Complementary role of CAE and CRO in the provision of combined assurance
IMFO Audit & Risk Indaba, 28-29 June 2012
Nathi Mhlongo, eThekwini Municipality
Discussion topics
• King III on combined assurance
• Where is it risky? Are we focusing where it matters? (Source: PwC statistical information)
• Critical areas of convergence for CAE and CRO
• Requirements for effective cooperation between CAE and CRO
• Benefits of combined assurance
King III, principle 3.5: The Audit Committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance services.
Combined assurance
Combined assurance model (diagram; the three-lines layout below is reconstructed from the slide labels)
Governance and oversight: Council and Key Committees; Audit and Risk Committee
Management: Municipal Manager and Key Committees; Risk Management Committee
Assurance:
• First Line of Defence: Management of Operations
• Second Line of Defence: Chief Risk Office, Ethics and Compliance, Ombudsperson, Legal
• Third Line of Defence: Internal and External Auditors
King III on risk management and combined assurance
• The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
King III on IA and combined assurance
• The board should receive assurance regarding the effectiveness of the risk management process
Can CAE and CRO collaborate?
• What does ERM mean?
• How do both functions fit into the equation?
• How can internal audit assist and yet independently evaluate risk management activities?
ERM definitions
• RIMS: ERM is a strategic business discipline that supports achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
• The IIA: ERM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of objectives.
Source: The IIA and RIMS
Common areas of convergence
• ISO 31000:2009
• IIA International Professional Practice Framework
• COSO ERM framework
• Open Compliance and Ethics Group's Red Book
• RIMS and IIA 2012 joint report
eThekwini Municipality - EXCO ERM
Chart: How well is risk being managed? (risks generally not perceived as well managed versus risks that are well managed). Source: PwC 2012 State of the IA Profession Study
Chart: Stakeholders value internal audit's contribution and want more. Which risks are receiving too little attention from internal audit? Source: PwC State of the IA Profession Study
The fact of the matter is...
• Are risks adequately covered in the risk profile?
• Is risk information simplified or excessively cluttered?
• Is risk information credible?
• Expertise of the CRO
• Is there stakeholder consensus on the risks raised by management?
• Is there robust dialogue between the CAE and the CRO around ERM?
• Does the AG participate in the dialogue?
• Is ERM effective?
• Are IA-specific skills available?
• Does IA have enough budget?
Results of ineffective risk management
• Poor identification of risks
• Breakdown in internal control that could prevent the organization from achieving its objectives
• Reactive responses to potential risks, rather than proactive ones
• Changing or new risks are not adequately identified, controlled and managed
• Inability to leverage internal audit expertise, e.g. root cause analysis, impact assessment, etc.
• Inability to leverage ERM expertise
Expectations from the CAE
• Timely recommendations
• Risk impact insight
• Quality of recommendations to improve business performance
Critical areas of convergence for CAE/CRO
• Root cause and impact assessments (IA)
• Controls design and implementation consulting (ERM)
• Action planning and real-time assurance on implementation according to plan (IA/ERM)
• Combined assurance
• Effective and efficient communication
An effective combined assurance framework
To ensure success, the organisation requires:
• A common risk language
• Enabling technology
• Clearly defined roles for all assurance providers
• An approved combined assurance policy to ensure commitment to cooperate
• A communication plan encompassing ongoing communication
• Involvement from senior leadership ("tone at the top")
• Continued coordination, reporting and communication
• Provision of necessary and appropriate training
Acknowledgements
• King III
• PwC 2012 State of the Internal Audit Profession Study
• eThekwini Municipality ERM framework
• RIMS and IIA 2012 Joint Report
"Siyabonga kakhulu" (Thank you very much)