked to make an annual declaration of their accountability for performance and internal control.
Taken together, internal audit and managerial accountability are sometimes referred to as the double-lock of financial management. Their purpose is to improve the ways in which public resources are managed. Performance management is only as good as the effectiveness of internal control, which in turn is dependent on the reliability of risk identification and assessment. Therefore, it is imperative that risk management activities are integrated into every stage of planning and operations, maintaining focus on the most significant risks to objectives.
The role of internal audit is to support this process through independent assurance, insights, and advice, helping managers identify risks and design efficient and effective responses to them. Where controls are not working as intended, are focused on lower priority risks, or are disproportionate to the likelihood or impact of risks, they should be redesigned accordingly in the interests of economy, effectiveness, and efficiency.
Prerequisites for Managerial Accountability
• Clarity of roles and responsibilities with sufficient differentiation at all levels as well as between entities (including ministries and their subordinated entities). This includes responsibility for the implementation of internal control aligned with the objectives and risks of each activity.
• Alignment with policies and procedures.
• Risk-based strategic and operational planning.
• Commitment by managers to act in the best interests of the organization.
• Quality control to ensure substandard work is not accepted.
• Organizational goals integrated within the planning process that are cascaded down to departments, divisions, teams, and individuals. Goals should be SMART, prioritized, and documented.
• Formalized schedule of delegation of responsibility, authority, and autonomy appropriate to levels of competency, to include devolved budgetary responsibility. Requirements for the process of delegation may be defined by law with very specific procedures to confirm transfer of responsibilities. More generally, organizations and leaders may assign tasks and duties from within their own span of responsibilities to members of their department or team. In all cases, delegation should be planned and documented carefully.
• Regular assessment of managers’ competencies.
• Performance evaluation and appraisal policies that ensure expectations are clearly communicated, supported, monitored, evaluated, and recognized.
• Adequate supervision.
• Training and professional development.
• Implementation of a suitable entity-wide risk management framework.
• Implementation of a suitable system of internal control, coordinated and managed across the entity. Procedures and controls must be documented.
• Merit-based and transparent recruitment and promotion.
• Systematic monitoring and reporting of performance.
2A.4: Reflection
How would you describe the decision-making process in your organization – as highly centralized, highly decentralized, or somewhere in between?
Consider the prerequisites listed above for managerial accountability. Which of these may be limiting effective managerial accountability in your organization?
What can internal audit do to strengthen managerial accountability in your organization?
Do the principles of managerial accountability apply to the internal audit function? Do audit team members have appropriate levels of responsibility, authority, and autonomy?
2A.5 Entity-wide Risk Management
Within each assurance engagement, internal auditors evaluate the adequacy and effectiveness of risk management and provide insights to support improvements. Additionally, the head of internal audit is often expected to offer an opinion on risk management for the organization as a whole. Risk management should be planned holistically to ensure consistency, coherence, and comprehensiveness. It is only at an aggregate level that an entity can consider its full risk profile.
COSO describes entity-wide risk management as:
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. It…includes practices that management puts in place to actively manage risk…[and] addresses more than internal control [to include] strategy-setting, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions. [16]
The following table illustrates some of the key differences between risk management at a departmental, team, or process level and entity-wide risk management. It also distinguishes less mature from more mature risk management practices.
Table: Increasing Risk Management Maturity. For each characteristic, the first list describes risk management at a departmental, team, and process level (less mature); the second describes entity-wide risk management (more mature).

Approach
Departmental, team, and process level:
• Tactical.
• Focus on individual departments or classes of risk.
• May be reactive, short-term, and fragmented.
• May be based on periodic or sporadic risk assessments.
• Likely to focus on likelihood and impact only.
Entity-wide:
• Strategic.
• Holistic organizational view.
• Pro-active, long-term, and integrated.
• Continuous risk assessment process.
• May consider other risk dimensions (such as volatility and correlation) in addition to likelihood and impact.

Guiding principle
Departmental, team, and process level:
• Attention to risk tolerances.
• Focus on detective and preventive controls.
Entity-wide:
• Attention to risk appetite.
• Focus on leveraging opportunity as well as implementing control.

Primary goals
Departmental, team, and process level:
• Minimize losses, improve efficiencies, increase gains.
Entity-wide:
• Fulfilment of organizational mission.

Responsibility
Departmental, team, and process level:
• Primarily the departmental leader or process owner.
Entity-wide:
• Should be assigned to a senior official.

Scope
Departmental, team, and process level:
• Risks within department, team, or process.
• Focus on operational risks relevant to departmental, team, or process goals.
Entity-wide:
• All aspects of organizational activity, strategy, and planning.
• Focus on strategic risks and aggregated operational risks relevant to organizational goals.
[16] COSO Enterprise Risk Management: Integrating with Strategy and Performance, COSO, 2017.
As organizations develop and mature, so too should their organizational risk management. There are numerous models for risk management maturity sharing many common elements. The purpose of a model is to provide an initial assessment of current status, identify opportunities for improvement, and help establish a planned approach for increasing maturity. This is a process internal audit is well placed to support.
The Risk Maturity Model (RMM) [17] is one such model with five levels of maturity:
1. Ad hoc.
2. Initial.
3. Repeatable.
4. Managed.
5. Leadership.
The assessment is based on consideration of seven elements related to entity-wide risk management (ERM):
Element and focus:
1. Adoption of ERM-based process: Risk culture and level of executive or board-level support for enterprise risk management.
2. ERM Process Management: Adoption of ERM methodology throughout the culture and decisions, and how well the risk management program follows best practice steps to identify, assess, evaluate, mitigate, and monitor risks.
3. Risk Appetite Management: Awareness around risk-reward trade-offs, accountability for risk, defining risk tolerances, and whether the organization is effective in closing the gap between potential and actual risk.
4. Root Cause Discipline: Risk identification by source, or root cause, versus the symptoms and outcomes they produce. Focusing on the root cause of a risk and classifying risks accordingly will strengthen response and mitigation efforts.
5. Uncovering Risks: Quality and coverage of risk assessments. This element examines the method of collecting risk information, the risk assessment process, and whether enterprise-wide trends and correlations can be uncovered from the risk information.
6. Performance Management: Execution of vision and strategy. This element evaluates the strength in planning, communicating, and measuring core enterprise goals with a risk-based process, and the extent to which progress deviates from expectations.
7. Business Resiliency and Sustainability: Integration of business continuity, operational planning, and other sustainability activities with a risk-based methodology.
Internal audit may adopt such a model, apply it to its evaluation of risk management, and use it to help management identify opportunities and set goals for continuing improvement.
[17] www.riskmaturitymodel.org
2A.5: Reflection
Use the Risk Maturity Model (or something similar) to assess the maturity of risk management in your organization. You may need to make an educated guess for any elements you are not wholly sure of.
On a scale of 1-5 (where 1 is ad hoc, 2 initial, 3 repeatable, 4 managed, and 5 leadership) or similar, what score would you attribute to risk management maturity in your organization?
What factors are the most significant in contributing to the risk management maturity in your organization?
What role can internal auditing play to help management continue to improve risk management maturity?